Release 1.34

September 24, 2024

What’s New?

TruRisk™ Score and QDS

Qualys Container Security now supports the TruRisk™ score and Qualys Detection Score (QDS) for your Container Security assets. These scores are calculated using predefined formulas. The TruRisk™ score is based on the Asset Criticality Score (ACS), the Risk (QDS) score for each severity level, and the weighting factor (w) for each severity level of QIDs. The QDS is computed for every QID based on the QVS of its associated CVEs, and for assets based on their vulnerabilities.

Vulnerability exceptions are not considered while calculating the TruRisk™ score.

A new column, TruRisk™ Score, is introduced under the ASSETS > Images tab.

The QDS is displayed under the Vulnerabilities tab.

To know more about the TruRisk™ and QDS feature, refer to the 'TruRisk™ Score and QDS in Container Security' topic in CS Online Help.

Added Support for Sensor and Sensor Profile Tagging

With this release, you can create and assign tags to Sensors and Sensor Profiles, which helps you categorize them.

Sensor Tagging

A tag for a sensor can be created using Qualys Cloud Platform > Container Security > CONFIGURATIONS > Sensor Profiles > Assign Sensor Tags. You need to assign an existing tag to a sensor during the sensor launch using the Command Line Interface (CLI). With this release, a new flag, '--tag-sensor-profile', is introduced to assign existing tags to a sensor.

A sensor that has the same tags as a Sensor Profile is assigned to that sensor profile automatically. This assignment happens only when the names and the total number of tags of the Sensor Profile match the tags assigned to the Sensor.

To know more about Sensor tagging, refer to 'Important Points about Sensor Tagging' in the 'Installsensor.sh Script Command Line Parameters' topic.
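The matching rule above means a sensor whose tags are a subset or a superset of a profile's tags is not assigned to it. The following sketch is an added example, not Qualys code: it models the rule as exact set equality so you can dry-run a tagging plan before launching sensors. The profile names, sensor IDs, and tags are constructed, and case-sensitive comparison is an assumption.

```python
# Added example (not Qualys code): dry-run of the auto-assignment rule.
# All names and tags below are constructed sample data.
PROFILES = {  # profile name -> tags set on the profile
    "prod-general": {"prod", "linux"},
    "prod-pci": {"prod", "linux", "pci"},
}
SENSORS = {  # sensor id -> tags passed at sensor launch
    "sensor-a": {"prod", "linux"},               # exact match
    "sensor-b": {"prod"},                        # subset: not assigned
    "sensor-c": {"prod", "linux", "pci", "eu"},  # superset: not assigned
}


def match_profile(sensor_tags, profiles):
    """Return (profile name or None, diagnostics) for one sensor.

    A profile matches only if its tag set equals the sensor's tag set,
    i.e. same tag names and same total count (assumed case-sensitive).
    """
    sensor = frozenset(sensor_tags)
    exact = sorted(n for n, t in profiles.items() if frozenset(t) == sensor)
    if len(exact) == 1:
        return exact[0], {}
    if exact:
        # Several profiles share one tag set; the page does not say which wins.
        return None, {"ambiguous": exact}
    # No match: show, per profile, which tags would have to change.
    gaps = {
        n: {"missing": sorted(frozenset(t) - sensor),
            "extra": sorted(sensor - frozenset(t))}
        for n, t in profiles.items()
    }
    return None, {"gaps": gaps}


def audit(sensors, profiles):
    """Map every sensor id to its match result."""
    return {sid: match_profile(tags, profiles) for sid, tags in sensors.items()}


if __name__ == "__main__":
    for sid, (profile, why) in audit(SENSORS, PROFILES).items():
        print(sid, "->", profile or "unassigned", why)
```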

You can view the tags associated with Sensors on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensors.

Sensor Profile Tagging

A sensor profile tag can be created and assigned to a sensor profile during or after the creation of the sensor profile. Sensor tagging can be done only through the Command Line Interface (CLI). This is possible only through Qualys Cloud Platform > Container Security.

You can create, edit, view, and delete the tags associated with Sensor Profiles on the Qualys Cloud Platform under Container Security > CONFIGURATIONS > Sensor Profile.

 
Before assigning tags to a Sensor Profile, refer to 'Important Points about Sensor Tagging' in the 'Installsensor.sh Script Command Line Parameters' topic.

To know how to create and assign a tag to a sensor or sensor profile, refer to CS Online Help.

New Sensor Download Page

With this release, Container Security has upgraded its Sensor Download page. Now, you can select your environment for the sensor, and based on that you can choose the sensor.

With this new page, you can use the Helm chart or DaemonSet YAML for cluster-type installations and the traditional binary download option for sensor installations. You can pick the installation type, sensor type, platform, and container environment on which the sensor needs to be installed in a single go, using drop-down menu selections.

The Container Runtime Sensor (Runtime) option is visible only to customers who have opted for it. To know more, contact your administrator or Qualys Technical Account Manager.

Added Support for the Harbor Container Registry

Container Security now supports a new registry named 'Harbor Container Registry'. Harbor is an open-source cloud registry that saves users' scanned content. The new Harbor Container Registry option is available under Registry Type while creating a registry (ASSETS > Registries > New Registry).

We support Harbor Robot accounts starting from version 1.34.0, with native API support from Harbor.

For a successful scan in a Private Repository with a robot account, the following three permissions are mandatory:

  • List Repository
  • Pull Repository
  • List Artifact


- We support regex for repository names and tag names only. The project name must be specified in absolute terms, using "/" as per Harbor's convention for referring to a repository. Enter the repository name in the format `<project_name>/<repository_name>`, and provide a tag name in the Images field.

- For proxy cache, we support only images that are already cached in Harbor when regex is used to create a scan job. To scan a non-cached image, absolute values must be provided for both the repository and the tag.
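A regex scan job against a proxy-cache project covers only images that are already cached, so it can leave images unscanned without an error. The pre-flight check below is an added example, not Qualys code, that applies the two rules above to a repository and tag before a scan job is created. The function name, the `proxy_cache_uncached` parameter, the literal-name patterns, and the use of Python's regex dialect are assumptions.

```python
import re

# Assumed shapes of literal (absolute) names, following Harbor/OCI naming
# conventions. They are illustrative and not taken from the release notes.
PROJECT_RE = re.compile(r"[a-z0-9][a-z0-9._-]*")
REPO_LITERAL_RE = re.compile(r"[a-z0-9]+(?:[._/-]+[a-z0-9]+)*")
TAG_LITERAL_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")


def check_scan_target(repository, tag, proxy_cache_uncached=False):
    """Return a list of problems; an empty list means the input follows the rules.

    repository: '<project_name>/<repository_name>'; only the part after the
                first '/' may be a regex.
    tag: literal tag or regex.
    proxy_cache_uncached: True when the image sits behind a proxy-cache
                project and is not cached yet, so regex is not allowed.
    """
    project, sep, repo = repository.partition("/")
    if not sep or not repo:
        return ["repository must be <project_name>/<repository_name>"]
    problems = []
    if not PROJECT_RE.fullmatch(project):
        problems.append(f"project {project!r} must be an absolute name, not a pattern")
    checks = (("repository", repo, REPO_LITERAL_RE), ("tag", tag, TAG_LITERAL_RE))
    for label, value, literal in checks:
        if not value:
            problems.append(f"{label} is empty")
            continue
        try:
            re.compile(value)  # assumption: Python syntax stands in for the real engine
        except re.error as exc:
            problems.append(f"{label} regex {value!r} does not compile: {exc}")
            continue
        if proxy_cache_uncached and not literal.fullmatch(value):
            problems.append(
                f"{label} {value!r} must be absolute to scan a non-cached proxy-cache image"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_scan_target("library/nginx.*", r"1\.2[0-9]"))
    print(check_scan_target("proxy/library/ng.*", "latest", proxy_cache_uncached=True))
```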

Container Runtime Sensor (CRS)

With this release, Qualys has launched a new sensor, the 'Qualys Container Runtime Sensor'. It collects the system activities (syscalls) related to any file within a specific pod (container), and the process activities occurring in your containers. These activities are reported as File events and Process events, respectively. CRS is also integrated with Qualys FIM (File Integrity Monitoring), allowing file-related events to be visible in the FIM UI. The supported actions for this release include READ, WRITE, OPEN, RENAME, and DELETE.

The following are the Process Events:

  • Launch: Tracks the initiation of a new process within the container.
  • Terminate: Captures the termination or exit of a process, providing details on its lifecycle completion.

You can generate file events by applying the Tracing policies we provide. These generated events (File and Process) are visible in Qualys Cloud Platform under the Events tab. 

The runtime sensor instances are visible under the CONFIGURATIONS > Sensors tab.

The Sensor Details page shows you the details of the CRS.

To know more about CRS usage, see Container Runtime Sensor Online Help.

Support for Cluster Sensor Profile

Container Security has introduced a new Sensor Profile - Cluster. All cluster sensor profiles present in your account are reported under CONFIGURATIONS > Sensor Profiles. Using the Sensor Profiles tab, you can create, view, edit, or delete a cluster sensor profile.

You can also assign or remove a cluster sensor from a sensor profile using CONFIGURATIONS > Sensors.

To know how to create, edit, and delete a Cluster Sensor Profile, refer to the 'Managing Sensor Profiles' topic in CS Online Help.

Registry Enhancement

Container Security now shows you the number of failed images in your registry. The failed image number is displayed under ASSETS > Registries. Registry scanning is divided into 2 parts - Listing & Scanning. Earlier, when error codes were generated for failed image scans, the error code was mapped to the 'Scan Job' page, and only the last error code was shown. With this release, such error codes are mapped to the image entity, where you can view the total failed scans of an image, if any.

The number displayed in Failed images is clickable and takes you to the respective image tab. Images that have failed show a warning icon on the Image listing page.

Along with this, the Summary page in Image Details shows the Last Scanned By Sensor entry along with the error details. The Last Scanned By Sensor displays the sensor ID.

The sensor ID is clickable and takes you to the Sensor Details page.

Known Issue

The following is the known issue in this release.

| Category | Issue |
|---|---|
| Drift Vulnerability | QDS is not shown for the vulnerabilities on the Containers > drift Vulnerabilities list. |