Anchore Enterprise Release Notes - Version 5.13.0
Anchore Enterprise v5.13.0
Warning for Large Deployments
This release contains a potential deadlock seen when booting the services on initial install or after an upgrade. Customers with large deployments (32 or more services) should consider upgrading directly to v5.13.1 to avoid any possible issues.
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.12.x
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- Malware Scanning is now available on images larger than 4 GB.
  - For images larger than 4 GB, Enterprise will split images into individual files of 2 GB or smaller.
  - Any files within the image that are greater than 2 GB will be skipped during analysis. Any skipped file will be identified with a Malware Signature as `ANCHORE.FILE_SKIPPED.MAX_FILE_SIZE_EXCEEDED`.
  - When performing Malware Scanning on these larger images, please expect an increase in your analysis time.
- A new configuration option `malware.clamav.max_scan_time` has been added to the analyzer_config.yaml. This will allow for the configuration of the maximum time allowed for a single scan. The default value is 30 minutes.
- The `Malware` Policy Gate with the `Scan Findings` Trigger will ignore the new `ANCHORE.FILE.SKIPPED.SIZE_EXCEEDED` findings as they do not represent positively identified malware. Instead, these findings can be identified using the `Scan Not Run` trigger by enabling the `fire_on_skipped_files` parameter.
Fixes
- The data-syncer service now correctly frees memory and disk space after processing each dataset.
- Addresses an issue where the Vulnerability Fix field’s value can change when a RHEL image that contains perl is re-analyzed.
- Fixes an error that occurs when an analyzer service fails to parse the clamav db metadata.
- Corrects two issues with the config parsing, which is completed at startup, causing an error seen in the catalog or policy-engine Service.
  - The first issue was when the root level `webhooks` was not present.
  - The second issue was when the `services.policy_engine.vulnerabilities.matching.exclude` was not present.
- Fixes an analysis race condition that could cause two analyzer services to attempt to analyze the same image at the same time. This would lead to the image analysis failing and would require a manual request for a force reanalysis.
- Images that are imported from AnchoreCTL now correctly benefit from the complete list of supported package types.
- Fixes a condition where a large number of system events could cause the notification service to fail to forward the notifications.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
UI Updates
Improvements
- The status of Kubernetes inventory agents is now displayed within the System > Health view. This allows administrators to quickly identify that all agents are reporting in as expected.
- The Image Selection view now includes the ability to remove repositories without any images from the system.
Fixes
- A regression was introduced in the previous release where the route was preserved upon logout. This has now been fixed.
- The `name` field in the Add a New Registry Credential became required because of a code regression. It is now optional again.
- Fix for a scenario whereby a user without any pre-existing tour-state properties would not have them assigned on login. Now addressed.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.13.0 | v3.3.0 | With Syft v1.17.0 and Grype v0.85.0 |
Enterprise UI | v5.13.0 | | |
AnchoreCTL | v5.13.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.3 | v0.0.10 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.1 | v0.5.0 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.2 | v0.6.3 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v5.0.0 | | docker.io/anchore/enterprise-gitlab-scan:v5.0.0 |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Last modified December 19, 2024