Anchore Enterprise Release Notes - Version 2.3.0
This release focuses on enabling the Microsoft ecosystem within Anchore, so that the same analysis flow and pipelines you use for Linux images can be applied to Windows images
as well, for a consistent approach across ecosystems. It also includes several enhancements to the reporting and event management features of the UI.
New Features
Windows Container Image Support
- Analyze and get vulnerabilities for Windows OS-based containers. Anchore ingests Microsoft vulnerability data via the MSRC.
- No requirement to run Anchore itself on Windows, and no other infrastructure changes are needed to deliver this feature.
NuGet/.NET Package Support (Tech Preview)
- Detection and inclusion in analysis output as well as vulnerability scans
GitHub Advisories vulnerability data
- See Configuring GitHub advisories for information on configuring the new feed including creating a GitHub token the driver can use for API calls to GitHub.
Scheduled Reports
- Create report templates for easy re-use of your most frequently used reports
- Schedule reports for generation and get notifications when they are ready, delivered via Slack, email, webhooks, and the other supported notification integrations Enterprise provides.
Event Management in the UI
- Improved sorting, filtering, and deletion of events in the UI directly
Improved RHEL/CentOS vulnerability matching using CVE-based feeds instead of RHSA-based data
- To provide early detection of vulnerabilities before a fix is available, and to cover issues for which no fix will be issued, Anchore now uses Red Hat's CVE information instead of RHSA information.
- This also provides improved whitelist consistency between RHEL/CentOS images and images based on other distros, since CVE identifiers are the same across distros while RHSA identifiers are Red Hat-specific.
- For more details see RHSA-to-CVE Feed Change
Improved feed data and configuration management via APIs and CLI
- New APIs and CLI commands allow dynamic configuration of which feeds to sync and the ability to enable/disable and delete feed data without updating configuration files or restarting containers.
- See CLI Feeds configuration
Built on Anchore Engine v0.7.1: Anchore Enterprise is built on top of the OSS Anchore Engine, which has received new features and updates in the 0.7 series. See Anchore Engine Release Notes for information on new features, bug fixes, and improvements in Anchore Engine for versions v0.7.0 and v0.7.1.
Changes
Starting in 2.3.0 all services except the UI in an Enterprise deployment must:
- Have the license.yaml available at /license.yaml inside the image. This is currently how the Notifications, Reports, and RBAC services are run, and is now extended to all services.
- Be started with the anchore-enterprise-manager command instead of anchore-manager. This ensures that enterprise extensions and functionality are properly loaded and available.
The docker-compose.yaml is no longer built into the image, but is available for download via a link in the Docker Compose guide. The image versions in it are set to the release version matching the documentation version.
These changes are all configured by default in the new Docker Compose guide and are also enabled in the updated Helm chart for this release.
As with previous releases, we recommend upgrading with the newest deployment templates rather than just changing the image references in existing templates.
Bug Fixes and Enhancements
- Fixed user deletion and role removal failures
- Uses NVD severity for Debian vulnerabilities when the 'urgency' field is not set in the upstream data
- Updates the alpine feed driver to ensure severities are set using the newer nvdv2 driver data instead of the older nvd driver, which may have had stale data due to the old NVD XML feed
- Adds a new '--no-auto-upgrade' option to anchore-enterprise-manager to start services that will not upgrade the db automatically, enabling more control over the upgrade process
- Fixed Report CSV/JSON download missing records in UI
- Fixed scrollbar functionality issue in Policy Bundle editor in UI
- Fixed missing scrollbar for context switching in UI
- Fixed problem with sorting vulnerability columns in UI causing hangs and missing links
- Updates to dependencies
- Fixes in the Anchore Engine v0.7.0 release notes and v0.7.1 release notes
Upgrading from Anchore Enterprise 2.2 to 2.3.0
This is a significant upgrade. Backups should be taken, and downtime expected to complete the process.
NOTE: The upgrade from 2.2.x to 2.3.0 will take at least several minutes for the database schema upgrade, and involves a data migration that can take longer to fully transition the RHSA data to CVE data. Part of this process is done during
the database upgrade, but the rest can only complete after the upgraded feed service is able to run and sync the new Red Hat CVE data. Because of this, there will be an interval during which RHEL-based images
have no vulnerabilities listed. That resolves automatically once the feed syncs, and all affected images will then have CVE-based vulnerability matches as expected, but depending on the deployment environment and the number
of images in the database this may take a long time (potentially hours). Treat that window as a reporting gap rather than a clean result: do not gate deployments on an empty vulnerability list for RHEL-based images until the rhel:* groups show as synced in anchore-cli system feeds list.
See RHSA-to-CVE Feed Change for more information on the change and upgrade implications.
To upgrade, use the new version of the Helm chart or docker-compose provided with this release. The new chart and compose files contain all needed configuration changes. See Enterprise Upgrade to 2.3.0 for details on this specific upgrade process and how to update your own deployment templates if you are not using the official Helm chart.
1 - RHSA to CVE Feed Changes for RHEL-Based Images
Starting in Enterprise 2.3.0, Anchore Enterprise uses the Red Hat Security API for CVEs for vulnerability matches for RHEL, CentOS, and UBI images. This
is a change from previous releases, which used the API for Advisories (RHSAs) instead.
What Changed
In short, rhel:* replaces centos:* in the vulnerabilities feed for matches against RHEL-based distros such as CentOS and UBI.
Specifically, in Enterprise 2.2.x, all RHEL-based images (CentOS, RHEL, UBI) used data from the Red Hat Security Advisories API. This data populated
the centos:* groups of the vulnerabilities feed, as seen when you run anchore-cli system feeds list or via the UI's system page showing feed syncs.
In Enterprise 2.3.0, RHEL-based images match against a new feed source by default: data from the Red Hat CVE API.
This new source populates the rhel:* groups of the vulnerabilities feed. The centos:* groups are no longer used for matches by default.
Reason for Change
The CVE source provides the ability to match vulnerabilities that have not yet been fixed upstream or via backports by Red Hat, as well as information on
vulnerabilities that will not be fixed. Neither class of vulnerability is covered in the RHSA data, because that data is generated from fix
releases. Overall, the change gives better matches earlier in the vulnerability triage and fix process, so you can make better decisions about issues
that affect your images.
Upgrade
During upgrade Anchore changes the matching logic to transition images to the new feed groups. This update involves:
Completed automatically during the DB upgrade:
- Updating the DB schema to support the new enable/disable flags for feeds and groups.
- Disabling the existing centos:* feed groups from future syncs by setting the groups to disabled status.
- Updating the internal distro mappings to use the new groups.
When the system starts, all RHEL/CentOS/UBI images will still have RHSA matches, but the centos:* groups will be disabled so no new updates arrive for those groups.
After upgrade, when the system is running the new version:
- The feed service syncs the new data from the source.
- The policy engine syncs from the feed service to get the new data.
- Once the rhel:* groups sync in the policy engine, all RHEL/CentOS/UBI images analyzed before the upgrade will show both CVE and RHSA matches.
- Images analyzed after the upgrade will only match CVEs.
The output from a CLI feed listing should look roughly like this (note the disabled centos groups and the synced rhel groups):
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed Group LastSync RecordCount
...
vulnerabilities centos:5(disabled) 2020-05-15T16:33:53.165136 1171
vulnerabilities centos:6(disabled) 2020-05-15T16:33:47.819467 1219
vulnerabilities centos:7(disabled) 2020-05-15T16:33:48.007930 1044
vulnerabilities centos:8(disabled) 2020-05-15T16:33:51.662811 255
...
vulnerabilities rhel:5 2020-05-15T22:23:56.300077 7237
vulnerabilities rhel:6 2020-05-15T22:23:55.343614 6833
vulnerabilities rhel:7 2020-05-15T22:23:56.040785 5893
vulnerabilities rhel:8 2020-05-15T22:23:56.561123 1472
...
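Checking that listing by eye works for one deployment, but the state you actually care about is a yes/no answer: are the rhel:* groups synced with records, and are the centos:* groups disabled (and, after the optional delete below, empty)? The following Python is an added example, not Anchore's own code. It parses the plain-text output of anchore-cli system feeds list, using the column layout shown in the listing above (that layout is an assumption taken from this page), and reports whether CVE matching is ready and whether the RHSA data has been flushed. Both sample listings are constructed to mirror the ones on this page, with rhel:7 still pending in the first so the check has something to report.

```python
"""Check the RHSA-to-CVE feed migration state from `anchore-cli system feeds list` output.

Added example, not part of Anchore. The column format (Feed, Group, LastSync,
RecordCount, with "(disabled)" appended to disabled groups) is assumed from the
listing shown in the release notes.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not captured output), modelled on the listing above but
# with rhel:7 not yet synced.
SAMPLE_DURING_MIGRATION = """\
Feed               Group               LastSync                    RecordCount
...
vulnerabilities    centos:5(disabled)  2020-05-15T16:33:53.165136  1171
vulnerabilities    centos:6(disabled)  2020-05-15T16:33:47.819467  1219
vulnerabilities    centos:7(disabled)  2020-05-15T16:33:48.007930  1044
vulnerabilities    centos:8(disabled)  2020-05-15T16:33:51.662811  255
...
vulnerabilities    rhel:5              2020-05-15T22:23:56.300077  7237
vulnerabilities    rhel:6              2020-05-15T22:23:55.343614  6833
vulnerabilities    rhel:7              pending                     0
vulnerabilities    rhel:8              2020-05-15T22:23:56.561123  1472
"""

# Constructed sample for the state after `anchore-cli system feeds delete` has
# been run on every centos group and the rhel sync has completed.
SAMPLE_AFTER_FLUSH = """\
Feed               Group               LastSync                    RecordCount
vulnerabilities    centos:5(disabled)  -                           0
vulnerabilities    centos:6(disabled)  -                           0
vulnerabilities    centos:7(disabled)  -                           0
vulnerabilities    centos:8(disabled)  -                           0
vulnerabilities    rhel:5              2020-05-15T23:45:04.969330  7237
vulnerabilities    rhel:6              2020-05-15T23:45:03.552281  6833
vulnerabilities    rhel:7              2020-05-15T23:45:04.678325  5894
vulnerabilities    rhel:8              2020-05-15T23:45:05.232375  1473
"""


@dataclass
class FeedGroup:
    feed: str
    group: str
    enabled: bool
    last_sync: Optional[str]  # None when the CLI shows "-" or "pending"
    record_count: int


# feed, group (lazy so "(disabled)" is split off), optional marker, last sync, count
LINE_RE = re.compile(r"^(\S+)\s+(\S+?)(\(disabled\))?\s+(\S+)\s+(\d+)\s*$")


def parse_feed_list(text: str) -> List[FeedGroup]:
    """Turn the CLI table into FeedGroup records, skipping the header and '...' lines."""
    groups: List[FeedGroup] = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "..." or line.split()[0] == "Feed":
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised feed list line: {line!r}")
        feed, group, disabled, last_sync, count = m.groups()
        groups.append(FeedGroup(feed, group, disabled is None,
                                None if last_sync in ("-", "pending") else last_sync,
                                int(count)))
    return groups


def migration_status(groups: List[FeedGroup]) -> Dict[str, List[str]]:
    """List what still blocks CVE-only matching: enabled centos groups, unsynced rhel groups."""
    problems: Dict[str, List[str]] = {"centos_still_enabled": [], "rhel_not_synced": []}
    for g in groups:
        if g.feed != "vulnerabilities":
            continue
        if g.group.startswith("centos:") and g.enabled:
            problems["centos_still_enabled"].append(g.group)
        if g.group.startswith("rhel:") and (g.last_sync is None or g.record_count == 0):
            problems["rhel_not_synced"].append(g.group)
    return problems


def cve_matching_ready(groups: List[FeedGroup]) -> bool:
    """True once every rhel:* group has synced records and no centos:* group is enabled."""
    return not any(migration_status(groups).values())


def rhsa_data_flushed(groups: List[FeedGroup]) -> bool:
    """True once every centos:* group holds zero records (after `feeds delete`)."""
    centos = [g for g in groups if g.feed == "vulnerabilities" and g.group.startswith("centos:")]
    return bool(centos) and all(g.record_count == 0 for g in centos)


if __name__ == "__main__":
    # Usage: anchore-cli system feeds list | python check_feed_migration.py
    found = parse_feed_list(sys.stdin.read())
    print("CVE matching ready:", cve_matching_ready(found))
    print("RHSA data flushed: ", rhsa_data_flushed(found))
    for what, names in migration_status(found).items():
        if names:
            print(f"  {what}: {', '.join(names)}")
```

Pipe the real listing in rather than pasting it; the script raises on any line it does not recognise, which is preferable to silently reporting a ready state from a partially parsed table.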
You can optionally flush the old RHSA matches by using anchore-cli to delete the centos group data, which removes both the feed data and the vulnerability matches for the RHSAs, leaving only the CVE matches.
To accomplish this, via the cli run:
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:5
Group LastSync RecordCount
centos:5(disabled) pending 0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:6
Group LastSync RecordCount
centos:6(disabled) pending 0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:7
Group LastSync RecordCount
centos:7(disabled) pending 0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:8
Group LastSync RecordCount
centos:8(disabled) pending 0
Listing will now show:
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed Group LastSync RecordCount
...
vulnerabilities centos:5(disabled) - 0
vulnerabilities centos:6(disabled) - 0
vulnerabilities centos:7(disabled) - 0
vulnerabilities centos:8(disabled) - 0
...
vulnerabilities rhel:5 2020-05-15T23:45:04.969330 7237
vulnerabilities rhel:6 2020-05-15T23:45:03.552281 6833
vulnerabilities rhel:7 2020-05-15T23:45:04.678325 5894
vulnerabilities rhel:8 2020-05-15T23:45:05.232375 1473
...
At this point all RHSA matches for all images in the DB have also been removed, leaving only the CVE matches from the new RedHat CVE source.
Feed Service Driver Configuration
The new RHEL CVE feed is enabled in the feed service by default. No changes to configuration are necessary to enable it.
Policy Engine Configuration
No changes to the policy engine configuration are needed to enable the new data, because it is delivered as new groups in the existing vulnerabilities feed, which syncs all groups automatically.
Rolling Back
If you need to restore the old behavior, see the rollback guide.
2 - Reverting Back to use RHSA Data
NOTE: This section is only for very specific situations where you absolutely must revert the matching system to use the RHSA data. This should not be done lightly. The newer CVE-based data is more accurate, specific, and provides a more consistent experience with other distros.
If your processing of anchore output relies on RHSA keys as vulnerability matches, or you have large RHSA-based whitelists that cannot be converted to CVE-based,
then it is possible, though not recommended, to migrate your system back to using the RHSA-based feeds (centos:* groups).
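Before going down this path it is worth measuring how much of an RHSA-based whitelist can be converted mechanically, since Anchore already reports the CVE references alongside each RHSA match (the CVE Refs column in the image vuln output at the end of this page). The following Python is an added example, not Anchore's own code. It builds an RHSA-to-CVE map from the JSON form of that output, rewrites whitelist items that use the vulnerabilities gate's "<vuln id>+<package name>" trigger_id convention, and lists the RHSAs that carried no CVE reference so they can be mapped by hand from the advisory. The JSON field names it reads (vuln, package_name, feed_group, nvd_data) are an assumption about the API response shape and should be checked against your deployment's output; the vulnerability data and the policy bundle are constructed samples.

```python
"""Convert RHSA-keyed whitelist items in an Anchore policy bundle to CVE-keyed items.

Added example, not part of Anchore. Field names in IMAGE_VULNS are assumed from
the `anchore-cli image vuln <image> os --json` response shape; verify them
against your own output before relying on this.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in the assumed shape of `anchore-cli image vuln <image> os --json`.
IMAGE_VULNS = {
    "vulnerabilities": [
        {"vuln": "RHSA-2020:0271", "package_name": "libarchive", "feed_group": "centos:8",
         "nvd_data": [{"id": "CVE-2019-18408"}]},
        {"vuln": "RHSA-2020:0273", "package_name": "sqlite-libs", "feed_group": "centos:8",
         "nvd_data": [{"id": "CVE-2019-13734"}]},
        # No CVE reference reported for this RHSA (as in the listing on this
        # page), so it cannot be converted automatically.
        {"vuln": "RHSA-2020:0575", "package_name": "systemd", "feed_group": "centos:8",
         "nvd_data": []},
    ]
}

# Constructed sample whitelist from a policy bundle, using the vulnerabilities
# gate's "<vuln id>+<package name>" trigger_id convention.
BUNDLE = {
    "id": "example-bundle",
    "whitelists": [{
        "id": "rhsa-exceptions",
        "name": "RHSA exceptions",
        "version": "1_0",
        "items": [
            {"id": "w1", "gate": "vulnerabilities", "trigger_id": "RHSA-2020:0271+libarchive"},
            {"id": "w2", "gate": "vulnerabilities", "trigger_id": "RHSA-2020:0575+systemd"},
            {"id": "w3", "gate": "vulnerabilities", "trigger_id": "CVE-2019-0001+openssl"},
        ],
    }],
}


def rhsa_to_cves(image_vulns: dict) -> Dict[str, Set[str]]:
    """Map each RHSA id to the CVE ids reported in its NVD references."""
    mapping: Dict[str, Set[str]] = {}
    for v in image_vulns.get("vulnerabilities", []):
        if not v.get("vuln", "").startswith("RHSA-"):
            continue
        cves = {n["id"] for n in v.get("nvd_data", []) if n.get("id", "").startswith("CVE-")}
        mapping.setdefault(v["vuln"], set()).update(cves)
    return mapping


def convert_whitelists(bundle: dict, mapping: Dict[str, Set[str]]) -> Tuple[dict, List[str]]:
    """Return (converted bundle, trigger_ids that could not be converted).

    Each RHSA item becomes one item per referenced CVE (ids are suffixed to stay
    unique). Non-RHSA items are left alone. RHSA items with no known CVE are kept
    unchanged and reported so they can be mapped by hand.
    """
    new_bundle = json.loads(json.dumps(bundle))  # deep copy; never mutate the input
    unconverted: List[str] = []
    for wl in new_bundle.get("whitelists", []):
        new_items = []
        for item in wl.get("items", []):
            trigger = item.get("trigger_id", "")
            vuln_id, sep, pkg = trigger.partition("+")
            if item.get("gate") != "vulnerabilities" or not vuln_id.startswith("RHSA-"):
                new_items.append(item)
                continue
            cves = sorted(mapping.get(vuln_id, ()))
            if not cves:
                unconverted.append(trigger)
                new_items.append(item)
                continue
            for n, cve in enumerate(cves):
                new = dict(item)
                new["id"] = item["id"] if n == 0 else f"{item['id']}-{n}"
                new["trigger_id"] = f"{cve}{sep}{pkg}"
                new_items.append(new)
        wl["items"] = new_items
    return new_bundle, unconverted


if __name__ == "__main__":
    converted, leftovers = convert_whitelists(BUNDLE, rhsa_to_cves(IMAGE_VULNS))
    print(json.dumps(converted, indent=2))
    for t in leftovers:
        print("needs manual mapping:", t)
```

Run it over the JSON vuln output of every image the whitelist covers, since the map only knows the RHSAs it has seen; one RHSA that references several CVEs fans out into several whitelist items. Review the unconverted list, then upload the rewritten bundle with anchore-cli policy add. Do the conversion while the pre-upgrade images still show both RHSA and CVE matches, before flushing the centos:* data, because afterwards the RHSA side of the mapping is gone from the database.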
Here is the process. It requires the Anchore CLI with access to the API as well as direct access to the internal policy engine API endpoint. That may require a docker exec or kubectl exec call to achieve and will be deployment/environment specific.
Revert the distro mapping records that map centos, fedora, and rhel to use the RHEL vuln data.
- With API access to the policy engine directly (output omitted for brevity), remove the existing distro mappings to RHEL data. These are the mappings used by Anchore. The admin:foobar credentials and localhost:8087 address are the reference deployment's example values; substitute your own admin credentials and policy engine address, and keep this endpoint reachable only from inside the deployment, as it is an internal service API.
curl -X DELETE -u admin:foobar 'http://localhost:8087/v1/distro_mappings?from_distro=centos'
curl -X DELETE -u admin:foobar 'http://localhost:8087/v1/distro_mappings?from_distro=rhel'
curl -X DELETE -u admin:foobar 'http://localhost:8087/v1/distro_mappings?from_distro=fedora'
- Continuing with API access to the policy engine directly, replace the removed mappings with new mappings to the centos feeds:
curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"centos", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"fedora", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
curl -H "Content-Type: application/json" -X POST -u admin:foobar -d'{"from_distro":"rhel", "to_distro":"centos", "flavor":"RHEL"}' http://localhost:8087/v1/distro_mappings
Note: if something went wrong and you want to undo the progress you've made, just make the same set of calls as in the last two steps, in the same order, but with the to_distro values set to 'rhel'.
- Now, ensure you are back where you have access to the main Anchore API and the Anchore CLI installed. Disable the existing rhel feed groups and delete their data:
anchore-cli system feeds config vulnerabilities --disable --group rhel:5
anchore-cli system feeds config vulnerabilities --disable --group rhel:6
anchore-cli system feeds config vulnerabilities --disable --group rhel:7
anchore-cli system feeds config vulnerabilities --disable --group rhel:8
anchore-cli system feeds delete vulnerabilities --group rhel:8
anchore-cli system feeds delete vulnerabilities --group rhel:7
anchore-cli system feeds delete vulnerabilities --group rhel:6
anchore-cli system feeds delete vulnerabilities --group rhel:5
- Enable the centos feed groups that carry the RHSA vulnerability data:
anchore-cli system feeds config vulnerabilities --enable --group centos:8
anchore-cli system feeds config vulnerabilities --enable --group centos:7
anchore-cli system feeds config vulnerabilities --enable --group centos:6
anchore-cli system feeds config vulnerabilities --enable --group centos:5
NOTE: if you already have centos data in your feeds (verify with anchore-cli system feeds list), then you'll need to delete the centos data groups as well to ensure a clean re-sync in the next steps. This is accomplished with:
anchore-cli system feeds delete vulnerabilities --group centos:5
anchore-cli system feeds delete vulnerabilities --group centos:6
anchore-cli system feeds delete vulnerabilities --group centos:7
anchore-cli system feeds delete vulnerabilities --group centos:8
- Now do a sync to re-match any images using rhel/centos to the RHSA data:
[root@d64b49fe951c ~]# anchore-cli system feeds sync
WARNING: This operation should not normally need to be performed except when the anchore-engine operator is certain that it is required - the operation will take a long time (hours) to complete, and there may be an impact on anchore-engine performance during the re-sync/flush.
Really perform a manual feed data sync/flush? (y/N)y
Feed Group Status Records Updated Sync Duration
github github:composer success 0 0.28s
github github:gem success 0 0.34s
github github:java success 0 0.33s
github github:npm success 0 0.23s
github github:nuget success 0 0.23s
github github:python success 0 0.29s
nvdv2 nvdv2:cves success 0 60.59s
vulnerabilities alpine:3.10 success 0 0.27s
vulnerabilities alpine:3.11 success 0 0.31s
vulnerabilities alpine:3.3 success 0 0.31s
vulnerabilities alpine:3.4 success 0 0.25s
vulnerabilities alpine:3.5 success 0 0.26s
vulnerabilities alpine:3.6 success 0 0.25s
vulnerabilities alpine:3.7 success 0 0.26s
vulnerabilities alpine:3.8 success 0 0.35s
vulnerabilities alpine:3.9 success 0 0.28s
vulnerabilities amzn:2 success 0 0.26s
vulnerabilities centos:7 success 1003 34.91s
vulnerabilities centos:8 success 199 9.15s
vulnerabilities debian:10 success 2 0.50s
vulnerabilities debian:11 success 4 60.53s
vulnerabilities debian:7 success 0 0.30s
vulnerabilities debian:8 success 3 0.34s
vulnerabilities debian:9 success 2 0.38s
vulnerabilities debian:unstable success 4 0.39s
vulnerabilities ol:5 success 0 0.31s
vulnerabilities ol:6 success 0 0.29s
vulnerabilities ol:7 success 0 0.41s
vulnerabilities ol:8 success 0 0.28s
vulnerabilities rhel:5 success 0 0.28s
vulnerabilities rhel:6 success 0 0.43s
vulnerabilities ubuntu:12.04 success 0 0.45s
vulnerabilities ubuntu:12.10 success 0 0.25s
vulnerabilities ubuntu:13.04 success 0 0.24s
vulnerabilities ubuntu:14.04 success 0 0.37s
vulnerabilities ubuntu:14.10 success 0 0.25s
vulnerabilities ubuntu:15.04 success 0 0.42s
vulnerabilities ubuntu:15.10 success 0 0.23s
vulnerabilities ubuntu:16.04 success 0 0.35s
vulnerabilities ubuntu:16.10 success 0 0.33s
vulnerabilities ubuntu:17.04 success 0 0.33s
vulnerabilities ubuntu:17.10 success 0 0.31s
vulnerabilities ubuntu:18.04 success 0 0.42s
vulnerabilities ubuntu:18.10 success 0 0.37s
vulnerabilities ubuntu:19.04 success 0 0.45s
vulnerabilities ubuntu:19.10 success 0 0.32s
[root@d64b49fe951c ~]# anchore-cli image vuln centos os
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
RHSA-2020:0271 libarchive-3.3.2-7.el8 High 0:3.3.2-8.el8_1 CVE-2019-18408 https://access.redhat.com/errata/RHSA-2020:0271 rpm centos:8 pkgdb
RHSA-2020:0273 sqlite-libs-3.26.0-3.el8 High 0:3.26.0-4.el8_1 CVE-2019-13734 https://access.redhat.com/errata/RHSA-2020:0273 rpm centos:8 pkgdb
RHSA-2020:0575 systemd-239-18.el8_1.1 High 0:239-18.el8_1.4 https://access.redhat.com/errata/RHSA-2020:0575 rpm centos:8 pkgdb
RHSA-2020:0575 systemd-libs-239-18.el8_1.1 High 0:239-18.el8_1.4 https://access.redhat.com/errata/RHSA-2020:0575 rpm centos:8 pkgdb
RHSA-2020:0575 systemd-pam-239-18.el8_1.1 High 0:239-18.el8_1.4 https://access.redhat.com/errata/RHSA-2020:0575 rpm centos:8 pkgdb
RHSA-2020:0575 systemd-udev-239-18.el8_1.1 High 0:239-18.el8_1.4 https://access.redhat.com/errata/RHSA-2020:0575 rpm centos:8 pkgdb
Note in the last command output that the OS vulnerabilities are again showing ‘RHSA’ matches. The restoration to RHSA-based vuln data is complete.