Anchore Enterprise Release Notes - Version 5.5.0

Anchore Enterprise v5.5.0

Anchore Enterprise release v5.5.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.3.0
    • The upgrade will result in an automatic schema change that will require database downtime. We are anticipating that this schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
  • If upgrading from the v5.4.x release, no additional action is needed.

Improvements

  • Feeds Service

    • Defaults to using the anchore produced workspaces for each vulnerability feed provider. These workspaces are updated every six (6) hours. Please see Feeds for more detailed information.
    • Ubuntu 24.04 Feed Provider is now supported.

  • Reports

    • Reduced the number of links to upstream sources of vulnerabilities within the reports by adding a new field in the reports. This should be seamless to users of the UI reporting service.

  • Authentication

    • Improved the error message returned when requesting an API Key expiry date exceeds the configured setting.
    • Removes the restriction that prevents creation of SSO users explicitly in Anchore when sso_require_existing_users is not set. SSO users may now be created manually and associated with an IDP by user admins regardless of the configuration of the IDP integration. This is only available directly via the API.

  • API

    • Provides a new endpoint to download the compatible version of AnchoreCTL directly from the product. GET /system/anchorectl
    • Provide new value of stateless_sbom_analysis from GET /system/statistics

  • AUDIT Logs

    • The helm chart now provides the ability to disable the AUDIT logging that was introduced in v5.4.0. The default is set to enable.
      audit:
  enabled: true
    • Now includes the following endpoint
      • /v2/user/api-keys
      • /v2/user/api-keys/{key_name}
      • /v2/user/credentials
      • /v2/accounts/{account_name}/users/{username}/credentials

  • Update the built-in CIS policy to the latest version (v1.6.0). The new policy will automatically be populated for newly created accounts.

  • Service Logging

    • Improved logging output
    • Ability to enable service log output as structured logs
    • Ability to change service log size and rotation rules
    • Helm chart has deprecated the previous log_level control
      ## NOTE: This is deprecated, use logging.log_level
  anchoreConfig:
    log_level: INFO
    • New helm chart controls are
      anchoreConfig:
    logging:
      file_rotation_rule: "10 MB"
      file_retention_rule: 10
      log_level: INFO
      structured_logging: false

Fixes

  • Removes false-positive vulnerability matches on the kernel headers packages for RHEL and Debian when the match is on the full kernel and the kernel is not present in the image.
  • Better handle overlapping vulnerability scans for the same image.
  • Better detection of vulnerabilities for Calico images.
  • Improved error messages for misconfigured S3 buckets during service startup.
  • Fixed the filter of Vendor Only when used by the Vulnerabilities Policy Gate and Package Trigger.
  • Better handle Runtime Inventory that contains missing IDs.
  • Reports, Vulnerabilities by ECS Container, Vulnerabilities by Kubernetes Container, and Vulnerabilities by Kubernetes Namespace, no longer produce results that are not part of the current inventory tracked by Catalog Service. This behavior is now the same as other provided reports.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.

UI Updates

Improvements

  • The Image Selection view has been optimized to improve performance when loading the different data tiers (registry, repository, and tags). This optimization should reduce the time taken to present the information in each of these tables.
  • The report templates that contain links to external references now use the Image Link field by default, replacing the (deprecated) Links field. This prevents duplication of results where the only differences between row entries were the links themselves.

Fixes

  • Operations against the services utilized by the Inventory view are now correctly logged in the system logs.

  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

ComponentSupported VersionAdditional Info
Enterprisev5.5.0With Syft v1.2.0 and Grype v0.77.0
Enterprise UIv5.5.0
AnchoreCTLv5.5.0Deploying AnchoreCTL
Enterprise Helm Chartv2.6.0https://github.com/anchore/anchore-charts
Anchore ECS Inventoryv1.3.0https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventoryv1.4.0https://github.com/anchore/k8s-inventory
Kubernetes Admission Controllerv0.5.0https://github.com/anchore/kubernetes-admission-controller
Jenkins Pluginv3.0.0https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapterv1.3.2https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scanv4.0.0docker.io/anchore/enterprise-gitlab-scan:v4.0.0
Last modified September 30, 2024