Release 1.37.0

March 11, 2025

- Qualys strongly recommends upgrading your Qualys Container Security Sensor to 1.37.0 version to avail the latest features and enhancements.
- Ensure that you also update your existing Sensor Deployment Yaml files with the latest Yaml files released with 1.37.0 release.

What's New?

Support Sensor Scanning using 'Overlay2' Storage Driver on a host having 'Docker' Runtime

With this release, Qualys Container Security Sensor adds Overlay2 scanning support for CS Sensor on a host having Docker Runtime. The 'Overlay2' storage driver is supported by these sensors - General, CI/CD, and Registry.
To enable Overlay2 scanning, a new flag - 'StorageDriverType' - is introduced. See the exact argument for this flag in the table below.

Entity	Arguments
installsensor.sh	StorageDriverType=overlay2
Docker Run	--storage-driver-type=overlay2

To see the current storage driver used by Docker Runtime, use the 'docker info' command and look for the Storage Driver line:
$ docker info

Containers: 0 Images: 0 Storage Driver: overlay2 Backing Filesystem: xfs <...>

Ability to Scan 'Oracle Container Infrastructure Registry' Images

Qualys Container Security Sensor now supports scanning container images from Oracle Container Infrastructure Registry (OCIR). You can scan your OCIR to detect vulnerabilities and take corrective actions accordingly. To know about OCIR, refer to Oracle Documentation.

To scan images from OCIR, below permissions are required for the OCI user.

For repository under tenancy (root compartment),
- Read at the tenancy level
For a repository in a compartment under the tenancy,
- Inspect at the tenancy level
- Read at the compartment level

Enhancement in Authentication on a Registry having Podman Runtime

TLS (Transport Layer Security) verification is a process that ensures the authenticity, and confidentiality of communication over a network using cryptographic protocols. By default, the Podman Runtime enforces TLS verification using TLS verify parameter (--tls-verify=true).

Insecure Registry Parameter

At times, with Podman Runtime, you may need to work with a test, local, or private environment having self-signed certificates creating a need to disable the TLS verification. With this release, Qualys Container Security sensor has introduced '--insecure-registry' parameter that can be used to pass your test, local or private registry. You can use this parameter during Sensor installation using 'installsensor.sh', or 'Podman Run' command.
If you pass the '--insecure-registry' parameter, during authentication, the Qualys sensor automatically sets '--tls-verify=false' for Podman Pull (podman pull) and Podman Login (podman login) commands. This allows you to interact with your private registries. Earlier, Qualys Container Sensor introduced this parameter with an environment having Containerd Runtime.

Registry Certificate Directory Parameter

Along with '--insecure-registry' parameter, a new parameter 'REGISTRY_CERT_DIR' is introduced. This parameter allows you to specify a directory (For example, /etc/containers/creds.d) containing custom certificates. You can use this parameter during Sensor installation using 'installsensor.sh'.
If this argument is provided, Podman will use the certificates from the specified directory for authentication and secure connections.
For the podman run command, you need to pass the below command to map the directory.
-v <Your creds.d directory>:/etc/containers/creds.d:ro

To know more about 'Creds.d' directory, refer to Podman documentation - https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md

Enhancement in Kubernetes Cluster Metadata Population

Sometimes, the population of Kubernetes Cluster Metadata under container details on Qualys Enterprise TruRisk™ Platform gets slightly delayed if the container vulnerability is available before the container event. With this release, a new sensor argument '--populate-k8smetadata' is introduced in the Sensor installation Yaml files. This will help populate the Kubernetes cluster metadata as soon as the vulnerabilities are available.

- This new flag works on cluster only with General Sensor deployment using Yaml files.
- It does not work with other environments such as, Docker Standalone, Docker Auto-update, or Docker Run.

Support Scanning of images present in Image Exclusion List

Qualys Container Sensor maintains a default list of system images as part of 'Image Exclusion List' in order to not perform vulnerability scans on them and focus on application images. 'Image Exclusion List' is also configurable from Qualys Enterprise TruRisk™ Platform as part of the Sensor profile.

With this release, the new argument '--ignore-exclusion-list-for-images' is introduced if you want to scan container images present in 'Image Exclusion List'. To scan such excluded images, the below argument is added in the Yaml files and it is also applicable to 'installsensor.sh' script and docker run installation.
--ignore-exclusion-list-for-images

Updates in Sensor Deployment Yaml files for Cri-O Runtimes

With this release, the following Deployment Yamls (cssensor-crio-ds.yml and cssensor-openshift-crio-ds.yml) are updated with the following updates. You are requested to upgrade your environment to the latest deployment yml files to perform a successful image tar operation.

Under volumeMounts:
mountPath: /etc/containers/storage.conf name: storage-config-volume readOnly: true
...
Under volumes:
- name: storage-config-volume hostPath: path: /etc/containers/storage.conf type: File

Helm Chart 1.16.0 Updates

The Qualys Container Security package consists of the 'values.yaml' file which deploys the sensor in various environments. This section explains the updates in the latest Helm chart (values.yaml) file. Refer to QCS Sensor Helm Chart (qcs-sensor).

Enhancements

With this release, the following flags are introduced or updated in the 'values.yaml' file.

Flag/Entity	Status	Flag Location in YAML 1.16.0	Description
storageConfigPath	New	Line no.15	Indicates storage configuration path. Applicable only to Crio and Openshift-crio Yamls. Default value: /etc/containers/storage.conf
storageDriverType	New	Line No. 29	Indicates type of the storage driver. Applicable only to the Docker runtime. Valid value: overlay2
populateK8sMetadata	New	Line no. 75	Use this to populate the Kubernetes cluster metadata as soon as the vulnerabilities are available. Default value: false
ignoreExclusionListForImages	New	Line no. 76	Use this to scan excluded container images (container images present in 'Image Exclusion List'). Default value: false

Unified Helm Chart (qualys-tc 2.3.1) Updates

The unified helm chart can be used to install Qcs Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor. Refer to Qualys Unified Helm Chart (qualys-tc).

Enhancements

With this release, the following flags are introduced or updated in the 'qualys-tc 2.3.1' file.

Flag/Entity	Status	Flag Location (qualys-tc > charts > qcs-sensor > values.yaml)	Description
storageConfigPath	New	Line no.15	Indicates storage configuration path. Applicable only to Crio and Openshift-crio Yamls. Default value: /etc/containers/storage.conf
storageDriverType	New	Line No. 29	Indicates type of the storage driver. Applicable only to the Docker runtime. Valid value: overlay2
populateK8sMetadata	New	Line no. 75	Use this to populate the Kubernetes cluster metadata as soon as the vulnerabilities are available. Default value: false
ignoreExclusionListForImages	New	Line no. 76	Use this to scan excluded container images (container images present in 'Image Exclusion List'). Default value: false

Issue Addressed

The following issue has been fixed with this release.

Category Issue

Category	Issue
Openshift environment with Cri-o Runtime OR Cri-o Runtime environment	While generating an image tar with Cri-o runtime, a container image scan failed with error - 'Failed to generate image tar.' To address this issue, a new volume mount `storage-config-volume` is added in cri-o runtime deployment yml (cssensor-crio-ds.yml) and openshift deployment with cri-o runtime yml (cssensor-openshift-crio-ds.yml).

Openshift environment with Cri-o Runtime

Cri-o Runtime environment

While generating an image tar with Cri-o runtime, a container image scan failed with error - 'Failed to generate image tar.'
To address this issue, a new volume mount storage-config-volume is added in cri-o runtime deployment yml (cssensor-crio-ds.yml) and openshift deployment with cri-o runtime yml (cssensor-openshift-crio-ds.yml).