NOTE: For users upgrading from 0.2.X to 0.3.X, please note that the upgrade process may take some time for anchore-engine deployments that have a large number of images stored (many thousands).  Please review the upgrade guide to safely plan for an upgrade, and plan for a longer service maintenance window than usual for this upgrade if your engine has a large number of images analyzed.


Features and Improvements


The Anchore Engine and Anchore CLI version 0.3.0 include the following improvements and new features:

  • Major Version Update - anchore-engine and anchore-cli ported to Python3!
  • New Feature - Multi-user API and Structure
    • Adds user management and detection API routes: /accounts/*, /account, /user
    • New option in config.yaml for the "apiext" service: "authorization_handler" key, with default value "native". Provides an extension point for other models in the future.
    • Accounts have one of three types: service (internal), admin, and user. Only admin account users can create other accounts/users.
    • During upgrade, existing users are migrated to accounts of the same name with user records with the same credentials.
    • Adds 'x-anchore-account' header support to allow admin users to make requests in the namespace of other accounts, for example to view events or image status, without requiring api route changes.
    • The existing config.yaml user sections are respected during first system initialization but ignored afterwards, so user management is purely via the APIs.
  • New Feature - Security-first Queries and Reports
    • Query for a list of images affected by input Vulnerability ID
    • Query for a list of images with an input package installed
    • Query for record information about a specific Vulnerability by ID
    • All queries include filter parameters to further refine results
    • API routes /v1/queries/ and corresponding CLI operation (anchore-cli query ...) included
  • New - Build and Testing infrastructure
    • Single canonical ./Dockerfile for container builds
    • CircleCI automation and test config
    • Unit and functional testing framework under ./test
  • Added - ability to add an image by specifying a digest,tag,created_at tuple with a POST to the /v1/images API route
  • Added - ability to add, fetch, store and refer to images by manifestList digest (these digests are commonly seen on the docker/runtime side) - reported as 'parentDigest' field for image records
  • Added - unauthenticated API route /version to retrieve service version information
  • Added - optional skopeo_global_timeout setting (seconds) for config.yaml which will be passed through to skopeo calls as the command-timeout option
  • Added - ability to ask for interactive (DB side effect free) policy evaluation via interactive=<true|false> query parameter to /v1/image/<image>/check route
  • Improved - java artifact manifest file parsing support and implementation (contributions by Matt Sicker <boards@gmail.com>)
  • Improved - add bootstrap process retries to improve behavior of simultaneous startup of distributed anchore-engine services
  • Improved - normalize all package database record handling for OS and Non-OS (NPM, GEM, Java, Python, etc) packages
  • Improved - better error passthrough from internal services (catalog/policy engine) back through external API to user (400, 404 instead of 500)
  • Improved - more consistent logging, during bootstrap and throughout
  • Changed - move from CentOS to Ubuntu base image for anchore-engine containers
  • Removed - deprecated 'prune' routes and operations

Bug Fixes


The Anchore Engine and Anchore CLI version 0.3.0 include many minor bug fixes and general improvements, including fixes for the following bugs:

  • Fix - handle case where manifests have incomplete history information, causing analysis failures (contribution by jianqli <jianqli@ebay.com>)
  • Fix - handle case that caused image analysis failure when package managers output non-integer values for package size metadata
  • Fix - prevent logging of DB connect string/credentials (Fix #95 contributed by Brendan Shaklovitz <nyanshak@users.noreply.github.com>)
  • Fix - bug where a container with no files triggers an analysis failure during load in the policy engine.  Fixes #105
  • Many bug fixes and improvements

Upgrading the Anchore Engine


The regular Anchore Engine upgrade procedure can be performed to upgrade the Anchore Engine to version 0.3.0, with any special considerations for this particular release listed in the 'NOTE' section below.


NOTE: For users upgrading from 0.2.X to 0.3.X, please note that the upgrade process may take some time for anchore-engine deployments that have a large number of images stored (many thousands).  Please review the upgrade guide to safely plan for an upgrade, and plan for a longer service maintenance window than usual for this upgrade if your engine has a large number of images analyzed.


NOTE: If upgrading with a configuration file (config.yaml) that has analyzer services enabled from version 0.2.2 or prior, but has no values set for 'endpoint_hostname', 'listen', and 'port', you will need to set these values for analyzer services to come up correctly in 0.2.X.  The analyzer service ports do not need to be exposed for normal operation, unless Prometheus metrics are enabled and/or other site-specific features are enabled that require analyzer service port access (e.g. for pinging the /health route, etc.).

Anchore CLI


The latest release is 0.3.0, which adds support for the new features and capabilities in Anchore Engine 0.3.0.