AnchoreCTL Release Notes - Version 5.21.0
Note: AnchoreCTL v5.21.x versions are compatible with Enterprise v5.21.x deployments.
AnchoreCTL v5.21.0
v5.21.x Compatibility for Air-gapped Users
Air-gapped users of Anchore Enterprise 5.21.x need to ensure that they are using the same/supported version of AnchoreCTL with Anchore Enterprise for all airgap workflows. This is due to a dataset schema change for the Vulnerability Database (GrypeDB v6) which occurred in 5.20.x. Using an older version of AnchoreCTL will no longer provide the correct datasets.
New Features
- STIG Evaluations on Kubernetes Containers
  - See the STIG for Kubernetes documentation for more information.
- RHEL Extended Update Support (EUS)
  - AnchoreCTL commands now have indications included in the output of the `anchorectl image get` and `anchorectl image vulnerabilities` commands when the `-o json` option is supplied.
    - Extended Support in the `anchorectl image get` output indicates that EUS was detected during image analysis.
    - Extended Support in the `anchorectl image vulnerabilities` output indicates that EUS data was used during the vulnerability scan.
      - See Anchore Secure - Vulnerability Management for more information.
Improvements
- Datasets
  - Air-gapped workflow downloads will no longer list the CISA Known Exploitable Vulnerabilities (KEV) Database and Exploit Prediction Scoring System (EPSS) Database as separate downloads, as this data is now included in the primary Vulnerability Database.
    - Note that if you supply an existing file created from a prior version of anchorectl you will see an error; you should start with a new file.
    - These datasets continue to be required:
      - Vulnerability Database
      - Vulnerability Match Exclusions Database
      - ClamAV malware Database
  - KEV and EPSS data has been added to the output of the `anchorectl image vulnerabilities` command.
    - The KEV indicator can be found in the table output as well as the json output.
    - The EPSS data is included only in the json output.
- STIG
  - The `anchorectl image stig` commands have been deprecated in favour of the new `anchorectl stig docker image` commands.
    - See the STIG documentation for more information.
- The `anchorectl system artifact-lifecycle-policy` `add` and `update` commands have been updated to support the new `--include-failed-analysis` flag.
  - When `true`, artifacts that are in a failed analysis state can be selected for action.
    - See the Artifact Lifecycle Policies documentation for more information.
Fixes
- Resolves an issue with filenames in the output of the `anchorectl airgap feed upload` command which caused errors on NTFS filesystems.
- Resolves an issue with the handling of the `--enabled` flag in the `anchorectl system artifact-lifecycle-policy add` and `anchorectl system artifact-lifecycle-policy update` commands.
- Resolves an issue with the value of the `Last Updated` field in the output of the `anchorectl registry update` command not being populated correctly.
- The Ubuntu 2004 STIG profile has been removed.