What's new with Tanzu Application Catalog - Nov 2023
Welcome to another edition of What’s new with Tanzu Application Catalog.
Latest Product Upgrades
VMware Application Catalog is now VMware Tanzu Application Catalog
VMware Application Catalog has been renamed VMware Tanzu Application Catalog. The main objective of the name change is to strengthen the association and awareness that the product is part of the Tanzu portfolio of application delivery solutions. Please note that the name change has no direct impact on the usage, pricing, or functionality of the product, including its virtual machine-related capabilities, which the product continues to offer.
VEX documentation, FIPS 140-2 compliance, verification in air-gapped environments, and more to help enterprises mitigate upstream vulnerabilities
To help our customers enhance their compliance posture and better address the security risks posed by open source software (OSS), we announced a number of new features and upgrades to Tanzu Application Catalog at VMware Explore Las Vegas. If you are interested in learning more about VEX documentation, check out and
Avail ARM Support in Tanzu Application Catalog
So far, users of Tanzu Application Catalog have been able to get container images built for the AMD64 architecture only. From now on, container images with Debian 11, Debian 12, Photon OS 4, or Red Hat UBI 9 as the base OS image are shipped as multi-arch images that support ARM64 as well as AMD64. This means that the same image reference resolves to the ARM64 or AMD64 variant, depending on the architecture of the platform on which it is pulled and deployed. The higher power efficiency and cost reduction offered by ARM servers have led several enterprises to invest in ARM, and those enterprises stand to benefit greatly from this update.
Consume SBOMs through an intuitive graphical view
The SPDX SBOMs provided by Tanzu Application Catalog are now also available in an intuitive graphical format, in addition to the already available JSON format. Note that an SPDX SBOM is provided for all three form factors (Helm charts, containers, and virtual machines) supported by Tanzu Application Catalog.
To get this graphical view of an SBOM, follow the steps listed below after signing in to Tanzu Application Catalog.
- Under the My Applications tab, click the Details button of the application whose SBOM you want to view.
- Go to the Build Time Reports section and click the Graph icon that appears next to the Download button of the SBOM, as highlighted in the screenshot below.
- You will then see the graph view of the SBOM.
Graph view of the SBOM of PostgreSQL packaged by VMware with Photon OS 4.0 as the base OS image
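The graph view draws the SPDX document's relationships: the package the document DESCRIBES is the root, and CONTAINS / DEPENDS_ON relationships are the edges. The Python example below is added here to show how that graph is recovered from the JSON form of an SPDX 2.x SBOM; it is not code from the original page or from Tanzu Application Catalog, and it does not reproduce the catalog's graph renderer. The SBOM it reads is a small constructed sample with made-up package names and versions, and the helper names (`build_graph`, `reachable`, `unreachable_packages`, `render_tree`) are this example's own.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.3 JSON document (not a real catalog SBOM). It describes a
# container image containing an OS layer and an application; "leftover-tool"
# is deliberately not linked to anything, to show how a dangling package
# would surface.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-container-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "example-app-image", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-os", "name": "photon", "versionInfo": "4.0"},
        {"SPDXID": "SPDXRef-glibc", "name": "glibc", "versionInfo": "2.32"},
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "15.4"},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.13"},
        {"SPDXID": "SPDXRef-orphan", "name": "leftover-tool", "versionInfo": "0.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-image"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-os"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-os", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-glibc"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-zlib"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-glibc"},
    ],
})

# Relationship types that become edges in the graph (parent -> child).
EDGE_TYPES = {"CONTAINS", "DEPENDS_ON"}


def build_graph(text: str):
    """Return (labels by SPDXID, adjacency list, root SPDXIDs) for an SPDX 2.x JSON SBOM."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("unsupported SPDX version")
    labels = {p["SPDXID"]: f"{p['name']}@{p.get('versionInfo', '?')}" for p in doc.get("packages", [])}
    edges = defaultdict(list)
    roots = []
    for rel in doc.get("relationships", []):
        src, dst, kind = rel["spdxElementId"], rel["relatedSpdxElement"], rel["relationshipType"]
        if kind == "DESCRIBES" and src == "SPDXRef-DOCUMENT":
            roots.append(dst)
        elif kind in EDGE_TYPES:
            edges[src].append(dst)
    return labels, edges, roots


def reachable(edges, start: str) -> set[str]:
    """All SPDXIDs reachable from start (iterative DFS, cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, []))
    return seen


def unreachable_packages(labels, edges, roots) -> list[str]:
    """Packages listed in the SBOM but not connected to any described root.
    These deserve a look: either the relationships are incomplete or the
    package should not be in the artifact at all."""
    seen = set()
    for root in roots:
        seen |= reachable(edges, root)
    return sorted(label for spdx_id, label in labels.items() if spdx_id not in seen)


def render_tree(labels, edges, node: str, depth: int = 0, path: tuple = ()) -> list[str]:
    """Text rendering of the graph as an indented tree, one line per edge visit."""
    label = labels.get(node, node)
    if node in path:
        return [f"{'  ' * depth}{label} (cycle)"]
    lines = [f"{'  ' * depth}{label}"]
    for child in edges.get(node, []):
        lines.extend(render_tree(labels, edges, child, depth + 1, path + (node,)))
    return lines


if __name__ == "__main__":
    labels, edges, roots = build_graph(SAMPLE_SPDX)
    for root in roots:
        print("\n".join(render_tree(labels, edges, root)))
    print("not connected to any root:", unreachable_packages(labels, edges, roots))
```

Running it on the constructed sample prints the image with its OS and application subtrees (glibc appears under both, since it is contained by the OS and depended on by the app) and flags `leftover-tool@0.1` as unconnected. The same two functions, run over a downloaded SPDX JSON instead of the sample, give a quick sanity check that an SBOM's relationships actually cover everything it lists.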
Gain an overview of your exposure to upstream risks with CVE Summary
Every application in the catalog now has a corresponding CVE summary indicating the number of critical-, high-, medium-, and low-severity vulnerabilities. This helps customers manage their risk and exposure to upstream vulnerabilities by selecting the base OS image and OSS apps that best align with their policies. To view the CVE summary, after signing in to Tanzu Application Catalog, go to the ‘Library’ section and click the ‘Details’ button corresponding to the application whose CVE summary you want to view.
Screenshot from Tanzu Application Catalog UI highlighting the CVE Summary of RabbitMQ packaged by VMware
Bitnami Vulnerability Database integrated with Trivy
To better enable vulnerability scanners to detect vulnerabilities in Bitnami components, earlier this year we launched the Bitnami Vulnerability Database, a public CVE security feed available on GitHub with extensive information about vulnerabilities in Bitnami components. Trivy is the first security scanner to consume the Bitnami Vulnerability Database; the integration was added as an experimental feature in Trivy v0.45.0. Read more in this blog.
New additions to the catalog
As always, we have added several new applications to our catalog. To keep up with the increasing demand for ML/AI-related applications, we have focused on populating our catalog with more ML/AI-related apps. All newly added Helm charts, containers, and virtual machines are listed below.
Helm charts & containers
- (A deep learning software suite for empowering ChatGPT-like model training) - Container & Helm chart
- (A scalable open-source solution for search, analytics, and observability) - Container & Helm chart
- (An open-source platform designed to manage the end-to-end machine learning lifecycle) - Container & Helm chart
- (An open-source machine learning framework for Python) - Container
- (A command-line utility for interacting with Pinniped. Pinniped is an identity service provider for Kubernetes) - Container
- (A command-line tool for interacting with NATS clusters. NATS is an open source, lightweight and high-performance messaging system) - Container
- (A CLI project to add signatures as standard items in the OCI registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures) - Container
- (An HTTP proxy that can perform RBAC authorization against the Kubernetes API based on the SubjectAccessReview authorization resource) - Container
- (A framework and distributed processing engine for stateful computations over unbounded and bounded data streams) - Previously available only as Helm chart & container, now available as virtual machine as well.
Thought Leadership: Zero CVEs? Don’t Compromise Quality for Easy Compliance
There has been a lot of buzz around zero CVEs of late, which is understandable. At the same time, it is important to understand that chasing a zero-CVE count for its own sake can be detrimental. Our Staff Engineer Martin Perez shares his thoughts on how you can minimize CVEs and the harm they cause, while maintaining software quality, by following sustainable practices, in this blog.
Demo Video: Securing Software Supply Chain with Tanzu Application Platform and Tanzu Application Catalog
Watch our Staff Solution Engineer Eknath Reddy demonstrate how developers working with Tanzu Application Platform can leverage Tanzu Application Catalog to mitigate the supply chain risks posed by OSS.
Whitepaper: Security Measures in Tanzu Application Catalog
There are several key security measures we have undertaken in Tanzu Application Catalog to ensure that our customers minimize security risks and achieve strict regulatory compliance while working with OSS.