Anchore Enterprise Release Notes - Version 4.8.0
Anchore Enterprise v4.8.0
Anchore Enterprise release v4.8.0 contains targeted fixes and improvements. A Database update is needed.
Note
Please view the details around the upcoming Enterprise v5.0.0 release. Important requirements must be met before upgrade. See link below.
Enterprise Service Updates
Improvements
Reporting
- `Vulnerabilities by Kubernetes Containers` is a new report template which will allow you to view and filter on vulnerabilities found within a Kubernetes Container. The report will populate only if you have deployed the new `anchore-k8s-inventory`.
- `Vulnerabilities by ECS Containers` is a new report template which will allow you to view and filter on vulnerabilities found within an ECS Container. The report will populate only if you have deployed the new `anchore-ecs-inventory`.
- The `Vulnerabilities by Kubernetes Namespace` report now displays the Anchore `Account Name`.
Configuration
- A new configuration option is available that can show a significant reduction in resource usage. It is available for customers that do not use the `/v1/query/images/by_vulnerability` API.
  - Setting this configuration option to `false` will:
    - Disable the `/v1/query/images/by_vulnerability` API and return a 501 code if called.
    - Disable the SBOM vulnerability rescans which occur after each feed sync. It is these rescans that populate the data returned by the API.
  - Customers who are using the `/v1/query/images/by_vulnerability` API are encouraged to switch to calling the `ImagesByVulnerability` query in the GraphQL API. This query provides equivalent functionality and will allow you to benefit from this new configuration option.
  - Docker Compose users can set the environment variable `ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY` in the policy engine to `false`.
  - Helm users can set the `services.policy_engine.enable_images_by_vulnerability_api` key in config.yaml
Fixes
- Improved operating system matching prior to determining if a CVE should be reported against an image.
- CVSS scores from NVD are now preferred over other sources. This provides a more consistent end user experience.
- Addressed a failure to properly generate the `Policy Compliance by Runtime Inventory` report while using the new `anchore-k8s-inventory` agent. A symptom was that the `Compliance` and `Vulnerability Count` fields within the `Kubernetes` tab remained in `Pending` state.
- Switched the archive delimiter in malware scan output from ‘!’ to ‘:’ to ensure shell copy-paste ease of use.
- Improved a few misleading internal service log messages.
- Fixed an issue that resulted in a scheduled query, with a qualifying filter, failing to execute. Examples of filters which will result in this failure:
Query Name | Filter Name |
---|---|
Tags by Vulnerability | Vulnerability Last, Tag Detected In Last |
Images Affected By Vulnerability | Vulnerability Last, Tag Detected In Last, Image Analyzed In Last |
Artifacts By Vulnerability | Vulnerability Last, Tag Detected In Last |
Policy Compliance History by Tag | Tag Detected In Last, Policy Evaluation Latest Evaluated In Last |
Policy Compliance by Runtime Inventory Image | Policy Evaluation Latest Evaluated In Last |
Runtime Inventory Images by Vulnerability | Vulnerability Last, Image Last Seen In |
Unscanned Runtime Inventory Images | Last Seen In |
UI Updates
- The Watch Repository toggles displayed in the registry and repository view tables under Images can now be suppressed when the `enable_add_repositories` property in `config-ui.yaml` is set to `False` for admin or standard accounts. This and other parameters contained in the UI configuration file are described here.
- The `Vulnerabilities by ECS Container` report template has been added that allows you to search for a specific vulnerability across ECS containers in order to view a list of clusters, services, tasks and containers that are impacted by the vulnerability.
- The `Vulnerabilities by Kubernetes Container` report template has been added that allows you to search for a specific vulnerability across Kubernetes containers in order to view a list of clusters, services, tasks and containers that are impacted by the vulnerability.
Fixes
- References to Anchore Engine have been removed and replaced app-wide with Anchore Enterprise Services
- A fix has been applied for an issue where a `read-only` user was not able to manage registry credentials in another context even when they had a `full-control` role associated with that account
- An `Account Name` filter has been added to the `Kubernetes Runtime Vulnerabilities by Namespace` report template, and improved descriptions have been provided for the `Label` and `Annotations` filters
filters - Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Recommended Version |
---|---|
Enterprise | v4.8.0 |
Enterprise UI | v4.8.0 |
Helm Chart | v1.26.0 |
AnchoreCTL | v1.7.0 |
anchore-k8s-inventory | v1.0.0 |
anchore-ecs-inventory | v1.0.0 |
KAI (Deprecated) | v0.5.0 |
Kubernetes Admission Controller | v0.4.0 |
REM (Remote Execution Manager) | v0.1.10 |
Harbor Scanner Adapter | v1.0.1 |
Jenkins Plugin | v1.0.25 |