Anchore Enterprise Release Notes - Version 4.9.0
Anchore Enterprise v4.9.0
Anchore Enterprise release v4.9.0 contains targeted fixes and improvements. A Database update is needed.
Note
Please view the details around the upcoming Enterprise v5.0.0 release. Important requirements must be met before upgrade. See link below.
Enterprise Service Updates
Improvements
- Anchore Enterprise V2 API is now available for use.
  - The V2 API has been provided for early adoption for any customer who has custom integrations or scripts that may directly access the V1 API. This will provide extra time to migrate to the new V2 API endpoints prior to the official Enterprise v5.0.0 release.
  - The V1 APIs were distributed across several files and have now been consolidated into the single V2 API.
    - Anchore API Swagger
  - The following V1 APIs have been deprecated:
    - Enterprise API Swagger
    - Engine API Swagger
    - Notifications Swagger
    - RBAC Manager Swagger
    - Reports Swagger
  - For more details about the Anchore Enterprise V2 API, and to view the V2 swagger, please visit API Usage
- Kubernetes and ECS Runtime Inventory ingest path received performance enhancements.
- Reports
  - Scheduled Queries now provide an `executionsLimit` filter.
  - Improvements in both performance and memory consumption were made to the following reports:
    - Vulnerabilities by Kubernetes Namespaces
    - Vulnerabilities by Kubernetes Containers
    - Vulnerabilities by ECS Containers
  - Added several new metrics within the report service. These are now available via Prometheus.
- Configuration
  - Image import maximum size is now configurable. Current default size is 100 MB.
    - Docker Compose users can set the environment variable `ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB`
    - Helm users can modify `max_import_content_size_mb`
  - Source repository import maximum size is now configurable. Current default size is 100 MB.
    - Docker Compose users can set the environment variable `ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB`
    - Helm users can modify `max_source_import_size_mb`
  - Provided a configuration option to bypass object store content checks. This was provided to aid our customer support team during specific triage. Please contact customer support for additional information.
- Policy Engine can now capture and persist additional metadata for vulnerabilities reported by the vulnerability provider sync. The following observed dates are persisted:
  - The date on which a vulnerability within a provider namespace is first observed by Enterprise via the vulnerability provider sync.
  - The date on which a specific package fix is first observed by Enterprise via the vulnerability provider sync. This “fix observed date” will be used during policy eval of `max days since fix` to give a more consistent evaluation result across all newly analyzed image and source SBOMs.
- Support capture of vulnerability data for Ubuntu 23.04 (Lunar Lobster) and Ubuntu 23.10 (Mantic Minotaur) once publishing commences from Canonical.
- Provide support for vulnerability data for Mariner.
- If a Vunnel Provider fails, the system will provide a new sync using the previous data for the failing provider and the new data from the other providers. This change also provides improved messaging around failing providers.
- Improved Java matches for Source SBOMs by capturing more metadata during SBOM imports.
Fixes
- Reports
  - Handle an error when the service is loading data for `ECS Container Report Table` and `Kubernetes Container Report Table` in cases where a container stops being reported long enough for it to be removed from the Catalog, and is then reported again.
  - The report service no longer triggers an out of memory error when running larger runtime workloads.
- The Archive Image Delete `force` flag option now works even when the image is in the `archiving` state.
- ECS Inventory which contains both tasks as part of a service and tasks that are run standalone will be properly accepted.
- Fixed an issue seen with the Ubuntu provider failing to sync when the git repo has untracked files present.
- Addressed an issue where distroless images reported incorrect findings from other catalogers.
- Correctly handled the Ubuntu CVE Tracker change for labeling which indicated end of life. This could lead to unfixed CVEs being missing from the data.
- Modifying the value of the Catalog’s `resource_metrics` cycle timer is now honored.
- API call `POST /v1/enterprise/stateless/sbom/vuln/{vtype}` now works as expected.
- Proper handling for vulnerability transitions from `affected` to `not-affected` within the RHEL provider.
UI Updates
Fixes
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Recommended Version |
---|---|
Enterprise | v4.9.0 |
Enterprise UI | v4.9.0 |
Engine Helm Chart | v1.27.0 |
AnchoreCTL (V1 API Compatible) | v1.8.0 |
AnchoreCTL (V2 API Compatible) | v4.9.0 |
anchore-k8s-inventory | v1.1.1 |
anchore-ecs-inventory | v1.1.0 |
KAI (Deprecated) | v0.5.0 |
Kubernetes Admission Controller | v0.4.0 |
REM - Remote Execution Manager (Deprecated) | v0.1.10 |
Harbor Scanner Adapter | v1.2.0 |
Jenkins Plugin | v1.0.25 |