Anchore Enterprise Release Notes - Version 6.0.0
Anchore Enterprise v6.0.0
Enterprise Service
Anchore Enterprise v6.0.0 introduces the new SBOM Management platform, organized around Apps, App Versions, and Assets. Assets are container images or imported SBOMs. Assets are grouped under App Versions, providing aggregated SBOM content, vulnerability findings, policy compliance results, and document exports. The platform is powered by a new asynchronous Jobs framework for analysis, import, and export operations.
Requirements
- Anchore Enterprise v6.0.0 requires PostgreSQL 17 or greater with the pg_cron extension installed and accessible by Anchore Enterprise. Pre-flight checks verify at startup that the database version and required extensions are working correctly, and the deployment will fail to start if these requirements are not met.
- SBOM ingestion in v6.0 drives larger parallel query plans against PostgreSQL, which use dynamic shared memory (`/dev/shm` on Linux). Docker's default tmpfs of 64 MiB is insufficient for typical SBOM workloads. Operators running PostgreSQL on Kubernetes or self-managed hosts should size `/dev/shm` to at least 1 GiB - see Shared Memory for full guidance. Managed databases (Amazon RDS, Aurora) are unaffected.
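Added example (not from the Anchore documentation) of meeting the `/dev/shm` requirement for a self-managed PostgreSQL pod on Kubernetes: a memory-backed `emptyDir` mounted at `/dev/shm` with the 1 GiB floor stated above. The pod name, labels and image tag are assumptions.

```yaml
# Added example: memory-backed /dev/shm for a self-managed PostgreSQL 17 pod.
# The pod name and image tag are assumptions; only the /dev/shm mount point
# and the 1 GiB minimum come from the release notes above.
apiVersion: v1
kind: Pod
metadata:
  name: anchore-postgres          # assumed name
spec:
  containers:
    - name: postgresql
      image: postgres:17          # assumed tag; v6.0.0 requires PostgreSQL 17 or greater
      volumeMounts:
        - name: dshm
          mountPath: /dev/shm     # parallel query workers allocate dynamic shared memory here
  volumes:
    - name: dshm
      emptyDir:
        medium: Memory            # tmpfs backed by RAM rather than node disk
        sizeLimit: 1Gi            # at least 1 GiB; this counts against the pod's memory limit
```

For Docker the equivalent is `--shm-size=1g` on `docker run` (or `shm_size: 1gb` on the service in Compose), replacing the 64 MiB default.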
Announcements
Behavior changes
- Default CPE matching configuration - New installs now default to a CPE matching configuration aligned with native Grype behavior. CPE-based matching is disabled for ecosystems with strong GitHub Security Advisory coverage (Java, Python, JavaScript, Ruby, .NET, and Go, with the Go standard library excepted) to reduce false positives. A curated mapping of known CPEs to Grype package specifiers, delivered through vulnerability database updates, preserves matching for well-known packages that are not distributed through public ecosystems.
- Hashed passwords and OAuth always enabled - Hashed password storage and OAuth for internal service communication are now always enabled and are no longer configurable. The related configuration options and the `anchore-enterprise-manager` utility for converting plaintext passwords have been removed.
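For reference, the native Grype behaviour that the new CPE matching default aligns with looks like this in Grype's own `.grype.yaml`. This is an added illustration using Grype's configuration keys, not an Anchore Enterprise configuration file; the release notes do not name the Enterprise-side settings.

```yaml
# Added illustration in Grype's native .grype.yaml format. These are Grype's
# own keys; the corresponding Anchore Enterprise setting names are not given here.
match:
  # Ecosystems with strong GitHub Security Advisory coverage: CPE matching off,
  # so findings come from ecosystem advisory data and fewer false positives
  # arise from loose CPE vendor/product/version matches.
  java:
    using-cpes: false
  python:
    using-cpes: false
  javascript:
    using-cpes: false
  ruby:
    using-cpes: false
  dotnet:
    using-cpes: false
  golang:
    using-cpes: false
    always-use-cpe-for-stdlib: true   # the Go standard library is the stated exception
  # Packages with no ecosystem advisory source (OS packages, binaries) keep CPE matching.
  stock:
    using-cpes: true
```

When reviewing findings after upgrading, expect fewer CPE-sourced matches in these ecosystems; packages not published through a public ecosystem rely on the curated CPE-to-package mapping delivered with vulnerability database updates.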
New Features
Apps
Apps are a new way to organize the software you monitor with Anchore Enterprise. An App represents one of your software projects or products. Each App has Versions, and each Version holds the Assets — the container images and SBOMs — that make up that release. Anchore Enterprise rolls up the SBOM content, vulnerability findings, and policy compliance results from all of a Version’s Assets, so you can answer questions about an entire release instead of piecing together results one artifact at a time. Please see Apps for the full model and how to work with Apps, Versions, and Assets.
You can manage Apps, Versions, and Assets through new public APIs or with AnchoreCTL. Everything you’d expect
comes along with the new model: new RBAC roles (application-editor, application-delete) for managing Apps, Versions, and Assets, events are generated as
Apps, Versions, and Assets are added or deleted, and usage metrics count Apps, Versions, Assets, and unique artifacts. The new APIs also
share a standardized error model — structured error codes with consistent JSON responses, a lookup API for code details,
and documented remediation guidance for each code.
Assets
There are several ways to get Assets into an App Version:
- Container images — let Anchore Enterprise pull and analyze the image for you (centralized analysis), or analyze it locally with AnchoreCTL and upload the result (distributed analysis).
- Filesystems — analyze a directory tree locally with AnchoreCTL (e.g. a source repo, build artifact dir, or mounted VM) and upload the resulting SBOM. See Filesystem Assets.
- SBOMs you already have — import Syft, CycloneDX, or SPDX documents directly. Anchore Enterprise breaks them down into package contents that feed the Version’s aggregated views, vulnerability scans, and policy evaluations. Please Note: SPDX 3.x documents can be uploaded and downloaded today, but content and vulnerability analysis against them is not yet functional.
You can download an Asset’s SBOM at any time — you get back the original document for imported SBOMs, or the generated SBOM for container images.
Aggregated SBOM Content
Every App Version gives you a single, deduplicated view of the packages across all of its Assets. You can search packages, see a summary of unique packages by type, and ask which Assets contain a particular package.
Aggregated Vulnerability Results
Vulnerability findings are rolled up across all of a Version’s Assets and kept current as the vulnerability database updates. Scanning reports vulnerabilities even for packages of unknown type, and automatically enriches SBOMs with CPEs when none are present, so imported SBOMs get full match coverage. You can list and search findings, view a summary broken down by severity, fix availability, KEV listing, and EPSS coverage, and look up which packages a given vulnerability affects. To help you decide what to tackle first, each finding carries an Anchore Score (0-100) that blends CVSS, severity, EPSS, and KEV signals, shows where each CVSS score came from (NVD, CISA, GitHub, or Other), and links back to the upstream data sources. And when a vulnerability database update brings new findings for an App, you’ll get an event listing the affected Versions.
You can also record VEX annotations on an App to capture your assessment of a finding. Annotations apply to a specific vulnerability and package pair — so marking one package as not affected won’t hide other packages hit by the same CVE — and that state shows up everywhere: in listings, search, and summaries.
Aggregated Policy Compliance
Each App Version’s compliance status stays continuously up to date against your active policy — when Assets change, the policy changes, or the vulnerability database updates, Anchore Enterprise re-evaluates automatically. You can retrieve the overall pass/fail status with summary statistics, or dig into paginated, searchable policy findings.
Exports
When you need to hand results to another team or tool, you can export an App Version’s aggregated data as downloadable documents:
- SBOM in SPDX or CycloneDX format
- VDR (Vulnerability Disclosure Report) in CycloneDX JSON, VEX-aware with an optional flag for narrative annotation detail
- VEX document in CycloneDX format
- Vulnerabilities, package contents, and policy compliance documents in CSV format
Jobs
Asset analysis, SBOM import, and exports all run as asynchronous jobs, so long-running work doesn’t block you. Jobs are visible within an App Version and provide a view of the ongoing and completed work the system is doing. This view also provides a place to download any exported documents.
Fixes
- Fixes an issue where an invalid regular expression in a Dockerfile gate instruction trigger was accepted but caused policy evaluations to fail; regular expression values are now validated when the policy is submitted.
- Fixes an issue where the Dockerfile gate produced a misleading remediation suggestion when evaluating an SBOM that contained no Dockerfile.
- Fixes an issue where the image digest was reported inconsistently across event details; image-related events now expose the digest through a single, consistent field.
- Fixes an issue where Java package hints only applied the minimum fields (name, version, and type) and dropped additional properties such as location, origin, and the implementation, Maven, and specification versions.
- Fixes an issue where some CPEs in the vulnerability database were transformed into invalid representations, causing affected-package fields to be missing or empty in vulnerability query results.
- Fixes an issue where analyzing an image containing hints-synthesized Java packages with a null virtual path caused policy engine ingestion to fail, leaving the image stuck in an analyzing state.
- Fixes an issue where retrieving license overrides failed with a 400 error when the package URL contained an `@` in a namespaced package scope (for example, npm scoped packages such as `@babel/code-frame`).
- Fixes an issue where a transient database error during configuration refresh could cause the configuration watcher to crash repeatedly until the service was restarted.
- Fixes an issue where malware scanning failed when ClamAV output contained non-UTF-8 characters, causing image analysis to fail.
- Fixes an issue where image analysis failed during document view generation if the database was restarted without also restarting the Catalog service.
- Fixes an issue where the source content APIs returned legacy content types (`docker_history`, `dockerfile`, and `manifest`) that are not applicable to sources.
Deprecations
The legacy Application APIs are deprecated in favor of the new Apps and App Versions APIs.
- `GET /v2/applications`
- `POST /v2/applications`
- `GET /v2/applications/{application_id}`
- `PUT /v2/applications/{application_id}`
- `DELETE /v2/applications/{application_id}`
- `GET /v2/applications/{application_id}/versions`
- `POST /v2/applications/{application_id}/versions`
- `GET /v2/applications/{application_id}/versions/{application_version_id}`
- `PUT /v2/applications/{application_id}/versions/{application_version_id}`
- `DELETE /v2/applications/{application_id}/versions/{application_version_id}`
- `GET /v2/applications/{application_id}/versions/{application_version_id}/artifacts`
- `POST /v2/applications/{application_id}/versions/{application_version_id}/artifacts`
- `DELETE /v2/applications/{application_id}/versions/{application_version_id}/artifacts/{association_id}`
- `GET /v2/applications/{application_id}/versions/{application_version_id}/sboms/native-json`
- `GET /v2/applications/{application_id}/versions/{application_version_id}/vulnerabilities`
The Source APIs are deprecated in favor of the new Apps APIs.
- `GET /v2/sources`
- `GET /v2/sources/{source_id}`
- `DELETE /v2/sources/{source_id}`
- `GET /v2/sources/{source_id}/check`
- `GET /v2/sources/{source_id}/content`
- `GET /v2/sources/{source_id}/content-summary`
- `GET /v2/sources/{source_id}/content/{content_type}`
- `GET /v2/sources/{source_id}/sbom/cyclonedx-json`
- `GET /v2/sources/{source_id}/sbom/native-json`
- `GET /v2/sources/{source_id}/sbom/spdx-json`
- `GET /v2/sources/{source_id}/vuln`
- `GET /v2/sources/{source_id}/vuln/{vuln_type}`
- `GET /v2/imports/sources`
- `POST /v2/imports/sources`
- `GET /v2/imports/sources/{operation_id}`
- `DELETE /v2/imports/sources/{operation_id}`
- `POST /v2/imports/sources/{operation_id}/finalize`
- `GET /v2/imports/sources/{operation_id}/sbom`
- `POST /v2/imports/sources/{operation_id}/sbom`
The following System Feed APIs are no longer in use and will return a 501 Not Implemented error.
- `PUT /v2/system/feeds/{feed}` — toggle feed enabled
- `DELETE /v2/system/feeds/{feed}` — delete feed groups/data
Removals
- The legacy webhooks subsystem, including the webhook configuration in the configuration file, has been removed. Use the Notifications system to deliver events to webhook endpoints.
- The OpenStack Swift object store driver has been removed. Please see Object Storage for the list of supported object stores.
- The deprecated feed- and dataset-sync event types (`system.feeds.sync.*` and `system.dataset.sync.*`) have been removed.
- The legacy Kubernetes and ECS runtime vulnerability report tables have been removed and are dropped from the database.
- The deprecated policy feed sync configuration options have been removed.
- The `enable_owned_package_filtering` configuration option has been removed. Legacy image, App Version, and Grype vulnerability scans now return consistent results, and the content APIs may now return overlapping (owned child) packages that were previously filtered out.
- The `stale_feed_data` policy trigger has been removed for SBOM policies and is no longer included in the default policy.
- The experimental Imported SBOM APIs (`/exp/sboms` and `/exp/sbom-groups`) have been removed. Import SBOMs as Assets in an App Version instead.
- The Artifact Lifecycle Policy (ALP) rules for imported SBOMs have been removed.
Recommended Component Versions
| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v6.0.0 | Contact Support | With Syft v1.43.0 and Grype v0.112.0 |
| Enterprise UI | v6.0.0 | | |
| AnchoreCTL | v6.0.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.4.3 | Contact Support | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.8.3 | Contact Support | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.8.3 | v0.8.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.5.3 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Last modified June 16, 2026