Anchore Enterprise Release Notes - Version 5.7.0

Anchore Enterprise v5.7.0

Anchore Enterprise release v5.7.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x -> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.3.0
    • The upgrade will result in an automatic schema change that will require database downtime. We are anticipating that this schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
  • If upgrading from a release in the range of v5.4.x - v5.6.x
    • The upgrade will result in an automatic schema change that will require database downtime. We expect that this could take up to 2 hours depending on the amount of data in your system.

Improvements

  • Adds the ability for users to override the base image used throughout the system. This is done by adding the annotation anchore.user/marked_base_image to an image in the ancestry.
    • API endpoints /v2/images/{image_digest}/check and /v2/images/{image_digest}/vuln/{vuln_type} now accept auto as a value for the base_digest parameter, which lets the system determine which ancestor is used as the Base Image.
    • This feature is enabled by default in v5.7.0. To disable this feature, set services.policy_engine.enable_user_base_image to false in the values.yaml file.
  • API access for users configured for native access can now be disabled by setting anchoreConfig.user_authentication.disallow_native_users to true in the values.yaml file.
  • Adds info level log messages to runtime inventory post handlers.
  • Improves report Vuln ID Filter description to include CVEs.
  • Removes the image_cpes database table that is no longer used and can consume a large amount of database space.
  • Improves validation of object_store and analysis_archive settings during startup.
  • The response object of GET /v2/rbac-manager/my-roles now includes more detail about the account for each role.
  • Admin users can now create an API Key that can be used to manage Accounts, User Groups and RBAC Roles.
  • Reduced the size of the Enterprise Image.

Fixes

  • The Fix Observed At value on vulnerabilities from all ecosystems now displays correctly.
  • Deployments using db as their object store driver can now store large objects over 1GB in size, so very large SBOMs are now stored successfully.
  • Addresses an issue where account deletion did not fully clean up db artifacts stored for the account, for example some reporting data.
  • The CycloneDX SBOM now contains the bom-ref field as part of the output.
  • Allow users with read-only or read-write RBAC Authorization to have the following permissions:
    • getECSContainers
    • getECSServices
    • getECSTasks
    • getKubernetesClusters
    • getKubernetesVulnerabilities
    • listRuntimeInventories
    • getKubernetesNamespaces
    • getKubernetesContainers
    • getKubernetesNodes
    • getKubernetesPods
  • Fixes an issue in the policy_creation counter found in the GET /v2/system/statistics endpoint.
  • Explicit SAML Users are now allowed to use the : character in usernames.
  • Account names are now prevented from being created with the # character.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • Package Feeds and Policy Gates for Ruby Gems and NPMs are now deprecated. Please contact Anchore Support for more information.

UI Updates

Improvements

  • The login page has been updated with a new design that uses tabs to switch between configured authentication methods. When multiple authentication methods are available, tabs are shown for each available method. The user’s last-selected method is remembered and shown as the default tab on subsequent visits.

  • Anchore Enterprise now supports a Single Sign-On (SSO) only mode. This mode allows administrators to disable the local authentication mechanism, which removes the default login form. This is an opt-in feature enabled by setting the sso_auth_only configuration option to True.

  • The Analyze a Tag control has been updated to allow users to provide a SHA256 digest for the image they wish to analyze. This feature is useful when you only want to analyze a specific image. In addition, you can now populate the Registry, Repository, and Tag fields by pasting a pull string (e.g., docker pull docker.io/library/alpine:latest) in the inline control provided.

  • The reported base image in the Artifact Analysis view now reflects changes made within our platform services, whereby the system can either make the determination automatically or have the base image specified by an anchore.user/marked_base_image annotation associated with an image in the ancestry.
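The pull-string paste described for the Analyze a Tag control above splits one string into Registry, Repository and Tag fields. The following is an added example of that split, not code from the Anchore Enterprise UI; the splitting rules are the usual Docker image-reference conventions (a first component is a registry only when it looks like a host, Docker Hub official images sit under the implicit library namespace, a tag is the part after the last colon that follows the last slash) and are an assumption about how the UI behaves, not taken from its source. The function name parsePullString and the simplified repository-name check are also my own.

```javascript
// Added example (not from the Anchore Enterprise UI): turn a pasted pull string such as
// "docker pull docker.io/library/alpine:latest" into Registry / Repository / Tag fields.
// Rules follow common Docker reference conventions; they are an assumption about the UI.

const DEFAULT_REGISTRY = 'docker.io';
const DEFAULT_TAG = 'latest';

function parsePullString(input) {
  // Accept either a bare reference or a full "docker pull <ref>" command line.
  let ref = input.trim().replace(/^docker\s+pull\s+/i, '');
  if (ref === '' || /\s/.test(ref)) {
    throw new Error('expected a single image reference');
  }

  // A digest, if present, follows '@' and pins one specific image.
  let digest = null;
  const at = ref.indexOf('@');
  if (at !== -1) {
    digest = ref.slice(at + 1);
    ref = ref.slice(0, at);
    if (!/^sha256:[0-9a-f]{64}$/.test(digest)) {
      throw new Error('unsupported digest format: ' + digest);
    }
  }

  // The first path component is a registry only if it looks like a host
  // (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is implied.
  let registry = DEFAULT_REGISTRY;
  const slash = ref.indexOf('/');
  if (slash !== -1) {
    const first = ref.slice(0, slash);
    if (first.includes('.') || first.includes(':') || first === 'localhost') {
      registry = first;
      ref = ref.slice(slash + 1);
    }
  }

  // A tag is a ':' after the last '/', so a registry port is never mistaken for a tag.
  // When only a digest was given there is no tag to default to.
  let tag = digest ? null : DEFAULT_TAG;
  const lastSlash = ref.lastIndexOf('/');
  const colon = ref.lastIndexOf(':');
  if (colon > lastSlash) {
    tag = ref.slice(colon + 1);
    ref = ref.slice(0, colon);
  }

  // Docker Hub official images live under the implicit 'library' namespace.
  let repository = ref;
  if (registry === DEFAULT_REGISTRY && !repository.includes('/')) {
    repository = 'library/' + repository;
  }
  // Simplified repository-name check (lowercase path components, separators only inside a component).
  if (!/^[a-z0-9]+(?:[._-]+[a-z0-9]+)*(?:\/[a-z0-9]+(?:[._-]+[a-z0-9]+)*)*$/.test(repository)) {
    throw new Error('invalid repository name: ' + repository);
  }

  return { registry, repository, tag, digest };
}

// The example pull string from the release notes.
console.log(parsePullString('docker pull docker.io/library/alpine:latest'));
```

Digest references are kept separate from the tag because the two identify an image differently: the tag is mutable, the digest is not, which is why the notes offer a SHA256 digest as the way to analyze exactly one image.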

Fixes

  • Previously, the selected default entry in the table page size dropdown was not being set correctly when opened, and was defaulting to the first entry. This has now been addressed.

  • Our application security policies have been updated to prevent client-side caching and the execution of arbitrary code via eval() within our dependent packages, and the HTTP Strict Transport Security (HSTS) header has been added to enforce the use of HTTPS connections and to remove the ability for users to click through warnings about invalid certificates.

  • Within Artifact Analysis, when the route for this view (and the associated compliance data request) contained the fat manifest digest, the image_digest returned would still be the platform-specific digest. This caused an equality check with the route to fail. This has now been fixed.

  • The Vulnerability ID filter description has been updated to clarify that it filters the Vulnerability and CVE fields.

  • The Delete Events modal within the Events tab was successfully deleting events in batches, but the progress bar was not visually updating to indicate this. This has now been fixed.

  • The calculation in the Dashboard view that describes how many vulnerabilities were affecting how many repositories was inaccurate because the summarization included duplicate entries. This was a consequence of different vulnerabilities against the same repository advancing the repository count. This has now been corrected.

  • An issue with the policy allowlist data payload was preventing updates (such as removals) from taking place against allowlists displayed by the associated dialog in the Artifact Analysis view. Now fixed.

  • The donut chart displayed in the printable version of the Policy Compliance tab in the Artifact Analysis view was not positioned correctly. This has now been fixed.

  • Boolean values for annotations are now displayed correctly.

  • The Twitter social media logo has been updated to 𝕏 to reflect the change in brand and name.

  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

Component                       | Supported Version | Helm Chart Version | Additional Info
--------------------------------|-------------------|--------------------|-----------------------------------------------------------
Enterprise                      | v5.7.0            | v2.8.0             | With Syft v1.7.0 and Grype v0.79.1
Enterprise Feeds                | v5.7.0            | v2.7.0             |
Enterprise UI                   | v5.7.0            |                    |
AnchoreCTL                      | v5.7.0            |                    | Deploying AnchoreCTL
Anchore ECS Inventory           | v1.3.1            | v0.0.7             | https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventory    | v1.6.2            | v0.4.2             | https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller | v0.6.2            | v0.6.2             | https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                  | v3.1.2            |                    | https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter          | v1.3.3            |                    | https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scan          | v4.0.0            |                    | docker.io/anchore/enterprise-gitlab-scan:v4.0.0

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Last modified September 30, 2024