Anchore Enterprise Release Notes - Version 5.4.0

Anchore Enterprise v5.4.0

Anchore Enterprise release v5.4.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

  • If upgrading from a v5.x release, a database update is required.
  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If your Anchore Enterprise deployment is on FIPS-enabled hosts and the database is hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information, please see the FIPS section in Requirements.

Improvements

  • AUDIT event logs have been added to the API Service for the following endpoints
    • /accounts
    • /accounts/{account_name}
    • /accounts/{account_name}/state
    • /accounts/{account_name}/users
    • /accounts/{account_name}/users/{username}
    • /accounts/{account_name}/users/{username}/api-keys
    • /accounts/{account_name}/users/{username}/api-keys/{key_name}
    • /rbac-manager/roles
    • /rbac-manager/roles/{role_name}/members
    • /rbac-manager/saml/idps
    • /rbac-manager/saml/idps/{name}
    • /rbac-manager/saml/idps/{name}/user-group-mappings
    • /system/user-groups
    • /system/user-groups/{group_uuid}
    • /system/user-groups/{group_uuid}/roles
    • /system/user-groups/{group_uuid}/users
  • Deployment
    • We have simplified the Anchore Enterprise deployment by removing the need to create RBAC Authorizer Service and RBAC Manager Service. RBAC functionality within the product is unchanged.
  • Reports
    • Reports which contain vulnerability information have a new column for CVEs.
      • The CVEs may differ from the Vulnerability ID that was used for the match when that ID is an Advisory ID.
      • The CVEs column may contain N/A if a CVE has not been published or detected for the Advisory’s ID yet.
      • Current saved reports remain unchanged. To see this new column, you will need to generate a new saved report.
      • The Vulnerability ID Filter has been updated to work on both the Vulnerability ID and the CVEs.
  • API
    • /system/deployment-history is a new endpoint that returns a history of your future upgrades.
    • /system/statistics endpoint now includes the total number of policy creations, the current number of policies in the deployment, and the total number of policy evaluations.
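
To check that a log pipeline receives AUDIT events for the endpoints listed above, the path templates can be turned into matchers. This is an added example, not Anchore code: the function names, the optional `prefix` argument and the sample paths in any call are assumptions, and only the templates come from these notes.

```python
import re

# Endpoint templates copied from the AUDIT list in these release notes.
AUDITED_TEMPLATES = """
/accounts
/accounts/{account_name}
/accounts/{account_name}/state
/accounts/{account_name}/users
/accounts/{account_name}/users/{username}
/accounts/{account_name}/users/{username}/api-keys
/accounts/{account_name}/users/{username}/api-keys/{key_name}
/rbac-manager/roles
/rbac-manager/roles/{role_name}/members
/rbac-manager/saml/idps
/rbac-manager/saml/idps/{name}
/rbac-manager/saml/idps/{name}/user-group-mappings
/system/user-groups
/system/user-groups/{group_uuid}
/system/user-groups/{group_uuid}/roles
/system/user-groups/{group_uuid}/users
""".split()

def _compile(template):
    # Each {placeholder} stands for exactly one non-empty path segment.
    parts = re.split(r"(\{[^{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(body + "/?")

_COMPILED = [(t, _compile(t)) for t in AUDITED_TEMPLATES]

def audited_template(path, prefix=""):
    """Return the audited template a request path falls under, or None."""
    # prefix: assumed API base path to strip; HTTP method is not considered.
    path = path.split("?", 1)[0]
    if not path.startswith(prefix):
        return None
    path = path[len(prefix):]
    for template, rx in _COMPILED:
        if rx.fullmatch(path):
            return template
    return None

def missing_audit_events(request_paths, audited_paths_seen, prefix=""):
    """Requests to audited endpoints whose path is absent from the events seen."""
    # audited_paths_seen: paths the caller extracted from AUDIT events (assumed).
    seen = set(audited_paths_seen)
    return [p for p in request_paths
            if audited_template(p, prefix) and p not in seen]
```

A path such as `/rbac-manager/roles/{role_name}` without `/members` returns `None`, because that template is not in the list above.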

Fixes

  • Policy delete now properly removes document store artifacts from this policy.
  • Improves the account creation errors returned to the user when the failure is regarding policy creation.
  • Deletion of an image will no longer cause other images to return 500 errors. This could occur when the two images shared the same image ID.
  • Fixes the Policy Gate: Tag Drift Trigger failure that was seen when multiple versions of the tag existed and the comparison was against the newest one.
  • Improves the archive rule deletion errors returned to the user when they did not have permissions for the operation.
  • Returns the image content even when the parent digest is being used for the request. This was seen as an error in anchorectl image content.
  • Improves errors from POST /rbac-manager/roles/{role_name}/members
    • when the user is an admin user
    • when the username is not valid or is a reserved system name
  • Improves errors from POST /system/user-groups/{group_uuid}/users
    • when the user is an admin user
    • when the username is not valid or is a reserved system name
  • Improves errors from POST /system/user-groups
    • when the user group name is a reserved system name
    • when the user group name overlaps with a username
  • Fixes the response of PATCH /system/user-groups/{group_uuid} to return the entire user group value.
  • Fixes a 500 error in the Action Workbench when selecting a notification endpoint.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.

UI Updates

Improvements

  • The User Groups view provides a summary of all user groups and the accounts associated with each group. From this view, administrators can create, edit, and delete user groups, and define the accounts and associated permissions accessible to users within each group. Native users, LDAP users, and SSO users can all be assigned to user groups from their respective Add or Edit dialogs.

  • A performance improvement has been applied to the image summary data processing operation that calculates the artifact taxonomy for registries, repositories, and tags. This improvement should reduce the time taken to present the Image selection view.

Fixes

  • A default of N/A has now been provided for empty entries in the CVEs column of the Vulnerabilities tab. This change ensures that the CVEs column is always populated with data, even if the vulnerability has no associated CVEs.

  • During template creation, we identified an issue where the state of unchanged boolean filters marked as False was incorrectly recorded as null after being saved. This error caused the filter to be omitted from any report queries generated from that template. While the issue was resolved in the 5.3.2 release for new templates, pre-existing templates remained unchanged. An AppDB migration has been added to automatically correct this issue for existing templates.

  • The Last Seen popup contained broken links to the Inventory page for ECS containers. Images of this type are not currently supported in the Inventory view, and the links have now been removed.

  • Reports downloaded from the Reports view that contained multiple CVE entries would not display correctly in the CSV format on account of the data itself being comma-separated. This issue has now been addressed.

  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

| Component | Supported Version | Additional Info |
| --- | --- | --- |
| Enterprise | v5.4.0 | With Syft v1.0.1 and Grype v0.74.7 |
| Enterprise UI | v5.4.0 | |
| AnchoreCTL | v5.4.0 | Deploying AnchoreCTL |
| Enterprise Helm Chart | v2.5.0 | https://github.com/anchore/anchore-charts |
| Anchore ECS Inventory | v1.3.0 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.3.0 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.5.0 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.0.0 | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.3.0 | https://github.com/anchore/harbor-scanner-adapter |
| enterprise-gitlab-scan | v4.0.0 | docker.io/anchore/enterprise-gitlab-scan:v4.0.0 |

Last modified April 4, 2024