Anchore Enterprise Release Notes - Version 5.20.0
Anchore Enterprise v5.20.0
v5.20.0 Release
During the release testing of Anchore Enterprise v5.20.0, a timing issue was discovered that could result in the Data Syncer Service failing to correctly download the datasets. This issue would be visible via the UI's system tab showing fewer than 5 datasets (feeds) present after the upgrade. This issue has been resolved and a patch release of v5.20.1 will be available shortly.
v5.20.x Compatibility for Air-gapped Users
Air-gapped users of Anchore Enterprise 5.20.x need to ensure that they are using the same supported version of AnchoreCTL with Anchore Enterprise for all airgap workflows. This is due to a new dataset format for vulnerability data (GrypeDB v6). It is important to upload the new dataset immediately upon upgrade.
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.19.x:
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
- If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- Anchore STIG for Container Images
  - Anchore Enterprise now provides two new GraphQL queries to help identify container images that have one or more STIG evaluations uploaded to them: imagesWithStig and runtimeImagesWithStig.
- Prometheus Metrics
  - The existing anchore_queue_length metric now has a new label, priority, which indicates how many items have been queued with the priority bit set.
- Improved logging when authentication fails due to external timestamp drift.
- The Vulnerability Database (grypedb) is now using the latest schema version, which provides additional metadata for vulnerabilities. This allows for better filtering and searching of vulnerabilities. This schema has already been in use by Grype for several months now.
- CVSS
  - Anchore can now be configured to show the highest secondary CVSS score if the primary NVD score has not been provided for a CVE.
  - If you wish to opt in to the new behavior, you can change the configuration setting services.policy_engine.vulnerabilities.nvd_fallback_to_secondary_cvss via the API or UI.
- SBOM Management
  - Now provides system events that help track the creation and deletion of SBOMs and SBOM Groups.
  - Now has the ability to update the details of a specific SBOM Group with the new PUT /exp/sbom-groups/{group_uuid} endpoint.
  - Provides limited support for a valid SPDX 3.0 SBOM. Note well: this version of SPDX is not fully supported by Anchore Enterprise. Although you can upload and download SPDX 3.0 SBOMs, the content and vulnerability analysis of the SBOM contents will not be functional.
- SBOM scans that identify a distro without any version information will now return results for all versions of that distro.
- Performance improvement when processing stateless vulnerability scans at high loads.
- Various supporting libraries have been updated in order to improve security.
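The CVSS item above changes which score a CVE displays when NVD has not published one. The following Python is an added illustration, not Anchore's own code: it models a vulnerability record with an optional primary NVD score and zero or more secondary (vendor) scores, applies the opt-in fallback, and shows why a score-based policy gate behaves differently with the setting on and off. The record layout, the function names and the sample CVE ids are assumptions constructed for this example.

```python
"""Illustration of the nvd_fallback_to_secondary_cvss behaviour (added example,
not Anchore's code). Record layout and names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CvssScore:
    source: str        # constructed label, e.g. "nvd" or "vendor-a"
    base_score: float  # CVSS base score, 0.0 - 10.0


@dataclass
class Vulnerability:
    cve_id: str
    nvd: Optional[CvssScore] = None                      # primary NVD score, may be absent
    secondary: List[CvssScore] = field(default_factory=list)


def effective_cvss(vuln: Vulnerability, nvd_fallback_to_secondary_cvss: bool) -> Optional[CvssScore]:
    """Score the CVE would display.

    NVD, when present, is always the primary score. Without an NVD score the
    opt-in fallback returns the highest secondary score; with the fallback off
    (or with no secondary data at all) the CVE shows no score.
    """
    if vuln.nvd is not None:
        return vuln.nvd
    if nvd_fallback_to_secondary_cvss and vuln.secondary:
        return max(vuln.secondary, key=lambda s: s.base_score)
    return None


def fails_score_gate(vuln: Vulnerability, threshold: float, nvd_fallback_to_secondary_cvss: bool) -> bool:
    """Model a policy rule of the form 'fail if CVSS base score >= threshold'.

    A CVE with no displayable score cannot trip a score-based rule, so with the
    fallback off a CVE that only vendors have scored passes silently.
    """
    score = effective_cvss(vuln, nvd_fallback_to_secondary_cvss)
    return score is not None and score.base_score >= threshold


# Constructed sample records (placeholder CVE ids, not real data).
SAMPLES = [
    Vulnerability("CVE-0000-0001", nvd=CvssScore("nvd", 7.5),
                  secondary=[CvssScore("vendor-a", 9.8)]),
    Vulnerability("CVE-0000-0002", nvd=None,
                  secondary=[CvssScore("vendor-a", 5.3), CvssScore("vendor-b", 8.1)]),
    Vulnerability("CVE-0000-0003", nvd=None, secondary=[]),
]


def summarize(nvd_fallback_to_secondary_cvss: bool) -> Dict[str, Optional[float]]:
    """Map each sample CVE id to the base score it would display."""
    out: Dict[str, Optional[float]] = {}
    for v in SAMPLES:
        score = effective_cvss(v, nvd_fallback_to_secondary_cvss)
        out[v.cve_id] = None if score is None else score.base_score
    return out


def gate_failures(threshold: float, nvd_fallback_to_secondary_cvss: bool) -> List[str]:
    """CVE ids from SAMPLES that a 'score >= threshold' rule would fail."""
    return [v.cve_id for v in SAMPLES if fails_score_gate(v, threshold, nvd_fallback_to_secondary_cvss)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"nvd_fallback_to_secondary_cvss={flag}: {summarize(flag)}; "
              f"fails gate >= 8.0: {gate_failures(8.0, flag)}")
```

Note that the NVD score still wins whenever it exists, even when a vendor score is higher (CVE-0000-0001 above), so enabling the setting only changes CVEs that NVD has not scored.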
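The Prometheus item above adds a priority label to anchore_queue_length. The following Python is an added example, not Anchore's own code: it parses the Prometheus text exposition format and reports queue depth split by that label, which is the shape of check an operator would wire into monitoring. The metric name and the priority label come from the release notes; the other label names (queue) and the scrape output are constructed for this illustration and may not match what the service actually exports.

```python
"""Parse Prometheus text exposition output and report anchore_queue_length by
priority label (added example, not Anchore's code; label names other than
priority and the sample scrape are constructed)."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample scrape output, not captured from a real deployment.
SAMPLE_SCRAPE = """\
# HELP anchore_queue_length Number of items in a queue
# TYPE anchore_queue_length gauge
anchore_queue_length{queue="images_to_analyze",priority="false"} 12
anchore_queue_length{queue="images_to_analyze",priority="true"} 3
anchore_queue_length{queue="vulnerability_scan",priority="false"} 40
anchore_queue_length{queue="vulnerability_scan",priority="true"} 0
some_other_metric{queue="images_to_analyze"} 99
"""

# One sample line: name, optional {label="value",...}, whitespace, value.
_LINE = re.compile(r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
# One label pair inside the braces; the value may contain escaped quotes.
_LABEL = re.compile(r'(?P<k>[a-zA-Z_][a-zA-Z0-9_]*)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_samples(text: str, metric: str) -> Iterator[Tuple[Dict[str, str], float]]:
    """Yield (labels, value) for every sample line of the named metric."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and HELP/TYPE comments
        m = _LINE.match(line)
        if not m or m.group("name") != metric:
            continue
        labels = {lm.group("k"): lm.group("v") for lm in _LABEL.finditer(m.group("labels") or "")}
        yield labels, float(m.group("value"))


def queue_depth_by_priority(text: str) -> Dict[str, Dict[str, float]]:
    """Return {queue: {"true": depth, "false": depth}} for anchore_queue_length."""
    depth: Dict[str, Dict[str, float]] = defaultdict(dict)
    for labels, value in parse_samples(text, "anchore_queue_length"):
        depth[labels.get("queue", "")][labels.get("priority", "false")] = value
    return dict(depth)


def priority_backlog(text: str, threshold: float) -> List[str]:
    """Queues whose priority-flagged backlog is at or above threshold."""
    return sorted(q for q, d in queue_depth_by_priority(text).items() if d.get("true", 0.0) >= threshold)


if __name__ == "__main__":
    print(queue_depth_by_priority(SAMPLE_SCRAPE))
    print("priority backlog >= 1:", priority_backlog(SAMPLE_SCRAPE, 1))
```

The same split can be expressed directly as a PromQL alert rule, for example sum by (queue) (anchore_queue_length{priority="true"}), once the label is present in your scrape.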
Fixes
- The GET /v2/policies/{policy_id} endpoint will return the complete policy document unless the detail query parameter is set to false.
- The ephemeral storage, within the Policy Engine service, is no longer used to store the vulnerability database.
- Addresses an issue where an image can fail analysis when it contains a recursive Nix package dependency.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- New report types are now available for Images and Runtime Inventory Images with STIG evaluations if your system is entitled
- Following on from 5.19, new report templates now automatically lowercase the default Artifact Type filter value to ensure compatibility with backend requirements
- The Events & Notifications view now automatically fetches the latest event types for the custom selector, ensuring the options stay up to date without requiring manual edits
Fixes
- Fixed an issue where long license text that was truncated in the SBOM table would display in a popup that could overflow the screen. The popup has been adjusted to accommodate larger bodies of text.
- Fixed an issue in the SBOM import dialog where users could not re-select the same file after clearing it
- Fixed an issue where rapidly clicking the Upload & Save button during SBOM uploads could result in multiple submissions being processed
- Fixed an issue where the SBOM Vulnerabilities tab would not display an error message due to server-side errors or network issues
- Fixed an issue where editing multiple LDAP mappings in a row could briefly show data from the previously viewed mapping before the correct data loaded
- Fixed an issue in the Artifact Analysis > Policy Compliance view. When users opened the Add / Remove Allowlist Item modal and tried to scroll within its dropdown menu, the view would refresh and close the dropdown, which prevented selection.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.20.0 | n/a | With Syft v1.27.1 and Grype v0.95.0 |
Enterprise UI | v5.20.0 | | |
AnchoreCTL | v5.20.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.3 | v0.0.12 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.7 | v0.5.6 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.7.0 | v0.7.3 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.27.1
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.95.0
Last modified August 8, 2025