Anchore Enterprise Release Notes - Version 5.16.0
Anchore Enterprise v5.16.0
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.15.x
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- Policy
  - The `files` Gate with `suid or guid set` Trigger now provides a new parameter `ignore dir` to allow users to indicate if directories should be ignored when checking for setuid/setgid. This parameter is optional and defaults to `false`.
  - The `package` Gate with `denylist` Trigger now provides a new parameter that allows version comparison operations. The default behavior is still an exact match.
- Package License Names
  - For newly analyzed images, the license names are now normalized to the SPDX License List. This will help with consistency in the UI and API responses. When an exact match is not found, we will continue to use the `value` found within the image and extracted by Syft. For more information on normalized license names, please review SPDX License List.
    - Please Note: if you are currently using the `license` field in your policy gates, you may need to update your policy to reflect the new normalized license names. For example, if you are using `GPL-2.0` in your policy, you will need to update it to `GPL-2.0-only` to match the SPDX License List.
- Image Hints
  - When using image hints, the result of applying the hints will be visible in a downloaded SBOM in Syft Native, SPDX, and CycloneDX formats. This will allow users to see the hints that were applied to the image.
  - This applies only to newly analyzed images. If you would like to see hints applied to an existing image, you will need to reanalyze the image.
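
The license-name note above means a policy that still lists a deprecated SPDX identifier can silently stop matching newly analyzed images. The following added example (not Anchore's code) walks an exported policy document and reports such identifiers. The sample policy is constructed, its rule layout is an assumption, and every mapping other than `GPL-2.0` to `GPL-2.0-only` follows the SPDX deprecated-identifier convention rather than anything stated in these notes.

```python
# SPDX identifiers deprecated in favour of explicit -only / -or-later forms.
# GPL-2.0 -> GPL-2.0-only is the release notes' example; the others follow the
# same SPDX convention and are assumed to be normalized the same way.
_FAMILIES = ["GPL-1.0", "GPL-2.0", "GPL-3.0", "LGPL-2.0", "LGPL-2.1", "LGPL-3.0"]
DEPRECATED = {"AGPL-3.0": "AGPL-3.0-only"}
for _base in _FAMILIES:
    DEPRECATED[_base] = _base + "-only"
    DEPRECATED[_base + "+"] = _base + "-or-later"


def find_stale_license_ids(node, path="$"):
    """Yield (json_path, old_id, new_id) for each deprecated SPDX id found in
    a {"name": ..., "value": ...} parameter whose name mentions 'license'."""
    if isinstance(node, dict):
        name, value = node.get("name"), node.get("value")
        if isinstance(name, str) and "license" in name.lower() and isinstance(value, str):
            for item in value.split(","):      # values may be comma-separated
                old = item.strip()
                if old in DEPRECATED:
                    yield (path, old, DEPRECATED[old])
        for key, child in node.items():
            yield from find_stale_license_ids(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_stale_license_ids(child, f"{path}[{i}]")


# Constructed sample; gate, trigger and parameter names are assumptions.
SAMPLE_POLICY = {
    "policies": [{
        "name": "default",
        "rules": [
            {"gate": "licenses", "trigger": "denylist_exact_match", "action": "STOP",
             "params": [{"name": "licenses",
                         "value": "GPL-2.0, MIT,LGPL-2.1+,GPL-3.0-only"}]},
            {"gate": "vulnerabilities", "trigger": "package", "action": "WARN",
             "params": [{"name": "severity", "value": "high"}]},
        ],
    }]
}

if __name__ == "__main__":
    for where, old, new in find_stale_license_ids(SAMPLE_POLICY):
        print(f"{where}: {old} -> {new}")
```

Identifiers that are already in normalized form, such as `GPL-3.0-only` in the sample, are left unreported.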
Fixes
- Fixes a URL encoding issue found in some notifications when the account name has a space in it.
- Centralized Analysis now supports images that have been compressed using zstd compression.
- RBAC Roles are now correctly reflecting the allowed permissions. During a review, it was found that the `read-only`, `read-write`, and `image-developer` roles had included `listFeeds`, `updateFeeds`, `listServices` and `getService` permissions that were not correct. These permissions were only allowed to users with `system-admin` role. This is documentation only, no change in user behavior is expected.
- Provides a better error message when creating a new user and the name conflicts with an existing User Group name.
- Prevents race conditions that could occur when adding the same image multiple times and also when deleting the same image. This could result in the image analysis failing.
- Improves the analyzer queue by implementing a Round Robin algorithm to ensure that each account is serviced equally.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- All links to documentation within the application have been updated to use the version your system is using for accuracy, not just the latest version.
- Administrators can now configure a custom message on the login screen with a character limit of 10,0000 characters. The title also now supports a limit of 250 characters.
- The About modal now includes the commit SHA and build timestamp of the Enterprise Client and Service. This information is useful for troubleshooting and support purposes.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Fixes
- When a small screen height was used, the login content could display over the top navigation bar. This has been fixed.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.16.0 | v3.6.0 | With Syft v1.20.0 and Grype v0.87.0 |
Enterprise UI | v5.16.0 | | |
AnchoreCTL | v5.16.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.3 | v0.0.10 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.4 | v0.5.1 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.3 | v0.6.4 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.20.0
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.87.0
Last modified April 4, 2025