AnchoreCTL Release Notes - Version 5.21.0
Note: AnchoreCTL v5.21.x versions are compatible with Enterprise v5.21.x deployments.
AnchoreCTL v5.21.0
v5.21.x Compatibility for Air-gapped Users
Air-gapped users of Anchore Enterprise 5.21.x need to ensure that they are using the same/supported version of AnchoreCTL with Anchore Enterprise for all airgap workflows. This is due to a dataset schema change for the Vulnerability Database (GrypeDB v6) which occurred in 5.20.x. Using an older version of AnchoreCTL will no longer provide the correct datasets.
New Features
- STIG Evaluations on Kubernetes Containers
  - See the STIG for Kubernetes documentation for more information.
- RHEL Extended Update Support (EUS)
  - AnchoreCTL commands now have indications included in the output of the anchorectl image get and anchorectl image vulnerabilities commands when the -o json option is supplied.
    - Extended Support in the anchorectl image get output indicates that EUS was detected during image analysis.
    - Extended Support in the anchorectl image vulnerabilities output indicates that EUS data was used during the vulnerability scan.
    - See Anchore Secure - Vulnerability Management for more information.
Improvements
- Datasets
  - Air-gapped workflow downloads will no longer list the CISA Known Exploitable Vulnerabilities (KEV) Database and Exploit Prediction Scoring System (EPSS) Database as separate downloads, as this data is now included in the primary Vulnerability Database.
    - These datasets continue to be required:
      - Vulnerability Database
      - Vulnerability Match Exclusions Database
      - ClamAV malware Database
  - KEV and EPSS data has been added to the output of the anchorectl image vulnerabilities command.
    - The KEV indicator can be found in the table output as well as the json output.
    - The EPSS data is included only in the json output.
- STIG
  - The anchorectl image stig commands have been deprecated in favour of the new anchorectl stig docker image commands.
  - See the STIG documentation for more information.
- The anchorectl system artifact-lifecycle-policy add and update commands have been updated to support the new --include-failed-analysis flag.
  - When true, artifacts that are in a failed analysis state can be selected for action.
  - See the Artifact Lifecycle Policies documentation for more information.
Fixes
- Resolves an issue with filenames in the output of the anchorectl airgap feed upload command which caused errors on NTFS filesystems.
- Resolves an issue with the handling of the --enabled flag in the anchorectl system artifact-lifecycle-policy add and anchorectl system artifact-lifecycle-policy update commands.
- Resolves an issue with the value of the Last Updated field in the output of the anchorectl registry update command not being populated correctly.
- The Ubuntu 2004 STIG profile has been removed.