Anchore Enterprise Release Notes - Version 5.9.0

Anchore Enterprise v5.9.0

Anchore Enterprise release v5.9.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.8.1
    • The upgrade will result in an automatic schema change that will require database downtime.
    • The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    • The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    • The v5.7.0 - v5.8.1 schema change will require minimal database downtime.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.

Improvements

  • Package Types
    • Enterprise has increased the number of supported package types to be aligned with what is currently supported by Syft. Below is a list of the newly available package types:
      • ArchLinux alpm (under os)
      • CocoaPods
      • Conan
      • Dart Pub
      • Erlang/OTP
      • Gentoo Portage (under os)
      • GitHub Action Workflows
      • GitHub Actions
      • Hackage
      • Hex (Erlang)
      • Linux Kernel
      • Linux Kernel Module
      • LuaRocks
      • NixOS packages (under os)
      • PHP Composer
      • PHP PECL
      • R Package
      • Rust Crate
      • SWI-Prolog
      • Swift
      • WordPress Plugins
  • Policy
    • The Default Policy, which is automatically available in newly created accounts, has been renamed Anchore Enterprise - Secure - Default Policy. It has also received some updates to its rule sets.
    • The CIS Policy is no longer automatically available during new accounts creation.
    • The anchore_security_only Policy is no longer automatically available during new accounts creation.
    • Theancestry gate now supports denylisting ancestor images by tag or digest.
  • API
    • POST /v2/repositories endpoint now includes a query parameter exclude_existing_tags which when set will exclude tags that are already present in the repository. Only newly created tags will be added to the Enterprise system.
    • GET /v2/system/statistics API endpoint now includes the following
      • account_creation
      • account_inventory
      • user_creation
      • user_inventory
      • report_execution_inventory
      • image_inventory
      • source_inventory
    • GET /v2/summaries/image-tags endpoint now includes an optional flag runtime which when set to true will return only tags that are found in the runtime inventory.
  • Report Graphql
    • Support was added to cancel a report execution that is currently running or queued.

Fixes

  • The SPDX format will now have the correct originator field for JAVA jar packages.
  • Addresses an issue where Native Users that had active UI sessions continue to be able to access reports after Native Users are disabled.
  • Improves the error handling when listing policies that have a missing or invalid policy digest.
  • Fixes debug logging in the authorization path within the API Service.
  • Fixes an issue where we failed to fetch vulnerabilities for an Alpine image due to improper constraints.
  • The metadata trigger in the packages gate will now default to an equality (’=’) comparison for the package type, name and version fields. The comparison can be controlled by specifying the type_comparison, name_comparison or version_comparison parameters.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • Package Feeds and Policy Gates for Ruby Gems and NPMs, are now deprecated. Please contact Anchore Support for more information.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
  • The Feed Service is deprecated in v5.8.0. Starting in v5.10.0 a new service will be introduced to synchronize Feed data from a hosted Anchore Data Service.

UI Updates

Improvements

  • The SBOM tab within the Image and Source Analysis views now supports many more package types such as Conan, Swift, etc.

  • A new Usage tab for administrators has been added to the System view which displays metrics related to SBOMs analyzed, total number of accounts, and the total number of users in the system. This tab is meant to provide insights into your installation and the value Anchore delivers. Additional detail is available for download as a JSON file.

  • The Analyze Repository dialog in the Image Selection view now has an option to exclude existing tags from analysis. This is ideal for scanning very large repositories without pulling in unnecessary history.

  • The Analyze Tag dialog now allows a Dockerfile to be uploaded when you submit a tag or image digest for analysis. The Dockerfile can then be used for policy gates which rely on it rather than the ‘guessed’ one.

  • The Incomplete Analyses modal within the Image Selection view has been further optimized to improve performance via server-side pagination, filtering, and sorting.

  • Within the Reports tab, users can now manually stop generating a report that is pending or currently running. For large-scale systems, this can be useful to prevent a report from consuming significant resources.

  • Within the Reports tab, the Account column is currently included by default for most of our system templates. This field is necessary when viewing global reports (results scoped to multiple accounts). When a new, global report is based on a template that does not include the Account column, the column is now automatically added during the report preview. Similarly, if the local scope is configured instead, the Account column is automatically removed during report preview. The column can still be manually added or removed prior to report creation.

Fixes

  • Users with the createRepository permission can now analyze a repository even if one or more tags have already been analyzed. Previously, a conflict would occur if the underlying repo_update subscription existed, regardless if it was active or not.

  • Previously, report filter values were not trimmed of whitespace prior to previewing a report. This issue is now fixed.

  • When sorting a report by a column that contains null values, the sorting order was incorrectly handled. This issue has now been addressed.

  • When deleting event(s) from the Events view, the confirmation modal buttons have had their language updated to be more descriptive. Instead of ‘Yes’ or ‘No’, the buttons now read ‘Delete’ and ‘Cancel’.

  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs.

ComponentSupported VersionHelm Chart VersionAdditional Info
Enterprisev5.9.0v2.10.0With Syft v1.11.1 and Grype v0.80.0
Enterprise Feedsv5.9.0v2.9.0
Enterprise UIv5.9.0
AnchoreCTLv5.9.1Deploying AnchoreCTL
Anchore ECS Inventoryv1.3.2v0.0.9https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventoryv1.6.2v0.4.3https://github.com/anchore/k8s-inventory
Kubernetes Admission Controllerv0.6.2v0.6.2https://github.com/anchore/kubernetes-admission-controller
Jenkins Pluginv3.2.0https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapterv1.4.0https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scanv5.0.0docker.io/anchore/enterprise-gitlab-scan:v5.0.0

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Last modified October 1, 2024