Anchore Enterprise Release Notes - Version 5.22.0
Anchore Enterprise v5.22.0
v5.22.x Compatibility for Air-gapped Users
Air-gapped users of Anchore Enterprise 5.22.x need to ensure that they are using the same/supported version of AnchoreCTL with Anchore Enterprise for all airgap workflows. This is due to a new dataset format for ClamAV. It is important to immediately upload the new dataset upon upgrade.
Enterprise Service
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.21.x:
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
 
New Features
- Vulnerability Annotation and Vulnerability Exploitability eXchange (VEX)
  - Vulnerability Annotation support has been added for image vulnerabilities. This provides the user the ability to annotate a vulnerability with the result of their assessment, including comments, capturing notes, remediation guidance, or a hyperlink to an external system record (e.g., a Jira issue), in order to facilitate remediation work.
  - A Vulnerability Exploitability eXchange (VEX) document can be generated per image via the API endpoint `GET /v2/images/{image_digest}/vex/openvex`.
  - Policy `vulnerability` Gate’s `package` Trigger now has new options for `missing annotation` and/or `annotation status`.
  - Vulnerability annotations are viewable by any user with the ability to `listImages`, such as RBAC Role `read-only`. The ability to create, modify and delete vulnerability annotations is restricted to users with a new RBAC Role called `vuln-annotator-editor`.
  - Please see the Vulnerability Annotation and VEX documentation for more detailed information.
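A consumer-side check for a document fetched from the VEX endpoint above, added here as an example (not Anchore's code): it tallies statement statuses and flags statements that omit the fields the OpenVEX specification requires for their status. The sample document is constructed, and the assumption is that the endpoint's response follows the standard OpenVEX layout.

```python
import json
from collections import Counter

# Constructed sample in OpenVEX layout, trimmed to the fields this check reads.
SAMPLE_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-1",
  "author": "constructed-example",
  "timestamp": "2025-10-14T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "not_affected"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "affected"},
    {"vulnerability": {"name": "CVE-0000-0004"}, "status": "affected",
     "action_statement": "Upgrade base image"},
    {"vulnerability": {"name": "CVE-0000-0005"}, "status": "fixed"},
    {"vulnerability": {"name": "CVE-0000-0006"}, "status": "resolved"}
  ]
}
""")

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

def review_vex(doc):
    """Return (status counts, list of (vuln, problem)) for an OpenVEX document."""
    counts, problems = Counter(), []
    for i, st in enumerate(doc.get("statements", [])):
        vuln = st.get("vulnerability")
        name = vuln.get("name") if isinstance(vuln, dict) else None
        name = name or f"statement[{i}]"
        status = st.get("status")
        counts[status] += 1
        if status not in STATUSES:
            problems.append((name, f"unknown status {status!r}"))
        elif status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            problems.append((name, "not_affected without justification or impact_statement"))
        elif status == "affected" and not st.get("action_statement"):
            problems.append((name, "affected without action_statement"))
    return counts, problems

if __name__ == "__main__":
    counts, problems = review_vex(SAMPLE_VEX)
    print(dict(counts))
    for name, problem in problems:
        print(f"{name}: {problem}")
```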
 
 
Improvements
- ClamAV
  - ClamAV will EOL versions 1.0.x on November 28, 2025.
  - Anchore Enterprise v5.22.0 has upgraded to ClamAV version 1.4.x. In doing so, Anchore Data Service is now providing a new ClamAV Database (v2).
  - ClamAV has stated that their previous database will no longer be updated with new virus signatures. Therefore, it is critical that you update to Anchore Enterprise v5.22.0 if you are using our malware detection feature.
  - If your deployment is using the data-syncer service with internet connectivity, you need only to update to Anchore Enterprise v5.22.0. The new ClamAV database will automatically be synced with your deployment.
  - If your deployment is using the data-syncer service in Air Gap Mode, it is critical that you run the Air Gap workflow as soon as your deployment has completed upgrade. Please note: you must use AnchoreCTL version v5.22.0 to ensure you get the correct datasets.
- Reports
  - Now contain an indication that the Vulnerability is on the KEV List.
- Policy
  - The `vulnerability` gate’s `package` trigger now has a `known exploited vulnerability` option. This option allows a trigger to fire only when the vulnerability is found on the CISA KEV List.
    - The prior `vulnerability` gate’s `kev list` trigger has been deprecated.
  - The `vulnerability` gate `vulnerability data unavailable` trigger has improved messaging when handling a distroless image.
- API
  - The following endpoints’ vulnerability response objects will now include the PURL:
    - `GET /v2/images/{image_digest}/vuln/{vuln_type}`
    - `GET /v2/sources/{source_id}/vuln/{vuln_type}`
    - `POST /v2/vulnerability-scan`
    - `POST /v2/scan`
  - Within the experimental API endpoints, the PURL is now returned:
    - `GET /exp/sboms/{sbom_uuid}/vulnerabilities/detail-cvs`
    - `GET /exp/sbom-groups/{group_uuid}/vulnerabilities/detail-cvs`
  - RHEL EUS support indication is now available for the one-time-scan commands:
    - `POST /v2/vulnerability-scan`
    - `POST /v2/scan`
  - Additional metadata is now available in the `analysis_status_detail`, including the `analysis_engine` and `enterprise_version`:
    - GET /v2/images/{image_digest
- Object Store Access
  - The deployment can now be configured to allow all services to directly access the object store. The previous and current default behavior is to route all object store access via the Catalog service. To change your deployment so that services have direct access, please update the configuration setting `object_store.direct_access` in your helm values file. After enabling this setting and restarting your cluster, you can verify that the configuration change was successful by observing the following messages at startup:
    `INFO: initializing object storage (direct_access=True)`
    `INFO: object storage initialization complete`
- MS Teams Notification Endpoint change
  - MS Teams will EOL the entire O365 Connectors service in Teams by the end of 2025. Anchore Enterprise is now ready to handle the new workflow. For more information on this change, please visit MSFT Teams Connector.
 
 
Fixes
- Dataset upload events are now generated when in air gap mode and using AnchoreCTL to upload the datasets.
- Improvements when comparing patch versions of the form `4.2.8p14` during stateless vulnerability scans.
- Removes confusing error logs seen while running an object store migration.
- When deleting a scheduled report execution either individually or as part of the entire scheduled report, the objects are now correctly removed from the object store.
- Fixes an issue for some RPM packages where the Fix Observed at Date could not be consistently identified due to a naming normalization oversight.
- Handles an Ubuntu format change which caused a Fix Observed at Date inconsistency to be seen as the analysis time. The Ubuntu format changed from 24.04 to 24.4.
- Fixes the example descriptions for the `vulnerability` Gate `package` Trigger for `epss score` and `epss percentile` optional parameters.
- Fixes the response data of `GET /v2/query/vulnerabilities` when the namespace of NVD is specified.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
 - The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
 - The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
 
UI Updates
Improvements
- Within Artifact Analysis > Vulnerabilities, the Vulnerability Report (both CSV and JSON) that can be downloaded now includes the EPSS score and percentile, as well as the KEV flag.
 - Images analyzed with Red Hat Enterprise Linux (RHEL) Extended Update Support now display clear visual indicators in the Artifact Analysis header. The EUS label shows whether extended support was detected in the image and if it was used during vulnerability scanning. Multiple states are supported including annotation-based overrides, with detailed tooltips explaining the impact on vulnerability results. This helps users understand when EUS affects their security assessments.
 - Added comprehensive VEX (Vulnerability Exploitability eXchange) support through a new vulnerability annotation form in the Artifact Analysis > Vulnerabilities tab. Users can now create and edit vulnerability annotations directly from the image analysis view, set annotation statuses, and add optional details such as action statements and justifications. The form includes proper permission handling with read-only tooltips for users without annotation permissions and full editing capabilities for authorized users.
 - The View Incomplete Analyses modal now includes clickable hyperlinks on Full Tag values that navigate directly to the corresponding images section.
 - The Artifact Analysis > SBOM tab has been renamed to Contents.
 - Package URLs (PURL) are now supported through Artifact Analysis. PURLs are now displayed in the Package Detail popover within the Vulnerabilities table, and a dedicated PURL column has been added to the Contents table for improved package identification and traceability across different ecosystems.
 - SBOM Groups can now be edited after creation. Users can modify the group name, version, and description through selecting Edit Group in the Actions dropdown.
 - By default, Artifact Lifecycle Policies (ALP) or retention policies apply only to images that were successfully analyzed. A new option now allows users to specify that a retention policy should also include images that failed analysis.
 - A new Associated Accounts column has been added to the Users list to display at a glance all the accounts each user has access to and, on hover over an account name, the user’s roles within that account.
 - The System Status indicator shown alongside the System item in the side navigation now has a tooltip describing the current status for improved clarity. A loading icon is also shown while the status is still resolving.
 
Fixes
- Fixes a styling issue with table column headers that made the border between them invisible.
 - When accounts are disabled or users deleted, active sessions are now instantly logged out. This eliminates confusing ‘unauthorized’ errors that previously appeared if they continued to navigate the application.
 - Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
 
Recommended Component Versions
| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v5.22.0 | v3.16.0 | With Syft v1.31.0 and Grype v0.99.1 |
| Enterprise UI | v5.22.0 | | |
| AnchoreCTL | v5.22.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.3.4 | v0.0.13 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.7.7 | v0.5.7 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.7.0 | v0.7.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.31.0
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.99.1
Last modified October 14, 2025