Anchore Enterprise Release Notes - Version 5.14.0

Anchore Enterprise v5.14.0

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.13.x
    • The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
      • The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
      • The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
      • The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.

Improvements

  • System Configuration
    • The Anchore Enterprise API has new endpoints to view system configuration and dynamically change a few configuration values.
      • GET /v2/system/configurations
      • PATCH /v2/system/configurations
      • GET /v2/system/configurations/{config_key}
      • PUT /v2/system/configurations/{config_key}
      • DELETE /v2/system/configurations/{config_key}
        • Restores the configuration value to the default value.
    • The following system configuration values are now configurable via the API:
      • Enable ClamAV Malware Scanner - services.analyzer.analyzer_scanner_config.malware.clamav.enabled
      • Global Log Level - logging.log_level
      • Per Service Log Level - for example, services.apiext.logging.log_level
    • For additional information on system configuration, please see the API Accessible Configuration documentation.
  • Policy
    • When using the max_days_since_fix within the VulnerabilityGate and PackageTrigger, the findings will now provide the following data:
      • fixed in - the version in which the fix was applied.
      • max_days_since_creation - the number of days since the finding was created.
      • vuln_dectected - the date the vulnerability was detected.
      • fix_released - the date the fix was released.
      • max_days_since_fix - the number of days since the fix was applied per your policy trigger.
  • Reports
    • The following reports now include the field Artifact Vulnerable From which is the date when Anchore’s Reporting Service first detected the vulnerability on the artifact:
      • Runtime Inventory Images by Vulnerability
      • Tags by Vulnerability
      • Artifacts by Vulnerability
  • Logging
    • Structured log output now provides the service name and service version.
  • Memory Usage
    • If your deployment is configured to use the Object Store Database Driver, the memory usage profile of the Catalog Service will be reduced.

Fixes

  • Policy-engine service gracefully handles errors when the catalog service can no longer access images referenced by ancestors.
  • Policy Gate packages with Trigger required_package now correctly allows the version match type to detect a minimum package version.
  • Policy Gate packages with Trigger required_package now correctly handles some Java packages that do not have a proper version string. When the version comparison fails, the policy will now trigger a finding.
  • The Data-syncer Service now correctly removes older versions of GrypeDB from the Object Store.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.

UI Updates

Improvements

  • Admins can now verify and manage system settings with our new Configuration view within the System tab. Editable configuration options are displayed by default and read-only items are searchable and accessible for viewing via a toggle. The options currently available for editing include global / service-level log levels and enabling the ClamAV Malware Scanner.
  • The following report templates now include the Artifact Vulnerable From field by default which is the date when Anchore’s Reporting Service first detected the vulnerability on the artifact:
    • Runtime Inventory Images by Vulnerability
    • Tags by Vulnerability
    • Artifacts by Vulnerability

Fixes

  • Within the Kubernetes tab, search text could sometimes lag behind what a user was typing as the table updated dynamically. Now, searching is seamless during updates and intermediate network requests are canceled.
  • Previously, when an admin wanted to update their LDAP configuration, the password field was required even if the password was not being updated. This is no longer the case.
  • Feed errors within the System > Health view are now handled gracefully and displayed within their section rather than obfuscating the entire page.
  • When a user logged into an account context containing special characters after a system restart, the user would be automatically redirected to their default account. This has been fixed.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v5.14.0 | v3.4.0 | With Syft v1.19.0 and Grype v0.87.0 |
| Enterprise UI | v5.14.0 | | |
| AnchoreCTL | v5.14.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.3.3 | v0.0.10 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.7.4 | v0.5.1 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.6.2 | v0.6.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.19.0

Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.87.0

Last modified January 31, 2025