Anchore Enterprise Release Notes - Version 5.11.0
Anchore Enterprise v5.11.0
Note
Two customers experienced an upgrade failure to the v5.11.x release. The failure occurred when the `parent_digest` field is NULL in the `reports_images` database table. This condition is handled correctly by the v5.12.0 database schema changes. Please consider upgrading directly to v5.12.0 to avoid this issue.
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.10.0:
  - The upgrade will result in an automatic schema change that will require database downtime.
  - The v5.3.0 schema change may take more than an hour to complete, depending on the amount of data in your reporting system.
  - The v5.6.0 schema change may take 2 hours or more, depending on the amount of data in your system.
  - The v5.11.0 schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
- If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
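The Note at the top of this page names the condition that broke two v5.11.x upgrades: rows in `reports_images` whose `parent_digest` is NULL. The following pre-upgrade check is an added example, not Anchore's own tooling. It runs that one query through any PEP 249 DB-API connection, so on a real deployment you would pass a `psycopg2` connection to the Anchore Enterprise Postgres database (assumption: the reporting tables live in that same database). Only the table name and the `parent_digest` column come from the release note; the `image_digest` column in the demo schema and the sample rows are constructed so the example runs offline against an in-memory sqlite3 table.

```python
"""Pre-upgrade check for the v5.11.x migration failure described in the Note.

Added example, not Anchore's own code. Pass any DB-API connection; the demo
below uses sqlite3 with constructed rows so it runs without a database.
"""
import sqlite3

# Table and column names from the release note; nothing else is assumed here.
NULL_PARENT_DIGEST_SQL = (
    "SELECT COUNT(*) FROM reports_images WHERE parent_digest IS NULL"
)


def null_parent_digest_count(conn):
    """Return how many reports_images rows would trip the v5.11.x migration."""
    cur = conn.cursor()
    try:
        cur.execute(NULL_PARENT_DIGEST_SQL)
        (count,) = cur.fetchone()
        return int(count)
    finally:
        cur.close()


def preflight_v5_11_upgrade(conn):
    """Return (ok, message); ok is False when the known failure condition is present."""
    count = null_parent_digest_count(conn)
    if count:
        return (
            False,
            f"{count} reports_images row(s) have a NULL parent_digest; "
            "the v5.11.x schema migration is known to fail on this condition. "
            "Upgrade directly to v5.12.0, which handles it.",
        )
    return True, "no NULL parent_digest rows found in reports_images"


def demo_connection():
    """Constructed sample data: two images with a parent digest, one without.

    The image_digest column is an assumption for illustration only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports_images (image_digest TEXT, parent_digest TEXT)"
    )
    conn.executemany(
        "INSERT INTO reports_images VALUES (?, ?)",
        [
            ("sha256:aaaa", "sha256:0000"),
            ("sha256:bbbb", "sha256:0000"),
            ("sha256:cccc", None),  # the row the v5.11.x migration chokes on
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    ok, message = preflight_v5_11_upgrade(demo_connection())
    print("OK" if ok else "BLOCKED", "-", message)
```

Run it against the production database (read-only credentials are enough) before scheduling the downtime window; a non-zero count means the v5.11.x migration is expected to fail and the v5.12.0 path should be used instead, as the Note advises.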
Improvements
- RBAC
  - New ability to assign administrative privileges to users who are not members of the `admin` account. This role may be granted either directly by another admin user or via a User Group membership.
    - RBAC Role name: `system-admin`
    - RBAC Domain Name: `*`
- API
  - New endpoint `GET /v2/accounts/users` returns a list of all users in the system, including their roles and the accounts to which they belong. This is only available to admin users.
  - New endpoint `GET /v2/accounts/{account_name}/users-with-roles` returns a list of users that have been granted roles in the specified account.
  - The following endpoints have improved data associated with Users and RBAC Roles. Each user object includes a list of roles that have been granted to the user and an indication of how each role was granted:
    - `GET /v2/user`
    - `GET /v2/accounts/users`
    - `GET /v2/accounts/{account_name}/users`
    - `GET /v2/accounts/{account_name}/users-with-roles`
  - Improved the response time of endpoints that return a list of users.
  - Improved the response time of `GET /v2/system/user-groups`.
  - The endpoint `GET /v2/system/statistics` now includes the following new metrics:
    - `report_creation` - The number of reports that have been created.
    - `report_inventory` - The number of generated reports currently in the system.
- Configuration
  - Added log messages that warn the user when an incorrect configuration value is detected.
- Integration Health Status
  - When using the `k8s-inventory` agent release v1.7.0, the agent will automatically register itself with Anchore Enterprise. It will then send periodic health status updates so you can validate the health of your `k8s-inventory` agents directly from Enterprise.
  - The API has new endpoints to view the health status of the `k8s-inventory` agent:
    - `GET /v2/integrations/k8s-inventory/health`
    - `GET /v2/integrations/k8s-inventory/health/{agent_id}`
  - New AnchoreCTL commands are available to view integration health.
  - Please see the following for more information.
- Reports
  - Improves database space usage for the following reports by reorganizing the data into new tables:
    - Vulnerabilities by ECS Container
    - Vulnerabilities by Kubernetes Container
    - Vulnerabilities by Kubernetes Namespace
  - Once the upgrade is complete and you are comfortable with the resulting reports, you may wish to truncate the legacy tables to reduce database space usage.
- Policy
  - Adds support for the `value` parameter when the `check` parameter is `exists` or `not exists`. Previously the `value` parameter was ignored for these check types.
- SBOM Improvements
  - Utilizes a new JVM cataloger, which improves the identification of Java installs that occur outside of an OS package manager. It also normalizes version comparison logic for earlier Java versions that did not use semantic versioning, which should lead to more accurate vulnerability matching.
  - Adds vulnerability matching support for Azure Linux 3.
  - Adds support for identifying OCaml packages.
  - Adds binary classifiers for the following:
    - curl
    - dart
    - haskell
    - ghttp
    - proftpd
    - zstd
    - xz
    - gzip
    - jq
    - sqlcipher
Fixes
- Fixes an issue where some java-archive artifacts had a blank Name or Version field within the Syft SBOM.
- Fixes an issue where the `GET /v2/accounts/{account_name}/users/{username}` endpoint failed to return all of the user's roles when some had been granted via a User Group membership.
- Returns a more specific error code and response from `GET /v2/images/{image_digest}/check` when specifying an invalid `policy_id`.
- The Policy Creation metric now correctly increments when a policy is created via the API. This `policy_creation` metric can be seen in the `GET /v2/system/statistics` endpoint.
- Minor fixes to the debug-level logging within the API Service.
- The `Ancestry` Policy Gate with the `allowed base image tags` Trigger now allows wildcard matching for base image tags.
- Fixes a missing event when a report in the pending state has been cancelled.
- Improves error handling for `GET /v2/images/{image_digest}/check` when specifying `base_digest=auto`.
- Fixes an issue with the Dockerfile Policy Gate where multi-line directives were not handled.
- Using the `POST /v2/policies` API with an existing policy ID will now fail with a 409 response instead of incorrectly updating the existing policy. Please use `PUT /v2/policies/{policy_id}` to update policies.
- Fixes an issue in the response code of `POST /v2/vulnerability-scan`.
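The `POST /v2/policies` change above breaks any pipeline that re-pushes the same policy bundle on every run and relied on the old silent overwrite: from v5.11.0 the second push gets a 409 and the stored policy is left untouched. The following client is an added example, not Anchore's or AnchoreCTL's own code. It tries the create, and on 409 falls back to `PUT /v2/policies/{policy_id}` as the note directs. Assumptions not stated on this page: the request body is a policy record whose `policy_id` field carries the ID, the service uses HTTP basic auth, and success is 200 or 201. The HTTP transport is injected so the flow can be exercised offline against the constructed `FakePolicyService` at the bottom, which mimics the post-5.11.0 409-on-duplicate rule.

```python
"""Idempotent policy upload for the v5.11.0 POST /v2/policies behaviour change.

Added example, not Anchore's own code. Assumptions: policy records carry their
ID in "policy_id", basic auth, 200/201 on success (none confirmed by the page).
"""
import base64
import json
import urllib.error
import urllib.request


def urllib_transport(base_url, username, password):
    """Return send(method, path, body) -> (status, parsed_json) for a real server."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            # 4xx/5xx: hand the status back so the caller can act on a 409.
            raw = err.read()
            try:
                return err.code, (json.loads(raw) if raw else {})
            except ValueError:
                return err.code, {"raw": raw.decode(errors="replace")}

    return send


def upsert_policy(policy, send):
    """Create the policy, or update it in place when the ID already exists.

    Returns "created" or "updated"; raises on anything else so a CI job fails
    loudly instead of assuming the bundle was applied.
    """
    policy_id = policy["policy_id"]
    status, body = send("POST", "/v2/policies", policy)
    if status in (200, 201):
        return "created"
    if status != 409:
        raise RuntimeError(f"POST /v2/policies failed: {status} {body}")
    # 409 means the ID is taken; from v5.11.0 only PUT updates an existing policy.
    status, body = send("PUT", f"/v2/policies/{policy_id}", policy)
    if status != 200:
        raise RuntimeError(f"PUT /v2/policies/{policy_id} failed: {status} {body}")
    return "updated"


class FakePolicyService:
    """Constructed stand-in for the server, with the 409-on-duplicate-POST rule."""

    def __init__(self):
        self.store = {}

    def send(self, method, path, body):
        if method == "POST" and path == "/v2/policies":
            if body["policy_id"] in self.store:
                return 409, {"message": "policy id already exists"}
            self.store[body["policy_id"]] = body
            return 200, body
        if method == "PUT" and path.startswith("/v2/policies/"):
            policy_id = path.rsplit("/", 1)[1]
            if policy_id not in self.store:
                return 404, {"message": "not found"}
            self.store[policy_id] = body
            return 200, body
        return 405, {}


def demo_upsert_twice():
    """Push one bundle twice: first call creates, second hits 409 and updates."""
    svc = FakePolicyService()
    bundle = {"policy_id": "ci-baseline", "name": "CI baseline"}
    first = upsert_policy(bundle, svc.send)
    second = upsert_policy(dict(bundle, name="CI baseline (tightened)"), svc.send)
    return first, second, svc.store["ci-baseline"]["name"]


if __name__ == "__main__":
    print(demo_upsert_twice())  # ('created', 'updated', 'CI baseline (tightened)')
```

Against a live deployment, replace `svc.send` with `urllib_transport("https://anchore.example.internal:8228", user, password)` (hostname assumed). The create-then-PUT order is deliberate: probing with a GET first would add a request and still race with a concurrent create, whereas acting on the 409 the server now returns is exact.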
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- Package Feeds and Policy Gates for `Ruby Gems` and `NPMs` are now EOL. Please contact Anchore Support for more information.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- Feed Service: The Feed Service has been deprecated and replaced by the Data Syncer service. The Feed Service is no longer supported in Enterprise installations.
- Package Feeds: The `Ruby Gems` and `NPMs` package feeds and policy gates have been declared End of Life and are no longer supported.
UI Updates
Improvements
- In this release, administrators are identified by the presence of the `system-admin` role. This role is automatically assigned to users in the `admin` account, but users in other accounts can be promoted to or demoted from an administrative role through this assignment. The role can be assigned directly to a user during account creation or indirectly through group membership. Note that this role is read-only for users in the `admin` account.
- Markdown markup is now supported in the Recommendation field of a policy rule. This allows for more detailed explanations to be provided to users when a policy rule is triggered.
Fixes
- Multiple fixes applied to improve the appearance of the UI theme
- Because of a mishandled error condition, a non-admin user would be logged out if they tried to access a global report, which can occur if they click on an associated report link surfaced on the
- In previous versions of the application, column widths in the Artifact Analysis view would reset to their default values when the page state changed due to background data updates. This issue has now been resolved, and column widths will persist even when the underlying data changes.
- The card view is now the default for Feeds Sync details on the System Health page. However, if a user has previously overridden this setting, the table view will still be applied. Additionally, dataset and checksum names are now displayed on the cards. Aesthetic adjustments have been made to support these changes.
- In previous versions of the application, selecting all visible events while a filter was applied would inadvertently select all events, not just the visible ones. This issue has now been resolved, ensuring that only visible events are selected when a filter is active. Additionally, an issue with string-based filtering—where the filter failed to correctly match the user-entered string in the
- To remain consistent with the outcome of changes made against individual users, changes made to user groups will now trigger a log out event for any users associated with any user groups that are modified or deleted.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.11.0 | v3.1.0 | With Syft v1.13.1 and Grype v0.82.0 |
Enterprise UI | v5.11.0 | | |
AnchoreCTL | v5.11.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.2 | v0.0.9 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.1 | v0.5.0 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.2 | v0.6.2 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.2.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.0 | | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v5.0.0 | | docker.io/anchore/enterprise-gitlab-scan:v5.0.0 |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Last modified December 9, 2024