Anchore Enterprise Release Notes - Version 4.8.0

Anchore Enterprise v4.8.0

Anchore Enterprise release v4.8.0 contains targeted fixes and improvements. A database update is needed.

Upcoming Enterprise v5.0.0 Announcements

Enterprise Service Updates

Improvements

  • Reporting

    • Vulnerabilities by Kubernetes Containers is a new report template which will allow you to view and filter on vulnerabilities found within a Kubernetes Container. The report will populate only if you have deployed the new anchore-k8s-inventory.
    • Vulnerabilities by ECS Containers is a new report template which will allow you to view and filter on vulnerabilities found within an ECS Container. The report will populate only if you have deployed the new anchore-ecs-inventory.
    • Vulnerabilities by Kubernetes Namespace report now displays the Anchore Account Name.
  • Configuration

    • A new configuration option is available that can show a significant reduction in resource usage. It is available for customers that do not use the /v1/query/images/by_vulnerability API.
      • Setting this configuration option to false will:
        • Disable the /v1/query/images/by_vulnerability API and return a 501 code if called.
        • Disable the SBOM vulnerability rescans which occur after each feed sync. It is these rescans that populate the data returned by the API.
      • Customers who are using the /v1/query/images/by_vulnerability API are encouraged to switch to calling the ImagesByVulnerability query in the GraphQL API. This query provides equivalent functionality and will allow you to benefit from this new configuration option.
      • Docker Compose users can set the environment variable ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY to false in the policy engine.
      • Helm users can set the services.policy_engine.enable_images_by_vulnerability_api key in config.yaml.

Fixes

  • Improved operating system matching prior to determining if a CVE should be reported against an image.
  • CVSS Scores from NVD are now preferred over other sources. This provides a more consistent end user experience.
  • Addressed a failure to properly generate the Policy Compliance by Runtime Inventory report while using the new anchore-k8s-inventory agent.
    A symptom was that the Compliance and Vulnerability Count fields within the Kubernetes tab remained in Pending state.
  • Switched the archive delimiter in malware scan output from ‘!’ to ‘:’ so that the output is easy to copy and paste into a shell.
  • Improved a few misleading internal service log messages.
  • Fixed an issue that resulted in a scheduled query, with a qualifying filter, failing to execute. Examples of filters which will result in this failure:

| Query Name | Filter Name |
| --- | --- |
| Tags by Vulnerability | Vulnerability Last; Tag Detected In Last |
| Images Affected By Vulnerability | Vulnerability Last; Tag Detected In Last; Image Analyzed In Last |
| Artifacts By Vulnerability | Vulnerability Last; Tag Detected In Last |
| Policy Compliance History by Tag | Tag Detected In Last; Policy Evaluation Latest Evaluated In Last |
| Policy Compliance by Runtime Inventory Image | Policy Evaluation Latest Evaluated In Last |
| Runtime Inventory Images by Vulnerability | Vulnerability Last; Image Last Seen In |
| Unscanned Runtime Inventory Images | Last Seen In |

UI Updates

  • The Watch Repository toggles displayed in the registry and repository view tables under Images can now be suppressed when the enable_add_repositories property in config-ui.yaml is set to False for admin or standard accounts. This and other parameters contained in the UI configuration file are described here.
  • The Vulnerabilities by ECS Container report template has been added. It allows you to search for a specific vulnerability across ECS containers and view a list of the clusters, services, tasks and containers that are impacted by the vulnerability.
  • The Vulnerabilities by Kubernetes Container report template has been added. It allows you to search for a specific vulnerability across Kubernetes containers and view a list of the clusters, services, tasks and containers that are impacted by the vulnerability.

Fixes

  • References to Anchore Engine have been removed and replaced app-wide with Anchore Enterprise Services.
  • A fix has been applied for an issue where a read-only user was not able to manage registry credentials in another context even when they had a full-control role associated with that account.
  • An Account Name filter has been added to the Kubernetes Runtime Vulnerabilities by Namespace report template, and improved descriptions have been provided for the Label and Annotations filters
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

| Component | Recommended Version |
| --- | --- |
| Enterprise | v4.8.0 |
| Enterprise UI | v4.8.0 |
| Helm Chart | v1.26.0 |
| AnchoreCTL | v1.7.0 |
| anchore-k8s-inventory | v1.0.0 |
| anchore-ecs-inventory | v1.0.0 |
| KAI (Deprecated) | v0.5.0 |
| Kubernetes Admission Controller | v0.4.0 |
| REM (Remote Execution Manager) | v0.1.10 |
| Harbor Scanner Adapter | v1.0.1 |
| Jenkins Plugin | v1.0.25 |

Last modified October 27, 2023