Anchore Engine Release Notes - Version 0.9.0

Anchore Engine 0.9.0

Anchore Engine 0.9.0, features, bug fixes, and improvements. The latest summary can always be found in the Anchore Engine CHANGELOG on github.

NOTE: this release does involve a database schema update including column updates for some tables that may be quite large for some deployments, schedule downtime appropriately as it may take minutes to an hour depending on your database size and number of images you’ve analyzed and are present in the DB

Engine 0.9.0 begins the migration of image inspection and vulnerability scanning to the Syft and Grype tools which allow re-use of that logic outside of a deployed stateful system. Engine now consumes Syft internally for generating container bills-of-materials for all OS and application packages.

New API Revision

The API is updated to version 0.1.16

Update to Python Version

Engine 0.9.0 is built and tested against Python 3.8, and that is what is installed in the container image as well. Previous release used Python 3.6.

Changes of Note

Added

  • New APIs for uploading externally run Syft analysis of an image to generate an SBoM and importing results as an image into engine. Fixes #783
  • Support for analysis archive rules to trigger based on total number of images in each account. Fixes #700
  • Exclusion filters for analysis archive rules to allow specific registries or repos to be excluded from a broader rule. Fixes #699
  • Ability to exclude paths from vulnerability.packages rules using path regex. Fixes #229
  • Integrates new Syft tool (https://github.com/anchore/syft) as package bill of materials analyzer. Fixes #679, #685, #682
  • Ability to set an expiration for individual whitelist rules. Fixes #178,
  • Ability to test webhook delivery via API call and provide schemas for webhook payloads. Fixes #489, #490
  • Success and error counters in prometheus metrics exported by analyzers (“anchore_analysis_success” and “anchore_analysis_error”)

Fixed

  • Update Authlib to 0.15.2 from 0.12.1 to update cryptography dependency to 3.3.1 to resolve GHSA-hggm-jpg3-v476. Fixes #733
  • Remove varchar db column widths in policy engine tables. Fixes #712, #649
  • Allow pulling signed images by setting proper flag in skopeo call. Fixes #711
  • NPM and Gem policy gates (version checks etc) failed to handle results properly and were short-circuiting. Fixes #725
  • files.content_search policy trigger not checking b64 encoded values consistently. Fixes #756
  • Raise exception to log error and abort malware scan if image is larger than configured max malware scan size. Do not return a valid scan result. Fixes #677
  • Include fix version in check_output of policy evaluation if one is available, not just if the user specified it. Fixes #774
  • List archives API with no entries returns error. Fixes #588
  • Update urllib3 version to version 1.25.9

Additional minor fixes and enhancements

Upgrading