Anchore Enterprise Release Notes - Version 5.12.0
Anchore Enterprise v5.12.0
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.11.x
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS-enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- The Exploit Prediction Scoring System (EPSS) is now included as an additional dataset from the Anchore Data Service. It is automatically downloaded by the Data-Syncer Service.
  - This dataset is used in the `Vulnerabilities` Policy Gate and `Package` Trigger with optional parameters:
    - `EPSS Score Comparison`
    - `EPSS Score`
    - `EPSS Percentile Comparison`
    - `EPSS Percentile`
- RBAC
  - New RBAC role called `image-delete` has been added. This role allows users to delete images, sources and archives from the system.
  - Removed additional authorization checks for adding the special annotation `anchore.user/marked_base_image` to an image.
- API
  - New endpoint which returns the currently enabled resource-limits (if any) and the current usage of those limits.
    - `GET /v2/system/resource-limits`
- Metric
  - New metrics have been added to provide more data around the database pool
    - `anchore_db_pool_size` - Max Number of connections in the pool
    - `anchore_db_pool_available` - Number of connections available for use in the pool
    - `anchore_db_pool_in_use` - Number of connections currently in use
- SBOM
  - Enterprise will no longer surface packages with unknown versions. This will reduce the number of false positives seen during analysis.
- Logging
  - When structured logging is enabled, the output on disk will include the JSON output as well as the normal text format, which is easier to read.
Fixes
- Improves error handling during image analysis that could have caused unnecessary analysis failures.
- Fixes the permission when deleting a source artifact from the system. Only users with `system-admin`, `full-control`, `read-write`, or `image-delete` roles can delete sources.
- Improves handling of Alpine patch versions during vulnerability matching. For more information please see issue.
- Handles a v5.10.0 upgrade failure when `parent_digest` is `Null` within the `reports_images` database table.
- Fixes a policy eval failure that is seen when multiple evaluations on the same image are running concurrently.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
UI Updates
Improvements
- The authenticated interface has been updated with a new vertical navigation bar that offers quick access to various views within the application. The navigation bar is collapsible and responsive, enhancing the user experience by providing a streamlined interface. Additionally, the open or collapsed state of the navigation bar is now persisted across sessions. This new navigation bar lays the groundwork for future global controls and usability enhancements.
- The application now uses the full width of the screen, offering more space for content. The font size and visual elements dynamically adjust to the viewport size, ensuring a consistent user experience across various screen widths and resolutions.
- The `image-delete` role has been added to the RBAC system. This role allows users to delete images, sources, and archives from the system and is now provided amongst the other RBAC settings in the user and group management controls under System.
- The EPSS service is now available as a datasource for use by policy gates and triggers in the Policy Manager. This service provides a score and percentile for each vulnerability based on the likelihood of exploitation. The EPSS score and percentile can be used as parameters in the `Vulnerabilities` policy gate and `Package` trigger. The availability and health of this service are displayed alongside the other service details in the System > Health view.
Fixes
- The API Keys breadcrumb no longer includes the account name and now displays only the username. Since API keys are not tied to a specific account and user permissions may allow switching between accounts, this change helps eliminate ambiguity.
- The page displayed when a license has expired or is invalid now contains links to the Anchore Support page instead of an email address.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.12.0 | v3.2.0 | With Syft v1.16.0 and Grype v0.84.0 |
Enterprise UI | v5.12.0 | | |
AnchoreCTL | v5.12.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.2 | v0.0.9 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.1 | v0.5.0 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.2 | v0.6.3 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.2.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.0 | | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v5.0.0 | | docker.io/anchore/enterprise-gitlab-scan:v5.0.0 |

The Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Last modified November 26, 2024