Supported Scans

You can specify the scans you want to perform with the --scan-types <scan-types> flag. QScanner offers the following scan types.

Operating System (OS) Scan

OS scan broadly performs:

  • OS fingerprinting
    Identifies the target OS. The OS name is collected in the format that Qualys' signature evaluation expects.
  • Collecting OS packages
    Builds the inventory of packages installed through the OS package manager.

For the list of supported OSs, refer to Appendix: Supported Operating Systems.

Supported Package Managers

QScanner supports collection of OS installed packages from the following package managers:

  • APK
  • DPKG
  • RPM

Software Composition Analysis (SCA)

With SCA it is possible to scan for vulnerabilities in the application dependencies. To know about supported SCA languages, refer to Appendix: Supported SCA Languages.

To skip collecting packages for certain SCA languages, use --disable-sca-languages <languages_to_disable>. The values of this flag are case insensitive. For example, the command below does not collect Ruby, .NET and Node.js packages from the given image.

$ ./qscanner image sentry --disable-sca-languages ruby,.net,Node.js

Java Index Database (java-db)

The Java index database is an SQLite database that stores the ArtifactID, GroupID, Version and SHA1 of JAR files. It is built by parsing all indices of the Maven repository.
QScanner runs in online scan mode by default. In this mode it periodically downloads java-db from https://ghcr.io and uses it when scanning JAR files to identify each JAR's groupId, artifactId and version. The database is downloaded and updated automatically when needed, into the java-db directory within the QScanner cache directory: $USER_CACHE_DIR/qualys/qscanner/, or the path given with the --cache-dir flag.
The default cache directory is /root/.cache/qualys/qscanner/.


- The clear-local-cache command clears the entire cache directory, which includes both the local cache database and the Java index database.
- If the java-db download fails, QScanner falls back to an offline scan, so a scan that cannot reach https://ghcr.io ends up with offline-mode accuracy for Java packages.

Offline Scan

To avoid downloading java-db, run with --offline-scan=true. This parameter disables internet access for SCA and runs the scan in offline mode.

Running in online mode is recommended. The quality of Java software package enumeration degrades substantially when the scan is run in offline mode, which can affect the accuracy of the image's vulnerability posture.

./qscanner image maven \
    --mode inventory-only \
    --format json \
    --offline-scan=true


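The following shell script is an added example and is not part of the QScanner documentation or product. It resolves the cache directory the way the text above describes, reports whether a java-db has already been downloaded into it, and selects the offline flag when no network is available, so an air-gapped pipeline learns before the scan that Java results will be degraded rather than discovering it through the fallback. It assumes (not stated above) that the user cache root resolves like Go's os.UserCacheDir on Linux ($XDG_CACHE_HOME, else $HOME/.cache, which gives the documented /root/.cache default for root) and that a downloaded java-db shows up as a non-empty java-db directory; the 30-day staleness threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example; not QScanner's own code. Pre-flight check of the java-db cache
# before choosing between an online and an offline scan. Nothing here executes
# qscanner; the functions only print the flags to pass to it.
#
# Assumptions (not stated in the docs): the cache root resolves like Go's
# os.UserCacheDir on Linux ($XDG_CACHE_HOME, else $HOME/.cache), and a
# downloaded java-db appears as a non-empty 'java-db' directory under the
# QScanner cache directory.

# resolve_cache_dir [explicit_dir]: a --cache-dir value wins, otherwise the
# documented default $USER_CACHE_DIR/qualys/qscanner.
resolve_cache_dir() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "${1%/}"
    else
        printf '%s/qualys/qscanner\n' "${XDG_CACHE_HOME:-$HOME/.cache}"
    fi
}

# java_db_status <cache_dir> [max_age_days]: prints one of
#   missing  - no java-db has been downloaded into this cache
#   stale    - present, but last modified more than max_age_days ago (default 30)
#   present  - present and recent
java_db_status() {
    dir="$1/java-db"; max_age=${2:-30}
    if [ ! -d "$dir" ] || [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo missing; return 0
    fi
    # -prune keeps find on the directory itself; -mtime +N means older than N days
    if [ -n "$(find "$dir" -prune -mtime +"$max_age" -print 2>/dev/null)" ]; then
        echo stale; return 0
    fi
    echo present
}

# scan_flags <cache_dir> <network: yes|no>: prints the extra flags for 'qscanner image'.
#   with network    -> nothing; the online scan downloads/refreshes java-db itself
#   without network -> --offline-scan=true, plus a warning on stderr when no
#                      java-db is cached, because Java package enumeration is
#                      degraded in offline mode and an online attempt would only
#                      fall back to offline after the download fails
scan_flags() {
    cache=$1; network=$2
    if [ "$network" = yes ]; then
        printf ''
        return 0
    fi
    case "$(java_db_status "$cache")" in
        missing) echo "warning: no java-db under $cache; Java SCA results will be degraded" >&2 ;;
        stale)   echo "warning: java-db under $cache is older than 30 days" >&2 ;;
    esac
    printf '%s' '--offline-scan=true'
}

# Usage (wrapped in a function so the file is safe to source):
preflight() {
    cache=$(resolve_cache_dir "${QSCANNER_CACHE_DIR:-}")   # QSCANNER_CACHE_DIR is this script's own variable
    echo "cache: $cache, java-db: $(java_db_status "$cache")" >&2
    echo "./qscanner image maven --mode inventory-only --format json $(scan_flags "$cache" "${NETWORK:-yes}")"
}
```

Run `preflight` on the scanning host before an air-gapped scan. If it reports missing, one online scan with the same --cache-dir populates the directory, and clear-local-cache removes it again together with the local cache database.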
Scanning Multi-architectural Images

QScanner supports scanning images built for multiple architectures. Specify the platform with the --platform flag in `<os>/<architecture>/<variant>` format. You need not provide all three components (os, arch and variant): when the variant is omitted, a default variant is chosen automatically based on the architecture.

For example, these are valid inputs for the `--platform` flag:

  • linux/arm64/v8
  • linux/arm64
  • linux/amd64/v2
  • linux/amd64

Provide every component that applies to the target image; OS and architecture are mandatory.
The image can be given in the following forms together with the `--platform` flag:
1. `<index-digest>` + `--platform`
2. `<name>:<tag>` + `--platform`
3. `<name>:<tag>@<index-digest>` + `--platform`
4. `<name>:<tag>@<manifest-digest>` (platform flag not required, because a manifest digest already identifies one platform-specific image)

When a multi-arch image is pulled by manifest digest, for example with `docker pull <name>@<manifest-digest>` (without the platform flag), `docker images` shows `<none>` as the image's tag. In this case, use form #4 above to scan it.

If the `--platform` flag is omitted or its value is empty, QScanner uses the OS and architecture of the host and scans the matching image.

For more details refer to: https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63
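The following shell script is an added example and is not QScanner's own code. It validates and normalizes a `--platform` value (two or three components, OS and architecture mandatory, default variant filled in from the architecture), shows which platform the host fallback would select, and assembles the `qscanner image` command for the reference forms listed above without executing it. The alias and default-variant rules (aarch64 to arm64, x86_64 to amd64, armhf to arm/v7, arm64 defaults to v8, arm defaults to v7, amd64 has no default variant) are taken from normalizeArch in the containerd platforms package linked above; whether QScanner applies exactly these rules is an assumption.

```shell
#!/bin/sh
# Added example; not QScanner's own code. Validates/normalizes a --platform value
# and builds the 'qscanner image' command line. Nothing here executes qscanner.
#
# Assumption (not stated in the docs): architecture aliases and default variants
# follow normalizeArch in containerd's platforms package, which the docs link to.

# normalize_arch <arch> <variant>: prints "arch variant" (variant may be empty).
normalize_arch() {
    arch=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    variant=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$arch" in
        i386)          arch=386; variant="" ;;
        x86_64|x86-64) arch=amd64 ;;                       # amd64 keeps any explicit variant (e.g. v2)
        aarch64|arm64) arch=arm64
                       case "$variant" in ""|8|v8) variant=v8 ;; esac ;;
        armhf)         arch=arm; variant=v7 ;;
        armel)         arch=arm; variant=v6 ;;
        arm)           case "$variant" in
                           ""|7)  variant=v7 ;;
                           5|6|8) variant="v$variant" ;;
                       esac ;;
    esac
    printf '%s %s' "$arch" "$variant"
}

# normalize_platform <os>/<arch>[/<variant>]: prints the normalized platform or
# fails with a message on stderr. OS and architecture are mandatory.
normalize_platform() {
    case "$1" in
        ""|*/*/*/*) echo "platform must be <os>/<arch>[/<variant>], got '$1'" >&2; return 1 ;;
    esac
    os=$(printf '%s' "${1%%/*}" | tr 'A-Z' 'a-z')
    rest=${1#*/}
    [ "$rest" != "$1" ] || { echo "architecture is mandatory in '$1'" >&2; return 1; }
    arch=${rest%%/*}
    variant=${rest#*/}
    [ "$variant" != "$rest" ] || variant=""      # no third component given
    if [ -z "$os" ] || [ -z "$arch" ]; then
        echo "os and architecture must not be empty in '$1'" >&2; return 1
    fi
    set -- $(normalize_arch "$arch" "$variant")  # $1=arch, $2=variant (may be unset)
    if [ -n "${2:-}" ]; then
        printf '%s/%s/%s\n' "$os" "$1" "$2"
    else
        printf '%s/%s\n' "$os" "$1"
    fi
}

# host_platform: the OS/arch QScanner falls back to when --platform is omitted.
host_platform() {
    set -- $(normalize_arch "$(uname -m)" "")
    printf '%s/%s\n' "$(uname -s | tr 'A-Z' 'a-z')" "$1"
}

# build_scan_cmd <image-ref> [platform]
# image-ref is one of <index-digest>, <name>:<tag>, <name>:<tag>@<digest>.
# With a platform, --platform is appended (forms 1-3). Without one, the plain
# command is printed and a note on stderr says which host platform QScanner
# will select; that is the right call for form 4, a <manifest-digest> reference.
build_scan_cmd() {
    ref=$1; plat=${2:-}
    [ -n "$ref" ] || { echo "image reference required" >&2; return 1; }
    if [ -z "$plat" ]; then
        echo "note: no --platform given; QScanner selects $(host_platform) from the host" >&2
        printf './qscanner image %s\n' "$ref"
        return 0
    fi
    plat=$(normalize_platform "$plat") || return 1
    printf './qscanner image %s --platform %s\n' "$ref" "$plat"
}
```

For a multi-arch index, call `build_scan_cmd "$ref" "$platform"` once per architecture you ship, so every variant is scanned rather than only the one matching the CI host; an invalid value such as `linux` or `linux//v8` is rejected before qscanner is invoked.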

QScanner currently supports the `--platform` flag for the following targets:

  Category                      Target               Platform flag applicable?
  ----------------------------  -------------------  -------------------------
  Remote images                                      Yes
  Archive (oci/docker)                               No
  Runtime                       docker               No
                                containerd           Yes
                                podman               No
                                crio                 No
  Runtime with storage driver   docker-overlay       Yes
                                docker-overlay2      No
                                containerd-overlay   Yes
                                podman-overlay       No
                                crio-overlay         No