Anchore Enterprise Release Notes - Version 3.0.0
Anchore Enterprise 3.0
This represents a significant update in Enterprise, requiring database upgrades and adds new components to the system including an optional deployable agent for gathering runtime image inventory from Kubernetes clusters.
Runtime Kubernetes Inventory
Anchore now can receive inventory reports from a new agent that runs in the kubernetes cluster and reports which images are used in which namespaces. The new agent is KAI, and it can run within your Anchore deployment or in another kubernetes cluster to return which images are in-use over time. This allows Anchore to show which images are in use and facilitates focused triage and attention on in-use images to ensure you are addressing security findings in this most critical images first.
See Runtime Kubernetes Inventory for more information.
Action Plans and Remediation Recommendations
Anchore now provides fix suggestions for policy violations and a notification delivery mechanism so you can quickly and conveniently send notifications (email, Slack, MS Teams, Github, Jira, etc) to the image maintainer so they can take corrective action for policy findings such as updating packages, modifying the Dockerfile, or rebuilding on a new base image.
See Remediation recommendations for more information.
Policy Violation Alerts
The UI and API now present stateful alerts that will be raised for policy violations on tags to which you are subscribed for alerts. This raises a clear notification in the UI to help initiate the remediation workflow and address the violations via the remediation feature. Once all findings are addressed the alert is closed, allowing an efficient workflow for users to bring their image’s into compliance with their policy.
Improved Pipeline Scanning Integration
Anchore now has the ability to accept SBoM and image metadata from analysis run inside your CI/CD pipelines or local to developer machines and load it into the system for processing without requiring images to be pushed to an image registry. This enables more efficient scanning inside the pipelines and less data transfer to decrease the overall time to result. Analysis results are provided by Syft which is integrated into Anchore itself for SBoM generation of packages as well.
See Pipeline and Local Analysis for more information.
Feature Enhancements and Improvements
Configurable Image Maximum Allowed Size Limit
A new configurable maximum image size has been added to the system to enable administrators to ensure that very large images are not admitted into Anchore causing potential QoS or resource usage issues.
Enhanced Analysis Archive Rule Flexibility
New capabilities in the analysis archive rules allow more efficient description of what to archive and what to exclude as well as the ability to set rules to limit the number of images in each account to help with capacity management. These new capabilities include new selectors for exclusions to rules so that broader rules can be use to select candidates for archival and just exclusions set for specific images, tags, or repos.
See [Analysis Archive Rules]
Enterprise Service Changes
In Enterprise 3.0, the system now requires the deployment configuration to explicitly set a default admin password and will fail system initialization if one is not found in the configuration. This is automatically
configured for users of the helm chart and our Quickstart docker-compose.yaml, but if you have a custom deployment template and create a new deployment of Anchore, you must ensure that the
is set in the config.yaml used by the catalog component.
- Adds ability to block large images based on configurable max size
- Adds configurable image max size value to optionally limit size of images analyzed by system
- Adds corrections API to support artifact metadata corrections for false positive management
- Adds kubernetes inventory ingress API and agent to run in kubernetes clusters to track image inventory
- Adds additional archive analysis rule exclusions to allow rules to be broader but have specific exclusions so that fewer rules can be used
- Adds API to upload analysis SBoM generated by Syft and imported as image for remote analysis without Anchore retrieving the image content directly
- Adds CPEs used for vulnerability matching against NVD and VulnDB data to the image content output itself for greater transparency in matching
- Use Python 3.8 instead of Python 3.6
- Update base image for containers to UBI 8.3 from UBI 8.2
- Improved - Updated output messages and description for vulnerability_data_unavailable trigger and stale_feeds_data trigger to clarify only OS packages impacted.
- Improved - Do not allow selectors to be empty unless using max_images_per_account_rule.
- Improved - Updates Syft to version 0.12.4 to fix several issues in image analysis including empty package names/versions in invalid package.json files and java jar parent references being Nil.
- Improved - Require user to set explicit default admin password at bootstrap instead of defaulting to a value if none found.
- Improved - Update Authlib to 0.15.2 from 0.12.1
- Improved - Update PyYAML to 5.4.1
- Improved - Update Passlib to 1.7.4
- Improved - Update to use Python 3.8
- Improved - Update base image to UBI 8.3.
- Fixed - Failed analysis due to incorrect manifest mime types due to bug in buildah that caused incorrect content type to be in the manifest at build time.
- Fixed - External API service swagger spec for GetRegistry response is inconsistent with actual returned JSON.
- Fixed - Fixed analysis archive rules that did not fire if delete transition rule present.
- Fixed - Force re-analysis of tag and digest rejected if create_at_override timestamp not provided.
Additional minor bug fixes and enhancements
False Positive Management feature incompatible with legacy Engine report/query routes Using the
GET /query/images_by_vulnerabilityendpoint for querying all images with a specific vulnerability using the legacy Engine API does not support the new False Positives management feature. It is recommended to use the Enterprise Reporting Service GraphQL API to get the same information that does support the corrections.
Change to now require an explicitly set default admin password at system bootstrap may cause issues with some deployment templates If your deployment template (chart, docker-compose, etc) does not ensure that the config.yaml for services includes
default_admin_passwordexplicitly set to a value, the system will no longer bootstrap with a built-in default. This does not affect our updated helm chart or quickstart docker-compose.yaml files, those have been updated appropriately.
Enterprise UI Changes
- New compliance landing page
- Alerts view in dashboard
- Alerts selection for repositories and tags
- Remedation workflow and Actions Workbench
- Kubernetes runtime inventory reports
- “Last Seen” timestamp in image analysis to overlay runtime inventory in analysis view
- Updated dependencies
Additional minor bug fixes and enhancements