Release 1.34
September 24, 2024
What’s New?
TruRisk™ Score and QDS
Qualys Container Security now supports the TruRisk™ score and Qualys Detection Score (QDS) for your Container Security assets. These scores are calculated in pre-defined formulas. The TruRisk™ score is based on the Asset Criticality Score (ACS), Risk (QDS) score for each severity level, and weighing factor (w) for each severity level of QIDs. Whereas, the QDS is computed for every QID based on QVS of associated CVEs & for assets based on vulnerabilities.
Vulnerability exceptions are not considered while calculating the TruRisk™ score.
A new column TruRisk™ Score is introduced under ASSETS > Images tab.
The QDS is displayed under Vulnerabilities tab.
To know more about TruRisk™ and QDS feature, refer to TruRisk™ Score and QDS in Container Security topic in CS Online Help.
Added Support to Sensor and Sensor Profile Tagging
With this release, you can create and assign tags to the Sensors and Sensor Profiles which will help you to categorize them.
Sensor Tagging
A sensor tag can be created and assigned to a sensor only during creation of the sensor. Sensor tagging is enabled only through Command Line Interface (CLI). With this release, a new flag '--tag-sensor-profile' is introduced to assign tags to a sensor.
A sensor, having same tag as that of a Sensor profile, will be assigned to the respective sensor profile automatically. To know more about Sensor Tagging, refer to Sensor Deployment Help.
You can view the tags associated with Sensors on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensors.
Sensor Profile Tagging
A sensor profile tag can be created and assigned to a sensor profile during or after the creation of the sensor profile. Sensor tagging can be done only through Command Line Interface (CLI). This is possible only through Qualys Cloud Platform > Container Security.
You can create, edit, view, and delete the tags associated with Sensor Profiles on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensor Profile.
-
- You can assign tags to sensor only while creating or launching them whereas, Sensor Profile tags can be assigned during or after the creation of the Sensor Profile.
- Max limit for the total number of tags assigned to a sensor or sensor profile is '10'.
Rules about Tag name:
- Special characters are not allowed in a Sensor and Sensor Profile tags.
For example, characters such as, '*' ':' '{}' or '&' are not allowed.
- A Tag name must be 63 characters or less (can be empty). Unless it is empty, it must begin and end with an alphanumeric character ([a-z0-9A-Z]).
- A tag could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
- No spaces are allowed in tag or value.
To know how to create, and assign a tag to a sensor or sensor profile, refer to CS Online Help.
New Sensor Download Page
With this release, Container Security has upgraded its Sensor Download page. Now, you can select your environment for the sensor, and based on that you can choose the sensor.
With this new page, you can use the helm chart, or daemon set yaml for cluster type installations and traditional binary download option for sensor installations. You can pick and choose the installation type, sensor type, platform and container environment on which the sensor needs to be installed in a single go as a drop down menu selections.
Container Runtime Sensor (Runtime) option is visible only to the customers who have opted for it. To know more, contact your administrator or Qualys Technical Account Manager.
Added Support to the Harbor Container Registry
Container Security now supports a new registry named 'Harbor Container Registry'. Harbor is an open-source cloud registry that saves user's scanned content. The new Harbor Container Registry option is available to you under Registry Type while creating a registry (ASSETS > Registries > New Regsitry).
We are supporting Harbor Robot accounts starting from version 1.34.0, with native API support from Harbor.
For a successful scan in a Private Repository with a robot account, the following three permissions are mandatory:
- List Repository
- Pull Repository
- List Artifact
- We support regex for repository names and tag names only. The project name should be specified in absolute terms using "/" as per Harbor's convention for mentioning a repository. You need to enter the repository name in the format `<project_name>/<repository_name>`, and provide a tag name in the Images field.
- For proxy cache, we only support already cached images in Harbor when regex is used for creating a scan job. If a user wants to scan a non-cached image, the absolute values for both the repository and tag must be provided.
Container Runtime Sensor (CRS)
With this release, Qualys has launched a new sensor - 'Qualys Container Runtime Sensor'. It collects the system activities (syscalls) related to any file within a specific pod (container), and process activities occurring in your containers. Both activities are considered as File events and Process events respectively. CRS is also integrated with Qualys FIM (File Integrity Monitoring), allowing file-related events to be visible in the FIM UI. The supported actions for this release include READ, WRITE, OPEN, RENAME, and DELETE.
The following are the Process Events:
- Launch: Tracks the initiation of a new process within the container.
- Terminate: Captures the termination or exit of a process, providing details on its lifecycle completion.
You can generate file events by applying the Tracing policies we provide. These generated events (File and Process) are visible in Qualys Cloud Platform under the Events tab.
The runtime sensor instances are visible under CONFIGURATIONS > Sensors tab.
Sensor Details page shows you details of CRS.
To know more about CRS usage, see Container Runtime Sensor Online Help.
Support Cluster Sensor Profile
Container Security has introduced a new Sensor Profile - Cluster. All cluster sensor profiles present in your account are reported under the CONFIGURATIONS > Sensor Profile tab. With the help of Sensor Profiles tab, you can create, view, edit, or delete a cluster sensor profile.
You can also assign or remove a cluster sensor from a sensor profile using CONFIGURATIONS > Sensors.
To know how to create, edit and delete a Cluster Sensor Profile, refer to the 'Managing Sensor Profiles' topic in CS Online Help.
Registry Enhancement
Container Security now shows you the number of failed images in your registry. The failed image number is displayed under ASSETS > Registries. Registry scanning is divided into 2 parts - Listing & Scanning. Earlier, when any error codes were generated while Image scans are failed, the error code was mapped to the 'Scan Job' page, and only the last error code was shown. However with this release, such error codes are mapped to the image entity. Where you can view the total failed scans of an image if any.
The number displayed in Failed images is clickable, which takes you to the respective image tab. Images that are failed show warning icon on the Image listing page.
Along with this, the Summary page in Image Details shows the Last Scanned By Sensor entry along with the error details. The Last Scanned By Sensor displays the sensor ID.
The sensor id is clickable, that takes you to the Sensor Details page.
Known Issue
The following issue is the Known issues in this release.
| Category | Issue |
|---|---|
| Drift Vulnerability | QDS is not shown for the vulnerabilities on the Containers>drift Vulnerabilities list. |