Anchore Enterprise Release Notes - Version 5.25.0
Anchore Enterprise v5.25.0
Enterprise Service
Requirements
- If upgrading from a v4.x release, please refer to the v4.x -> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.24.x:
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
- Minimum recommended memory for the Analyzer and Policy Engine services has been increased from 8GB to 16GB to better support the performance improvements in the new image analysis system. See the Deployment Requirements Documentation for more information.
Archived Images
Images archived prior to Anchore Enterprise v4.0.0 can no longer be restored into the active dataset. Please ensure that any required archived images are restored prior to upgrading to v5.25.0.
New Features
- Artifact Lifecycle Policy
  - Support for Imported SBOMs has been added to the Artifact Lifecycle Policy feature, enabling the automatic deletion of Imported SBOMs based on user-defined criteria. See Artifact Lifecycle Policies for more information.
- RBAC
  - A new RBAC role called `user-viewer` has been added in the `system` domain. This role provides read-only access to user-related information without the ability to modify user data. This role can be assigned to users who need to view user information but should not have permissions to create, update, or delete users. See the RBAC documentation for more information.
- API
  - Added a `username` query parameter to the `GET /v2/accounts/users` endpoint to allow filtering the user list by username.
  - Added a `type` query parameter to the `GET /exp/sboms` endpoint to allow filtering Imported SBOMs based on the type of SBOM. See the Anchore SBOM API Reference for more information.
  - Added an `annotations` query parameter to the `GET /exp/sboms` endpoint to allow filtering Imported SBOMs based on user-defined annotations. See the Anchore SBOM API Reference for more information.
Improvements
- Image Analysis
  - Anchore Enterprise’s image analysis and vulnerability scanning engine has been completely rewritten to more directly align with the native behaviour of Syft and Grype. This results in improved performance, accuracy, and consistency when analyzing images, scanning for vulnerabilities, and evaluating policies. As such, you may observe differences in SBOM content and vulnerability results when comparing images analyzed prior to v5.25 against the same image analyzed with v5.25.
    - Notable improvements include:
      - Performance during image analysis has been significantly improved, reducing analysis time for most images by approximately 40%.
      - Data artifacts generated during image analysis have been reduced in size, resulting in object storage savings of approximately 15% per image.
      - SBOMs generated via AnchoreCTL and Anchore Enterprise’s image analysis system are now more consistent with each other, as both now use the same underlying analysis library for SBOM generation. This results in improved consistency and accuracy of SBOM content across different workflows.
      - SBOMs now provide various improvements including:
        - Full container file listing.
        - Improved distro detection accuracy.
        - Improved package detection accuracy.
      - Image SBOMs downloaded from Anchore Enterprise have increased in size, due to the inclusion of the full file listing, by approximately 2-3x.
      - Changing the value of the `services.analyzer.enable_owned_package_filtering` configuration option will now take effect immediately for images analyzed in v5.25 and later. Previously, this setting only took effect after re-analysis of an image.
    - The new image analysis system is designed to be fully backward compatible with existing images. This means that:
      - All existing images will continue to function as normal, with no re-analysis required. An image re-analysis is only required if you want to take advantage of the improved analysis and scanning capabilities for existing images.
      - Newly analyzed images will automatically benefit from the improved analysis and scanning capabilities.
- Metrics
  - Several new Prometheus metrics have been added to provide visibility into the performance of the new image analysis system. See the Prometheus Documentation for more information on using Prometheus with Anchore Enterprise.
- Updated the descriptions of the `vendor_only` and `will_not_fix` query parameters in the reporting and policy APIs to better clarify their behavior. See the Anchore Enterprise API Reference for more information.
Fixes
- Fixed an issue where updates to Kubernetes inventory cluster names were not being captured correctly.
- Fixed an issue where some Debian based images were not being correctly identified during image analysis.
- Fixed an issue where deleting a base image could cause errors when retrieving policy evaluation results for child images.
- Fixed an issue where some Red Hat Universal Base Image (UBI) based images were not being correctly identified during image analysis.
- Fixed an issue where the `epss_score` filter was not applied correctly when retrieving a vulnerability CSV file for an Imported SBOM or SBOM Group.
- Fixed an issue when updating license overrides via the `PUT /exp/system/package-overrides/licenses` API where not all fields would be updated correctly.
- Improved error handling when attempting to create an Account with a conflicting name, returning a `409 Conflict` response code instead of a `400 Bad Request`.
- Fixed an issue where the `matched_on_cpes` value returned by the Image Vulnerabilities API could be `"None"` instead of an empty list when no CPEs were matched.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
- Images analyzed prior to Anchore Enterprise v4.0.0 will be updated to indicate that their analysis has failed, as Anchore Enterprise no longer supports the analysis artifacts produced prior to v4.0.0. Please ensure that any required images are re-analyzed after upgrading to v5.25.0.
- Images archived prior to Anchore Enterprise v4.0.0 can no longer be restored into the active dataset. Please ensure that any required archived images are restored prior to upgrading to v5.25.0.
UI Updates
Improvements
- Within Imported SBOMs:
  - When viewing vulnerabilities associated with an Imported SBOM or SBOM Group, the following new filter options are now available:
    - The previous Minimum Severity filter has been replaced with a Severity filter that supports selecting one or more severities
    - A Minimum EPSS Score filter
    - A KEV status filter to find vulnerabilities that either are or are not on the KEV list
  - When uploading an SBOM, users can now select the Type of SBOM in question, in order to provide more clarity as to what the SBOM represents
  - SBOM lists now offer more flexible filter options, including filtering by SBOM Name, Version, and Type. The previous table search, which would filter by SBOM Name, has been removed in favor of these new controls
  - SBOM lists now include an Annotations column, displaying a truncated list of annotations for each SBOM (if defined). The cell shows as many annotations as can fit onto one line, with the remainder shown in a popup on hover.
- Within System:
  - The Custom Message configuration setting has now been enabled for editing in the UI. Message content can be defined using markdown to allow for custom formatting, but it is sanitized to prevent any malicious HTML content from being injected.
Fixes
- Fixed an issue where exporting SBOM Compliance data could possibly include stale Evaluation Problems data after switching Policy
- When switching Policy Preview in SBOM Compliance, any previously applied filters are now reset. This ensures that the full evaluation data is presented, avoiding possible confusion from filters that are no longer relevant in the context of the applied Policy.
- Fixed an issue where partial configuration values from multiple sources (environment variables and config file) were not being properly merged for configs that support this capability. For example, setting `ANCHORE_AUTHENTICATION_LOCK_COUNT` via environment variable and `expires` via `config-ui.yaml` now correctly produces a merged configuration. The UI also now displays improved messaging when configurations come from mixed sources or when incomplete configurations are detected.
- Fixed an issue where checkboxes for nullable configuration fields did not accurately reflect the active state when a default value was being applied. Additionally, toggling a checkbox off and back on now preserves the user-entered value instead of reverting to the default.
- Fixed an issue where UI database migrations could fail unexpectedly. We believe this has only affected our internal testing environments. However, if you have noticed migration errors in your logs during application startup, it should now be resolved. Please reach out to Anchore Support if you continue to experience issues.
- Fixed an issue where the OS Packages filter for the vulnerability results in Artifact Analysis table did not correctly include Windows KB vulnerabilities. The filter now properly includes all OS package types (Windows KB, Nix, and ALPM) alongside the previously supported types (Debian, Alpine, and RPM).
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v5.25.0 | v3.21.0 | With Syft v1.41.2 and Grype v0.104.1 |
| Enterprise UI | v5.25.0 | | |
| AnchoreCTL | v5.25.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.4.1 | v0.0.16 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.8.2 | v0.6.3 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.8.2 | v0.8.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.5.3 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.41.2
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.104.1
Last modified February 18, 2026