Anchore Enterprise Release Notes - Version 5.1.0

Anchore Enterprise v5.1.0

Anchore Enterprise release v5.1.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

If upgrading from a previous v5.x release, a database update is required.

If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.

  • Enterprise v5.1.0 requires Postgres 13 or greater.
  • Enterprise v5.1.0 requires that the previous version was Enterprise v4.0.0 or greater. We strongly recommend that you upgrade to Enterprise v4.9.3 before attempting this upgrade.
  • Enterprise v5.1.0 requires the use of the Enterprise Helm Chart. Please see the table below for the compatible version.
  • Enterprise v5.1.0 requires that you upgrade your integrations and client. Please see the table below for compatible versions.

Improvements

  • Global Artifact Lifecycle Policy
  • API Keys
    • Support for API Keys. API Keys are manually generated credentials used to authenticate with Anchore Enterprise. For more information, please see API Keys.

      Note: This feature is not currently available for users who have authenticated using LDAP

  • Vulnerabilities
    • Provide additional vulnerability matching for goCompiledVersion.
    • Provide vulnerability matching for pre-released versions of Debian.
    • Support capture of vulnerability data for Ubuntu 23.04 (Lunar Lobster) and Ubuntu 23.10 (Mantic Minotaur) once publishing commences from Canonical.
  • Analysis
    • All namespaced Python packages are persisted during analysis, which improves the display of the installed location for Python packages.
  • Reports
    • Report generation can be scaled out to multiple report pods.
    • Runtime reports now work with the enable_data_egress and data_egress_window configuration options. Please review Reports for more information.
    • Improved report service logging to provide better error messages.
    • Runtime report filters for Labels now support multiple labels.
  • RBAC Roles
    • image-lifecycle - permissions around management of archival rules.
    • registry-editor - permissions to manage private registry credentials.
  • General System Improvements
    • Improve memory profile and behavior in the API service.
    • Improve logging within the feed service.
    • Provide clear logging of the service version and db schema during startup.

Fixes

  • Better error handling for policies that are missing data from the document store.
  • Ability to execute a software downgrade from a patch release to a release within the Major.Minor version numbers.
  • Prevent a deadlock when two agents are reporting inventory from the same Cluster/Namespace.
  • If report generation exceeds the configured timeout, the execution record will be marked as timed out and processing will be halted to allow other scheduled reports to start.
  • Vulnerability matching now properly accounts for maven versions according to the maven spec rather than the plain semver spec.
  • Fixed an issue that prevented new Windows OS containers from being analyzed properly.
  • Image digests will now match when an image is analyzed within Enterprise (centralised analysis) and the image SBOM is imported via AnchoreCTL (distributed analysis).
  • If an error occurs during database upgrade, the error will be elevated to the pod to prevent it from starting.
  • An image import that contains secret or content search results will now have the correct line number and name translations.
  • Fix a grypedb digest mismatch that can occur when Policy Engine syncs with the Feed Service.

UI Updates

Improvements

  • API Token Support
    • Users can now create and manage API keys for use with the Anchore API. Administrators can control the keys for all users from the System > Accounts view, and all users can create or revoke their own keys from the dropdown menu in the top navigation bar.

      Note: This feature is not currently available for users who have authenticated using LDAP

  • Application Vulnerabilities
    • Vulnerabilities data for an application group can now be downloaded in JSON format from the Applications view
  • The Artifact Analysis view now indicates, if available, the fat manifest ID associated with the currently selected artifact in the breadcrumb trail
  • The Artifact Analysis > SBOM view now includes a Version column in the Java sub-tab
  • Reports
    • The Vulnerabilities by ECS Container report now provides the Will Not Fix and Last Seen fields
    • The Vulnerabilities by Kubernetes Container report now provides the Last Seen field
    • The Fix Observed At field has been added as a default to a variety of vulnerability-related reports
    • Help text improvements have been made to the filters associated with runtime-related reports
  • Accounts
    • The email address associated with an account can now be updated by an administrator
    • The roles provided in the user-creation dialog within an account are now alphabetically sorted
  • UI Theme
    • A dark theme has been added to the application. This can be enabled by clicking the Dark Mode toggle in the top right of the UI. By default, the theme will follow the system theme, but it can be overridden by the user.

Fixes

  • Reports
    • Any previous errors are now cleared when the configuration dialog is opened. In addition, the title of the dialog no longer changes as a new name is entered.
    • The Report Results page displayed the execution schedule as UTC, which was inconsistent with the information shown in the Saved Reports view, where it is converted to the local timezone. Now fixed.
  • Licenses are now displayed correctly in the Artifact Analysis > SBOM view; previously they would be displayed as Unknown
  • Image Selection
    • A significant performance improvement has been applied to the repository summary operation that presents the interstitial dialog when adding a repository
    • Clicking an enabled alert subscription toggle for tags that inherit their subscription state from their parent repository would not disable the subscription for the tag; instead, a new subscription would be added for that specific tag, with another tag required to actively disable the entry. This has now been fixed
  • Various supporting libraries have been updated to improve security and performance, and to remove deprecation warnings from both browser and server output logs. Redundant libraries have been removed to reduce the application’s startup time and overall size.

| Component | Supported Version | Additional Info |
|---|---|---|
| Enterprise | v5.1.0 | With Syft v0.97.1 and Grype v0.73.3 |
| Enterprise UI | v5.1.0 | |
| AnchoreCTL | v5.1.0 | Deploying AnchoreCTL |
| Enterprise Helm Chart | v2.2.0 | https://github.com/anchore/anchore-charts |
| Anchore ECS Inventory | v1.2.0 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.1.1 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.5.0 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v1.1.0 | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.2.0 | https://github.com/anchore/harbor-scanner-adapter |
| enterprise-gitlab-scan | v4.0.0 | https://github.com/anchore/enterprise-gitlab-scan |

Last modified February 20, 2024