Anchore Enterprise Release Notes - Version 5.18.0

Anchore Enterprise v5.18.0

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.17.x
    • The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
      • The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
      • The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
      • The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.

Improvements

  • Anchore SBOM - SBOM Management
    • Anchore Enterprise now provides the ability to upload and manage your company’s SBOMs.
    • The feature provides the ability to view package contents and vulnerabilities found in the SBOMs uploaded to Anchore Enterprise.
    • New Prometheus metrics are available to monitor the SBOM Management feature.
    • The Imported SBOM count is included in your Total SBOM Usage available in the UI.
    • For more detail on this feature, please see the SBOM Management documentation.
  • Adds a new database index for the reports_tags table to improve the performance of queries that filter by account name and image digest.
  • Adds support for detecting Chrome binaries.
  • Improved the performance of the Tag Drift Policy Gate.
  • Exposes the max_scan_time configuration option in the API to allow users to change the value within the UI. This value is the maximum time in milliseconds that a ClamAV Malware Scan is allowed to run.
  • License
    • When license content is found but the license id cannot be determined, the license value will be listed as other-indeterminate and the license content will be included in the license data returned in /v2/images/{image_digest}/content/licenses.
  • Identification of old analysis data
    • In a future release of Anchore Enterprise, analysis data generated prior to the 4.0 release will no longer be supported. If these images are still important to your organization, we highly recommend that you force reanalyze them to ensure that you have the most current analysis data for them. Many improvements have been made to our scanning and analysis capabilities including improvements to package and vulnerability detection, license identification, and more.
    • To assist in identifying older artifacts in your system, a warning message for each artifact analyzed before the 4.0 release will be printed during the upgrade job. It will include the account name, image pull string and image digest. This will allow you to identify which images need to be force reanalyzed.
  • Various supporting libraries have been updated in order to improve security.

Fixes

  • Resolves an issue where a change in an image's parent digest was not correctly reflected in reports.
  • Addresses an issue in Syft which resulted in our inability to determine a dpkg license with the data provided during analysis.
  • Addresses an issue in Syft which resulted in the license content showing up in the licenses field instead of just the license id.
  • Addresses an issue in Syft where the Dotnet deps cataloger would hang while resolving dependencies.
  • Fixes an issue where linux-kernel entries in an image were surfaced by Enterprise as packages of both the os type and the linux-kernel type, causing every vulnerability match for those packages to be duplicated for that image.
  • Fixes an issue where the Dotnet cataloger within Syft could report a different number of packages when run on the same image multiple times.
  • Fixes a failure with Strict Configuration Validation when enabling OSAA Migration.
  • Resolved an issue where a warning message regarding unused environment variables was being printed 3 times during startup.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
  • The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.

UI Updates

Improvements

  • SBOM Management
    • Import and process SBOMs generated by any tool adhering to the SPDX or CycloneDX standards via the new Imported SBOMs tab. Establish a comprehensive inventory of software components and dependencies, regardless of origin.
    • View packages within uploaded SBOMs, including their associated licenses.
    • Automatically identify and report vulnerabilities within uploaded SBOMs, and export detailed vulnerability data in CSV format. Use the new Anchore Score - a composite metric combining CVSS score and severity, EPSS percentage, and CISA KEV data - to prioritize and triage vulnerabilities effectively, significantly reducing noise and accelerating triage time.
  • Our table columns now clearly indicate whether they’re sortable, and when sorting is applied, they show the direction - ascending or descending - at a glance.
  • For account administrators, a new ‘Groups’ column has been added within System > Accounts > Users which lists all user groups with roles for the user’s primary account.
  • A new Show OS CVEs filter has been added to Artifact Analysis > Vulnerabilities. Combined with the existing Show Non-OS CVEs toggle, this new filter allows users to either exclusively display OS CVEs, hide them, or show everything.
  • Page headers across the application have been refreshed for consistency and our lovely robots have been relocated to the sidebar. Primary actions are also highlighted in the top-right of the page header.
  • The Add / Edit User Group modal under System > User Groups now allows you to associate system-wide roles with a group.
  • For clarity, the Email field for an Account has been updated to be Contact Email instead.

Fixes

  • When a system limit was set via deployment configuration, the UI incorrectly stated that the limit was being approached when it had already been reached. This has been fixed.
  • Previously, it was possible to add invalid regular expressions as rule parameters for rules that required them (such as the filename regex field under the secret scans gate). Validation is now enforced, and invalid expressions can no longer be added through the UI.
  • Previously, a user had to click the table column header text to sort the column. Now, a user can click anywhere within the table column header cell to trigger a sort.
  • In previous versions, attempting to analyze a repository that already exists via the Analyze a Repository modal in the Image Selection view could cause a page exception after entering the repository details. This issue has now been resolved.
Component                        Supported Version   Helm Chart Version   Additional Info
Enterprise                       v5.18.0             v3.10.0              With Syft v1.26.1 and Grype v0.87.0
Enterprise UI                    v5.18.0
AnchoreCTL                       v5.18.0                                  Deploying AnchoreCTL
Anchore ECS Inventory            v1.3.3              v0.0.12              https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventory     v1.7.6              v0.5.6               https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller  v0.6.3              v0.7.2               https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                   v3.3.0                                   https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter           v1.4.1                                   https://github.com/anchore/harbor-scanner-adapter

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.26.1

Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.87.0

Last modified May 29, 2025