Anchore Enterprise Release Notes - Version 4.0.0

Anchore Enterprise 4.0.0

The Anchore Enterprise 4.0.0 release offers significant new supply chain security features expanding the Anchore Enterprise SBOM management platform beyond container scanning. Users can now generate and continuously monitor SBOMs for their source code repositories to identify vulnerability and security risks. Policy rules that are specific to managing source code are now available in the Policy Engine. Multiple source code and container image SBOMs can also now be grouped together as an Application that can be managed as a single set enabling generation of SBOMs representing a total application or service.

Additional new SBOM capabilities enable users to observe and limit SBOM drift between container image builds. Users can use policy rules to enforce immutable container best practices or help detect potentially malicious activity.

AnchoreCTL, the integration tool for use in CI/CD pipelines, has also been updated to include Source Repository Management.

A number of performance improvements have also been made to improve the response of the GUI, reporting service, as well as the efficiency of the queue processing processes.

Version 4.0.0 also includes other improvements and fixes.

New Features

The following new features are included in Enterprise 4.0.

SBOM Management

You can now generate SBOMs using AnchoreCTL as part of a command line or CI/CD workflow, through pulling content from a registry, or by submitting an artifact to the Anchore API.

SBOMs can be managed using the command line, API or GUI, where contents can be grouped together, annotated, viewed, or searched. Artifact metadata, vulnerability information, and policy evaluations can also be viewed and managed through the same interfaces.

All SBOMs can be downloaded into a variety of formats, either individually or collectively, to be sent to security teams, customers or end-users.

Applications

You can now build applications in Anchore Enterprise. Applications are the top-level building block in a hierarchical view, containing artifacts like packages or image artifacts. Applications can represent any project your teams deliver. Each application is associated with one or more application versions which track the specific grouping of artifacts that comprise a product version.

Anchore Enterprise lets you model your versioned applications to create a comprehensive view of the vulnerability and security health of the projects your teams are building across the breadth of your Software Delivery Lifecycle.

By grouping related components into applications, and updating those components across application versions as projects grow and change, you can get a holistic view of the current and historic security health of the applications from development through built image artifacts.

SBOM Drift

You can now set triggers for policy violations on changes in the SBOM between images, with the same tag, so that it can detect drift over time between builds of your images.

There is a new gate called: tag_drift

The triggers are:

  • packages_added
  • packages_removed
  • packages_modified

Legacy Vulnerability Scanner No Longer Supported

The legacy vulnerability scanner is no longer included as an option when installing or upgrading Anchore Enterprise.

If you currently have Enterprise configured to use the legacy vulnerability scanner, you will not be able to successfully upgrade and start the system without explicitly configuring the default vulnerability scanner.

You can remove that configuration variable so the system can default to the current vulnerability scanner.

If you choose not to upgrade, instead performing a new installation of Enterprise, the vulnerability scanner will be configured by default.

Improvements

  • Analyzers no longer wait 5 seconds between analysis tasks if the last queue check had work available.
  • Adds global image count metrics to the set of available prometheus metrics.
  • Adds new internal reports_worker service that processes async tasks for reporting data.
  • Adds reporting task (data load, refresh, etc) to the set of available prometheus metrics.
  • System can be configured to automatically delete events older than a specified age to help manage data growth.
  • Go modules detected and reported from within binaries.
  • Removes old and unsupported PG8000 DB driver from container image. Database connection strings starting with “pg8000:” will no longer work.
  • Default PostgreSQL version used in the Quickstart docker-compose.yaml is updated from 9.6 to 12. Anchore’s Postgres requirements are unchanged.
  • Reporting service can be configured to remove reporting data for images deleted or archived.
  • Reporting service data update performance improvements and scalability improvements.

Fixes

  • Resolved data leaks from the grypedb feeds driver that could occur when process terminated by OS.
  • Resolved reporting service refresh issue.
  • Reporting service no longer looks at or attempts to refesh deleted image data. Reporting procedures now operate on data sets where the analysis state is analyzed and image state is active.
  • There was an issue with the Debian driver providing empty content. The grype-db-builder now builds all Debian data in the feeds service.
  • The NVD CVSS scores known issue from the 3.3.0 release has been fixed. NVD CVSS scores are now present in the API responses for the request to get a detailed information query about a vulnerability feed record.
  • Stale feeds policy trigger issue fixed.
  • Report worker tag refresh issue fixed.
  • Fixes vulnerability scanning failures for container images with no known distro.

Known Issues

  • The vulnerability scanner needs to be explicitly configured for Grype. If it is configured for v1 (legacy) vulnerability scanner, you will get an error during upgrade.

    • Workaround:

      Helm chart: Set services->policy_engine->vulnerabilities->provider to grype. Docker-compose: The environment variable ANCHORE_VULNERABILITIES_PROVIDER=grype must be present for the policy-engine service.

  • Image drift only supports comparison of images analyzed by 4.0.0. Images analyzed prior to upgrade do not support drift computation and will result in a policy evaluation warning message.

  • Image SBOM downloads do not include content hints entries or detected binaries (python, go) that are not installed via a package manager.

Enterprise UI Changes

  • New Applications tab. Observe applications in Enterprise and see a summary of the artifacts that have been collected into an application. From the application view, you can drill down into the source repositories or container images that make up the application, and browse their SBOMS.
  • View applications and application versions from source repositories and image containers. The information is categorized by applications, with sub-categories of application versions available.
  • You can download an SBOM report in JSON format for everything in an application.
  • View information about an artifact, such as the policies set up, the vulnerabilities, SBOM contents,and metadata information.
  • From the Policies tab, set up policies and policy bundles for source repositories.

Fixes

  • Fixed inventory view performance issues with large data sets.
  • Report manager now returns preview results.
  • The inventory service error now returns the appropriate 500 error message.
  • Fixed how the ordering of policy bundle mappings are displayed within a table.
  • Increased the LDAP filter character limit.
  • Package names within the Vulnerability tab are now sorted alphanumerically.

Upgrading

Upgrading to Anchore Enterprise 4.0.0 involves a database upgrade that the system will handle itself. It may cause the upgrade to take several minutes.

If you currently have Enterprise configured to use the legacy vulnerability scanner, you will not be able to successfully upgrade and start the system without explicitly configuring the default vulnerability scanner.

You can remove that configuration variable so the system can default to the current vulnerability scanner.

If you choose not to upgrade, instead performing a new installation of Enterprise, the vulnerability scanner will be configured by default.

AnchoreCTL

The latest version of AnchoreCTL is 0.1.4. AnchoreCTL is dependent on Syft v0.39.3 as a library.

The current features that are supported are as follows:

  • NEW! Source Repository Management: Generate an SBOM and store the SBOM in Anchore’s database. Get information about the source repository, investigate vulnerability packages by requesting vulnerabilities for a single analyzed source repository, or get any policy evaluations.
  • NEW! Download full image SBOMs for images analyzed with Enterprise 4.0.0.
  • Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the rem tool.
  • Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
  • Image Management: View, list, import local analysis, and request image analysis by the system.
  • Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
  • System Operations: View and manage system information for your Enterprise deployment.
Last modified March 14, 2022