New features and enhancements
MSR 2.10.0 includes the following new features and enhancements:
Cosign and Notary updates
Component and dependency updates
Cosign and Notary updates
MSR introduces Cosign-aware signing in the web UI, deprecates legacy Notary, and adds API endpoints for Notary lifecycle management.
[ENGDTR-4543] Automatic Notary decommissioning
MSR now automatically disables the deprecated Notary subsystem during installation and upgrade when no Notary trust data (signed images) is present on the system.
[ENGDTR-4544] Notary management API endpoints
MSR adds the following API endpoints:
GET /api/v0/admin/notary/status- Reports the current status of the Notary subsystem.POST /api/v0/admin/notary/disable- Initiates decommissioning of the Notary subsystem.
[ENGDTR-4545] Cosign-aware signing
The MSR web UI now distinguishes between Cosign and legacy Notary signatures. The Signed column and image header display the appropriate signing status for each image.
[ENGDTR-4587] Signature facility badges
The MSR web UI now displays signature facility badges on each image tag to indicate whether the tag is signed with Cosign, DCT (Notary), or both:
A blue C badge indicates a valid Cosign signature.
A blue D badge indicates a valid DCT signature.
A red D badge indicates an expired DCT signature.
Both badges can appear together for a single tag. Unsigned tags display no badges. Each badge includes a hover tooltip with additional signature details.
Component and dependency updates
MSR updates the Black Duck security scanner, Docker, and the version-check source used by the upgrade API.
[ENGDTR-4509] Black Duck security scanner update
MSR updates the Black Duck security scanner (previously Synopsys security scanner) to version 2025.12.0. Notable upstream changes since the previous version include the following:
Chainguard container images
Minimus container images
Rust binaries
Go binaries
.NET components
OpenWRT ipkg packages
Wind River Linux
In addition, the following issues are resolved in Black Duck 25.12.0:
False negative CVE-2021-23792 missing from imageio-metadata 3.3.2
Unexpected match .NET 20171205-snapshot-8cb086ca for coreclr.dll
c-ares version is being detected as the wrong version
False negative: Apache Common Beanutils missing vulnerability
freeRTOS false positive match
CVE-2022-3515 mapping to gnupg 2.2.27-3ubuntu2.1
Fixed a memory consumption issue in a background job that applies new vulnerabilities to existing scans
Fixed an issue in distribution backport matching in cases where no backports matched to a component via hash sum; this will improve backport matching for example when linux distribution info is overridden via an analysis configuration file
Improved query for calculating vulnerability counts with large scans
[ENGDTR-4532] Version-check source update for the upgrade API
MSR now retrieves its version update list from registry.mirantis.com
instead of Docker Hub.
Note
Ensure that your network filtering rules allow outbound connections to
registry.mirantis.com so that the MSR web UI can display notification
banners when a new product version becomes available.
[ENGDTR-4541] Docker update
MSR adds support for Docker Engine v25 and v29.