Anchore Enterprise Release Notes - Version 5.2.0
Anchore Enterprise v5.2.0
Anchore Enterprise release v5.2.0 contains targeted fixes and improvements.
Enterprise Service Updates
Requirements
If upgrading from a v5.x release, a database update is required.
If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
Enterprise v5.2.0 requires Postgres 13 or greater.
Enterprise v5.2.0 requires that the previous version was Enterprise v4.0.0 or greater. We strongly recommend that you upgrade to Enterprise v4.9.5 prior to attempting this upgrade.
Enterprise v5.2.0 requires the use of the Enterprise Helm Chart. Please see the table below for the compatible version.
Enterprise v5.2.0 requires that you upgrade your integrations and client. Please see the table below for compatible versions.
Improvements
- RBAC Roles
  - Adds new system role called `account-viewer`. This role allows the user to list all the accounts within Anchore Enterprise. Authorization to bestow this role is restricted to system administrators.
- Reports
  - Provides a configuration variable, `services.reports.use_volume`, which directs the Report Service to use disk space instead of memory while generating reports.
  - The “Inherited From Base” field is now available in the vulnerability-related reports including:
    - Artifacts by Vulnerability
    - Images Affected by Vulnerability
    - Runtime Inventory Images by Vulnerability
    - Tags by Vulnerability
    - Vulnerabilities by ECS Container
    - Vulnerabilities by Kubernetes Container
    - Vulnerabilities by Kubernetes Namespace
  - Improves the performance of the Kubernetes Namespace Vulnerability Loader within the Report Worker Service.
- API
  - Adds a `/system/statistics` endpoint to return various system statistics and counters over time.
  - The `/images/{image_digest}/vuln/{vuln_type}` endpoint provides a query flag, `include_vuln_description`, that indicates when to include the vulnerability description field in the response.
  - Provides a new field, `password_last_updated`, in the response of `/accounts/{account_name}/users`.
- API Keys
  - Provides a configuration variable, `user_authentication.remove_deleted_user_api_keys_older_than_days`, which determines the number of days API Keys will remain in the database.
Fixes
- Corrects the time that a Scheduled Query started to be generated in the unlikely occurrence that the system restarted the report.
- Addresses an issue with the RedHat vulnerability data provider not automatically updating OVAL files which prevents getting accurate fix version information for appstream packages in RHEL 9.
- Addresses an issue with grype-db matching logic for RHEL 9, where they are no longer reporting a modularity, resulting in false positives. Specifically, RHEL 9’s default stream no longer reports a modularity.
- API endpoint `/images/{image_digest}/content/java` returns a version format consistent with the output from AnchoreCTL.
- Fixes an issue where the `services.reports_worker.data_egress_window` was not working correctly for the runtime reports.
- Fixes a failure in Source SBOM imports that refer to poetry.lock or Python requirements files.
- An interrupted report generation will correctly error out instead of trying to persist a partially generated report.
- Fixes an issue where CVE-2023-44487 would show the incorrect severity.
- `Licenses` for all package content types are now returned when available.
- `Cpes` property returns a list of strings or an empty list for all package content types.
- Reintroduced the Policy Evaluation Cache which aids in better evaluation performance.
- Logging
  - Reduces the number of log warning messages for orphaning services.
  - Suppress an SQLite exception that was not impacting the system.
  - Removes an incorrect error message in the Reports Service that looked like the following “Could not trigger reports_image_refresh after multiple retries. Will retry on next cycle”.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
UI Updates
Improvements
Administrators can now assign the system-wide `account-viewer` role to users. This role allows users to list all accounts in the system and is intended for programmatic access to the Anchore API.
Administrators can now view the last time a user password was changed from the summary table in the Accounts view.
The error indicator for a failed report has been updated to provide more information about the failure.
From within the new Data Management view, administrators can now set policies to determine the removal schedule for images in the system across all accounts. The policies allow you to specify the number of days to retain images, based on either presence in the runtime inventory or their presence globally.
Logs are now written to a file (by default in the `/var/log/anchore` directory) in addition to the console. The logs are rolled once a maximum capacity of 10Mb is reached, and the last 10 log files are retained. In addition, outbound requests made by the application to our Anchore Enterprise API now display the request identifier used within our services, which can be used to correlate the UI request with the platform service logs.
A Licenses column has been added to the Java sub-tab.
The "Inherited From Base" field has been added as a default to a variety of vulnerability-related reports including:
- Artifacts by Vulnerability
- Images Affected by Vulnerability
- Runtime Inventory Images by Vulnerability
- Tags by Vulnerability
- Vulnerabilities by ECS Container
- Vulnerabilities by Kubernetes Container
- Vulnerabilities by Kubernetes Namespace
Fixes
Administrators who switch into a different (non-administrative) account context are no longer able to create global reports in that account.
Previously, when a saved report was reconfigured (for example, by changing the name or description), the filter details would be dropped from the AppDB record, preventing the report from being viewed (although it would still be available for download). This issue has now been fixed.
Administrators who are authenticated via LDAP are now able to create and manage API keys for non-LDAP administrative and standard users (although not for themselves, because we currently don’t support API Key self-service for LDAP authenticated users).
Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Additional Info |
---|---|---|
Enterprise | v5.2.0 | With Syft v0.101.1 and Grype v0.74.3 |
Enterprise UI | v5.2.0 | |
AnchoreCTL | v5.2.0 | Deploying AnchoreCTL |
Enterprise Helm Chart | v2.3.0 | https://github.com/anchore/anchore-charts |
Anchore ECS Inventory | v1.2.0 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.1.1 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.5.0 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v1.1.2 | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.2.0 | https://github.com/anchore/harbor-scanner-adapter |
enterprise-gitlab-scan | v4.0.0 | https://github.com/anchore/enterprise-gitlab-scan |