Anchore Enterprise Release Notes - Version 2.4.0

Anchore Enterprise 2.4.0

Features & changes of note:

  • Malware scanning capabilities
  • Image ancestry and comparison of an image’s policy and vulnerability findings with a base image
  • New analyzers for binaries not delivered in packages,
  • A “content hints” capability in the analyzers so developers or image builders can pass metadata to augmentation analysis results
  • UI improvements for scanning and deleting repositories with warnings for very large repositories
  • Asynchronous deletion of images
  • A new enterprise extension to the external API, available with base route: /v1/enterprise/

Malware Scanning

Anchore Enterprise now integrates ClamAV for optional (disabled by default) malware scanning of image content during the analysis phase and with policy rules to trigger on findings. This is particularly useful for using Engine to validate external images in an image catalog or “golden repo” where you must guard against both vulnerable and malicious code from external sources.

For more information see: Malware Scanning

Image Ancestry and Base Image Comparisons for Vulnerabilities and Policy Findings

Anchore now provides an API and UI enhancements to show an image’s base image as well as any images in its ancestry. Using this information, Anchore can now also show which vulnerabilities and policy findings are inherited from an image’s base. This allows quicker triage, analysis, and remediation of image findings. See Base Images.

New Binary Content Type

A new binary analyzer will check for and inspect binaries that are often installed outside of package managers. This supports a common use-case of language or runtime-specific base images such as Python and Go images where the runtime is installed via an archive and thus no package db entry exists. The analyzer supports specific binaries that it searches and can get metadata for: Go, Python, and BusyBox.

Once detected, these are checked for vulnerabilities, just like regular packages using the NVD and other non-OS vulnerability sources.

Content Hints

A new “hints” feature allows users to pass specific metadata into the analyzers to help identify and augment content that existing analyzers would not have been discovered. This feature is useful if you have libraries statically compiled into another binary or installed outside of a package manager that you want to tell Anchore about so you can get vulnerability matches for and include them in the image’s content manifests. This is accomplished with a specific JSON file present in the image: /anchore_hints.JSON. The entries are merged into the analyzer results to augment their findings for different content types.

For more information, see: Content Hints

Changed Image Deletion Behavior

Image deletion is now an asynchronous operation and the image_status property in the image record now has possible states ‘active’ and ‘deleting’. Deletion of an image by API call will transition the image record to a deleting status as indicated by the image_status property. Images in that state will be deleted by an asynchronous process on a duty cycle. This approach helps manage database load under a high volume of delete operations and also makes the client-perceived response time much lower.

NOTE: Responses for GET /images and GET /summaries/imagetags do not include images in the deleting state by default, though new query parameters allow those images to be returned in those calls if desired (image_status=deleting or image_status=all)

New API Extension for Enterprise

The engine API is updated to version 0.1.15 There is also a new enterprise extension to the API, available at /v1/enterprise/ that has its own version (0.1.0) and has calls specific to the Enterprise edition. These calls include the new base-image comparison and ancestry API calls.

The swagger spec for this is available from the service using the route: /v1/enterprise/swagger.json

Enterprise Service Changes

Added

  • Changed image deletion to asynchronous behavior to make API more responsive and throttle db load during image deletes.
  • New dry-run mode for repository scan request to return list of tags that would be scanned without scanning or persisting the record.
  • Support for a “hints” JSON file in the image. JSON file to pass additional metadata to augment analyzer findings.
  • Adds API support for deleting multiple images in a single call.
  • Support for malware scanning using ClamAV and new ‘malware’ content type in API and policy gate to trigger on findings as well as scan not run. Disabled by default.
  • Support for content type ‘binary’ with analyzers to detect specific binaries: Python, Golang, Busybox not installed by package manager.
  • Query parameter filters for GET /images calls to filter by image_status and analysis_status.
  • Ability to indicate which vulnerability findings are inherited from the base image.
  • Ability to indicate which policy findings are inherited from the base image.
  • API call to return the ancestor images (parent and base images) for an image.

Improved

  • Change image analysis queue processing behavior to fair share across accounts.
  • Removes image_to_get property in GET body of /images route, since body in GET operations is not standard behavior.

Fixes

  • Handle scratch images correctly in files gate behavior.
  • Add missing fields in swagger JSON spec for GET /query/vulnerabilities.
  • Better handling of java packages missing certain metadata in MANIFEST.MF files.

Additional minor bug fixes and enhancements

Enterprise UI Changes

Added

  • New image count summaries to Image Analysis pages
  • Warning during “Analyze Repo” workflow if repo to be added has a lot of images, allowing users to cancel operation before the analysis is requested to avoid unintentional workload.
  • “Whats New” message on initial login and available in the “About Enterprise Client” selection from Account dropdown in top right of screen.
  • “Binary” content type in Image Contents tab
  • “Golang” content type in Image Contents tab
  • “Malware” content type in Image Contents tab
  • Ability to cancel all pending analyses from a single repository
  • Download for report preview data as JSON and CSV
  • Show image’s base image in Image Overview page
  • Shows which vulnerabilities are inherited from the base image in the Vulnerabilities view
  • Shows which policy findings are inherited from the base image in the Compliance view
  • Images can be deleted via the UI
  • Repository deletion (deletes all image analyses for that repository)

Improved

  • Order accounts by name in Associate Accounts pop-up
  • Analysis status is its own column to allow sorting by analysis status in repository view of tags
  • Adds total image counts to repository view, main page, and tag listing
  • Improved error handling in GraphQL responses for Reports
  • Custom control for relative time filters in reporting

Fixes

  • Some table cell truncations for image digests and other fields in the Image Analysis tab
  • Changelog showing entries when no change is apparent
  • Re-analysis of images that failed analysis
  • Version mismatch after container restart
  • Results shown after whitelisting an item with an inactive bundle

Additional minor bug fixes and enhancements

Upgrading

Built on Anchore Engine v0.8.1: Anchore Enterprise is built on top of the open-source Anchore Engine, which has received new features and updates as well See Anchore Engine Release Notes for information on new features, bug fixes, and improvements in Anchore Engine.


Last modified February 4, 2021: Releasenotes 030 (#277) (44bfc21)