Anchore Enterprise Release Notes - Version 5.11.0

Anchore Enterprise v5.11.0

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.10.0
    • The upgrade will result in an automatic schema change that will require database downtime.
    • The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    • The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    • The v5.11.0 schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS-enabled hosts and your database is hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.

Improvements

  • RBAC
    • New ability to assign administrative privileges to users who are not members of the admin account. This role may be granted either directly by another admin user or via a User Group membership.
      • RBAC Role name: system-admin
      • RBAC Domain Name: *
  • API
    • New endpoint GET /v2/accounts/users returns a list of all users in the system, including their roles and the accounts to which they belong. This is only available to admin users.
    • New endpoint GET /v2/accounts/{account_name}/users-with-roles returns a list of users that have been granted roles in the specified account.
    • The following endpoints have improved data associated with Users and RBAC Roles. Each user object includes a list of roles that have been granted to the user and an indication of how the role has been granted.
      • GET /v2/user
      • GET /v2/accounts/users
      • GET /v2/accounts/{account_name}/users
      • GET /v2/accounts/{account_name}/users-with-roles
    • Improved the response time of endpoints that return a list of users.
    • Improved the response time of GET /v2/system/user-groups
    • The endpoint GET /v2/system/statistics now includes the following new metrics:
      • report_creation - The number of reports that have been created.
      • report_inventory - The number of generated reports currently in the system.
  • Configuration
    • Added log messages which warn the user when an incorrect configuration value is detected.
  • Integration Health Status
    • When using the k8s-inventory agent release v1.7.0, the agent will automatically register itself with Anchore Enterprise. It will then send periodic health status updates so you can validate the health of your k8s-inventory agents directly from Enterprise.
    • The API has new endpoints to view the health status of the k8s-inventory agent.
      • GET /v2/integrations/k8s-inventory/health
      • GET /v2/integrations/k8s-inventory/health/{agent_id}
    • New AnchoreCTL commands are available to view integration health.
    • Please see the following for more information.
  • Reports
    • Improves database space usage for the following reports by reorganizing the data into new tables:
      • Vulnerabilities by ECS Container
      • Vulnerabilities by Kubernetes Container
      • Vulnerabilities by Kubernetes Namespace
    • Once the upgrade is complete and you are comfortable with the resulting reports, you may wish to truncate the legacy tables and reduce database space usage.
  • Policy
    • Adds support for the value parameter when the check parameter is "exists" or "not exists". Previously the value parameter was ignored for these check types.
  • SBOM Improvements
    • Uses a new JVM cataloger that improves the identification of Java installations that occur outside of an OS package manager. It also normalizes the version comparison logic for earlier Java versions that did not use semantic versioning, which should lead to more accurate vulnerability matching.
    • Adds vulnerability matching support for Azure Linux 3
    • Adds support for identifying OCaml packages
    • Adds binary classifiers for the following:
      • curl
      • dart
      • haskell
      • ghttp
      • proftpd
      • zstd
      • xz
      • gzip
      • jq
      • sqlcipher
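The new system-admin role can be granted to users outside the admin account, directly or through a User Group, so it is worth auditing periodically who holds it and how it was granted. The script below is an added example, not Anchore's code, and does not call the API itself: it parses a constructed sample of a GET /v2/accounts/users response. The JSON field names it reads (users, username, account_name, roles, role, granted_via, group) are assumptions, since the release notes only say that each user object lists its roles and how each was granted; check them against your deployment's actual response before using it.

```python
import json

SYSTEM_ADMIN_ROLE = "system-admin"  # role name introduced in v5.11.0
ADMIN_ACCOUNT = "admin"             # the built-in admin account

# Constructed sample of a GET /v2/accounts/users response (not a real capture).
# The field names below are assumptions for this example, not documented
# in the release notes.
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"username": "root-admin", "account_name": "admin",
         "roles": [{"role": "system-admin", "granted_via": "direct"}]},
        {"username": "alice", "account_name": "team-a",
         "roles": [{"role": "read-write", "granted_via": "direct"},
                   {"role": "system-admin", "granted_via": "user_group",
                    "group": "platform-ops"}]},
        {"username": "bob", "account_name": "team-b",
         "roles": [{"role": "read-only", "granted_via": "direct"}]},
        {"username": "carol", "account_name": "team-b",
         "roles": [{"role": "system-admin", "granted_via": "direct"}]},
    ]
})


def parse_users(body):
    """Parse the JSON body of GET /v2/accounts/users into a list of user dicts."""
    return json.loads(body).get("users", [])


def system_admin_grants(users):
    """Every system-admin grant as (username, account, granted_via, group-or-None)."""
    grants = []
    for user in users:
        for role in user.get("roles", []):
            if role.get("role") == SYSTEM_ADMIN_ROLE:
                grants.append((user["username"], user["account_name"],
                               role.get("granted_via", "unknown"),
                               role.get("group")))
    return grants


def out_of_band_admins(users):
    """system-admin holders whose account is not the admin account.

    Admin-account users hold the role automatically, so the grants worth
    reviewing (and alerting on when they appear between audits) are the
    ones made to users in other accounts, directly or via a User Group.
    """
    return [g for g in system_admin_grants(users) if g[1] != ADMIN_ACCOUNT]


def diff_admins(previous, current):
    """Compare two audit snapshots; returns (added, removed) sets of grants."""
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


if __name__ == "__main__":
    users = parse_users(SAMPLE_RESPONSE)
    for username, account, how, group in out_of_band_admins(users):
        via = f"User Group '{group}'" if group else how
        print(f"{username}@{account} holds {SYSTEM_ADMIN_ROLE} via {via}")
```

In practice you would fetch the endpoint as an admin user (it is admin-only), pass the body to parse_users, and store the result of out_of_band_admins so the next run can call diff_admins against it; a new entry in the "added" set is a privilege change that should match a ticket. Grants made via a User Group are reported for the member user, which is the behaviour the v5.11.0 fix for GET /v2/accounts/{account_name}/users/{username} restores.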

Fixes

  • Fixes an issue where some java-archive artifacts had a blank Name or Version field within the Syft SBOM.
  • Fixes an issue where GET /v2/accounts/{account_name}/users/{username} endpoint failed to return all the user’s roles when some had been granted via a User Group membership.
  • Returns a more specific error code and response from GET /v2/images/{image_digest}/check when specifying an invalid policy_id.
  • The Policy Creation metric now correctly increments when a policy is created via the API. This policy_creation metric can be seen in the GET /v2/system/statistics endpoint.
  • Minor fixes to the debug level logging within the API Service.
  • The Ancestry Policy Gate with allowed base image tags Trigger now allows wildcard matching for base image tags.
  • Fixes a missing event when a report in the pending state has been cancelled.
  • Improves error handling for GET /v2/images/{image_digest}/check when specifying base_digest=auto.
  • Fixes an issue with the Dockerfile Policy Gate where we failed to handle multi-line directives.
  • Using the POST /v2/policies API with an existing policy ID will now fail with a 409 response instead of incorrectly updating the existing policy. Please use PUT /v2/policies/{policy_id} to update policies.
  • Fixes an issue in the response code of POST /v2/vulnerability-scan.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • Package Feeds and Policy Gates for Ruby Gems and NPMs, are now EOL. Please contact Anchore Support for more information.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
  • Feed Service: The Feed Service has been deprecated and replaced by the Data Syncer service. The Feed Service is no longer supported in Enterprise installations.
  • Package Feeds: The Ruby Gems and NPMs package feeds and policy gates have been declared End Of life and are no longer supported.

UI Updates

Improvements

  • In this release, administrators are identified by the presence of the system-admin role. This role is automatically assigned to users in the admin account, but users in other accounts can be promoted to or demoted from an administrative role through this assignment. The role can be directly assigned to a user during account creation or indirectly through group membership. Note that this role is read-only for users in the admin account.
  • Markdown markup is now supported in the Recommendation field of a policy rule. This allows for more detailed explanations to be provided to users when a policy rule is triggered.

Fixes

  • Multiple fixes applied to improve the appearance of the UI theme
  • Because of a mishandled error condition, a non-admin user would be logged out if they try to access a global report, which can occur if they click on an associated report link surfaced on the the
  • In previous versions of the application, column widths in the Artifact Analysis view would reset to their default values when the page state changed due to background data updates. This issue has now been resolved, and column widths will persist even when the underlying data changes.
  • The card view is now the default for Feeds Sync details on the System Health page. However, if a user has previously overridden this setting, the table view will still be applied. Additionally, dataset and checksum names are now displayed on the cards. Aesthetic adjustments have been made to support these changes.
  • In previous versions of the application, selecting all visible events while a filter was applied would inadvertently select all events, not just the visible ones. This issue has now been resolved, ensuring that only visible events are selected when a filter is active. Additionally, an issue with string-based filtering—where the filter failed to correctly match the user-entered string in the
  • To remain consistent with the outcome of changes made against individual users, changes made to user groups will now trigger a log out event for any users associated with any user groups that are modified or deleted.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

Component                        Supported Version  Helm Chart Version  Additional Info
Enterprise                       v5.11.0            v3.1.0              With Syft v1.13.1 and Grype v0.82.0
Enterprise UI                    v5.11.0
AnchoreCTL                       v5.11.0                                Deploying AnchoreCTL
Anchore ECS Inventory            v1.3.2             v0.0.9              https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventory     v1.7.1             v0.5.0              https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller  v0.6.2             v0.6.2              https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                   v3.2.0                                 https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter           v1.4.0                                 https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scan           v5.0.0                                 docker.io/anchore/enterprise-gitlab-scan:v5.0.0

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Last modified December 9, 2024