Anchore Enterprise Release Notes - Version 4.1.0

Anchore Enterprise 4.1.0

Anchore Enterprise release v4.1.0 contains targeted fixes and improvements. A Database update will be required.

4.1.0 Upgrade Notes

The 4.1 upgrade requires a new vulnerability database to be built by the feed service using a new schema. In the time between the new deployment startup and the completion of the first post-upgrade feed service data sync, the policy engine API will return errors for vulnerability scans. Once it receives the newly built vulnerability database from the upgraded feed service, it will resume normal operation. Depending on the deployment, the data update and new database build may take several hours. The system will resolve this condition on its own, but your maintenance window should take this into account.

Notes for new deployments

Due to improved error handling in the vulnerability scanner (see details below), new deployments will not provide vulnerability reports via the API until the first full vulnerability sync has occurred, but images may be analyzed during this time. Once the first sync is completed (you can check this with anchorectl feed list), vulnerability scans will return successfully.

Enterprise Service Updates

Improvements

  • Source to Image SBOM Drift
    • Introduces a new artifact relationship API which provides the ability to indicate that a container image was built from one or more specific source repository revisions. This allows Anchore to show whether the source repository’s SBOM packages are correctly found in the image SBOM.
    • Introduces a new policy gate and trigger which will raise drift findings in the policy compliance evaluations.
  • Vulnerability False Positives Reduction
    • Introduces an Anchore vulnerability feed shown as ‘anchore:exclusions’. This is a curated feed of vulnerability matches which will be automatically excluded from results in order to reduce false positives.
    • The feed utilizes Version 4 of the Grype database schema which provides support for vulnerability match exclusion data.
  • Application Name and Version Name improvements
    • Added uniqueness and non-nullable constraints to the following fields:
      • Application.name must be unique per account
      • ApplicationVersion.version_name must be unique per application
    • Attempting to create or update these fields to a non-unique value will result in a 409 error.
    • During upgrade, if existing records are found to have the same value, they will be automatically renamed by appending ‘_N’ where ‘N’ is incremented for each conflict. For example, if there are two applications named “test” within an account, one will be renamed “test_1”.
  • Accounts may now be created with a name that contains an underscore (_) as the last character.
  • Tag subscriptions will now be removed when the last image for a tag is deleted from the system.
  • Adds a last_seen_in_days field to the archival rule exclusion block that allows images to be excluded from archive if there is a corresponding runtime inventory image whose last_seen is within the specified number of days.
  • Image Vulnerabilities now provides the timestamp when each vulnerability was detected on the image. This is now available in the API and is indicated with the “detected_at” field.
  • Reduced the number of Error Events generated when there is an issue accessing the registry. You will now only see one event generated per registry/repo. Previously there would be an event for each image.
  • In order to reduce vulnerability false positives, it is recommended that users do not attempt vulnerability matches on go main modules with the pseudo-version v0.0.0- or (devel) unless the true version has been specified via a correction.
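The recommendation above (skip vulnerability matching for Go main modules whose version is only the v0.0.0- pseudo-version or (devel), unless a correction supplies the real version) can be expressed as a small pre-filter over SBOM packages. The following is an added example and not Anchore's own code; the GoPackage record, the select_matchable function and the sample package list are constructed here for illustration and do not reflect Anchore's internal data model or API.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Version strings that carry no real release information for a Go main module.
PSEUDO_VERSION_PREFIX = "v0.0.0-"   # pseudo-version of an untagged module
DEVEL_VERSION = "(devel)"           # stamped on a main module built with `go build`


@dataclass(frozen=True)
class GoPackage:
    """Constructed, minimal stand-in for a Go package entry in an SBOM."""
    name: str
    version: str
    main_module: bool = False


def is_placeholder_version(version: str) -> bool:
    """True when the version cannot be matched against a vulnerability database."""
    v = version.strip()
    return v == DEVEL_VERSION or v.startswith(PSEUDO_VERSION_PREFIX)


def select_matchable(
    packages: List[GoPackage], corrections: Dict[str, str]
) -> Tuple[List[GoPackage], List[GoPackage]]:
    """Split packages into (matchable, skipped).

    corrections maps a module name to its true version (the equivalent of a
    user-supplied correction). A corrected main module is matched with the
    corrected version; an uncorrected main module with a placeholder version
    is skipped so it does not produce spurious findings; everything else is
    matched as-is (dependencies keep their resolved versions).
    """
    matchable: List[GoPackage] = []
    skipped: List[GoPackage] = []
    for pkg in packages:
        corrected = corrections.get(pkg.name)
        if pkg.main_module and corrected:
            matchable.append(replace(pkg, version=corrected))
        elif pkg.main_module and is_placeholder_version(pkg.version):
            skipped.append(pkg)
        else:
            matchable.append(pkg)
    return matchable, skipped


# Constructed sample input: two uncorrected main modules with placeholder
# versions, one normal dependency, and one main module with a correction.
SAMPLE_PACKAGES = [
    GoPackage("github.com/example/app", "v0.0.0-20220101000000-abcdef123456", True),
    GoPackage("github.com/example/tool", "(devel)", True),
    GoPackage("github.com/example/lib", "v1.2.3", False),
    GoPackage("github.com/example/fixed", "(devel)", True),
]
SAMPLE_CORRECTIONS = {"github.com/example/fixed": "v2.0.1"}


if __name__ == "__main__":
    matched, skipped = select_matchable(SAMPLE_PACKAGES, SAMPLE_CORRECTIONS)
    for p in matched:
        print(f"match   {p.name} {p.version}")
    for p in skipped:
        print(f"skip    {p.name} {p.version} (placeholder version, no correction)")
```

The split keeps the skipped modules visible rather than silently dropping them, so a reviewer can see which main modules still need a version correction before their findings are trusted.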

Fixes

  • Subscriptions are now being properly cleaned up when images are deleted or archived.
  • The API will return a proper error message if the caller attempts to delete an image, using the image ID, that is the latest of its tags and still has an active subscription.
  • Providing an unsupported vulnerability type for API sources/{source_id}/vuln will result in a proper error message.
  • Addressed an incorrect error event regarding Image Registry Lookups. This event was generated in error even when registry credentials were valid and the lookup succeeded.
  • Errors that are detected during a vulnerability scan are now properly reflected in the API. Previously, it was possible that the scan would fail, but it would appear that the image had no vulnerabilities.
  • Importing an image SBOM where the distro version is NULL or None will now succeed.
  • A max-images-per-account Archive Rule will correctly handle an image that has more than one tag associated with it.

Deprecations

  • The Embedded Inventory Mode Feature has been deprecated as of this release. It will be removed from the Enterprise product during the future release of v4.2.0.
  • Configuration Variable ‘ANCHORE_VULNERABILITIES_PROVIDER’ is no longer supported by Enterprise.
  • Configuration Variable ‘ANCHORE_ENTERPRISE_FEEDS_THIRD_PARTY_DRIVERS_ENABLED’ is no longer supported by Enterprise.

Future Deprecations

  • The anchore-cli Python client will be deprecated as of version 4.2 of Anchore Enterprise. AnchoreCTL contains all of the functionality of anchore-cli and is the default, supported tool for interacting with Anchore Enterprise as of 4.1.

UI Updates

Improvements

  • In SSL-enabled environments, all requests made from the client are automatically upgraded to use a secure connection.
  • Account entries and user entries are now both permitted to contain spaces in their names. In addition, account names are now permitted to contain a trailing underscore (_) character.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

Fixes

  • Single sign-on (SSO) authentication now preserves the page URL. Prior to this update, the user would always be sent to the Dashboard view, but now the original location is used after the SSO authorization round-trip is complete.
  • Due to a cookie misconfiguration, completion of the SSO round-trip would not always place the user inside an authenticated view, requiring a page refresh—this issue has now been addressed.
  • The What's New tour dialog will now be displayed for new SSO users and for SSO users logging in after a version update.
  • When changing the displayed item range for any table within the Kubernetes view, under certain circumstances the app would whitescreen—this issue has now been fixed. In addition, the summary total of items shown for each table is now displayed correctly.
  • The documentation link provided in the Add Cluster popup in the Kubernetes view is now correct.
Last modified October 27, 2023