Anchore Enterprise Release Notes - Version 4.4.0

Anchore Enterprise 4.4.0

Anchore Enterprise release v4.4.0 contains targeted fixes and improvements. A Database update will be required.

Please Note: If you are upgrading from an Anchore Enterprise version prior to v4.2.0, there is a known issue that will require you to upgrade to v4.2.0 or v4.3.0 first. Once completed, you will have no issues upgrading to v4.4.0. Please contact Anchore Support if you need further assistance.

Enterprise Service Updates

Improvements

  • The AnchoreCTL binary for linux x86 is now packaged into the docker.io/anchore/enterprise image for use via direct ’exec’ invocation or to copy from the image into your environment without having to access external networks. The packaged binary will be the current release of AnchoreCTL at the time of release of Enterprise.

  • Configuration Options

    • enable_package_db_load is a new configuration option that will allow users to disable the use of the package.verify policy trigger. Disabling this trigger, will prevent further additions in the image_package_db_entries table, which will reduce load on the database. In addition, users may now safely delete the existing entries in the table and reclaim database capacity usage. See Database for more details.
    • A new option for users to specify the endpoint used for the Ubuntu Feed Driver. See Feeds for more information.
  • Enterprise API now supports the ability to download SBOMs in SPDX Format and CycloneDX Format.

    • /images/{imageDigest}/sboms/spdx-json
    • /images/{imageDigest}/sboms/cyclonedx-json
    • /sources/{source_id}/sbom/spdx-json
    • /sources/{source_id}/sbom/cyclonedx-json
  • A new Image Ancestry Policy Gate has been added. Allows the user to verify that a specified image contains an approved base image. See Policy Checks for complete details.

  • Binary detection is now consistent between uploaded SBOMs generated by AnchoreCTL and SBOMs generated by the backend Enterprise Service.

  • Tech Preview: Enterprise Reporting provides a global endpoint which will allow administrators to generate queries that will include data from all accounts. See Reports from more details.

  • Vulnerability data is now available from Feed Group - Ubuntu 22.10 (Kinetic Kudu).

Fixes

  • Vulnerability feed group information is now populated at time of switch-over. This should address issues with displaying the vulnerability group record counts in systems with a large number of active images.
  • Addressed an error path exception in the Application Version Vulnerability API.
  • Addressed a parsing issue within the execution of Policy Gate retrieved files with Trigger content regex.
  • Schedule Report generation will gracefully handle an error found in a report and continue with the generation of other reports.
  • Properly account for rolling distros (currently Wolfi) when evaluating the vulnerabilities.vulnerability_data_unavailable trigger.
  • Addressed an analysis failure during SBOM generation for certain images with cycles of soft links.

Deprecation Reminders

  • The anchore-cli python client has been deprecated as of Enterprise Release v4.2.0. It will be removed from the docker.io/anchore/enterprise image during the v4.5.0 Release. AnchoreCTL is the only supported command line tool for interacting with Anchore Enterprise.

UI Updates

Improvements

  • Reporting
    • Prometheus logging has now been added to the application with the following data now being captured and reported:
    • General node process metrics
    • Number of active sessions
    • Count of HTTP requests, split by endpoint and status code
    • HTTP request duration
    • Latency of each service, calculated during every health check cycle
  • Configuration
    • Sessions will now preferentially use OAuth tokens to provide and maintain ongoing authentication state
    • In the event that the token dispensation is not possible when the user logs in, the system will fall back to using basic authentication
    • Added confirmation toast on dashboard widget creation
    • Updated various supporting libraries to improve security and performance
    • Redundant libraries have been removed to reduce the app startup time and overall size

Fixes

  • Reporting
    • Schedules that contain queries with data enumerations can now be saved properly
  • Configuration
    • Increased the opacity on both the filter input and the sort dropdown when either are in a disabled state-that is, when no application data exists
    • This ensures the text is legible while still clearly indicating the inactive state
    • Policy Editor Evaluation correctly updates after changes are applied
    • RBAC rules are now correctly applied to the radio button used to change the active bundle
    • Copy bundle modal would now allow all key events
    • Service errors and access control errors are now properly articulated
Last modified September 6, 2024