Anchore Enterprise Release Notes - Version 5.8.0

Anchore Enterprise v5.8.0

Anchore Enterprise release v5.8.0 contains targeted fixes and improvements.

Enterprise Service Updates

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.3.0
    • The upgrade will result in an automatic schema change that will require database downtime. We are anticipating that this schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
  • If upgrading from a release in the range of v5.4.x - v5.6.0
    • The upgrade will result in an automatic schema change that will require database downtime. We expect that this could take up to 2 hours depending on the amount of data in your system.
  • If upgrading from the v5.7.0 release
    • The upgrade will result in an automatic schema change that will require minimal database downtime.

Improvements

  • KEV (Known Exploited Vulnerabilities) Support
    • The KEV list is now available to be ingested as a Vulnerability Annotation feed within the Feed Service. The KEV list feed will be enabled by default within the helm chart. See Feeds for more info.
    • A new KEV List Trigger is now available as part of the Vulnerability Policy Gate. See Policy Checks for more info.
    • This replaces the CISA KEV Vulnerabilities Policy Pack, which can be removed after validating the behavior of this new trigger.
  • Improve the obfuscation of user credentials in the logs.
  • Allowlist entries can now include a specific package version. This can be accomplished by adding both the Package Name and Version in the “Package” field within the allowlist UI editor.
  • Improved the authentication path performance when using the User Group feature at scale.

Fixes

  • Improves error logs found in the report-worker service to include better information when an error occurs.
  • Fixes the issue where a success status is returned when deleting an image without the force flag when the image is not allowed to be deleted. This can occur when it is the latest image of the tag or if it has active subscriptions.
  • Fixes an issue where a repository watch subscription can be created or activated without having the proper RBAC permissions.
  • Removal of obsolete report-worker task data in the database. This would have no effect on the running system. The cleanup will take place during the db schema migration and is just a small cleanup of old data within the database.
  • Account Deletion
    • Ensure that the system will properly clean up an account and its associated data when the account name contains special characters.
    • Ensure that the system will properly delete any RBAC Principals associated with the account.
  • If the Disallow Native User feature is enabled, the system will now properly prevent access to GraphQL endpoints and System endpoints by native users.

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • Package Feeds and Policy Gates for Ruby Gems and NPMs, are now deprecated. Please contact Anchore Support for more information.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
  • The Feed Service is deprecated in v5.8.0. Starting in v5.10.0 a new service will be introduced to synchronize Feed data from Anchore.

UI Updates

Improvements

  • The Kubernetes view has been refactored with an improved data retrieval strategy to allow the component to work at a larger scale. Summary information is now fetched independently of the main dataset, and data fetches for the cluster and namespace tiers are now compartmentalized. Additional improvements have been made to the filtering and data composition operations to enhance performance and reduce time to availability. Please note that the reports service must be enabled to use this view.

Fixes

  • The error component used to display inline errors would overflow if the error information was too voluminous, sometimes exceeding the height of the viewport. The control is now constrained to a maximum height and is scrollable.
  • Several issues related to context-based routing, introduced in the previous release, were discovered. These issues primarily affected legacy routes that did not contain an account entry upon logging in. Additionally, a fix has been provided for manually changing the context in the URL for routes with URI encoded entries (such as Artifact Analysis). Previously, these routes would lose encoding on reload, resulting in a 404 error. These and other routing issues have now been addressed.
  • Adding an LDAP URI without the ldap:// or ldaps:// protocol would crash the app when testing the configuration or logging in using LDAP. Guards against this error are now in place, and the protocol prefix is now mandatory.
  • Changing permissions could sporadically cause the app to crash due to an error in the event broadcast triggered by this action. This issue has been resolved.
  • Under certain circumstances, an error response from the SSO provider during authentication would crash the app. Error handling has been updated to gracefully manage errors and provide detailed information to the user.
  • In deployments where SSO is the sole authentication scheme, the LDAP authentication option was still present on the login page. This is no longer the case.
  • When an error occurred during the operation of submitting a repository for analysis, the toast message describing the problem was not raised. This issue has been addressed.
  • Due to a missing role-based access control permission, users without the createRepository permission could still interact with the Watch Repository toggle. This issue is now fixed.
  • Previously, it was not possible to add more than one annotation from the Metadata tab in the Artifact Analysis view. Additionally, adding a single annotation would result in an erroneous redirect. Both issues have been addressed.
  • Non-Chrome users who had not previously set their view theme would find the app defaulting to dark mode after invoking the print view control (present in the Policy Compliance and Vulnerabilities tabs). This issue has been resolved.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
ComponentSupported VersionHelm Chart VersionAdditional Info
Enterprisev5.8.0v2.9.0With Syft v1.9.0 and Grype v0.79.3
Enterprise Feedsv5.8.0v2.8.0
Enterprise UIv5.8.0
AnchoreCTLv5.8.0Deploying AnchoreCTL
Anchore ECS Inventoryv1.3.1v0.0.8https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventoryv1.6.2v0.4.3https://github.com/anchore/k8s-inventory
Kubernetes Admission Controllerv0.6.2v0.6.2https://github.com/anchore/kubernetes-admission-controller
Jenkins Pluginv3.1.2https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapterv1.3.4https://github.com/anchore/harbor-scanner-adapter
enterprise-gitlab-scanv5.0.0docker.io/anchore/enterprise-gitlab-scan:v5.0.0

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Last modified August 22, 2024