Anchore Enterprise Release Notes - Version 4.9.0

Anchore Enterprise v4.9.0

Anchore Enterprise release v4.9.0 contains targeted fixes and improvements. A database update is required.

Upcoming Enterprise v5.0.0 Announcements

Enterprise Service Updates

Improvements

  • Anchore Enterprise V2 API is now available for use.
    • The V2 API has been provided for early adoption for any customer who has custom integrations or scripts that may directly access the V1 API. This will provide extra time to migrate to the new V2 API endpoints prior to the official Enterprise v5.0.0 release.
    • The V1 APIs were distributed across several files and have now been consolidated into the single V2 API.
      • Anchore API Swagger
    • The following V1 APIs have been deprecated:
      • Enterprise API Swagger
      • Engine API Swagger
      • Notifications Swagger
      • RBAC Manager Swagger
      • Reports Swagger
    • For more details about the Anchore Enterprise V2 API, and to view the V2 swagger, please visit API Usage.
  • The Kubernetes and ECS runtime inventory ingest path has received performance enhancements.
  • Reports
    • Scheduled Queries now provide an executionsLimit filter.
    • Performance and memory-consumption improvements were made to the following reports:
      • Vulnerabilities by Kubernetes Namespaces
      • Vulnerabilities by Kubernetes Containers
      • Vulnerabilities by ECS Containers
    • Added several new metrics within the report service. These are now available via Prometheus.
  • Configuration
    • The maximum image import size is now configurable; the default is 100 MB.
      • Docker Compose users can set the environment variable ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB
      • Helm users can modify max_import_content_size_mb
    • The maximum source repository import size is now configurable; the default is 100 MB.
      • Docker Compose users can set the environment variable ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB
      • Helm users can modify max_source_import_size_mb
    • Provided a configuration option to bypass object store content checks. This was provided to aid our customer support team during specific triage. Please contact customer support for additional information.
  • Policy Engine can now capture and persist additional metadata for vulnerabilities reported by the vulnerability provider sync. The following observed dates are persisted:
    • The date on which a vulnerability within a provider namespace is first observed by Enterprise via the vulnerability provider sync.
    • The date on which a specific package fix is first observed by Enterprise via the vulnerability provider sync. This “fix observed date” is used during policy evaluation of the max days since fix check, giving a more consistent result across all newly analyzed image and source SBOMs.
  • Vulnerability data for Ubuntu 23.04 (Lunar Lobster) and Ubuntu 23.10 (Mantic Minotaur) will be captured once Canonical begins publishing it.
  • Added support for Mariner vulnerability data.
  • If a Vunnel provider fails, the system still produces a new sync, using the previous data for the failing provider and the new data from the other providers. Messaging around failing providers has also been improved.
  • Improved Java matches for source SBOMs by capturing more metadata during SBOM imports.
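The provider fallback described above, as an added illustration that is not Anchore's own code: a sync merge that keeps a failing provider's previous records, takes fresh records from the providers that succeeded, and reports which providers are stale or had nothing to fall back to. Provider names and record ids below are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed shape, not Anchore's data model: each provider maps to the
# list of vulnerability record ids it produced on a sync.
ProviderData = dict[str, list[str]]


@dataclass
class SyncResult:
    data: ProviderData
    stale: list[str] = field(default_factory=list)    # fell back to previous data
    missing: list[str] = field(default_factory=list)  # failed with no previous data

    def messages(self) -> list[str]:
        """Operator-facing messages for providers that did not sync cleanly."""
        out = [f"provider {p} failed; reusing data from the previous sync" for p in self.stale]
        out += [f"provider {p} failed and has no previous data; skipped" for p in self.missing]
        return out


def merge_provider_sync(previous: ProviderData,
                        fresh: dict[str, list[str] | Exception]) -> SyncResult:
    """Build the next dataset from the previous sync and a new fetch attempt.

    `fresh` maps each attempted provider to its new records, or to the
    exception its fetch raised.  A provider that failed, or that was not
    attempted at all, keeps its previous records; one with nothing to fall
    back to is dropped and reported rather than aborting the whole sync.
    """
    result = SyncResult(data={})
    for provider in sorted(set(previous) | set(fresh)):
        outcome = fresh.get(provider, RuntimeError("not attempted"))
        if not isinstance(outcome, Exception):
            result.data[provider] = list(outcome)      # fresh data wins
        elif provider in previous:
            result.data[provider] = list(previous[provider])
            result.stale.append(provider)              # keep last good data
        else:
            result.missing.append(provider)            # nothing to fall back to
    return result
```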

Fixes

  • Reports
    • Fixed an error raised while loading data for the ECS Container Report Table and Kubernetes Container Report Table when a container stops being reported for long enough to be removed from the Catalog and is then reported again.
    • The report service no longer triggers an out of memory error when running larger runtime workloads.
  • The Archive Image Delete force flag now works even when the image is in the archiving state.
  • ECS Inventory that contains both tasks belonging to a service and standalone tasks is now accepted correctly.
  • Fixed an issue where the Ubuntu provider failed to sync when the git repo had untracked files present.
  • Addressed an issue where distroless images reported incorrect findings from other catalogers.
  • Correctly handled the Ubuntu CVE Tracker labeling change that indicates end of life. Previously this could cause unfixed CVEs to be missing from the data.
  • Modifying the value of the Catalog’s resource_metrics cycle timer is now honored.
  • API call POST /v1/enterprise/stateless/sbom/vuln/{vtype} now works as expected.
  • Vulnerability transitions from affected to not-affected within the RHEL provider are now handled properly.

UI Updates

Fixes

  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Component                                     Recommended Version
Enterprise                                    v4.9.0
Enterprise UI                                 v4.9.0
Engine Helm Chart                             v1.27.0
AnchoreCTL (V1 API Compatible)                v1.8.0
AnchoreCTL (V2 API Compatible)                v4.9.0
anchore-k8s-inventory                         v1.1.1
anchore-ecs-inventory                         v1.1.0
KAI (Deprecated)                              v0.5.0
Kubernetes Admission Controller               v0.4.0
REM - Remote Execution Manager (Deprecated)   v0.1.10
Harbor Scanner Adapter                        v1.2.0
Jenkins Plugin                                v1.0.25
Last modified November 16, 2023