Anchore Engine Release Notes - Version 0.10.0

Anchore Engine 0.10.0

API version - 0.1.18

DB Schema version - 0.0.15

This release contains a database schema update, but no data migration only new tables added.

Configurable Vulnerability Providers

0.10.0 is a significant release for Engine as it now has both Syft and Grype integrations in place to move to a unified vulnerability scanning core across local tools as well as stateful Engine services. This release adds Grype integration as a new vulnerability scanning option in the policy engine. There is now a configuration option for specifying a vulnerability scanning provider in the policy engine service configuration. The legacy provider (non-Grype) is the default to ensure smooth upgrades and allow operators to choose whent to make the switch. The new Grype provider syncs vulnerability data from the same upstream sources as Engine, but uses the Grype DB update mechanism to achieve much faster feed updates, and no longer uses the https://ancho.re endpoint for retrieving data. See Grype Mode for more information and links.

Note:

  • Grype mode is a beta release and not recommended for production use, but we encourage feedback and use in dev environments.
  • The vulnerability_data_unavailable and stale_feed_data policy triggers in the vulnerabilities gate are not yet supported for the Grype provider. They will return incorrect results when used with the Grype provider.

The vulnerability provider is now configurable in the policy_engine service configuration of the config.yaml. See Default Config for more info.

Owned Package Filtering Control

A new configuration option: services.analyzer.enable_owned_package_filtering: <bool> is now available in the analyzer service configuration. By default, the analyzer will filter packages that are determined by Syft to be “owned” by a parent package when that packages is a distro-managed package and it installs the child package entirely. That behavior can be disabled by setting this configuration value to “false”. The filtering removes false positives associated with packages installed by yum, apt, or apkg, that also install language packages like python, npms, or gems that have backports applied by the distro maintainer but no corresponding language package version change other than the parent package version. However, if you package your own applications as rpms, debs, or similar and need to ensure all included packages are scanned directly against NVD sources, then you can disable this behavior.

Deprecations

  • The affected_package_version query parameter in GET /query/vulnerabilities is not supported in Grype mode and has known correctness issues in the legacy mode. It is deprecated and will be removed in a future release.
  • The legacy feed service endpoint (https://ancho.re) used by the legacy vulnerability provider is now officially deprecated, and will be replaced by the Grype DB sync introduced in this release. We will be announcing an End-of-Life timeline for the service along with the upcoming 1.0 Engine release in the next few months. The timeline will include reasonable time to upgrade and migrate deployments to 1.0+ versions. This deprecation notice serves as an early notice ahead of the actual 1.0 release and formal timeline announcement. For 0.10.0, there are no changes to the service or user actions required.

Breaking Changes

Note: the policy engine feed sync configuration is now in the policy engine service configuration as part of the provider configuration. The provided helm charts, docker-compose.yaml and default configurations handle this change automatically.

Changes

  • Added - Policy engine should leverage Grype. Fixes #706 and #707
  • Added - Improved alpine vulnerability scanning by using NVD matches for OS packages for CVEs that are not yet present in Alpine SecDB. Fixes #268
  • Added - Analyzer service configuration option to control package-ownership filtering. Allows exposing all packages regardless of ownership relationship. Fixes #1122
  • Fixed - Adds missing fields and fixes errors in the swagger spec for the API
  • Fixed - Restores file package verification data ingress during image load to fix a regression. Fixes #965
  • Fixed - Malware policy gate can fail causing policy eval error when malware not enabled and other rules precede malware rule in a policy. Fixes #992
  • Fixed - JSON serialization error in internal policy engine user image listing API. Fixes #1093
  • Fixed - “package_cpe23” field missing in vulnerabilities. Fixes #959
  • Fixed - Ensure python38 used in the Dockerfile build, and set tox tests to only run py38. Fixes #1025
  • Improved - Performance of GET operations between services improved by better streaming memory management for large payload transfers. Fixes #1010
  • Improved - Use UBI 8.4 as base image in Docker build
  • Improved - Updates skopeo version used to 1.2.1, allowing removal of the ‘lookuptag’ field in the POST /repositories call for watching repositories that do not have a latest tag. Fixes #484.
  • Additional minor fixes and improvements

Upgrading


Last modified June 28, 2021: Fixes typos (5760c874)