Anchore Enterprise Release Notes - Version 5.26.0
Anchore Enterprise v5.26.0
Enterprise Service
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.25.x:
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS-enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
- Minimum recommended memory for the Analyzer and Policy Engine services has been increased from 8GB to 16GB to better support the performance improvements in the new image analysis system. See the Deployment Requirements Documentation for more information.
Archived Images
Images archived prior to Anchore Enterprise v4.0.0 can no longer be restored into the active dataset. Please ensure that any required archived images are restored prior to upgrading to v5.25.0.
New Features
- Vulnerability Data Sources
  - Adds vulnerability data source support for VMware PhotonOS, enabling vulnerability monitoring for images based on PhotonOS.
  - Adds vulnerability data source support for Fedora, including EPEL packages sourced from the Bodhi update system.
  - Adds vulnerability matching and policy evaluation support for SecureOS and Arch Linux.
- CPE Matching Configuration
  - CPE matching for GitHub-covered ecosystems is now disabled by default for new deployments. Existing deployments that upgrade to v5.26.0 will see no change. This setting is configurable via the API, allowing administrators to customize CPE matching behavior per ecosystem. See Vulnerability Scanning for more information.
Improvements
- Updates the embedded Grype vulnerability scanner to handle version string prefix changes for improved compatibility.
- The policy engine now correctly handles hints-synthesized Java packages with null `virtualPath` metadata, preventing potential crashes during analysis.
Fixes
- Fixes an issue where configuration patches of array string values are not applied correctly.
- Fixes an issue where notification exceptions are not properly hidden in the logs.
- Fixes an issue where the `GET /v2/images/{image_digest}/metadata/{metadata_type}` API returns a 500 error instead of 404 when the given image digest is not found.
- Fixes an issue where listing policies with detail fails if the policy is not accessible from the object store.
- Fixes an issue where not all image analysis events include the full image pullstring.
- Fixes an issue with the IDP authentication workflow related to the `request.data` deprecation.
- Fixes an issue where image content search regex values are double base64 encoded.
- Fixes a SQL injection vulnerability in the `/reports/graphql` endpoint `nextToken` parameter.
- Fixes an issue where `/query/vulnerabilities` endpoint responses are missing some fields on certain NVD records.
- Fixes an issue where binary hints are being dropped when there is a duplicated location.
- Fixes an issue where Java hints are not being applied correctly.
- Fixes an issue where image analysis fails when using license hints.
- Fixes an issue where the catalog service fails to parse valid OCI image manifests.
- Fixes an issue where the Windows analyzer is using the wrong package type for Grype.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
- Images analyzed prior to Anchore Enterprise v4.0.0 will be updated to indicate that their analysis has failed, as Anchore Enterprise no longer supports the analysis artifacts produced prior to v4.0.0. Please ensure that any required images are re-analyzed after upgrading to v5.25.0.
- Images archived prior to Anchore Enterprise v4.0.0 can no longer be restored into the active dataset. Please ensure that any required archived images are restored prior to upgrading to v5.25.0.
UI Updates
Improvements
- Within Image Analysis:
  - When viewing the Vulnerabilities tab, the filter previously labeled Vendor Packages has been renamed to Disputed by Vendor to better describe its purpose: filtering vulnerabilities where the distribution vendor’s assessment differs from NVD and no fix is planned.
- Within Imported SBOMs:
  - SBOM lists can now be filtered by their Annotation entries. The control supports a compound filter criteria of up to five key-value pairs to find matching SBOMs.
  - In the Compliance tab, the Recommendation filter has been replaced by a boolean Has Recommendation filter, which makes it easy to display only findings that either have or do not have a recommendation, rather than filtering by the contents of the recommendation.
- Within System:
  - A new user-viewer role can now be assigned to user groups or directly to users. A user with this role can use AnchoreCTL or the API to view all the users of the system across all accounts.
Fixes
- Fixed an issue where missing or unavailable content data for a predecessor image could prevent the Vulnerabilities, Contents, and Changelog pages from loading for the current image.
- Addressed a contrast issue with the selected auth type on the Login screen, which was particularly hard to see in light mode. The active auth type is now outlined.
- When using the Evaluation Preview option in the Policy Editor, the Inherited from Base and Allowlisted columns always displayed No, even when they should have had a value. That issue has been addressed.
- Fixed an issue where the search input and pagination controls would disappear when result filters produced zero results, but remained visible when the table search produced zero results. The controls now persist consistently as long as the artifact has vulnerabilities, allowing users to adjust their filters regardless of how results were narrowed.
- The list of mappings used by a specific allowlist did not account for SBOM or Source Repository mappings, and listed only Container Image mappings. That issue has now been addressed.
- Fixed an issue where persistence of URL query params for selected SBOM Groups was lost. The view now correctly retains the selection across page reloads and filters the list of SBOMs as expected.
- Fixed an issue where the policy compliance table in the Artifact Analysis view would revert to the default sort order (Gate Action) after adding an entry to an allowlist. The table now preserves the user’s selected sort order when compliance data is refreshed after this change.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v5.26.0 | v3.23.0 | With Syft v1.42.2 and Grype v0.109.1 |
| Enterprise UI | v5.26.0 | | |
| AnchoreCTL | v5.26.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.4.1 | v0.0.16 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.8.2 | v0.6.3 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.8.3 | v0.8.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.5.3 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.42.2
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.109.1
Last modified March 31, 2026