Release 1.39.0
July 07, 2025
- Qualys strongly recommends upgrading your Qualys Container Security Sensor to 1.39.0 version to avail the latest features and enhancements.
Added Support for Asset Tracking Activity
Asset Tracking Activity refers to the ongoing actions or events related to the discovery, monitoring, and life-cycle changes of assets (Images, Registry Schedules, Sensor Containers) in your cloud environment. Earlier, all sensor errors were monitored using sensor logs sent by you. This process was time-consuming. With this release, Container Security delivers the initial phase of Asset Tracking Activity, wherein it offers more visibility to the assets by showing a few errors and status messages on the Qualys Enterprise TruRisk™ Platform and faster response with the help of Qualys Container Security Sensors. This also helps in live tracking of the assets.
The Asset Tracking Activity feature is enabled by default. You can disable it by using --disable-features 'sensor-asset-tracking'
command during the sensor launch.
Sensor queues the activity messages and sends them together in bulk to Qualys Enterprise TruRisk™ Platform. To control the quantity and time interval of this bulk messaging, we have introduced the two arguments - --qlys-asset-tracking-flush-threshold-count
and --qlys-asset-tracking-flush-duration-in-seconds
.
See the new aruguments usage below.
Entity | Arguments |
installsensor.sh | AssetTrackingFlushDurationInSeconds= <Optional parameter to specify flush duration time in seconds for asset activity messages> AssetTrackingFlushCountThreshold= <Optional parameter to specify flush count threshold for asset activity messages> |
Docker run, Yamls | --qlys-asset-tracking-flush-threshold-count: After queuing x messages, the sensor sends messages to Qualys Enterprise TruRisk™ Platform. Valid values - This value must range between 5 and 50. Default value - 20. --qlys-asset-tracking-flush-duration-in-seconds: After x time intervals in seconds, the sensor sends the messages to Qualys Enterprise TruRisk™ Platform. Valid values - This value must range between 10 to 3600 seconds. Default value - 60 seconds |
To know about errors and status messages offered under Asset Tracking Activity, refer to Container Security 1.39 Release Notes.
Added Support for Java DB Update Interval
CS Sensor downloads java.db to enable Java-specific vulnerability detection. The downloaded java.db is also useful for offline scanning. With this release, the CS Sensor downloads java.db only if .jar files are present in a package. GitHub Container Registry (GHCR) acts as a default repository to host the java.db. The SCA scans of the images without .jar files are faster than the images with the .jar files, as the time utilized for the GHCR call is saved. Also, this enhancement saves your network bandwidth.
With this release, CS Sensor has introduced '--qlys-java-db-update-interval'
flag to set the frequency of the java.db download. Using this flag, you can decide the number of days after which CS Sensor can download the java.db from the cache directory.
Refer to the table below to understand java.db update interval argument based on the installation entity.
Entity | Arguments |
installsensor.sh | JavaDbUpdateIntervalInDays=<no. of days> |
Unified Helm chart | --set qcsSensor.qualys.args.qlysJavaDBUpdateIntervalInDays=<no. of days> |
Docker run, Podman run, Yamls | --qlys-java-db-update-interval <no. of days> |
As of today, the default value of this flag is '15' (15 days).
Sensor Installation on Cluster using IPV6 Format
With this release, the sensor can be installed and operate fully on cluster nodes that use IPv6 networking.
IPv6 is the next-generation Internet Protocol that provides:
- A larger address space
For example, IPV6 address can be2001:db8::1
vs IPV4 address such as192.168.1.1
- Often used in modern data centers, cloud-native environments, and IoT
With this change, the Sensor can monitor and protect your IPv6-based traffic. The result will be displayed on Qualys Enterprise TruRisk™ Platform. To know more, refer refer to Container Security 1.39 Release Notes.
Update in HostIP Environment Variable
With this release, the HostIP environment variable, in a runtime environment, is renamed from SENSOR_HOST_IP
to QUALYS_SENSOR_HOST_IP
to align with best practices in your runtime environments. This also helps prevent naming collisions in runtime environments where multiple tools or components may use generic variable names like SENSOR_HOST_IP. You are requested to update your environment with the latest deployment Yaml files.
Under env:
- name: QUALYS_SENSOR_HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
Added Support to Disable Log Collection in Sensor
Earlier, we added support to add logs inside the container sensor (qpa.log) when the console logging was enabled using --enable-console-logs
. At times, you may not need to save the sensor logs under the default log collection file - qpa.log. To support this, we have added an argument --qlys-disable-default-logging-to-file
to disable the default log generation in qpa.log file.