Anchore Enterprise Release Notes - Version 3.1.1

Anchore Enterprise 3.1.1

v3.1.1 is a patch release of Anchore Enterprise containing targeted fixes and improvements. No database upgrade is necessary.

Enterprise Service Changes

Note: the Content Hints feature now only supports adding new packages to the analysis report and can no longer modify or update package records found by the package analyzers. This is to ensure unintended conflicts do not occur.

Fixes

  • Some RPMs content in hints file causes analysis to fail
  • Feeds service driver for MSRC safely handles unexpected data from upstream
  • Feed service MSRC driver should not require a Microsoft API key
  • Ubuntu feed service driver git repo sync error
  • Github feed service driver incorrectly categorizes some data
  • Sometimes get error when trying to analyze image due to finding unsupported package types
  • Remove unused nvd scores from normalized vulnerability records
  • Alpine feeds driver to use CVSS v3 for severity scoring instead of CVSS v2
  • Events not generated correctly if an image digest has multiple tags
  • Ensure content hints do not conflict with findings from analyzers and only add entries and cannot modify existing analysis finings
  • SSL Error handling in swift objectstorage driver
  • Syft/Stereoscope cache in /tmp not cleaned up after image analysis
  • Adds will_not_fix field to vulnerability report API response
  • Adds will_not_fix field to /query/vulnerabilities response
  • Wrong tag may be used for image download during analysis if the digest is mapped to multiple tags
  • Dependency updates to resolve non-impacting vulnerability findings
  • Additional minor bug fixes and enhancements

Enterprise UI Changes

Fixes

  • Socket protocol now enforceable via configuration to avoid false positives with application scanners
  • Allow expiration of allowlist item to be set via Vulnerabilities table view in Image Analysis
  • Security vulnerability in package WS addressed
  • Add/Edit User & Add/Edit LDAP User Mapping modal content overflows issue fixed
  • Enable System button for users with correct requisite permissions
  • Users without correct permissions can no longer directly access app routes via URL
  • Default allowlist expiration now set to 30 days
  • Items with vulnerabilities inherited from base image can now be excluded by filter in Vulnerabilities view in Image Analysis
  • Users can now be prevented from accessing the app for a configurable amount of time after a configurable number of invalid login attempts
  • Improved internal field validation to prevent unexpected input in AppDB report routes
  • Additional minor bug fixes and enhancements

Upgrading

No database upgrades are required for this update.

AnchoreCTL

  • Updates vendor_only option to default to true for consistent experience with users coming from anchore-cli