Release 1.34.0

September 24, 2024 

Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.34.0 to take advantage of the latest features and enhancements.

What's New?

Support to Harbor Robot Account

An admin or user can create a robot account under a project that authenticates to your Harbor instance using a secret or generated password, allowing you to connect to your Harbor instance through an OCI client or the Harbor API to automate tasks. A project robot account can only perform actions within the project in which it is created.
Refer to the Harbor documentation to find out how to create a robot account.
CS Sensor now supports Harbor registry scans using the Registry sensor with robot accounts.
For a successful scan in a Private Repository with a Robot account, the following three permissions are mandatory:

  • List Repository
  • Pull Repository
  • List Artifact


- Regex use: We support regex for repository and tag names only.
- Project name: The project name should be specified in absolute terms using "/" as per Harbor's convention for mentioning a repository.
- Repository name: The user will enter the repository name in the format `<project_name>/<repository_name>`, and the tag in the format `project/repository:tag`.
- Proxy cache: For proxy cache, we only support already cached images in Harbor when regex is used for creating a scan job. If a user wants to scan a non-cached image, the absolute values for both the repository and tag must be provided.
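The following added example (not Qualys or Harbor code) builds a least-privilege project robot account holding exactly the three mandatory permissions, checks an existing robot's permissions for gaps, and parses the `project/repository:tag` form described above. The resource/action names and request body shape follow the Harbor API v2.0 robot endpoint and are assumptions here; the project name is constructed.

```python
import re

# Constructed example value, not from the release notes.
PROJECT = "payments"

# The three permissions the release notes call mandatory for scanning a private repository
# with a robot account, as Harbor API v2.0 robot "access" entries. The resource/action names
# follow the Harbor robot API and are an assumption here, not something the notes state.
MANDATORY_ACCESS = (
    ("repository", "list"),   # List Repository
    ("repository", "pull"),   # Pull Repository
    ("artifact", "list"),     # List Artifact
)

def robot_account_spec(project, name, duration_days=30):
    """Least-privilege project-level robot body for POST /api/v2.0/robots (assumed shape)."""
    return {
        "name": name,
        "level": "project",
        "duration": duration_days,
        "permissions": [{
            "kind": "project",
            "namespace": project,
            "access": [{"resource": r, "action": a} for r, a in MANDATORY_ACCESS],
        }],
    }

def missing_permissions(robot, project):
    """Mandatory (resource, action) pairs the robot does not hold for `project`.
    An empty list means the account can list and pull what the Registry sensor needs."""
    granted = set()
    for perm in robot.get("permissions", []):
        if perm.get("kind") == "project" and perm.get("namespace") == project:
            granted.update((a["resource"], a["action"]) for a in perm.get("access", []))
    return [pair for pair in MANDATORY_ACCESS if pair not in granted]

# <project>/<repository>[:<tag>]; the repository part may itself contain '/'.
IMAGE_REF = re.compile(r"^(?P<project>[^/:]+)/(?P<repository>[^:]+)(?::(?P<tag>[^:]+))?$")

def parse_image_ref(ref):
    """Split a Harbor reference written as 'project/repository:tag' into its parts."""
    m = IMAGE_REF.match(ref)
    if not m:
        raise ValueError(f"not a Harbor image reference: {ref!r}")
    return m.group("project"), m.group("repository"), m.group("tag")
```

Run `missing_permissions` against the body returned by the robot API before creating a scan job; any pair it returns is a permission the scan will fail without.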

Disabling Container Scanning

Previously, container scanning could not be disabled in the General sensor. With this release, you can disable it using a new parameter, '--disableContainerScan'. Container inventory is still collected, but no scanning takes place while this parameter is set.

For more information, refer to Sensor Deployment Help.

Disk Space Check

While performing a scan, the Container Security Sensor's host, and eventually the sensor itself, may run out of disk space. With this release, we are enhancing the sensor's behavior in such cases. If a sensor is performing a Static, SCA, Secret or Malware scan, it checks whether sufficient disk space is available before attempting the scan. If your host lacks enough space for the scan and its resulting tar file, the sensor does not start the scan. To enable this feature, use the '--enable-disk-space-check' parameter while deploying the sensor.

When the sensor is launched with the parameters below, the host must have at least the following free disk space:
a) SCA + Online scan = 1.5GB
b) Any other parameters defined = 500MB

Increased CPU Limit for Sensor Scan using Yaml

With this release, the default CPU limit applied to the sensor is increased from 0.2 to 0.5. Earlier, the default CPU usage limit was 20% of one core on the host. Now, it is 50% of a core on the host. This has optimized the scan performance. 

You can increase or reduce the CPU limit by changing the cpu value in the following section:

  resources:
    limits:
      cpu: "0.5"

CS Sensor launches a POD (K8s) or a container (docker, standalone) for scanning a container image with default CPU limits. If you want to change the default value of CPU limit, you can use the new variables as shown in the table below.

Entity: installsensor.sh
Argument: QCSImageScanningContCpuLimit=<QCSImageScanningCont CPU usage limit. Value should be a float>

Entity: Kubernetes
Argument: Modify the environment variables under the env: section:
  name: QUALYS_SCANNING_CONTAINER_CPULIMIT
  value: "200m" (default)

  name: QUALYS_SCANNING_CONTAINER_CPUREQUEST
  value: "100m" (default)

Added Support for Operating Systems 

CS Sensor now supports scanning images based on the following Operating Systems. 

  • Chainguard
  • Photon

Added Support to Sensor and Sensor Profile Tagging 

With this release, you can create and assign tags to the Sensors and Sensor Profiles which will help you to categorize them.

Sensor Tagging

A sensor tag can be created and assigned to a sensor only during the creation of the sensor. Sensor tagging is enabled only through the Command Line Interface (CLI). With this release, a new flag, '--tag-sensor-profile', is introduced to assign tags to a sensor. See the table below.

Entity: installsensor.sh
Argument: TagSensorProfile=<tag1>,<tag2>

Entity: Docker run or Kubernetes
Argument: --tag-sensor-profile=<tag1>,<tag2>

A sensor that has the same tag as a Sensor Profile is assigned to that Sensor Profile automatically. To know more about Sensor Tagging, refer to Sensor Deployment Help.

You can view the tags associated with Sensors on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensors.

Sensor Profile Tagging

A sensor profile tag can be created and assigned to a sensor profile during or after its creation. Sensor tagging is done only through the Command Line Interface (CLI), whereas Sensor Profile tagging is also possible through Qualys Cloud Platform > Container Security.

To support dynamic assignment of sensor profiles, a sensor can be installed with arguments that provide 'Tags' matching the 'Tags' assigned to a Sensor Profile in the UI.

You can create, edit, view, and delete the tags associated with Sensor Profiles on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensor Profile.


- You can assign tags to sensors only while creating or launching them, whereas Sensor Profile tags can be assigned during or after the creation of the Sensor Profile.
- The maximum number of tags that can be assigned to a sensor or sensor profile is 10.

Rules about tag names:
- Special characters are not allowed in Sensor and Sensor Profile tags. For example, characters such as '*', ':', '{}' or '&' are not allowed.
- A tag name must be 63 characters or less (can be empty). Unless it is empty, it must begin and end with an alphanumeric character ([a-z0-9A-Z]).
- A tag can contain dashes (-), underscores (_), dots (.), and alphanumerics in between.
- No spaces are allowed in a tag or value.

To know how to create and assign a tag to a sensor or sensor profile, refer to Container Security Online Help.
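As an added example (not Qualys code), the following validator applies the tag-name rules above to the comma-separated value passed as --tag-sensor-profile or TagSensorProfile, and lists the Sensor Profiles a sensor's tags would match under the same-tag assignment rule described earlier. It assumes tags are split on commas exactly as given, and that a sensor sharing a tag with several profiles is a candidate for each; how Qualys resolves such a case is not stated in the notes.

```python
import re

MAX_TAGS = 10          # release notes: at most 10 tags per sensor or sensor profile
MAX_TAG_LENGTH = 63
# A non-empty tag starts and ends with [a-z0-9A-Z]; only '-', '_' and '.' may appear between.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")

def tag_error(tag):
    """Return None when `tag` follows the tag-name rules, otherwise a description of the violation."""
    if tag == "":
        return None                      # an empty tag name is explicitly permitted
    if len(tag) > MAX_TAG_LENGTH:
        return f"{tag!r}: longer than {MAX_TAG_LENGTH} characters"
    if " " in tag:
        return f"{tag!r}: spaces are not allowed"
    if not TAG_PATTERN.match(tag):
        return f"{tag!r}: must start and end with an alphanumeric and use only '-', '_', '.' between"
    return None

def validate_tag_list(value):
    """Validate the comma-separated value passed as --tag-sensor-profile=<tag1>,<tag2>
    or TagSensorProfile=<tag1>,<tag2>. Returns (tags, errors); use the value only if errors is empty."""
    tags = value.split(",") if value else []   # no stripping: a stray space must surface as an error
    errors = [e for e in (tag_error(t) for t in tags) if e]
    if len(tags) > MAX_TAGS:
        errors.append(f"{len(tags)} tags given, maximum is {MAX_TAGS}")
    return tags, errors

def matching_profiles(sensor_tags, profiles):
    """Names of the Sensor Profiles (name -> tag list) sharing at least one tag with the sensor.
    The release notes say such a sensor is assigned to the matching profile automatically;
    resolution of multiple matches is not stated, so every candidate is returned (assumption)."""
    wanted = set(sensor_tags)
    return sorted(name for name, tags in profiles.items() if wanted & set(tags))
```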

Customization of POD URL 

With this release, you can customize the pod URL in the 'installsensor.sh' script using POD URL parameter, so that you can install sensors for custom pods. To know more, refer to 'Installsensor.sh Script Command Line Parameters' topic from Sensor Deployment Help.

Helm Chart 1.13.0 Updates

The Qualys Container Security package consists of the 'values.yaml' file which deploys the sensor in various environments. This section explains the updates in the latest Helm chart (values.yaml) file. 

Enhancements

With this release, the following flags are introduced or updated in the 'values.yaml' file.  

Flag/Entity: CPU Limit
Status: Updated
Flag Location in YAML 1.13.0: Line no. 42
Description: Specifies the CPU limit for a sensor scan.
  Valid value: 0 to 100
  Default value: 0.5

Flag/Entity: tagSensorProfile
Status: New
Flag Location in YAML 1.13.0: Line no. 68
Description: (Optional) Assigns tags to the specified Sensor or Sensor Profile.
  Valid values: <tag1>, <tag2>, ...
  Default value: None

Flag/Entity: disableContainerScan
Status: New
Flag Location in YAML 1.13.0: Line no. 69
Description: (Optional) Disables the container scan.
  Valid values: true or false
  Default value: false

Flag/Entity: enableDiskSpaceCheck
Status: New
Flag Location in YAML 1.13.0: Line no. 70
Description: (Optional) Checks the available disk space on your host.
  Valid values: true or false
  Default value: false

Issue Addressed

The following issue has been fixed with this release.

Category: Scan
Issue: While running a scan, the sensor was executing commands in a customer's OpenShift setup, which resulted in the creation of zombie processes.