Anchore Enterprise Release Notes - Version 5.2.0

Anchore Enterprise v5.2.0

Anchore Enterprise release v5.2.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

If upgrading from a v5.x release, a database update is required.

If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.

  • Enterprise v5.2.0 requires Postgres 13 or greater.
  • Enterprise v5.2.0 requires that the previous version was Enterprise v4.0.0 or greater. We strongly recommend that you upgrade to Enterprise v4.9.5 before attempting this upgrade.
  • Enterprise v5.2.0 requires the use of the Enterprise Helm Chart. Please see the table below for the compatible version.
  • Enterprise v5.2.0 requires that you upgrade your integrations and client. Please see the table below for compatible versions.

Improvements

  • RBAC Roles
    • Adds a new system role called account-viewer. This role allows the user to list all the accounts within Anchore Enterprise. Authorization to bestow this role is restricted to system administrators.
  • Reports
    • Provides a configuration variable, services.reports.use_volume, which directs the Report Service to use disk space instead of memory while generating reports.
    • The “Inherited From Base” field is now available in the vulnerability-related reports, including:
      • Artifacts by Vulnerability
      • Images Affected by Vulnerability
      • Runtime Inventory Images by Vulnerability
      • Tags by Vulnerability
      • Vulnerabilities by ECS Container
      • Vulnerabilities by Kubernetes Container
      • Vulnerabilities by Kubernetes Namespace
    • Improves the performance of the Kubernetes Namespace Vulnerability Loader within the Report Worker Service.
  • API
    • Adds a /system/statistics endpoint to return various system statistics and counters over time.
    • The /images/{image_digest}/vuln/{vuln_type} endpoint provides a query flag, include_vuln_description, that indicates when to include the vulnerability description field in the response.
    • Provides a new field, password_last_updated, in the response of /accounts/{account_name}/users.
  • API Keys
    • Provides a configuration variable, user_authentication.remove_deleted_user_api_keys_older_than_days, which determines the number of days API Keys will remain in the database.

Fixes

  • Corrects the recorded start time of a Scheduled Query's generation in the unlikely event that the system restarted the report.
  • Addresses an issue with the RedHat vulnerability data provider not automatically updating OVAL files, which prevented getting accurate fix version information for appstream packages in RHEL 9.
  • Addresses an issue with the grype-db matching logic for RHEL 9 that resulted in false positives. Specifically, RHEL 9’s default stream no longer reports a modularity.
  • API endpoint /images/{image_digest}/content/java returns a version format consistent with the output from AnchoreCTL.
  • Fixes an issue where the services.reports_worker.data_egress_window was not working correctly for the runtime reports.
  • Fixes a failure when importing Source SBOMs that refer to poetry.lock or Python requirements files.
  • An interrupted report generation will now error out correctly instead of trying to persist a partially generated report.
  • Fixes an issue where CVE-2023-44487 would show the incorrect severity.
  • Licenses for all package content types are now returned when available.
  • The Cpes property returns a list of strings or an empty list for all package content types.
  • Reintroduced the Policy Evaluation Cache which aids in better evaluation performance.
  • Logging
    • Reduces the number of log warning messages for orphaning services.
    • Suppresses an SQLite exception that was not impacting the system.
    • Removes an incorrect error message in the Reports Service that read: “Could not trigger reports_image_refresh after multiple retries. Will retry on next cycle”.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.

UI Updates

Improvements

  • Administrators can now assign the system-wide account-viewer role to users. This role allows users to list all accounts in the system and is intended for programmatic access to the Anchore API.

  • Administrators can now view the last time a user password was changed from the summary table in the Accounts view.

  • The error indicator for a failed report has been updated to provide more information about the failure.

  • From within the new Data Management view, administrators can now set policies to determine the removal schedule for images in the system across all accounts. The policies allow you to specify the number of days to retain images, based on either presence in the runtime inventory or their presence globally.

  • Logs are now written to a file (by default in the /var/log/anchore directory) in addition to the console. The logs are rolled once a maximum capacity of 10Mb is reached, and the last 10 log files are retained. In addition, outbound requests made by the application to our Anchore Enterprise API now display the request identifier used within our services, which can be used to correlate the UI request with the platform service logs.

  • A Licenses column has been added to the Java sub-tab.

  • The "Inherited From Base" field has been added as a default to a variety of vulnerability-related reports including:

    • Artifacts by Vulnerability
    • Images Affected by Vulnerability
    • Runtime Inventory Images by Vulnerability
    • Tags by Vulnerability
    • Vulnerabilities by ECS Container
    • Vulnerabilities by Kubernetes Container
    • Vulnerabilities by Kubernetes Namespace

Fixes

  • Administrators who switch into a different (non-administrative) account context are no longer able to create global reports in that account.

  • Previously, when a saved report was reconfigured (for example, by changing the name or description), the filter details would be dropped from the AppDB record, preventing the report from being viewed (although it would still be available for download). This issue has now been fixed.

  • Administrators who are authenticated via LDAP are now able to create and manage API keys for non-LDAP administrative and standard users (although not for themselves, because we currently don’t support API Key self-service for LDAP authenticated users).

  • Various supporting libraries have been updated to improve security and performance, and to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

Component                         Supported Version   Additional Info
Enterprise                        v5.2.0              With Syft v0.101.1 and Grype v0.74.3
Enterprise UI                     v5.2.0
AnchoreCTL                        v5.2.0              Deploying AnchoreCTL
Enterprise Helm Chart             v2.3.0              https://github.com/anchore/anchore-charts
Anchore ECS Inventory             v1.2.0              https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventory      v1.1.1              https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller   v0.5.0              https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                    v1.1.2              https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter            v1.2.0              https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scan            v4.0.0              https://github.com/anchore/enterprise-gitlab-scan

Last modified February 20, 2024