Anchore Enterprise Release Notes - Version 5.1.0
Anchore Enterprise v5.1.0
Anchore Enterprise release v5.1.0 contains targeted fixes and improvements.
Enterprise Service Updates
Requirements
If upgrading from a previous v5.x release, a database update is required.
If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
Enterprise v5.1.0 requires Postgres 13 or greater.
Enterprise v5.1.0 requires that the previous version was Enterprise v4.0.0 or greater. It is strongly recommended that you upgrade to Enterprise v4.9.3 prior to attempting this upgrade.
Enterprise v5.1.0 requires the use of the Enterprise Helm Chart. Please see the table below containing compatible versions.
Enterprise v5.1.0 requires that you upgrade your integrations and client. Please see the table below containing compatible versions.
Improvements
- Global Artifact Lifecycle Policy
- Provide rules for lifecycle management of system artifacts. For more information please see Using Artifact Lifecycle Policies
- API Keys
Support for API Keys. API Keys are manually generated credentials used to authenticate with Anchore Enterprise. For more information, please see API Keys
Note: This feature is not currently available for users who have authenticated using LDAP
- Vulnerabilities
- Provide additional vulnerability matching for `goCompiledVersion`.
- Provide vulnerability matching for pre-released versions of Debian.
- Support capture of vulnerability data for Ubuntu 23.04 (Lunar Lobster) and Ubuntu 23.10 (Mantic Minotaur) once publishing commences from Canonical.
- Analysis
- All namespaced python packages are persisted during analysis which improves displaying the installed location for python packages.
- Reports
- Report generation can be scaled out to multiple report pods.
- Runtime reports now work with the `enable_data_egress` and `data_egress_window` configuration options. Please review Reports for more information.
- Improved report service logging to provide better error messages.
- Runtime report filters for Labels now support multiple labels.
- RBAC Roles
- image-lifecycle - permissions around management of archival rules.
- registry-editor - permissions to manage private registry credentials.
- General System Improvements
- Improve memory profile and behavior in the API service.
- Improve logging within the feed service.
- Provide clear logging of the service version and db schema during startup.
Fixes
- Better error handling for policies that are missing data from the document store.
- Ability to execute a software downgrade from a patch release to a release within the Major.Minor version numbers.
- Prevent a deadlock when two agents are reporting inventory from the same Cluster/Namespace.
- If report generation exceeds the configured timeout, the execution record will be marked as `timed out` and processing will be halted to allow other scheduled reports to start.
- Vulnerability matching now properly accounts for maven versions according to the maven spec rather than the plain semver spec.
- Fixed an issue that prevented new Windows OS containers from being analyzed properly.
- Image digests will now match when an image is analyzed within Enterprise (centralised analysis) and the image SBOM is imported via AnchoreCTL (distributed analysis).
- If an error occurs during database upgrade, the error will be elevated to the pod to prevent it from starting.
- An image import that contains a secret or content search results will now have the correct line number and name translations.
- Fix a `grypedb` digest mismatch that can occur when Policy Engine syncs with the Feed Service.
UI Updates
Improvements
- API Token Support
Users can now create and manage API keys for use with the Anchore API. Administrators can control the keys for all users from the System > Accounts view, and all users can create or revoke their own keys from the dropdown menu in the top navigation bar.
Note: This feature is not currently available for users who have authenticated using LDAP
- Application Vulnerabilities
- Vulnerabilities data for an application group can now be downloaded in JSON format from the Applications view
- The Artifact Analysis view now indicates, if available, the fat manifest ID associated with the currently selected artifact in the breadcrumb trail
- The Artifact Analysis > SBOM view now includes a Version column in the Java sub-tab
- Reports
- The `Vulnerabilities by ECS Container` report now provides the `Will Not Fix` and `Last Seen` fields
- The `Vulnerabilities by Kubernetes Container` report now provides the `Last Seen` field
- The `Fix Observed At` field has been added as a default to a variety of vulnerability-related reports
- Help text improvements have been made to the filters associated with runtime-related reports
- Accounts
- The email address associated with an account can now be updated by an administrator
- The roles provided in the user-creation dialog within an account are now alphabetically sorted
- UI Theme
- A dark theme has been added to the application. This can be enabled by clicking the Dark Mode toggle in the top right of the UI. By default, the theme will follow the system theme, but it can be overridden by the user.
Fixes
- Reports
- Any previous errors are now cleared when the configuration dialog is opened. In addition, the title of the dialog no longer changes as a new name is entered.
- The Report Results page displayed the execution schedule as UTC, which was inconsistent with the information shown in the Saved Reports view, where it is converted to the local timezone. Now fixed.
- Licenses are now displayed correctly in the Artifact Analysis > SBOM view; previously they would be displayed as `Unknown`
- Image Selection
- A significant performance improvement has been applied to the repository summary operation that presents the interstitial dialog when adding a repository
- Clicking an enabled alert subscription toggle for tags that inherit their subscription state from their parent repository would not disable the subscription for the tag; instead, a new subscription would be added for that specific tag, with another tag required to actively disable the entry. This has now been fixed
- Various supporting libraries have been updated to improve security and performance, and to remove deprecation warnings from both browser and server output logs. Redundant libraries have been removed to reduce the application’s startup time and overall size.
Recommended Component Versions
Component | Supported Version | Additional Info |
---|---|---|
Enterprise | v5.1.0 | With Syft v0.97.1 and Grype v0.73.3 |
Enterprise UI | v5.1.0 | |
AnchoreCTL | v5.1.0 | Deploying AnchoreCTL |
Enterprise Helm Chart | v2.2.0 | https://github.com/anchore/anchore-charts |
Anchore ECS Inventory | v1.2.0 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.1.1 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.5.0 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v1.1.0 | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.2.0 | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v4.0.0 | https://github.com/anchore/enterprise-gitlab-scan |