New features and enhancements

MSR 2.10.0 includes the following new features and enhancements:

Cosign and Notary updates

Component and dependency updates

Cosign and Notary updates

MSR introduces Cosign-aware signing in the web UI, deprecates legacy Notary, and adds API endpoints for Notary lifecycle management.

[ENGDTR-4543] Automatic Notary decommissioning

MSR now automatically disables the deprecated Notary subsystem during installation and upgrade when no Notary trust data (signed images) is present on the system.

[ENGDTR-4544] Notary management API endpoints

MSR adds the following API endpoints:

  • GET /api/v0/admin/notary/status - Reports the current status of the Notary subsystem.

  • POST /api/v0/admin/notary/disable - Initiates decommissioning of the Notary subsystem.

[ENGDTR-4545] Cosign-aware signing

The MSR web UI now distinguishes between Cosign and legacy Notary signatures. The Signed column and image header display the appropriate signing status for each image.

[ENGDTR-4561] Notary deprecation banner

MSR now displays a deprecation banner on the image tag detail page when legacy Notary signatures are present.

[ENGDTR-4587] Signature facility badges

The MSR web UI now displays signature facility badges on each image tag to indicate whether the tag is signed with Cosign, DCT (Notary), or both:

  • A blue C badge indicates a valid Cosign signature.

  • A blue D badge indicates a valid DCT signature.

  • A red D badge indicates an expired DCT signature.

Both badges can appear together for a single tag. Unsigned tags display no badges. Each badge includes a hover tooltip with additional signature details.

Component and dependency updates

MSR updates the Black Duck security scanner, Docker, and the version-check source used by the upgrade API.

[ENGDTR-4509] Black Duck security scanner update

MSR updates the Black Duck security scanner (previously Synopsys security scanner) to version 2025.12.0. Notable upstream changes since the previous version include the following:

  • Chainguard container images

  • Minimus container images

  • Rust binaries

  • Go binaries

  • .NET components

  • OpenWRT ipkg packages

  • Wind River Linux

In addition, the following issues are resolved in Black Duck 25.12.0:

  • False negative CVE-2021-23792 missing from imageio-metadata 3.3.2

  • Unexpected match .NET 20171205-snapshot-8cb086ca for coreclr.dll

  • c-ares version is being detected as the wrong version

  • False negative: Apache Common Beanutils missing vulnerability

  • freeRTOS false positive match

  • CVE-2022-3515 mapping to gnupg 2.2.27-3ubuntu2.1

  • Fixed a memory consumption issue in a background job that applies new vulnerabilities to existing scans

  • Fixed an issue in distribution backport matching in cases where no backports matched to a component via hash sum; this will improve backport matching for example when linux distribution info is overridden via an analysis configuration file

  • Improved query for calculating vulnerability counts with large scans

[ENGDTR-4532] Version-check source update for the upgrade API

MSR now retrieves its version update list from registry.mirantis.com instead of Docker Hub.

Note

Ensure that your network filtering rules allow outbound connections to registry.mirantis.com so that the MSR web UI can display notification banners when a new product version becomes available.

[ENGDTR-4541] Docker update

MSR adds support for Docker Engine v25 and v29.