Anchore Enterprise Release Notes - Version 4.3.0

Anchore Enterprise 4.3.0

Anchore Enterprise release v4.3.0 contains targeted fixes and improvements. A Database update will be required.

Enterprise Service Updates

Improvements

  • Reporting Improvements
    • The runtimeInventoryImagesByVulnerability report query now supports various vulnerability filters such as Vulnerability Id.
    • Various vulnerability-related report queries, such as artifactsByVulnerability, tagsByVulnerability, now support filtering by one or more severities via the Severities option.
    • A new report query called runtimeInventoryUnscannedImages is now available. It provides the list of images in the runtime inventory that have not been analyzed.
    • See https://docs.anchore.com/current/docs/using/api_usage/reports/ for an overview of how to access reports via the API.
  • API now supports the ability to query a list of vulnerabilities found for a specific Application Version. See https://docs.anchore.com/current/docs/sbom_management/application_groups/application_management_anchore_api for additional information about Applications.
  • Introducing a new RBAC Role called repo-analyzer. It is meant to be a companion to the image-analyzer role and specifically provides the ability to create a repository subscription.
  • Now importing the Wolfi Security Feed. Used in vulnerability matching for Wolfi OS Packages.

Fixes

  • Fixed a failure during the cleanup of old versions of GrypeDB. This was seen to cause an issue during feed sync.
  • When deploying with multiple instances of policy-engine, there will only be a maximum of two GrypeDB instances.
  • Addressed an issue which prevented a scheduled query of a Runtime Inventory Images By Vulnerability from running.
  • Fixed the unlikely condition where a deleted image is added back into the system, due to a subscription processing error.
  • Image analysis properly displays all found versions of the same OS package.
  • Increased accuracy of vulnerability matches on Debian source packages when the source package version differs from the binary package version. Requires re-analysis in order to populate necessary metadata for existing scans.
  • Identifies improper SSO IDP Configuration during creation or modification of an existing configuration.

Deprecation Reminders

  • The anchore-cli python client has been deprecated as of Enterprise Release v4.2.0. It will be removed from the Enterprise image during the v4.4.0 Release. AnchoreCTL is the only supported command line tool for interacting with Anchore Enterprise. It will be included in the Enterprise image during the v4.4.0 Release.

UI Updates

Improvements

  • A new Quick Report for Unscanned Runtime Inventory Images is now available. It shows which images running in Kubernetes clusters have not yet been analyzed by Anchore so that users can verify all images are scanned in CI/CD.
  • The Runtime Inventory Images by Vulnerability report type now supports various vulnerability filters such as Vulnerability Id. This makes it easier to focus efforts on zero-days (or other critical and well-known vulnerabilities) and find exactly which runtime contexts (and the images within) are impacted by a specific vulnerability.
  • Various vulnerability-related reports (Artifacts by Vulnerability, Tags by Vulnerability, etc.) now support filtering by one or more severities via the Vulnerability Severities option.
  • An improvement has been made to our cookie management for higher entropy via an autogenerated encryption key unique to each deployment and to allow administrators to change it if they wish.

Fixes

  • Fixed a bug causing logins made directly via an IDP, as opposed to the SSO link on the Anchore login page, to fail with a 404 error.
  • Improved fault-tolerance in the event of an invalid or malicious websocket request: using a scanner such as Nessus could under certain conditions lead to an application crash.
  • Fixed a routing issue causing requests to /artifacts/image/ with a trailing slash to lead to a 404 page not found error.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Last modified September 30, 2024