AnchoreCTL Release Notes

Version Compatibility

The version scheme for AnchoreCTL changed as part of the Enterprise 5.0 release. AnchoreCTL is now version aligned with Enterprise.

Note: For Enterprise 4.9.0 and beyond, the major and minor versions should be the same, but the patch versions may differ. For example, Enterprise X.Y.* is compatible with AnchoreCTL X.Y.*.

Note: For Enterprise versions earlier than 4.9.0, see the Enterprise release notes for the version you have deployed.
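
The compatibility rule above can be enforced before a pipeline calls the client. The following is an added example, not code from AnchoreCTL or Anchore: the function names and return codes are assumptions made for illustration, and both version strings are passed in by the caller rather than read from any tool.

```shell
# Added example (constructed helper, not part of AnchoreCTL).
# split_version prints "MAJOR MINOR PATCH" for input like 5.4.0 or v5.4.0.
split_version() {
    sv_v=${1#v}
    # Reject empty input, non-numeric characters and empty fields.
    case $sv_v in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    sv_ifs=$IFS; IFS=.
    set -- $sv_v
    IFS=$sv_ifs
    [ $# -eq 3 ] || return 1
    echo "$1 $2 $3"
}

# anchorectl_compat <enterprise-version> <anchorectl-version>
#   0 = major and minor match (patch may differ)
#   1 = major or minor differ
#   2 = unparsable input, or Enterprise earlier than 4.9.0, where the
#       release notes for the deployed version decide instead
anchorectl_compat() {
    ac_ent=$(split_version "$1") || return 2
    ac_ctl=$(split_version "$2") || return 2
    # Positional parameters: ent major, minor, patch, ctl major, minor, patch.
    set -- $ac_ent $ac_ctl
    if [ "$1" -lt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -lt 9 ]; }; then
        return 2
    fi
    [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ]
}

# Typical use in a pipeline step (versions supplied by the caller):
#   anchorectl_compat "$ENTERPRISE_VERSION" "$ANCHORECTL_VERSION" || exit 1
```

Treating return code 2 as a failure keeps a pipeline from silently running a client against a deployment the X.Y rule does not cover.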

Release Notes

1 - AnchoreCTL Release Notes - Version 5.4.0

The latest version of AnchoreCTL is 5.4.0. Note: AnchoreCTL v5.4.x versions are compatible with Anchore Enterprise v5.4.x deployments.

AnchoreCTL v5.4.0 is a feature and bug fix release which includes:

  • RBAC Role Support

    • Addition of the following commands that are accessible by users with admin, account-user-admin, or full-control.
      • anchorectl system role list - returns the list of supported RBAC Roles.
      • anchorectl system role get <rbac role name> - returns description and list of permissions of the specified role.
  • User Group Support

    • Commands for the management of User Groups:
      • anchorectl usergroup add <usergroup name or uuid> [--description <string>]
      • anchorectl usergroup delete <usergroup name or uuid>
      • anchorectl usergroup get <usergroup name or uuid>
      • anchorectl usergroup list [--contains-user <username>] [--contains-account <account name>] [--user-group-name <usergroup name>]
      • anchorectl usergroup update <usergroup name> --description <string>
      • anchorectl usergroup role add <usergroup name> <account name> --role <rbac role name>
      • anchorectl usergroup role delete <usergroup name> <account name> --role <rbac role name>
      • anchorectl usergroup role list <usergroup name>
      • anchorectl usergroup user add <usergroup name> --user <username>
      • anchorectl usergroup user delete <usergroup name> --user <username>
      • anchorectl usergroup user list <usergroup name>
  • anchorectl system wait command now defaults to waiting only on the Enterprise API Service. The --services flag can be used to specify other services that should be waited on as well.

  • Return the image content even when the parent digest is being used for the request. This was seen as an error in anchorectl image content.

  • Various supporting libraries have been updated in order to improve security

2 - AnchoreCTL Release Notes - Version 5.3.0

The latest version of AnchoreCTL is 5.3.0. Note: AnchoreCTL v5.3.x versions are compatible with Anchore Enterprise v5.3.x deployments.

AnchoreCTL v5.3.0 is a feature and bug fix release which includes:

  • Enable the dotnet-deps-cataloger for image analysis
  • Various supporting libraries have been updated in order to improve security

3 - AnchoreCTL Release Notes - Version 5.2.0

The latest version of AnchoreCTL is 5.2.0. Note: AnchoreCTL v5.2.x versions are compatible with Anchore Enterprise v5.2.x deployments.

AnchoreCTL v5.2.0 is a feature and bug fix release which includes:

  • Adds the ability to delete runtime inventory with inventory delete.
  • Adds the ability for admins to edit the email field of accounts with account update.
  • Addresses an exception in the system artifact-lifecycle-policy update command when the policy uuid was not provided.
  • Adds a new field, password_last_updated, to the response of user list and user get commands.
  • image content command correctly displays the licenses property in the response.
  • image vuln command provides an optional flag, --include-description, that is available with the json output format. Using this flag will include the description for each vulnerability listed.

4 - AnchoreCTL Release Notes - Version 5.1.0

The latest version of AnchoreCTL is 5.1.0.

AnchoreCTL 5.1.0 is a feature and bug fix release which includes:

  • Commands to manage artifact lifecycle policies
  • Removes errant ‘status’ string at beginning of anchorectl image check <img> --detail output which caused invalid json.
  • Updates Syft version to v0.97.1 aligned with Enterprise 5.1.0

AnchoreCTL 5.1.x versions are compatible with Anchore Enterprise 5.1.X deployments.

5 - AnchoreCTL Release Notes - Version 5.0.1

The latest version of AnchoreCTL is 5.0.1.

AnchoreCTL 5.0.1 is a bug fix release which includes:

  • A fix for a stack overflow that can be seen when executing the command anchorectl image check <image> --detail. This can occur when the image has an allowlisted policy finding.

AnchoreCTL 5.0.x versions are compatible with Anchore Enterprise 5.0.X deployments.

6 - AnchoreCTL Release Notes - Version 5.0.0

The latest version of AnchoreCTL is 5.0.0.

NOTE: This version of AnchoreCTL only supports Anchore Enterprise 5.0.x

AnchoreCTL 5.0.0 is a feature and bug fix release which includes:

  • Dependency updates, and general client updates to support Anchore Enterprise v5.0.0
  • Change to version scheme, switching to keep the version of AnchoreCTL in line with the version of Anchore Enterprise that the client supports (by semver compatibility)
  • Add sub-command for policy update
  • Add single java version column to the table output for java content
  • Remove rbac-url requirement from configuration in support of Anchore Enterprise v5.0.0’s single API feature
  • Remove the fix_observed_at date from table output for image vulnerability operation
  • Update the inventory watch commands
  • Update source policy check output to be more in line with image policy check output
  • Fix to some cases where the command could hang or terminal could get scrambled

Update to Syft 0.90.0, in line with the version of Syft used in Anchore Enterprise 5.0.0

AnchoreCTL 5.0.x versions are compatible with Anchore Enterprise 5.0.X deployments.

7 - AnchoreCTL Release Notes - Version 4.9.0

AnchoreCTL 4.9.0 is a V2 API-compatibility release that is otherwise identical to 1.8.0.

To minimize impact to automated installations, the V2 API compatible AnchoreCTL will not be automatically upgraded using the install script. See Installation for more information.

AnchoreCTL v4.9.0 uses Syft 0.84.1, the same as AnchoreCTL v1.8.0

AnchoreCTL 4.9.x versions are compatible with Anchore Enterprise 4.9.X deployments.

8 - AnchoreCTL Release Notes - Version 1.8.0

The latest version of AnchoreCTL is 1.8.0.

AnchoreCTL 1.8.0 is a feature and bug fix release which includes:

  • Adds the ability to create explicit SAML users with user add --idp_name
  • Adds the ability to list, activate and deactivate runtime inventory watchers with inventory watch
  • Extends image content command to support the type content_search
  • Extends image content command to support the type retrieved_files
  • Extends image content command to support the type secret_search
  • Adds the ability to specify the image platform to retrieve and analyze when using the --from registry source in the image add command so that local analysis can be done on images of a different architecture than the local host where the analysis occurs.
  • Add an API version check to prevent accidental use of 1.8.0 against an Anchore V2 API endpoint. See Configuration for more information.

Update to using Syft 0.84.1

9 - AnchoreCTL Release Notes - Version 1.7.0

The latest version of AnchoreCTL is 1.7.0.

AnchoreCTL 1.7.0 is a feature and bug fix release which includes:

  • Adds more detail from the Anchore Enterprise service for error responses, exposing the server side error detail to the user
  • Adds new formats (spdx, cycloneDX) to the SBOM output options when using the content get options during image add operations
  • Add support for new ancestor list command
  • Add new recommendation field to policy evaluation table output for the image check operation
  • Changed the policy evaluation level of detail from basic to full detail when fetching policy evaluation during image add operation
  • Fixed issue where the sbom content was not being fetched when the all type was given to the get option, in the image add operation

Update to using Syft 0.80.0

10 - AnchoreCTL Release Notes - Version 1.6.0

The latest version of AnchoreCTL is 1.6.0.

AnchoreCTL 1.6.0 is a feature and bug fix release which includes:

  • Adds ability to generate container image SBOMs using a new ‘--from’ option to anchorectl image add. This removes the need to use Syft with anchorectl. AnchoreCTL can now perform all the analysis itself and upload it to your Enterprise deployment. See Using CLI for Images for more information.
  • Adds extra analysis locally in addition to the SBOM generation. Filesystem metadata, secret scans, content scans, and file retrieval are now supported as they are when doing analysis of an image inside an Anchore Enterprise deployment.
    • The additional analysis features of secret scans, filesystem metadata, and content searches are only compatible with Anchore Enterprise 4.7+
  • Fixes the --help output for the ‘completion’ commands to provide correct autocompletion setup guidance
  • Fixes duplication of vulns shown when no type is specified in anchorectl image vuln <digest> usage

Update to using Syft 0.79.0

11 - AnchoreCTL Release Notes - Version 1.5.0

The latest version of AnchoreCTL is 1.5.0.

AnchoreCTL 1.5.0 is a bug fix release which includes:

  • Updates a help string for subscription update command to include the runtime_inventory subscription type
  • Fixes image add <tag> --wait failure with image not found if the same tag is added with another image digest by another client while waiting for the original image to analyze

Update to using Syft 0.75.0

12 - AnchoreCTL Release Notes - Version 1.4.0

The latest version of AnchoreCTL is 1.4.0.

AnchoreCTL 1.4.0 is a feature release which includes:

  • Adds full output format option support to ‘source sbom’ command similar to ‘image sbom’ operation, including spdx and cyclonedx formats
  • Adds new command to get a list of vulnerabilities in a specific application version across all artifacts (images and sources)
  • Adds csv output format for source-repo vulnerability and policy evaluation commands
  • Fixes adding of incorrect image to application version when using a tag reference in cases where more than one image with that tag is present in the system

Update to using Syft 0.72.1

13 - AnchoreCTL Release Notes - Version 1.3.0

The latest version of AnchoreCTL is 1.3.0.

AnchoreCTL 1.3.0 is a maintenance release which includes:

  • Added SPDX, CycloneDX and other format options alongside the default JSON format, to the ‘image sbom’ fetch operation
  • Added CSV format option to ‘image vulnerabilities’ and ‘image check’ operations
  • Enable the ability to add container images to Anchore Enterprise by image digest
  • Add a new ‘CVEs’ column to default table output for ‘image vulnerabilities’ operation for non-CVE findings that refer to one or more CVEs
  • Update ‘image add’ from SBOM to respect the --no-auto-subscribe flag
  • Fixes segfault when adding application association to an image that is in analyzing state

Update to using Syft 0.62.3

14 - AnchoreCTL Release Notes - Version 1.2.0

The latest version of AnchoreCTL is 1.2.0.

AnchoreCTL 1.2.0 is a maintenance release which includes:

  • Support for ‘recommendation’ fields from policy evaluations when used with Enterprise 4.1.1
  • Fixed to only show a vulnerability once in anchorectl image vuln when not using the -t/--type option
  • Help and command typo fixes

Updated to using Syft v0.58.0

15 - AnchoreCTL Release Notes - Version 1.1.0

The latest version of AnchoreCTL is 1.1.0.

AnchoreCTL 1.1.0 is a maintenance release which includes:

  • inventory list command to show all images in the inventory
  • compatibility with Syft v0.56.0

Updated to using Syft v0.56.0

16 - AnchoreCTL Release Notes - Version 1.0.0

The latest version of AnchoreCTL is 1.0.0.

AnchoreCTL 1.0.0 represents the first stable release of the tool as the primary CLI for Anchore Enterprise users. Configuration, command structure and capabilities have all been renovated to support the usage of the client by administrators, users, and within scripting environments for automated integration.

Added new administrative command groupings:

  • Account commands (add, get, list, delete, enable, disable)
  • User commands (add, get, list, delete, set-password)
  • Analysis archive rule commands (add, get, list, delete)
  • Analysis archive image commands (add, get, list, delete, restore)
  • Event commands (get, list, delete)
  • Feed commands (list, sync)
  • Policy commands (add, get, list, delete, activate)
  • Registry commands (add, get, list, delete, update)
  • Repo commands (add, get, list, delete, watch, unwatch)
  • Subscription commands (get, list, delete, activate, deactivate)
  • System commands (status, wait, delete)

The image add and source add commands have been revisited to additionally provide a simple way to extract common data from Anchore Enterprise:

  • anchorectl image add <my-image> --get vulnerabilities,content : get a summary of content and vulnerabilities to stdout
  • anchorectl image add <my-image> --get all=/path/to/store/results: get policy evaluation, vuln, and content results, and store all raw JSON files to /path/to/store/results
  • anchorectl image add <my-image> --get policy-evaluation: will get the policy evaluation results and set the return code to 1 if the policy evaluation is not passing (allowing use as a quality gate)

Added the ability to associate images and sources with an application name and version when adding into the system (e.g. anchorectl image add <my image> --application <name>@<version>).

The UI for all commands has been enhanced to convey intermediate progress and to be transparent about the actions taken to reach a result. For instance, using ANCHORECTL_DEBUG_API=true and increasing the log level to “debug” or “trace” (-vv or -vvv) will show individual API events and responses.

The anchorectl.yaml application configuration has changed; use anchorectl --help to see the latest configuration schema.

Added flag to switch output format for most commands to one of text, json, json-raw, or ID

Updated to using syft v0.52.0

17 - AnchoreCTL Release Notes - Version 0.2.0

The latest version of AnchoreCTL is 0.2.0. AnchoreCTL is dependent on Syft v0.39.3 as a library.

The current features that are supported are as follows:

  • Ability to add SBOMs via anchorectl, using stdin to provide an existing SBOM without re-creating it.

18 - AnchoreCTL Release Notes - Version 0.1.4

The latest version of AnchoreCTL is 0.1.4. AnchoreCTL is dependent on Syft v0.39.3 as a library.

The current features that are supported are as follows:

  • Source Repository Management: Generate an SBOM and store the SBOM in Anchore’s database. Get information about the source repository, investigate vulnerability packages by requesting vulnerabilities for a single analyzed source repository, or get any policy evaluations.
  • Download full image SBOMs for images analyzed with Enterprise 4.0.0.
  • Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the rem tool.
  • Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
  • Image Management: View, list, import local analysis, and request image analysis by the system.
  • Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
  • System Operations: View and manage system information for your Enterprise deployment.