NOTE: This version of Anchore Engine is not compatible with Anchore Enterprise 2.2.x. If you are an Enterprise user you should not upgrade to this version, but instead wait for the Enterprise 2.3 release.
Anchore Engine 0.7.0 includes new features, bug fixes and improvements. The latest summary can always be found in the Anchore Engine CHANGELOG on GitHub.
New vulnerability data feed and package matching from the GitHub Advisory Database (https://github.com/advisories).
This results in GHSA matches for non-OS packages from ecosystems such as Java, Python, Ruby, and npm. Each GHSA match includes the relevant CVEs that the GHSA addresses.
New vulnerability data feed from the Red Hat Security Data API, which replaces RHSA as the default RPM vulnerability matching data source. NOTE: RHSA information is still available, but with this new data source the primary identifier for RPM matches is now the CVE id.
This provides better matches for CVEs that are not yet fixed or will not be fixed, since those do not have RHSAs. It also makes the CVE, rather than the RHSA, the match key, which gives more consistent whitelisting and policy handling compared to other distros.
New APIs for granular control of data feeds, including enable/disable toggles and data flush capabilities.
This provides finer-grained control over which feeds sync and which are used for matching vulnerabilities against images. It includes new anchore-cli commands that use the API calls:
anchore-cli system feeds config --enable|--disable <feed> [ --group <group name> ]
anchore-cli system feeds delete <feed> [ --group <group name> ]
For more information, see CLI Usage - Feeds.
Switched the base OS for all services from Red Hat UBI 7 to Red Hat UBI 8.
Additional minor bug fixes, significant test framework improvements, and performance updates in image analysis.
0.7.0 Upgrade Information
The upgrade from 0.6.1 to 0.7.0 involves some data migration to support the move from RHSA-based to CVE-based vulnerability reporting for Red Hat-based images. The ancho.re feed service has already been updated to serve the new data, which shows up in 0.6.1 and 0.7.0 systems as:
During the upgrade process the system will automatically perform the following steps:
anchore-cli system feeds list, if you upgrade to the 0.7.0 version of anchore-cli.
The logging during this process is verbose, to give you plenty of insight into what the system is doing. Because it must re-scan all RPM packages, step #2 can take quite a while depending on your specific deployment and how many of the images you have analyzed are based on CentOS or RHEL.
NOTE: Restoring RHSA-based matching is possible, but not recommended. See the Reverting Back to RHSA Data