The Anchore Engine and Anchore CLI version 0.2.0 add the following features:
- New CVE handling for the Debian-based distributions.
The Anchore Engine and the Anchore Feed service now include the Debian-specific no-DSA flag, which indicates that while the package version is vulnerable to a given CVE, the Debian build of this package is not vulnerable, either because of build options or environment. In the past, whitelists were used to filter these records from policy output; with Anchore Engine 0.2.0, these CVEs will not be shown on the default CVE report or within the policy output.
A new command line parameter has been added to the Anchore CLI to allow the no-DSA records to be displayed. The default behavior will be to suppress the no-DSA records since these vulnerabilities do not directly impact Debian.
$ anchore-cli image vuln library/debian:latest os --vendor-only=false
For more details about CVEs in Debian see this blog.
- Anchore CLI System Version
Anchore Engine 0.1.9 added the system and database version numbers to the output of the system status API. Anchore CLI 0.2.0 will return the Engine version and Anchore database version in the system status command.
$ anchore-cli system status
......
Engine DB Version: 0.0.6
Engine Code Version: 0.2.0dev
- Anchore Policy Engine Feed Service Initialization
In previous versions of the Anchore Engine, the Policy Engine would not fully initialize until the initial feed service synchronization had completed. In Anchore Engine 0.2.0, the feed sync will not block initialization of the Policy Engine. The initial feed sync may take longer than in version 0.1.9 (between 10 and 60 minutes, depending on the size of your system and network connectivity); however, the system will be responsive and handling load during the synchronization.
- Feed Status and Management
Two new API and CLI features have been added to allow for the control and reporting of feed synchronization.
Please refer to the Feed Synchronization documentation for details.
- Prometheus Support
The Anchore Engine can now be configured to expose metrics for consumption by Prometheus. See the Prometheus Integration page for details.
- Archive Storage
The Anchore Engine stores documents containing archives of image analysis data and policies as JSON documents. By default, these documents are stored within the PostgreSQL database. Anchore Engine 0.2.0 adds the option to store the archive documents in a file system (attached volume), S3 Object Store, or Swift Object Store, as well as the default location of the PostgreSQL database. See the Archive documentation for more details.
- Run Multiple Copies of Core Services
While previous versions of the Anchore Engine allowed scale-out of Analyzer workers, it was not possible to run multiple copies of the core services. Anchore Engine 0.2.0 adds support for running multiple core services.
Upgrading the Anchore Engine
The regular Anchore Engine upgrade procedure can be performed to upgrade the Anchore Engine to version 0.2.0.
Upgrading the Anchore CLI
The regular Anchore CLI upgrade procedure can be performed to upgrade the Anchore CLI to version 0.2.0.