AnchoreCTL Release Notes
1 - AnchoreCTL Release Notes - Version 5.0.1
The latest version of AnchoreCTL is 5.0.1.
NOTE: This version of AnchoreCTL only supports Anchore Enterprise 5.0.X. If you’re using Anchore Enterprise 4.9.X, please use AnchoreCTL v4.9.0. For any version of Enterprise prior to 4.9.X, please use the version of AnchoreCTL that is matched to your Enterprise deployment, which is noted in the release notes for each given version of Anchore Enterprise.
AnchoreCTL 5.0.1 is a bug fix release which includes:
- A fix for a stack overflow that can be seen when executing the command anchorectl image check <image> --detail. This can occur when the image has an allowlisted policy finding.
2 - AnchoreCTL Release Notes - Version 5.0.0
The latest version of AnchoreCTL is 5.0.0.
NOTE: This version of AnchoreCTL only supports Anchore Enterprise 5.0.X. If you’re using Anchore Enterprise 4.9.X, please use AnchoreCTL v4.9.0. For any version of Enterprise prior to 4.9.X, please use the version of AnchoreCTL that is matched to your Enterprise deployment, which is noted in the release notes for each given version of Anchore Enterprise.
AnchoreCTL 5.0.0 is a feature and bug fix release which includes:
- Dependency updates, and general client updates to support Anchore Enterprise v5.0.0
- Change to version scheme, switching to keep the version of AnchoreCTL in line with the version of Anchore Enterprise that the client supports (by semver compatibility)
- Add sub-command for policy update
- Add single Java version column to the table output for Java content
- Remove rbac-url requirement from configuration in support of Anchore Enterprise v5.0.0’s single API feature
- Remove the fix_observed_at date from table output for image vulnerability operation
- Update the inventory watch commands
- Update source policy check output to be more in line with image policy check output
- Fix for some cases where the command could hang or the terminal could get scrambled
Update to Syft 0.90.0, in line with the version of Syft used in Anchore Enterprise 5.0.0
3 - AnchoreCTL Release Notes - Version 4.9.0
AnchoreCTL 4.9.0 is a V2 API-compatibility release that is otherwise identical to 1.8.0.
Warning
AnchoreCTL 4.9.0 is compatible with Enterprise 4.9.x or greater ONLY, since it requires the V2 API. To minimize impact to automated installations, the V2 API compatible AnchoreCTL will not be automatically upgraded using the install script. See Installation for more information.
AnchoreCTL v4.9.0 uses Syft 0.84.1, the same as AnchoreCTL v1.8.0
4 - AnchoreCTL Release Notes - Version 5.0.0-alpha1
NOTE: This is a special pre-release only compatible with Anchore v4.9+.
The purpose of this release is to support customer migration from 4.x -> 5.x by providing both:
- Enterprise V2 API support (no v1 support)
- The same Syft version as Enterprise v4.9.x to ensure consistent analysis results.
Coming Changes for the next GA Release of AnchoreCTL
AnchoreCTL 5.0.0-alpha1 is a pre-release of the upcoming AnchoreCTL 5.0.
Coming changes in AnchoreCTL:
- Move to versioning that is in lockstep with Anchore Enterprise releases
- Migration to using the V2 API in Anchore. This API was released in Anchore 4.9.0.
Update to using Syft 0.84.1
5 - AnchoreCTL Release Notes - Version 1.8.0
The latest version of AnchoreCTL is 1.8.0.
AnchoreCTL 1.8.0 is a feature and bug fix release which includes:
- Adds the ability to create explicit SAML users with user add --idp_name
- Adds the ability to list, activate and deactivate runtime inventory watchers with inventory watch
- Extends image content command to support the type content_search
- Extends image content command to support the type retrieved_files
- Extends image content command to support the type secret_search
- Adds the ability to specify the image platform to retrieve and analyze when using the --from registry source in the image add command so that local analysis can be done on images of a different architecture than the local host where the analysis occurs.
- Add an API version check to prevent accidental use of 1.8.0 against an Anchore V2 API endpoint. See Configuration for more information.
Update to using Syft 0.84.1
6 - AnchoreCTL Release Notes - Version 1.7.0
The latest version of AnchoreCTL is 1.7.0.
AnchoreCTL 1.7.0 is a feature and bug fix release which includes:
- Adds more detail from the Anchore Enterprise service for error responses, exposing the server side error detail to the user
- Adds new formats (spdx, cycloneDX) to the SBOM output options when using the content get options during image add operations
- Add support for new ancestor list command
- Add new recommendation field to policy evaluation table output for the image check operation
- Changed the policy evaluation level of detail from basic to full detail when fetching policy evaluation during image add operation
- Fixed issue where the sbom content was not being fetched when the all type was given to the get option, in the image add operation
Update to using Syft 0.80.0
7 - AnchoreCTL Release Notes - Version 1.6.0
The latest version of AnchoreCTL is 1.6.0.
AnchoreCTL 1.6.0 is a feature and bug fix release which includes:
- Adds ability to generate container image SBOMs using a new ‘--from’ option to anchorectl image add. This removes the need to use Syft with anchorectl. AnchoreCTL can now perform all the analysis itself and upload it to your Enterprise deployment. See Using CLI for Images for more information.
- Adds extra analysis locally in addition to the SBOM generation. Filesystem metadata, secret scans, content scans, and file retrieval are now supported as they are when doing analysis of an image inside an Anchore Enterprise deployment
- The additional analysis features of secret scans, filesystem metadata, and content searches are only compatible with Anchore Enterprise 4.7+
- Fixes the --help output for the ‘completion’ commands to provide correct autocompletion setup guidance
- Fixes duplication of vulns shown when no type is specified in anchorectl image vuln <digest> usage
Update to using Syft 0.79.0
8 - AnchoreCTL Release Notes - Version 1.5.0
The latest version of AnchoreCTL is 1.5.0.
AnchoreCTL 1.5.0 is a bug fix release which includes:
- Updates a help string for subscription update command to include the runtime_inventory subscription type
- Fixes image add <tag> --wait failure with image not found if the same tag is added with another image digest by another client while waiting for the original image to analyze
Update to using Syft 0.75.0
9 - AnchoreCTL Release Notes - Version 1.4.0
The latest version of AnchoreCTL is 1.4.0.
AnchoreCTL 1.4.0 is a feature release which includes:
- Adds full output format option support to ‘source sbom’ command similar to ‘image sbom’ operation, including spdx and cyclonedx formats
- Adds new command to get a list of vulnerabilities in a specific application version across all artifacts (images and sources)
- Adds csv output format for source-repo vulnerability and policy evaluation commands
- Fixes adding of incorrect image to application version when using a tag reference in cases where more than one image with that tag is present in the system
Update to using Syft 0.72.1
10 - AnchoreCTL Release Notes - Version 1.3.0
The latest version of AnchoreCTL is 1.3.0.
AnchoreCTL 1.3.0 is a maintenance release which includes:
- Added SPDX, CycloneDX and other format options alongside the default JSON format, to the ‘image sbom’ fetch operation
- Added CSV format option to ‘image vulnerabilities’ and ‘image check’ operations
- Enable ability to add container images to Anchore Enterprise by image digest
- Add a new ‘CVEs’ column to default table output for ‘image vulnerabilities’ operation for non-CVE findings that refer to one or more CVEs
- Update ‘image add’ from SBOM to respect the --no-auto-subscribe flag
- Fixes segfault when adding application association to an image that is in analyzing state
Update to using Syft 0.62.3
11 - AnchoreCTL Release Notes - Version 1.2.0
The latest version of AnchoreCTL is 1.2.0.
AnchoreCTL 1.2.0 is a maintenance release which includes:
- Support for ‘recommendation’ fields from policy evaluations when used with Enterprise 4.1.1
- Fixed to only show a vulnerability once in anchorectl image vuln when not using the -t/--type option
- Help and command typo fixes
Updated to using Syft v0.58.0
12 - AnchoreCTL Release Notes - Version 1.1.0
The latest version of AnchoreCTL is 1.1.0.
AnchoreCTL 1.1.0 is a maintenance release which includes:
- inventory list command to show all images in the inventory
- compatibility with Syft v0.56.0
Updated to using Syft v0.56.0
13 - AnchoreCTL Release Notes - Version 1.0.0
The latest version of AnchoreCTL is 1.0.0.
AnchoreCTL 1.0.0 represents the first stable release of the tool as the primary CLI for Anchore Enterprise users. Configuration, command structure and capabilities have all been renovated to support the usage of the client by administrators, users, and within scripting environments for automated integration.
Added new administrative command groupings:
- Account commands (add, get, list, delete, enable, disable)
- User commands (add, get, list, delete, set-password)
- Analysis archive rule commands (add, get, list, delete)
- Analysis archive image commands (add, get, list, delete, restore)
- Event commands (get, list, delete)
- Feed commands (list, sync)
- Policy commands (add, get, list, delete, activate)
- Registry commands (add, get, list, delete, update)
- Repo commands (add, get, list, delete, watch, unwatch)
- Subscription commands (get, list, delete, activate, deactivate)
- System commands (status, wait, delete)
The image add and source add commands have been revisited to additionally provide a simple way to extract common data from Anchore Enterprise:
- anchorectl image add <my-image> --get vulnerabilities,content: get a summary of content and vulnerabilities to stdout
- anchorectl image add <my-image> --get all=/path/to/store/results: get policy evaluation, vuln, and content results, and store all raw JSON files to /path/to/store/results
- anchorectl image add <my-image> --get policy-evaluation: will get the policy evaluation results and set the return code to 1 if the policy evaluation is not passing (allowing use as a quality gate)
Added the ability to associate images and sources with an application name and version when adding into the system (e.g. anchorectl image add <my image> --application <name>@<version>).
The UI for all commands has been enhanced to convey intermediate progress and be transparent about actions taken to any result. For instance, using ANCHORECTL_DEBUG_API=true and increasing log levels to “debug” or “trace” (-vv or -vvv) will show individual API events and responses.
The anchorectl.yaml application configuration has changed; use anchorectl --help to see the latest configuration schema.
Added flag to switch output format for most commands to one of text, json, json-raw, or ID
Updated to using syft v0.52.0
14 - AnchoreCTL Release Notes - Version 0.2.0
The latest version of AnchoreCTL is 0.2.0. AnchoreCTL is dependent on Syft v0.39.3 as a library.
The current features that are supported are as follows:
- Ability to add SBOMs via anchorectl using stdin to provide an existing SBOM without re-creating it.
15 - AnchoreCTL Release Notes - Version 0.1.4
The latest version of AnchoreCTL is 0.1.4. AnchoreCTL is dependent on Syft v0.39.3 as a library.
The current features that are supported are as follows:
- Source Repository Management: Generate an SBOM and store the SBOM in Anchore’s database. Get information about the source repository, investigate vulnerability packages by requesting vulnerabilities for a single analyzed source repository, or get any policy evaluations.
- Download full image SBOMs for images analyzed with Enterprise 4.0.0.
- Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the rem tool.
- Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
- Image Management: View, list, import local analysis, and request image analysis by the system.
- Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
- System Operations: View and manage system information for your Enterprise deployment.