Anchore Enterprise Release Notes - Version 5.7.0
Anchore Enterprise v5.7.0
Anchore Enterprise release v5.7.0 contains targeted fixes and improvements.
Attention
The v5.5.0 release changed the defaults for the feed provider's configuration. The new defaults import results published by Anchore every six (6) hours. This reduces the configuration needed for multiple sources, provides the NVD with Anchore Enriched data, and makes GitHub Security Advisories available to customers that have firewall constraints. Please ensure that you have access to https://enterprise.vunnel.feed.anchore.io for uninterrupted feeds service.
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x -> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.3.0:
  - The upgrade will result in an automatic schema change that will require database downtime. We anticipate that this schema change may take more than an hour to complete, depending on the amount of data in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS-enabled hosts and your database is hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
- If upgrading from a release in the range of v5.4.x - v5.6.x:
  - The upgrade will result in an automatic schema change that will require database downtime. We expect that this could take up to 2 hours, depending on the amount of data in your system.
Improvements
- Adds the ability for users to override the base image used throughout the system. This is accomplished by adding the image annotation `anchore.user/marked_base_image` to the image.
  - API endpoints `/v2/images/{image_digest}/check` and `/v2/images/{image_digest}/vuln/{vuln_type}` now take `auto` as a value for the `base_digest` parameter. This allows the system to determine which ancestor will be used as the Base Image.
  - This feature is enabled by default in v5.7.0. To disable this feature, set `services.policy_engine.enable_user_base_image` to `false` in the values.yaml file.
- API access for users configured for `native` access can now be disabled by setting `anchoreConfig.user_authentication.disallow_native_users` to `true` in the values.yaml file.
- Adds info level log messages to runtime inventory post handlers.
- Improves the report Vuln ID Filter description to include CVEs.
- Removes the `image_cpes` database table, which is no longer used and can consume a large amount of database space.
- Improves validation of object_store and analysis_archive settings during startup.
- The response object of GET `/v2/rbac-manager/my-roles` now includes more detail about the account for each role.
- Admin users can now create an API Key that can be used to manage Accounts, User Groups and RBAC Roles.
- Reduced the size of the Enterprise Image.
Fixes
- The `Fix Observed At` value on vulnerabilities from all ecosystems now displays correctly.
- Deployments using `db` as their object store driver will now be able to store large objects over 1GB in size. This means very large SBOMs will now store successfully.
- Addresses an issue where account deletion didn't fully clean up database artifacts stored for the account, for example some reporting data.
- The CycloneDX SBOM now contains the `bom-ref` field as part of the output.
- Allows users with `read-only` or `read-write` RBAC Authorization to have the following permissions: `getECSContainers`, `getECSServices`, `getECSTasks`, `getKubernetesClusters`, `getKubernetesVulnerabilities`, `listRuntimeInventories`, `getKubernetesNamespaces`, `getKubernetesContainers`, `getKubernetesNodes`, `getKubernetesPods`.
- Fixes an issue in the `policy_creation` counter found in the `GET /v2/system/statistics` endpoint.
- Explicit SAML Users are now allowed to use the `:` character in usernames.
- Account names are now prevented from being created with the `#` character.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- Package Feeds and Policy Gates for `Ruby Gems` and `NPMs` are now deprecated. Please contact Anchore Support for more information.
UI Updates
Improvements
The login page has been updated with a new design that uses tabs to switch between configured authentication methods. When multiple authentication methods are available, tabs are shown for each available method. The user’s last-selected method is remembered and shown as the default tab on subsequent visits.
Anchore Enterprise now supports a Single Sign-On (SSO) only mode. This mode allows administrators to disable the local authentication mechanism, which removes the default login form. This is an opt-in feature enabled by setting the `sso_auth_only` configuration option to `True`.
The Analyze a Tag control has been updated to allow users to provide a SHA256 digest for the image they wish to analyze. This feature is useful when you only want to analyze a specific image. In addition, you can now populate the Registry, Repository, and Tag fields by pasting a pull string (e.g., `docker pull docker.io/library/alpine:latest`) in the inline control provided.
The reported base image in the Artifact Analysis view now reflects changes made within our platform services, whereby the system can either make the determination automatically or have the base image specified by an `anchore.user/marked_base_image` annotation associated with an image in the ancestry.
Fixes
Previously, the selected default entry in the table page size dropdown was not being set correctly when opened, and was defaulting to the first entry. This has now been addressed.
Our application security policies have been updated to prevent client-side caching and the execution of arbitrary code within our dependent packages via `eval()`. The HTTP Strict Transport Security (HSTS) header has been added to enforce the use of HTTPS connections and to remove the ability for users to click through warnings about invalid certificates.
Within Artifact Analysis, when the route for this view (and the associated compliance data request) contained the fat manifest digest, the `image_digest` returned would still be the platform-specific digest. This caused an equality check against the route to fail. This has now been fixed.
The Vulnerability ID filter description has been updated to clarify that it filters the Vulnerability and CVE fields.
The Delete Events modal within the Events tab was successfully deleting events in batches, but the progress bar was not visually updating to indicate this. This has now been fixed.
The calculation in the Dashboard view that describes how many vulnerabilities were affecting how many repositories was inaccurate because the summarization included duplicate entries. This was a consequence of different vulnerabilities against the same repository advancing the repository count. This has now been corrected.
An issue with the policy allowlist data payload was preventing updates (such as removals) from taking place against allowlists displayed by the associated dialog in the Artifact Analysis view. Now fixed.
The donut chart displayed in the printable version of the Policy Compliance tab in the Artifact Analysis view was not positioned correctly. This has now been fixed.
Boolean values for annotations are now displayed correctly.
The Twitter social media logo has been updated to 𝕏 to reflect the change in brand and name.
Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.7.0 | v2.8.0 | With Syft v1.7.0 and Grype v0.79.1 |
Enterprise Feeds | v5.7.0 | v2.7.0 | |
Enterprise UI | v5.7.0 | | |
AnchoreCTL | v5.7.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.1 | v0.0.7 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.6.2 | v0.4.2 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.2 | v0.6.2 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.1.2 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.3.3 | | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v4.0.0 | | docker.io/anchore/enterprise-gitlab-scan:v4.0.0 |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Last modified July 21, 2024