Release 1.35
December 16, 2024
What’s New?
Support to Download SBOM Report
Qualys offers the option to download the Software Bill of Material (SBOM) report. The SBOM report provides details about your software, such as the software components used, their versions, relationships with each other, metadata, and so on. You can use the SBOM report to analyze your software. You can download the SBOM on Qualys Cloud Platform under Container Security > ASSETS > Images > Quick Actions.
The SBOM can be downloaded in the following formats.
- SPDX - This is the default SBOM report format offered by Qualys. The SPDX SBOM package is primarily a collection of three elements: Documents (metadata about the SBOM), Packages (groups of elements), and Files (single files). It is managed by 'The Linux Foundation'. To know more about SPDX SBOM, refer to https://spdx.dev/about/overview/ .
- CycloneDX - The CycloneDX Software Bill of Materials (SBOM) includes metadata and outlines a collection of software elements, organized into components, services, and dependencies. Additionally, the SBOM defines relationships between these elements through a specific architecture. It is managed by OWASP. To know more about CycloneDX, refer to https://cyclonedx.org/ .
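The two formats above keep the same information under different keys (SPDX in `packages` with `versionInfo`, CycloneDX in `components` with `version`). The following added example, which is not part of the Qualys release notes or the Qualys product, normalizes a downloaded SBOM of either format into one component list so an image's software can be queried the same way regardless of which format was chosen; the embedded SBOM documents are constructed samples, not real Qualys output.

```python
import json

# Constructed SPDX 2.3 JSON sample (illustrative, not real Qualys output)
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "example-image-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.2"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.11"},
    ],
})

# Constructed CycloneDX 1.5 JSON sample (illustrative, not real Qualys output)
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ],
})


def detect_format(doc: dict) -> str:
    """Identify the format from the document's own self-describing fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    raise ValueError("unrecognised SBOM format")


def components(sbom_text: str) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs from an SPDX or CycloneDX JSON SBOM.

    SPDX keeps software in 'packages' (version under 'versionInfo');
    CycloneDX keeps it in 'components' (version under 'version').
    """
    doc = json.loads(sbom_text)
    if detect_format(doc) == "spdx":
        pairs = [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    else:
        pairs = [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    return sorted(pairs)


def versions_of(sbom_text: str, name: str) -> list[str]:
    """Versions of one component, matched case-insensitively, in either format."""
    return [v for n, v in components(sbom_text) if n.lower() == name.lower()]
```

Pointing `components()` at a real downloaded SPDX or CycloneDX JSON file gives the same (name, version) list for both formats, which is what makes cross-image comparison of an SBOM practical.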
Base Image Identification
With this release, Container Security can identify your base image. Under Container Security > ASSETS > Images > Image Details > Image Information, you can see the SHA of the base image and the number of child images associated with that base image. You can click the base image SHA or the child image count to see more details about them.
- You must deploy CS Sensor 1.35.0 in order to use this feature. This is applicable only when the sensor is deployed with SCA scan enabled (--perform-sca-scan).
- The SBOM feature is enabled by default. You must not disable it if you want to use the Base Image Identification feature.
- Container Security does not repeat base image identification once a base image has been identified for an image.
Disabled Container Scanning
With this release, Container Scanning is disabled by default. Instead, you can use Vulnerability Propagation (Static Scanning). If you still need the Container Scanning feature, you can reach out to Qualys Support. This is applicable only for the General Sensor.
This change applies only to new users (CS 1.35 release and onward). For existing users, Container Scanning remains enabled by default.
Detecting Publicly Exposed Containers and Workloads
Container Security shows you publicly exposed containers and the workloads associated with such containers. To enable this, Container Security has introduced the following two new tiles:
- Exposed to World - Indicates containers or associated workloads which are reachable from the Internet. Such assets are more exposed to threats.
- Exposed Outside Cluster - Indicates containers or associated workloads which are exposed outside their own cluster but within the network/VPN.
Both of the above tiles are visible under Qualys Cloud Platform > Container Security > ASSETS > Containers and Qualys Cloud Platform > Container Security > ASSETS > Clusters > View Details > Workloads. Using these tiles, you can quickly navigate to the containers which are connected to the Internet or exposed outside their cluster.
The capability to detect publicly exposed containers in the OpenShift environment is currently limited, particularly for their exposure through routes.
Enhancement in TruRisk™ Score
With this release, Qualys Container Security has updated its logic for calculating the TruRisk™ score of containers that are exposed to the Internet and for calculating the Asset Criticality Score of images and containers.
More Weightage to the Publicly Exposed Containers
With this release, Qualys Container Security has updated its logic for calculating the TruRisk™ score of containers that are exposed to the Internet. If your container is exposed to the Internet, the TruRisk™ score is multiplied by '1.2'. With this change, an exposed container is given a higher weightage (20% more) than a container which is not exposed to the Internet.
Increased Accuracy of the Asset Criticality Score
Asset Criticality Score (ACS) is one of the factors considered while calculating the TruRisk™ Score of your containers. Earlier, for each TruRisk™ score calculation, the ACS value was taken as '2'. With this release, the ACS value is derived from the tags associated with the respective container. For example, if a container has a tag whose ACS is '5', then the TruRisk™ score calculation uses an ACS value of '5'. For an example, see the screenshot showing details of an image.
If an image has more than one tag, the tag with the maximum ACS value is used for the TruRisk™ score calculation. For example, if an image has Tag1 and Tag2 with ACS values of '2' and '5' respectively, then the TruRisk™ score calculation of that image uses the ACS value of Tag2, which is '5'.
Dynamic Tagging for Images and Containers
With this release, you can create and assign dynamic tags to containers and images. Dynamic tagging is based on the dynamic rules assigned to the respective tag: the tag is automatically assigned to the containers and images that match the rules. You can create and assign dynamic tags using the Add Tags option in the Quick Actions menu of an image. To know more, refer to CS Online Help.
In this release, dynamic tags do not support Boolean values (True/False), and in Numeric fields only the ':' sign is allowed, not '<' or '>'.
Enhancement in Reporting
With this release, you can edit a selected scheduled report to a greater extent. For example, you can choose to compress the generated report in order to reduce the email size. You can also update the schedule settings, the filter query, and the report display attributes.
Only Active schedules can be edited, not completed ones.
You can send email notifications along with on-demand and scheduled reports to single or multiple recipients, both Qualys and non-Qualys users (not more than 50) at once. You can add an email subject and body content and choose how you wish to receive the report, either as a CSV attachment or as a URL. If the report attachment is larger than 15 MB, the report is sent as a download link that takes you to the Qualys Cloud Platform log-in.
The following fields are newly introduced in the Report Display page. The fields vary depending on the report template you choose.
Report Template | New Field | Description |
---|---|---|
Image Vulnerability | QDS | Creates a column in your report to display the QDS. |
Image Vulnerability | First Detected | Creates a column to indicate the first detected time. |
Image Vulnerability | TruRisk Score | Creates a column to indicate the TruRisk™ Score. |
Image Secrets | ------ | No new fields were introduced in the Image Secrets template. |
Container Vulnerability | QDS | Creates a column in your report to display the QDS. |
Container Vulnerability | TruRisk Score | Creates a column to indicate the TruRisk™ Score. |
Image Malware | ------ | No new fields were introduced in the Image Malware template. |
Cloud and Cluster Information in Container Vulnerability Report
Qualys Container Security has added support for selecting Cloud- and Cluster-related fields associated with the container. While creating a Container Vulnerability report, on the Report Display page, you can now select Cloud Attributes such as Cloud Provider, Region, Cloud Account, and Cluster ID, and K8s Attributes such as Cluster Name, Namespace Labels, and Namespace Annotations. If you select these attributes, they are added as columns in the report.
Section | New Attribute | Description |
---|---|---|
Cloud Attributes | Cloud Provider | Adds a Cloud Provider column |
Cloud Attributes | Region | Adds a Region column |
Cloud Attributes | Account Id | Adds an Account ID column |
Cloud Attributes | ClusterId | Adds a Cluster ID column |
K8s Attributes | Cluster Name | Adds a Cluster Name column |
K8s Attributes | Namespace Labels | Adds a column with the labels of the namespace |
K8s Attributes | Namespace Annotations | Adds a column with the annotations of the namespace |
Support Runtime Sensor Profile
With this release, Container Security has introduced a new Sensor Profile type: Runtime. All runtime sensor profiles present in your account are listed under CONFIGURATIONS > Sensor Profiles.
On the Sensor Profiles tab, you can create, view, edit, or delete a Runtime Sensor profile. The Runtime Sensor option is available under Profile Type.
On the Assign Sensors page, a new setting, Sensor Events Settings, is added. When it is enabled, the Runtime Sensor tracks events occurring in your container, and you can see those events on the Qualys Cloud Platform under the Events tab.
A new page, Process Exclusion, is introduced, using which you can exclude unwanted runtime events. In Processes, only absolute paths and binary names of processes are allowed.
The firewall in front of the Qualys Cloud Platform may block creating or updating a Runtime Sensor profile, because it treats certain paths such as '/usr/bin/cat' or '/etc/passwd' as sensitive. In such cases, provide binary names instead of absolute paths in the Processes box. For example, instead of '/usr/bin/cat', provide 'cat'.
You can verify the excluded processes under the Process Exclusion section on the Review page.
Active Images Detected by General Sensor
Earlier, the Image In Use tile present in ASSETS > Images showed only the active images detected by Cluster Sensors. With this release, the Image In Use tile also shows active images detected by the General Sensor. This also helps show the containers created from such images.
You can see the last updated time of the selected image in Image Details > Last Image Used of that image.
New Region for AWS ECR Registry
With this release, the Container Security module has enabled a new region for AWS ECR Registry. You can choose this region while creating a new AWS ECR registry.
Known Issues
The following are the known issues in this release.
Category | Issue |
---|---|
Workloads Exposed to World | Sometimes, the Exposed to World card on the Clusters > Workloads page of the Qualys Cloud Platform shows an inaccurate number of workloads exposed to the world. |
Base Image Identification | If a child image is created using the --no-cache option (without cache), the CS Sensor may fail to identify the base image. |
Runtime Sensor Profile | CS may fail to create or update a Sensor Profile and show an Unauthorized Access error. |