Anchore Enterprise Release Notes - Version 5.17.0
Anchore Enterprise v5.17.0
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.16.x
- The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
- The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
- The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
- The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
- If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- Memory Usage Improvements
- We’ve made targeted improvements to the memory usage profile of various services that reduce the amount of memory the services use in most circumstances.
- Image Analysis
- When adding an image to Anchore Enterprise from a multi-platform manifest list, the Linux operating system digest will be preferred over a Windows digest. This change ensures that the most commonly used platform is prioritized for analysis and scanning.
- Prometheus Metrics
- Now available on a per-account basis. This allows for more granular monitoring and alerting based on account-specific metrics.
- Per-account metrics are enabled in the helm chart by setting services.catalog.account_prometheus_metrics to true.
- License
- A new endpoint that provides detailed information about the software licenses for each package contained within an image: GET /v2/images/{image_digest}/content/licenses
- Feeds
- The GET /v2/system/feeds endpoint has been updated to include two new timestamps that should improve the clarity of when vulnerability data was downloaded and built in the Anchore Data Service (data_service_built_at) and when it was received by your enterprise deployment (enterprise_received_at). All other timestamps returned by that endpoint continue to be updated but have been marked deprecated.
- Corrections
- Now have templating support for the package URL (PURL) field.
- Logging
- Anchore Enterprise will print a warning level log message when any ANCHORE_* environment variables are detected without a reference in the config file. This is an indication of a potential misconfiguration. The log message will start with the words: Detected Anchore environment variables which are not referenced in the configuration file: {'ANCHORE_...
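The same check can be run before deployment to catch a misspelled or orphaned variable ahead of the warning. The following is an added example, not Anchore's own code; it assumes the configuration file references variables as ${ANCHORE_NAME}, and the sample config keys and variable names are constructed for illustration.

```python
import re

# Assumption: the configuration file references variables as ${ANCHORE_NAME}.
_REF = re.compile(r"\$\{(ANCHORE_[A-Za-z0-9_]+)\}")


def referenced_vars(config_text):
    """Return the ANCHORE_* names referenced outside of comments."""
    names = set()
    for line in config_text.splitlines():
        # Naive comment stripping: a commented-out reference does not count.
        # (A literal '#' inside a quoted value would also be cut here.)
        active = line.split("#", 1)[0]
        names.update(_REF.findall(active))
    return names


def unreferenced_vars(config_text, environ):
    """Return ANCHORE_* variables set in environ that the config never uses."""
    referenced = referenced_vars(config_text)
    return sorted(
        name for name in environ
        if name.startswith("ANCHORE_") and name not in referenced
    )


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONFIG = """\
log_level: ${ANCHORE_LOG_LEVEL}
# ssl_enable: ${ANCHORE_SSL_ENABLED}
db_connect: postgresql://${ANCHORE_DB_USER}@db/anchore
"""
SAMPLE_ENV = {
    "ANCHORE_LOG_LEVEL": "INFO",
    "ANCHORE_DB_USER": "anchore",
    "ANCHORE_SSL_ENABLED": "true",  # only referenced in a comment
    "ANCHORE_LOG_LEVLE": "DEBUG",   # misspelled, never referenced
    "PATH": "/usr/bin",             # not an ANCHORE_* variable, ignored
}

if __name__ == "__main__":
    for name in unreferenced_vars(SAMPLE_CONFIG, SAMPLE_ENV):
        print("not referenced in config:", name)
```

A variable that shows up here is one the operator set but the service will not read through the config file, which matters most when the value was meant to turn on a security control.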
Fixes
- Fixes an issue where the Vulnerability Fix Observed At Date was not being captured.
- When the root owning package node is a nix package, any owned packages are no longer filtered. This is due to the fact that there is currently no distro-level vulnerability data ingested for nix. The only method of getting a possible vulnerability match will be via the descendant packages (python, npm, go, etc).
- When first configuring SSO on your Anchore Enterprise deployment, if you allowed the default account to be automatically created when the first user logged in, the account would not have received the default policy. This has been fixed.
- Fixes an exception seen when requesting a forced feed sync via POST /v2/system/feeds?force_sync=true.
- Fixes the error message returned if the user provided an invalid policy gate.
- When the image is “force reanalyzed”, the analysis will re-evaluate the parent digest.
- Fixes an issue where the license policy gate was not working properly for non-os packages.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- Sticky headers are now enabled on select tables, so you can keep column names in view while scrolling. Try it out in the Images, Events, and System > Accounts views.
- The sidebar navigation menu now includes tooltips when collapsed to help identify the icons and their associated views.
- The Redis connection string now supports the rediss:// protocol, allowing TLS connections to resources that use a certificate authority.
- The SBOM > Malware tab in Artifact Analysis will now show whether Malware Scanning is active on your Anchore instance or if there are no findings from the scan. It has also been pinned in the top list.
- Loading the list of LDAP mappings on the System page has been optimized to improve performance.
- The generic error message displayed when an artifact analysis fails has been replaced in favor of more informative service-level messaging to aid in troubleshooting.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Fixes
- In previous versions, the tour step information associated with adding a repository and adding a tag was inverted. Now fixed.
- Previously, nix and alpm packages were not displaying correctly within the Artifact Analysis > Vulnerabilities view. This has been fixed.
- In the Dashboard detail view, the labels at the top-right of the page could be occluded by the robot image. Now fixed.
- Fixed an issue where new users were shown the welcome banner on both their first and second logins.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.17.0 | v3.7.0 | With Syft v1.21.0 and Grype v0.87.0 |
Enterprise UI | v5.17.0 | | |
AnchoreCTL | v5.17.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.3 | v0.0.10 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.4 | v0.5.1 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.6.3 | v0.6.4 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.21.0
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.87.0
Last modified April 29, 2025