Release 1.35.0

December 16, 2024 

Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.35.0 to get the latest features and enhancements.

CS Sensor deployment using a Persistent Volume Claim (PVC) is supported only for Kubernetes clusters with a single node. In a multi-node cluster, the sensor on each node attempts to write to the same PVC storage location, causing the sensor to fail.

What's New?

Added Support for Operating Systems 

CS Sensor now supports scanning images based on the following Operating Systems. 

  • Wolfi Linux
  • Microsoft Azure Linux

Added Support to Generate SBOM Report

A Software Bill of Materials (SBOM) lists the open source and commercial components of your software, giving you visibility into what is included in your software product. With this release, when an SCA scan (--perform-sca-scan) is enabled while launching a sensor, the SBOM report (SPDX JSON) is generated by default and sent to your Qualys Cloud Platform account. You can download this SBOM report for further use.

The SBOM can be downloaded from Qualys Cloud Platform in the following formats.

  • SPDX - This is the default SBOM report format offered by Qualys. An SPDX SBOM is primarily a collection of three elements: Documents (metadata about the SBOM), Packages (groups of elements), and Files (single files). It is managed by The Linux Foundation. To know more about SPDX SBOM, refer to https://spdx.dev/about/overview/.
  • CycloneDX - The CycloneDX Software Bill of Materials (SBOM) includes metadata and describes a collection of software elements, organized into components, services, and dependencies. Additionally, the SBOM defines relationships between these elements. It is managed by OWASP. To know more about CycloneDX, refer to https://cyclonedx.org/.

CS Sensor supports SPDX JSON 2.3 and CycloneDX JSON 1.5 specification versions.
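The downloaded report is meant to be consumed by your own tooling. As an added example (not Qualys code), the script below loads an SPDX 2.3 or CycloneDX 1.5 JSON SBOM, refuses any other format or spec version, lists the (name, version) components, and flags components that carry no version, since those cannot be matched against advisories. The sample documents are constructed here and use only the public field names of each spec.

```python
import json

# Spec versions this page names as supported by the CS Sensor.
SUPPORTED_SPDX = {"SPDX-2.3"}
SUPPORTED_CYCLONEDX = {"1.5"}

def sbom_components(doc: dict) -> list:
    """Return (name, version) pairs from an SPDX 2.3 or CycloneDX 1.5 JSON SBOM.
    Raises ValueError on an unknown format or unsupported spec version so that a
    pipeline fails loudly instead of ingesting an empty component list."""
    if "spdxVersion" in doc:
        if doc["spdxVersion"] not in SUPPORTED_SPDX:
            raise ValueError(f"unsupported SPDX version: {doc['spdxVersion']}")
        # SPDX keeps a package's version in 'versionInfo'; the field is optional.
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    if doc.get("bomFormat") == "CycloneDX":
        if doc.get("specVersion") not in SUPPORTED_CYCLONEDX:
            raise ValueError(f"unsupported CycloneDX version: {doc.get('specVersion')}")
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    raise ValueError("document is neither SPDX JSON nor CycloneDX JSON")

def load_sbom(text: str) -> list:
    """Parse SBOM JSON text and return its (name, version) components."""
    return sbom_components(json.loads(text))

def unversioned(components: list) -> list:
    """Names of components with no version; these cannot be matched to advisories."""
    return [name for name, version in components if not version]

def is_supported(doc: dict) -> bool:
    """True when the document is in a format and spec version the sensor emits."""
    try:
        sbom_components(doc)
        return True
    except ValueError:
        return False

# Constructed sample documents (not real sensor output); minimal fields only.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "packages": [{"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13"},
                 {"SPDXID": "SPDXRef-Package-glibc", "name": "glibc"}],
})
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "zlib", "version": "1.3.1"}],
})
```

Point `load_sbom` at the text of a report downloaded from the Qualys Cloud Platform; any report in an older spec version is rejected rather than partially parsed.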

To disable SBOM report generation, a new flag, 'Disable Features', is introduced. The exact argument for each deployment method is given in the table below.

Entity             Argument
installsensor.sh   DisableFeatures=SBOM
Docker run         --disable-features SBOM
Kubernetes         --disable-features=SBOM

For more information, refer to Sensor Deployment Help.

Optimized Image Scan

With the latest sensor deployment YAML files and Helm charts, the CS Sensor is deployed with the --optimize-image-scans flag.

This argument is applicable to the General sensor only.

Use the latest YAML files (for example, cssensor-containerd-ds.yml) downloaded from the Qualys Cloud Platform or from the CS Sensor tar to get this argument, or alternatively add it to the 'args' section of your existing deployment YAML files.

Qualys Container Security CLI Tool

Qualys introduces a new Command Line Interface tool, 'CS CLI Tool (qcs-cli)', to help you manage components such as the CS Sensor, Cluster Sensor, and Admission Controller installed in various environments. It simplifies the debugging of Qualys Container Security components at your end. This tool can:

  • Fetch a list of installed sensors. Provide the status of CS components running in your K8s cluster. 
  • Export the CS components' logs from your K8s cluster.

Support to Upload the General Sensor Inventory after the Downtime

The Qualys General Sensor can now upload inventory changes made during CS Services' downtime to the Qualys Cloud Platform. Earlier, inventory changes made during Qualys container services' downtime were not reflected in your Qualys Cloud Platform account, so you saw stale data there. With this release, a new parameter, 'UploadInventoryDowntimePeriod', is introduced in the default configuration with a default value of '3600' (seconds). If the CS services' downtime is greater than or equal to 'UploadInventoryDowntimePeriod', the sensor uploads a fresh inventory to the Qualys Cloud Platform, so the latest changes made during the downtime are also captured.
For example, if the CS service downtime is '70' minutes and the upload inventory downtime period is '60' minutes, the sensor uploads the fresh inventory once the downtime (70 minutes) is over.

Helm Chart 1.14.0 Updates

The Qualys Container Security package includes the 'values.yaml' file, which deploys the sensor in various environments. This section explains the updates in the latest Helm chart (values.yaml) file. Refer to QCS Sensor Helm Chart (qcs-sensor).

Enhancements

With this release, the following flags are introduced or updated in the 'values.yaml' file.  

Flag/Entity: pod_name
  Status: New
  Location in values.yaml 1.14.0: Line no. 43
  Description: Indicates the name of the Qualys Cloud Platform (POD) to communicate with. This is an alternative to qualys.pod_url.
    Format: pod_name:<POD>
    Example: pod_name:US1

Flag/Entity: disableFeatures
  Status: New
  Location in values.yaml 1.14.0: Line no. 72
  Description: (Optional) Disables the SBOM report generation.
    Valid values: SBOM
    Format: disableFeatures:SBOM

Flag/Entity: optimizeImageScans
  Status: Updated
  Location in values.yaml 1.14.0: Line no. 57
  Description: Used to optimize the image scan. The old default was 'false'; with this release it is 'true' by default, to optimize image scans for the general sensor.

Unified Helm Chart (qualys-tc 2.1.0) Updates

This is the unified Helm chart to install the QCS Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor. Refer to Qualys Unified Helm Chart (qualys-tc).

Enhancements

With this release, the following flags are introduced or updated in the 'qualys-tc 2.1.0' chart.

Flag/Entity: concurrentScan
  Status: Updated
  Location: Line no. 46 of qualys-tc > values.yaml
  Description: Indicates the number of concurrent (parallel) scans. For QCS sensor installation with the unified Helm chart (qualys-tc), the default number of concurrent scan threads is reduced from 4 to 2.

Flag/Entity: optimizeImageScans
  Status: Updated
  Location: Line no. 57 of qualys-tc > charts > qcs-sensor > values.yaml
  Description: Used to optimize the image scan. The old default was 'false'; with this release it is 'true' by default, to optimize image scans for the general sensor.

Issue Addressed

The following issue has been fixed with this release.

Category: Registry Sensor
Issue: During a registry scan with a large number of images, the sensor failed to refresh the token because it expired while fetching the image manifest. This caused the Qualys Cloud Platform to display the error 'Cannot connect to registry' for the finished job.