Anchore Enterprise Release Notes - Version 5.21.0
Anchore Enterprise v5.21.0
Enterprise Service
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.20.x
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information, please see the FIPS section in Requirements.
New Features
- Red Hat Enterprise Linux (RHEL) Extended Update Support (EUS)
  - Anchore Enterprise now supports the use of RHEL EUS data when scanning relevant container images for vulnerabilities.
  - See Anchore Secure - Vulnerability Management for more information.
- STIG Evaluations on Kubernetes Containers
  - See the STIG for Kubernetes documentation for more information.
Improvements
- Datasets
  - CISA Known Exploitable Vulnerabilities (KEV) Database and Exploit Prediction Scoring System (EPSS) Database are no longer downloaded by the data-syncer service. These datasets continue to be required:
    - Vulnerability Database
    - Vulnerability Match Exclusions Database
    - ClamAV malware Database
  - The KEV and EPSS data are now sourced directly from the Vulnerability Database provided by the Anchore Data Service.
  - As this change eliminates additional database queries, some users may see an improvement in the performance of vulnerability scans.
- KEV and EPSS data
  - Now available in the response to the following endpoints:
    - `GET /v2/images/{image_digest}/vuln`
    - `GET /v2/sources/{source_id}/vuln`
  - The Policy Trigger `kev list data missing` has been deprecated.
- Artifact Lifecycle Policies
  - Adds support for selecting images that are in a failed analysis state for deletion.
  - See Artifact Lifecycle Policies for more information.
- Anchore SBOM
  - Improves text formatting of notifications related to Anchore SBOM.
  - SBOMs added to your system via Anchore SBOM will now be counted towards your Total SBOM Usage shown in the Enterprise UI.
- Policy
  - Concurrency of Policy Engine workers has been improved to better handle large volumes of simultaneous vulnerability scans.
  - Improves the `/v2/sources/{source_id}/check` API error response when called with an invalid Policy ID.
- API
  - The description of expected status codes for all endpoints in the API documentation has been updated and improved.
Fixes
- Resolves an issue where recursive Nix package dependencies could cause image analysis to fail.
- Resolves an issue where signed images added to Anchore Enterprise from a Harbor registry could fail to analyze.
- Resolves an erroneous STOP warning when evaluating Busybox images against the DISA policy pack.
- Resolves an issue where Azul JDK packages could be misidentified as Oracle JDK packages during image analysis.
- Resolves an issue where passwd_file gates could fail to be evaluated for some images.
- Resolves an issue where exposed_ports triggers could fail to identify exposed ports listed in the Docker History.
- Resolves an issue where large datasets from the Anchore Data Service could fail to be added to the Enterprise database.
- Resolves a STIG evaluation issue for the UBI 8 profile.
- Resolves an issue with the `db_echo` database configuration option not being applied correctly.
- Resolves an issue with Events relating to Policy Evaluation updates not being recorded correctly.
- Resolves an issue when archiving images with policy evaluation records.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- Vulnerabilities that are on the CISA Known Exploited Vulnerabilities (KEV) catalog are now clearly marked with a red warning indicator within both the Artifact Analysis > Vulnerabilities and the Imported SBOMs > Vulnerabilities tabs.
- The Exploit Prediction Scoring System (EPSS) score and percentile are now displayed for each detected vulnerability within both the Artifact Analysis > Vulnerabilities and the Imported SBOMs > Vulnerabilities tabs.
- The CVSS Score filter within the Imported SBOMs > Vulnerabilities tabs now includes a number input field alongside the existing slider. Users can now set precise minimum CVSS scores by typing exact values (e.g., “7.5”) in addition to using the visual slider control.
Fixes
- The System > Accounts view for administrators has been fixed to reduce resource usage at scale.
- Deleting an account via the API did not remove its associated LDAP mapping, which caused an error that prevented the System > LDAP page from loading correctly. This has been fixed.
- Fixed an issue for the account-user-admin role where the Account view attempted to access User Groups data, to which they do not have the required permissions.
- Sometimes, while loading the contents of large SBOMs, an empty list of packages would be displayed for a short time, until loading was completed. We now correctly display a progress loader instead.
- Fixed an issue where navigating to invalid SBOM sub-tab URLs would display a blank page. Invalid tabs now automatically redirect to the summary tab.
- When displaying a list of images that spans several pages, deleting the last image of a page caused the list of images to be empty until the page was fully refreshed. We now switch to the previous page instead.
- Attempting to remove several account roles from a user group at one time failed to remove them all. That is now fixed.
- The name of a user group was previously limited to 50 characters, which was too restrictive for some use cases. We have lifted the limit to 128 characters.
- New validation has been added to user groups to prevent the creation of groups that lack both system-wide and account-specific roles, or that specify an account without assigning any roles to it.
- In multi-page tables, the selected page now consistently resets to the first page when sorting is changed. This behavior was already present in some tables, but it’s now applied uniformly across the app.
- Fixed an issue where switching account context from the Policy Compliance view in Artifact Analysis would cause an error and crash the page.
- Fixed an issue where the Image Ancestry popup in the Artifact Analysis > Image Metadata view would not display data correctly when the image had multiple ancestors.
- Fixed an issue where the “Fix Observed At” column in the vulnerability table was not sorting correctly. The column now sorts dates in descending chronological order (newest to oldest) with proper handling of null values.
- Fixed an issue where the Compliance column in the Kubernetes > Images table was not correctly mapping to the `reason` value.
- Fixed an issue where the Watch Toggle in the Kubernetes > Clusters view would toggle multiple times when clicking it to disable watching a cluster. The toggle now correctly disables watching with a single click.
- Fixed a race condition where toast notifications for the same type of action could cause the notification to be dismissed instead of replaced.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.21.0 | v3.15.0 | With Syft v1.27.1 and Grype v0.95.0 |
Enterprise UI | v5.21.0 | | |
AnchoreCTL | v5.21.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.4 | v0.0.13 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.7 | v0.5.7 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.7.0 | v0.7.3 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.27.1
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.95.0
Last modified September 5, 2025