This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Anchore Enterprise Release Notes - Version 2.3.0

This release focuses on enabling the Microsoft ecosystem within Anchore to allow the same analysis flow and pipelines that you use for linux images to be applied to Windows images as well for a consistent approach across ecosystems. It also includes several enhancements to the reporting and event management features of the UI.

New Features

  • Windows Container Image Support

    • Analyze and get vulnerabilities for Windows OS-based containers. Anchore ingresses Microsoft vulnerability data via the MSRC
    • No requirement to run Anchore itself on windows or other changes to the infrastructure needed to deliver this feature
  • NuGet/.NET Package Support (Tech Preview)

    • Detection and inclusion in analysis output as well as vulnerability scans
  • GitHub Advisories vulnerability data

    • See Configuring GitHub advisories for information on configuring the new feed including creating a GitHub token the driver can use for API calls to GitHub.
  • Scheduled Reports

    • Create report templates for easy re-use of your most frequently used reports
    • Schedule reports for generation and get notifications when they are ready, delivered via Slack, email, webhooks, and the other supported notification integrations Enterprise provides.
  • Event Management in the UI

    • Improved sorting, filtering, and deletion of events in the UI directly
  • Improved RHEL/CentOS vulnerability matching using CVE-based feeds instead of RHSA-based data

    • To help provide early detection of vulnerabilities before a fix is available or for issues where a fix is not issued, Anchore now uses RedHat’s CVE information instead of RHSA information
    • This also provides improved whitelist consistency between RHEL/Centos and images based on other distros since CVEs are consistent
    • For more details see RHSA-to-CVE Feed Change
  • Improved feed data and configuration management via APIs and CLI

    • New APIs and CLI commands allow dynamic configuration of which feeds to sync and the ability to enable/disable and delete feed data without updating configuration files or restarting containers.
    • See CLI Feeds configuration
  • Built on Anchore Engine v0.7.1: Anchore Enterprise is built on top of the OSS Anchore Engine, which has received new features and updates in the 0.7 series. See Anchore Engine Release Notes for information on new features, bug fixes, and improvements in Anchore Engine for versions v0.7.0 and v0.7.1.

Changes

Starting in 2.3.0 all services except the UI in an Enterprise deployment must:

  • Have the license.yaml available in /license.yaml inside the image. This is currently how the Notifiations, Reports, and RBAC services are run, and is now extended to all services.

  • Be started with the anchore-enterprise-manager command instead of anchore-manager. This ensures that enterprise extensions and functionality is properly loaded and available.

  • The docker-compose.yaml is no longer built into the image, but is available in the Docker Compose guide via a link to download. The image versions will be set to the release version matching the documentation version.

These changes are all configured by default in the new Docker Compose guide and are also enabled in the updated Helm chart for this release.

As with previous releases, we recommend upgrading with the newest deployment templates rather than just changing the image references in existing templates.

Bug Fixes and Enhancements

  • Fixed user deletion and role removal failures
  • Uses NVD severity for Debian vulnerabilties when ‘urgency’ field not set in the upstream data
  • Updates alpine feed driver to ensure severies are set using newer nvd2 driver data instead of older nvd driver that may have had stale data due to old NVD XML feed
  • Adds new ‘–no-auto-upgrade’ option to anchore-enterprise-manager to start services that will not upgrade the db automatically, enabling more control over the upgrade process
  • Fixed Report CSV/JSON download missing records in UI
  • Fixed scrollbar functionality issue in Policy Bundle editor in UI
  • Fixed missing scrollbar for context switching in UI
  • Fixed problem with sorting vulnerability columns in UI causing hangs and missing links
  • Updates to dependencies
  • Fixes in the Anchore Engine v0.7.0 release notes and v0.7.1 release notes

Upgrading from Anchore Enterprise 2.2 to 2.3.0

This is a significant upgrade. Backups should be taken, and downtime expected to complete the process.

NOTE The upgrade from 2.2.x to 2.3.0 will take several minutes at least for the database schema upgrade and involves a data migration can take longer to fully transition the RHSA data to CVE data. Part of this process is done during the database upgrade, but part of the process can only complete after the upgraded feed service is able to run and sync the new RedHat CVE data. Because of this, there will be an interval where RHEL-based images will have no vulnerabilities listed. That will automatically resolve itself once the feed syncs, and all affected images will have CVE-based vulnerability matches as expected, but depending on deployment environment and number of images in the database, this may take a long time (hours potentially).

See RHSA-to-CVE Feed Change for more information on the change and upgrade implications.

To upgrade, use the new version of the Helm chart or docker compose provided with this release. The new chart and compose files contain all needed configuration changes. See Enterprise Upgrade to 2.3.0 for details on this specific upgrade process and how to update your own deployment templates if you are not using the official Helm chart.

1 - RHSA to CVE Feed Changes for RHEL-Based Images

Starting in Enterprise 2.3.0, Anchore Enterprise uses the RedHat Security API for CVEs for vulnerability matches for RHEL, CentOS, and UBI images. This is a change from previous releases that utilized the API for Advisories (RHSAs) instead.

What Changed

In short, rhel:* replaces centos:* in the vulnerability feed for matches against RHEL-based distros such as CentOS and UBI.

Specifically, in Enterprise 2.2.x, all RHEL-based images (CentOS, RHEL, UBI) used data from the RedHat Security Advisories API. This data populated the centos:* groups of the vulnerabilities feed, as seen when you run anchore-cli system feeds list or via the UI’s system page showing feed syncs.

Changed for Enterprise 2.3.0, RHEL-based images will match against a new feed source by default: data from the RedHat CVE API . This new source populates the rhel:* groups of the vulnerabilities feed. The centos:* groups are no longer used for matches by default.

Reason for Change

The CVE source provides the ability to match vulnerabilities that have not yet been fixed upstream or via backports by Redhat as well as information on vulnerabilities that will not be fixed. Both of these classes of vulnerability are not covered in the RHSA data because that data is generated by fix releases. Overall, the change gives better matches earlier in the vulnerability triage and fix process so you can make better decisions about issues that affect your images.

Upgrade

During upgrade Anchore will change the matching logic to transition images to use the new feed groups. This update involves:

Completed Automatically During DB Upgrade:

  1. Updating db schema to support new enable/disable flags for feeds and groups.
  2. Disabling the existing centos:* feed groups from future syncs by setting the groups to disabled status.
  3. Updating the internal mappings for distros to use the new groups.

When the system starts, all RHEL/CentOS/UBI images will still have RHSA matches, but the centos:* groups will be disabled so no new updates arrive for those groups.

After upgrade, when the system is running the new version:

  1. Feed service will sync the new data from the source
  2. Policy engine syncs from feed service to get new data
  3. Once the rhel:* groups sync in the policy engine, all RHEL/CentOS/UBI pre-upgrade analyzed images will now show both CVE and RHSA matches.
  4. Images analyzed after the upgrade will only match CVEs.

The output from a CLI feed listing should look roughly like (note the disabled centos groups and synced rhel groups:

anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed                   Group                     LastSync                          RecordCount        
...               
vulnerabilities        centos:5(disabled)        2020-05-15T16:33:53.165136        1171               
vulnerabilities        centos:6(disabled)        2020-05-15T16:33:47.819467        1219               
vulnerabilities        centos:7(disabled)        2020-05-15T16:33:48.007930        1044               
vulnerabilities        centos:8(disabled)        2020-05-15T16:33:51.662811        255                
...                
vulnerabilities        rhel:5                    2020-05-15T22:23:56.300077        7237               
vulnerabilities        rhel:6                    2020-05-15T22:23:55.343614        6833               
vulnerabilities        rhel:7                    2020-05-15T22:23:56.040785        5893               
vulnerabilities        rhel:8                    2020-05-15T22:23:56.561123        1472               
...             

You can optionally flush the old RHSA matches by using the anchore-cli to delete the centos group data, which will remove the both the feed data and vulnerability matches for the RHSAs, leaving only the CVE matches.

To accomplish this, via the cli run:

[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:5
Group                     LastSync        RecordCount        
centos:5(disabled)        pending         0                  

[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:6
Group                     LastSync        RecordCount        
centos:6(disabled)        pending         0                  

[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:7
Group                     LastSync        RecordCount        
centos:7(disabled)        pending         0                  

[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:8
Group                     LastSync        RecordCount        
centos:8(disabled)        pending         0                  

Listing will now show:

anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed                   Group                     LastSync                          RecordCount        
...                
vulnerabilities        centos:5(disabled)        -                                 0                  
vulnerabilities        centos:6(disabled)        -                                 0                  
vulnerabilities        centos:7(disabled)        -                                 0                  
vulnerabilities        centos:8(disabled)        -                                 0                  
...                
vulnerabilities        rhel:5                    2020-05-15T23:45:04.969330        7237               
vulnerabilities        rhel:6                    2020-05-15T23:45:03.552281        6833               
vulnerabilities        rhel:7                    2020-05-15T23:45:04.678325        5894               
vulnerabilities        rhel:8                    2020-05-15T23:45:05.232375        1473               
...      

At this point all RHSA matches for all images in the DB have also been removed, leaving only the CVE matches from the new RedHat CVE source.

Feed Service Driver Configuration

The new RHEL CVE feed is enabled in the feed service by default. No changes to configuration are necessary to enable it.

Policy Engine Configuration

No changes to the policy engine configuration are needed to enable the new data because it is delivered as new groups in the existing vulnerabilities feed, which syncs all groups automatically.

Rolling Back

If you need to restore the old behavior see the rollback guide

2 - Reverting Back to use RHSA Data

NOTE: This section is only for very specific situations where you absolutely must revert the matching system to use the RHSA data. This should not be done lightly. The newer CVE-based data is more accurate, specific, and provides a more consistent experience with other distros.

If your processing of anchore output relies on RHSA keys as vulnerability matches, or you have large RHSA-based whitelists that cannot be converted to CVE-based, then it is possible, though not recommended, to migrate your system back to using the RHSA-based feeds (centos:* groups).

Here is the process. It requires the Anchore CLI with access to the API as well as direct access to the internal policy engine API endpoint. That may require a docker exec or kubectl exec call to achieve and will be deployment/environment specific.

  1. Revert the distro mapping records that map centos, fedora, and rhel to use the RHEL vuln data.

    1. With API access to the policy engine directly (output omitted for brevity), remove the existing distro mappings to RHEL data. These are the used by Anchore:
    curl -X DELETE -u admin:foobar http://localhost:8087/v1/distro_mappings?from_distro=centos
    curl -X DELETE -u admin:foobar http://localhost:8087/v1/distro_mappings?from_distro=rhel
    curl -X DELETE -u admin:foobar http://localhost:8087/v1/distro_mappings?from_distro=fedora
    
    1. Continuing with API access to the policy engine directly, replace the removed mappings with new mappings to the centos feeds:
    curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"centos", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
    curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"fedora", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
    curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"rhel", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
    

    Note: if something went wrong and you want to undo the progress you’ve made, just make the same set of calls as the last two steps in the same order but with the to_distro values set to ‘rhel’.

    1. Now, ensure you are back where you have access to the main Anchore API and the Anchore CLI installed. Disable the existing rhel feed groups
    anchore-cli system feeds config vulnerabilities --disable --group rhel:5
    anchore-cli system feeds config vulnerabilities --disable --group rhel:6
    anchore-cli system feeds config vulnerabilities --disable --group rhel:7
    anchore-cli system feeds config vulnerabilities --disable --group rhel:8
    
    anchore-cli system feeds delete vulnerabilities --group rhel:8
    anchore-cli system feeds delete vulnerabilities --group rhel:7
    anchore-cli system feeds delete vulnerabilities --group rhel:6
    anchore-cli system feeds delete vulnerabilities --group rhel:5
    
    1. Enable the centos feed groups that have the RHSA vulnerability data
    anchore-cli system feeds config vulnerabilities --enable --group centos:8
    anchore-cli system feeds config vulnerabilities --enable --group centos:7
    anchore-cli system feeds config vulnerabilities --enable --group centos:6
    anchore-cli system feeds config vulnerabilities --enable --group centos:5
    

    NOTE: if you already have centos data in your feeds (verify with anchore-cli system feeds list) then you’ll need to delete the centos data groups as well to ensure a clean re-syncin the next steps. This is accomplished with:

    anchore-cli system feeds delete vulnerabilities --group centos:5
    anchore-cli system feeds delete vulnerabilities --group centos:6
    anchore-cli system feeds delete vulnerabilities --group centos:7
    anchore-cli system feeds delete vulnerabilities --group centos:8
    
    1. Now do a sync to re-match any images using rhel/centos to the RHSA data
    [root@d64b49fe951c ~]# anchore-cli system feeds sync
    
    WARNING: This operation should not normally need to be performed except when the anchore-engine operator is certain that it is required - the operation will take a long time (hours) to complete, and there may be an impact on anchore-engine performance during the re-sync/flush.
    
    Really perform a manual feed data sync/flush? (y/N)y
    Feed                   Group                  Status         Records Updated        Sync Duration        
    github                 github:composer        success        0                      0.28s                
    github                 github:gem             success        0                      0.34s                
    github                 github:java            success        0                      0.33s                
    github                 github:npm             success        0                      0.23s                
    github                 github:nuget           success        0                      0.23s                
    github                 github:python          success        0                      0.29s                
    nvdv2                  nvdv2:cves             success        0                      60.59s               
    vulnerabilities        alpine:3.10            success        0                      0.27s                
    vulnerabilities        alpine:3.11            success        0                      0.31s                
    vulnerabilities        alpine:3.3             success        0                      0.31s                
    vulnerabilities        alpine:3.4             success        0                      0.25s                
    vulnerabilities        alpine:3.5             success        0                      0.26s                
    vulnerabilities        alpine:3.6             success        0                      0.25s                
    vulnerabilities        alpine:3.7             success        0                      0.26s                
    vulnerabilities        alpine:3.8             success        0                      0.35s                
    vulnerabilities        alpine:3.9             success        0                      0.28s                
    vulnerabilities        amzn:2                 success        0                      0.26s                
    vulnerabilities        centos:7               success        1003                   34.91s               
    vulnerabilities        centos:8               success        199                    9.15s                
    vulnerabilities        debian:10              success        2                      0.50s                
    vulnerabilities        debian:11              success        4                      60.53s               
    vulnerabilities        debian:7               success        0                      0.30s                
    vulnerabilities        debian:8               success        3                      0.34s                
    vulnerabilities        debian:9               success        2                      0.38s                
    vulnerabilities        debian:unstable        success        4                      0.39s                
    vulnerabilities        ol:5                   success        0                      0.31s                
    vulnerabilities        ol:6                   success        0                      0.29s                
    vulnerabilities        ol:7                   success        0                      0.41s                
    vulnerabilities        ol:8                   success        0                      0.28s                
    vulnerabilities        rhel:5                 success        0                      0.28s                
    vulnerabilities        rhel:6                 success        0                      0.43s                
    vulnerabilities        ubuntu:12.04           success        0                      0.45s                
    vulnerabilities        ubuntu:12.10           success        0                      0.25s                
    vulnerabilities        ubuntu:13.04           success        0                      0.24s                
    vulnerabilities        ubuntu:14.04           success        0                      0.37s                
    vulnerabilities        ubuntu:14.10           success        0                      0.25s                
    vulnerabilities        ubuntu:15.04           success        0                      0.42s                
    vulnerabilities        ubuntu:15.10           success        0                      0.23s                
    vulnerabilities        ubuntu:16.04           success        0                      0.35s                
    vulnerabilities        ubuntu:16.10           success        0                      0.33s                
    vulnerabilities        ubuntu:17.04           success        0                      0.33s                
    vulnerabilities        ubuntu:17.10           success        0                      0.31s                
    vulnerabilities        ubuntu:18.04           success        0                      0.42s                
    vulnerabilities        ubuntu:18.10           success        0                      0.37s                
    vulnerabilities        ubuntu:19.04           success        0                      0.45s                
    vulnerabilities        ubuntu:19.10           success        0                      0.32s                
    [root@d64b49fe951c ~]# anchore-cli image vuln centos os
    Vulnerability ID        Package                            Severity        Fix                     CVE Refs              Vulnerability URL                                      Type        Feed Group        Package Path        
    RHSA-2020:0271          libarchive-3.3.2-7.el8             High            0:3.3.2-8.el8_1         CVE-2019-18408        https://access.redhat.com/errata/RHSA-2020:0271        rpm         centos:8          pkgdb               
    RHSA-2020:0273          sqlite-libs-3.26.0-3.el8           High            0:3.26.0-4.el8_1        CVE-2019-13734        https://access.redhat.com/errata/RHSA-2020:0273        rpm         centos:8          pkgdb               
    RHSA-2020:0575          systemd-239-18.el8_1.1             High            0:239-18.el8_1.4                              https://access.redhat.com/errata/RHSA-2020:0575        rpm         centos:8          pkgdb               
    RHSA-2020:0575          systemd-libs-239-18.el8_1.1        High            0:239-18.el8_1.4                              https://access.redhat.com/errata/RHSA-2020:0575        rpm         centos:8          pkgdb               
    RHSA-2020:0575          systemd-pam-239-18.el8_1.1         High            0:239-18.el8_1.4                              https://access.redhat.com/errata/RHSA-2020:0575        rpm         centos:8          pkgdb               
    RHSA-2020:0575          systemd-udev-239-18.el8_1.1        High            0:239-18.el8_1.4                              https://access.redhat.com/errata/RHSA-2020:0575        rpm         centos:8          pkgdb               
    

Note in the last command output that the OS vulnerabilities are again showing ‘RHSA’ matches. The restoration to RHSA-based vuln data is complete.