CVE-2022-1766: Anchore Enterprise Release Notes - Version 4.0.1
Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials (SBOM): the SBOM it produced included the credentials anchorectl had used to access the Anchore Enterprise API, so anyone who received that SBOM also received those credentials. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue.
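The practical defender question after an advisory like this is whether SBOMs already generated with the affected version, and possibly already shared, carry API credentials. The page does not say which field of the SBOM anchorectl 0.1.4 wrote them into, so the following added example (my own code, not anchorectl's or Syft's) takes a format-agnostic approach: it walks any JSON SBOM, flags keys with credential-like names and values that look like Basic-auth headers or URLs with embedded userinfo, and returns a scrubbed copy. The Syft-style sample document and the `descriptor.configuration` block holding a password are constructed for illustration and are an assumption about shape, not a record of what 0.1.4 actually emitted.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: an abbreviated Syft-style SBOM in which the generator's
# configuration block carries an API password. This is an assumed layout used
# to exercise the scanner, not a capture of real anchorectl 0.1.4 output.
SAMPLE_SBOM = json.dumps({
    "artifacts": [{"name": "openssl", "version": "1.1.1n", "type": "deb"}],
    "descriptor": {
        "name": "anchorectl",
        "version": "0.1.4",
        "configuration": {
            "url": "https://anchore.example.internal/v1",
            "username": "svc-scanner",
            "password": "hunter2-EXAMPLE",
        },
    },
})

REDACTED = "<REDACTED>"

# Key names that should never carry a non-empty value in a document that
# leaves the organisation. Word boundaries keep "authors" from matching.
SENSITIVE_KEY = re.compile(
    r"\b(pass(word|wd)?|secret|token|api[-_]?key|credentials?|authorization)\b",
    re.I,
)
# Values that embed credentials regardless of key name.
BASIC_AUTH = re.compile(r"^Basic\s+[A-Za-z0-9+/=]{8,}$")


def _walk(node, path):
    """Yield (path, scalar) for every leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [k])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    else:
        yield path, node


def _url_has_userinfo(value):
    """True for strings like https://user:pw@host/path."""
    if not isinstance(value, str) or "://" not in value:
        return False
    parts = urlsplit(value)
    return bool(parts.username or parts.password)


def find_embedded_credentials(sbom_text):
    """Return dotted JSON paths whose key or value looks like a credential."""
    findings = []
    for path, value in _walk(json.loads(sbom_text), []):
        key = path[-1] if path else ""
        dotted = ".".join(path)
        if value == REDACTED:
            continue  # already scrubbed
        if SENSITIVE_KEY.search(key) and value not in (None, "", False):
            findings.append(dotted)
        elif isinstance(value, str) and (
            BASIC_AUTH.match(value) or _url_has_userinfo(value)
        ):
            findings.append(dotted)
    return findings


def scrub(sbom_text):
    """Return a copy of the SBOM with every flagged value replaced by REDACTED."""
    doc = json.loads(sbom_text)
    for dotted in find_embedded_credentials(sbom_text):
        parts = dotted.split(".")
        node = doc
        for p in parts[:-1]:
            node = node[int(p)] if isinstance(node, list) else node[p]
        last = parts[-1]
        if isinstance(node, list):
            node[int(last)] = REDACTED
        else:
            node[last] = REDACTED
    return json.dumps(doc)


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_SBOM):
        print("possible credential at", hit)
    print(scrub(SAMPLE_SBOM))
```

Run it against each SBOM file with `find_embedded_credentials(open(path).read())`; a non-empty result on a document generated by 0.1.4 means the credential it names should be treated as exposed and rotated, not merely scrubbed from the file, since copies may already have been distributed.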
Anchore Enterprise 4.0.1
Anchore Enterprise v4.0.1 is a patch release containing targeted fixes and improvements. No database upgrade is necessary.
Fixes
- Fixes issues with vulnerability data matching for a small set of distros including Ubuntu, Oracle Linux, and Amazon Linux. All customers are recommended to upgrade to include this patch.
AnchoreCTL
The latest version of AnchoreCTL is 0.2.0. AnchoreCTL is dependent on Syft v0.39.3 as a library.
AnchoreCTL v0.1.4 is vulnerable to CVE-2022-1766, which was fixed in v0.1.5+. We strongly encourage users to upgrade to the latest version.
The current features that are supported are as follows:
- Ability to add SBOMs via anchorectl using stdin, so an existing SBOM can be submitted without re-creating it.
- Source Repository Management: Generate an SBOM and store it in Anchore’s database. Get information about the source repository, investigate vulnerable packages by requesting the vulnerabilities for a single analyzed source repository, or get its policy evaluations.
- Download full image SBOMs for images analyzed with Enterprise 4.0.0.
- Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the rem tool.
- Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
- Image Management: View, list, import local analysis, and request image analysis by the system.
- Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
- System Operations: View and manage system information for your Enterprise deployment.
Last modified April 29, 2022