Anchore Enterprise Release Notes - Version 4.2.0

Anchore Enterprise 4.2.0

Anchore Enterprise release v4.2.0 contains targeted fixes and improvements. A Database update will be required.

Enterprise Service Updates

Improvements

  • SSO feature enhancements includes
    • The ability for an Anchore administrator to create another user in the admin account who will authenticate using SSO/SAML enabling use of 2FA and other SSO security mechanisms.
    • A strict mode which will require SAML users to be configured in Anchore Enterprise prior to user login as an alternative to the existing behavior that creates Anchore users at login time only. This allows administrators to restrict login access for SSO users to only those users specifically allocated by the Anchore admin.
    • See https://docs.anchore.com/current/docs/configuration/sso/ for additional information about SSO.
  • Adds detection of non-packaged node.js binaries during image analysis to support sbom and vulnerability scanning.
  • The Reporting Service now offers the ability to show and filter on vulnerabilities that the vendor of an image distribution either disagrees with or has decided not to fix. This matches the ‘vendor_only’ filtering behavior of the vulnerability APIs and AnchoreCTL.

Fixes

  • Fixed an issue where the analysis queue processing stops. This was seen in environments with multiple Catalog, Policy Engine, and Analyzer Containers running.
  • Populates fix information per module for rpm-based feeds such as oracle, rhel, and centos. The rpm modularity is now taken into account when matching rpm packages to vulnerabilities.
  • Make RedHat/CentOS AppStream modules fully supported for vulnerability matching with reduced false positives and more accurate fix versions.
  • Improved error handling during SSO IDP Configuration changes.
  • During the creation of an SSO default account, the default policy bundles are correctly populated.
  • Improved error handling in the MSRC feed driver so that invalid records are skipped and processing will continue for other records.

Feature Removal

  • Removed the Kubernetes Runtime Inventory Embedded mode, and associated cluster configuration APIs. This feature saw limited usage and the same goal can be accomplished by deploying KAI into the cluster directly in inventory mode. See https://docs.anchore.com/current/docs/configuration/runtime_inventory/ for more information about configuring KAI in agent mode.

Deprecation Reminders

  • The anchore-cli python client will be deprecated as of Enterprise Release v4.2.0. AnchoreCTL will be the only supported command line tool for interacting with Anchore Enterprise.

UI Updates

Improvements

  • The UI now supports the creation and configuration of administrators who can authenticate directly using Single Sign-On (SSO). In addition, administrators in deployments that have been configured to use exclusionary account assignment by disabling “Just-in-Time” account provisioning for SSO can now associate specific standard users with an individual IDP.
  • For environments where analytical volume is extremely high, the Kubernetes page now provides an optimized presentational view that excludes information from the reporting services. This version of the view can be enabled via the file- or environment-based Enterprise Client application configuration parameters.
  • The Vulnerabilities tab now provides a client-side filter for Vendor Only CVEs that is enabled by default. When disabled, the full vulnerability dataset is now displayed. Upon disabling the filter, a new Will Not Fix column is will be displayed within the results table.
  • A Vulnerability Will Not Fix filter has been added to the following base templates in the Scheduled Reports view:
    • Images With Critical Vulnerabilities
    • Artifacts by Vulnerability
    • Tags by Vulnerability
    • Images Affected by Vulnerability

Fixes

  • In previous versions, setting a boolean filter to true in Quick Reports would not get correctly passed to the web service. This is now fixed.
  • Users with the policy-editor role should not have access to the Artifact Analysis view. Although the associated navbar icon was correctly disabled, users could still access the page (albeit in read-only mode) directly via the URL. This behavior has now been addressed.
  • The Only Show toggles in the Vulnerabilities tab of the Artifact Analysis view provide a number of filters that can reduce the number of items displayed. When applied, the table updates accordingly—however, prior to this fix the graph and vulnerability severity summary counts did not. This issue has now been addressed.
  • Prior to this fix, if a user encountered an error when saving a policy, there was no way for them to fix the error and save the policy again because the Save button remained disabled. Users can now attend to the error and save the policy.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Last modified October 27, 2023