Anchore Enterprise Release Notes - Version 5.0.0

Anchore Enterprise v5.0.0

Enterprise Service Updates

5.0 Migration Guide

Requirements

  • Enterprise v5.0.0 requires Postgres 13 or greater.
  • Enterprise v5.0.0 requires that the previous version was Enterprise v4.0.0 or greater. It is strongly recommended that you upgrade to Enterprise v4.9.0 prior to attempting this upgrade.
  • Enterprise v5.0.0 requires the use of the Enterprise Helm Chart v2.0.0.
  • Enterprise v5.0.0 requires that you upgrade your integrations and clients. See the table of compatible versions below.

Improvements

  • V2 API
    • The Anchore Enterprise API has been updated. For complete details, please review Migrating from API V1 to V2.
    • The Anchore Enterprise API is found in the API Service. The RBAC Manager API, Notifications API, and Reports API are now served through that same endpoint. Those services are now internal-only services for processing requests in the 5.0 release.
    • fix_observed_at is now returned as part of the GET /v2/images/{image_digest}/vuln/{vuln_type} endpoint response where a fix is available.
  • Reports
    • Scheduled Query Executions now contain a status field. Values include: pending, error, running, and complete.
    • The pagination of the scheduledQueries query has been improved. An additional query scheduledQueryExecutions has been added to allow pagination of the executions of a specific scheduled query.
    • Provided a Fix Observed Date for all report queries that contain vulnerability information. This Fix Observed Date is the date on which Anchore observed that a fix was available.
    • Improved the Filter Descriptions within the runtime reports.
  • False Positive Reduction
    • Provided configuration settings so users can select which package types use CPE-based matching against NVD. For additional details, please review False Positive Management.
  • Policy
    • Improvements in presentation and validation during policy editing have been made. Please see Policy for an overview on using policies.
    • A new distro policy gate has been added with a deny trigger. Required parameters include the name of the distribution, the version of the distribution, and the operation used for the evaluation (i.e., <, >, !=).
  • RBAC Roles
    • Provided a new user role called image-developer. Used alone, the role limits the user to viewing images, vulnerabilities, policies, and policy evaluations.
  • Events
    • ANCHORE_EVENT_RETENTION_AGE_DAYS now defaults to 180 days.
  • Runtime Inventory
    • A new configuration option inventory_ingest_overwrite is now supported which, when set to true, stores only the most recent inventory per cluster/namespace. Note: the inventory_ttl_days option remains available.

Fixes

  • Image Dockerfile Status now reports correctly even after a force re-analysis.
  • Images analyzed from runtime inventory now have the correct Dockerfile Status reported.
  • Policy
    • Improved policy validation: the policy editor no longer allows saving policies with unknown elements.
    • Policy Name is now a required field during the creation of new policies.
    • Tag Drift Gate no longer fails with images analyzed with 4.9.x.
  • The createScheduledQuery mutation now correctly returns the createdAt, updatedAt, and account fields.
  • A verbose warning log message in the Policy Engine Service, regarding sqlalchemy, has been addressed.
  • Addressed an exception in the Report Service when loading an image with an empty dockerfile_mode.
  • The report vulnerabilitiesByKubernetesContainer executes correctly even when node information is not present.
  • The V2 API now specifies the version field in the ContentJAVAPackageResponse. This is the response for GET v2/images/{image_digest}/content/java.
  • Fixed a scale issue where an image, which has been queued for analysis, can be garbage collected prior to being processed.

Deprecations

  • The anchore-cli has been deprecated and removed from the docker.io/anchore/enterprise image.
    • AnchoreCTL is available within the docker.io/anchore/enterprise image today.
    • AnchoreCTL is the only supported command line tool for interacting with Anchore Enterprise.
    • For more details, please see AnchoreCTL.
  • KAI (Kubernetes Automated Inventory) is no longer compatible with Enterprise v5.0.0. A new version of this agent, called anchore-k8s-inventory, is available now and is compatible with Enterprise v4.7.0. You may start to migrate to this new agent today.
  • Support for REM (Remote Execution Manager) has been deprecated. It is no longer supported in Enterprise v5.0.0.
  • The Analyzer Service no longer supports multiple analysis threads. The concurrentTasksPerWorker value is no longer valid within the Enterprise Helm Chart. Analysis throughput should be increased by adding more analyzer pods instead.

UI Updates

Improvements

  • The Anchore Enterprise Client now uses the Anchore Enterprise V2 API. This transition should be transparent to users. However, if you encounter any issues, please contact support.

  • The Reports feature has been rebuilt to provide a more intuitive and streamlined experience for creating, scheduling, and managing reports. The new report manager is now the default view when you click the Reports icon in the main navigation bar. If any reports are already present, the Saved Reports tab will be displayed. If no reports are yet available, you will initially see the New Report tab. Once you have created at least one report, the Saved Reports tab will become available as the default.

    This component offers the following enhancements:

    • Report composition is simplified, combining the capabilities of the previous Quick Reports and Report Manager features.
    • Scheduling has also been simplified. Reports can either be generated on demand or scheduled to run at a specific time.
    • Templates can now be created at any time, either from an ad-hoc report or from a scheduled report, and are stored in their own dedicated tab. Custom (user) templates and system templates are separated into their own views.
    • Report data, whether scheduled or ad-hoc, can be downloaded in CSV or JSON format at any time.
    • Report schedules can be easily reconfigured or removed after their creation.
    • Individual report items can be removed.

    In addition to the above, performance improvements have been made to the report generation process.

    Note: In previous versions of the UI, users could create reports using entities known as queries, which were stored filter sets. These sets could be associated with one or more schedules, each containing multiple result items. In the new reports UI, the concept of queries within the Reports Manager has been replaced by storing individual reports under Saved Reports. Therefore, migrating to version 5.0.0 will have the following effects:

    • Queries that contain schedules will be converted into multiple reports—one for each schedule—with their associated result entries displayed when the report item is expanded.
    • Queries that do not contain schedules will be turned into custom templates.
  • The Fix Observed Date is now displayed within the Vulnerabilities tab of the Images view. This date, which is the date Anchore observed a fix being available for a given vulnerability, is also included in the reports where applicable.

  • Clicking the View Reports button in either the Images or Vulnerabilities views will take you directly to the Saved Reports tab in the Reports view. Here, you can view all reports containing data for the selected image or vulnerability.

  • Minor improvements have been made to the display of summary data in the rule composition dialog of the Policy Editor.

  • Service logging has been enhanced to provide information about connections made from the web service to the Anchore Enterprise API services. This information is displayed at the DEBUG level.

  • There’s a more comprehensive presentation of error details when errors are logged and displayed in the UI.

  • A new image-developer RBAC role has been added, which is applied to the rule-sets for the UI features. This role is intended for users who need to view images, vulnerabilities, policies, and policy evaluations, but do not need to create or edit them.

Fixes

  • AppDB database migrations will not execute unless the app is connected to a running instance of Anchore Enterprise services.

  • The application tour dialog no longer redirects users to the Dashboard view when displayed.

  • Logging in will now present the user with a landing page appropriate for their RBAC role.

  • Textual references to Anchore Engine have been replaced with Anchore Enterprise.

  • An error will now be displayed if a user attempts to submit a repository that has already been analyzed.

  • The issue where the UI sometimes did not update to reflect a logout event (even though the event was executed on the server) has been addressed.

  • Notification endpoints that have been disabled by an administrator can no longer be selected in the Action Workbench feature of the Artifact Analysis view.

  • Security enhancements have been made to the test connection operation within the Notifications view.

  • Package size is now accurately displayed in the Package Detail popup within the Vulnerabilities view of Artifact Analysis.

  • Multi-select and clear-all operations now function correctly in both the Events view and the Images view of Artifact Analysis when viewing repositories.

  • Dashboard metrics now use inclusive terminology.

  • Broken links to documentation in the Malware subtab of the Content view of Artifact Analysis have been addressed.

  • Various supporting libraries have been updated to improve security and performance, and to remove deprecation warnings from both browser and server output logs. Redundant libraries have been removed to reduce the application’s startup time and overall size.

Component                          Supported Version   Additional Info
Enterprise                         v5.0.0              With Syft v0.90.0 and Grype v0.67.0
Enterprise UI                      v5.0.0
AnchoreCTL                         v5.0.1              Deploying AnchoreCTL
Enterprise Helm Chart              v2.0.2              https://github.com/anchore/anchore-charts
anchore-ecs-inventory              v1.2.0              https://github.com/anchore/ecs-inventory
anchore-k8s-inventory              v1.1.1              https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller    v0.5.0              https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                     v1.1.0              https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter             v1.2.0              https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scan             v4.0.0              https://github.com/anchore/enterprise-gitlab-scan
Last modified February 2, 2024