Supported Scans
You can specify the scans you want to perform by using --scan-types <scan-types> flag. QScanner offers the following scan options.
Operating System (OS) Scan
OS scan broadly performs:
- OS fingerprinting
Information about target OS. The OS name collected is in the format that Qualys' signature evaluation expects. - Collecting OS packages
Creates a list of OS installed packages.
To know about supported OSs, refer to Appendix: Supported Operating Systems.
Supported Package Managers
QScanner supports collection of OS installed packages from the following package managers:
- APK
- DPKG
- RPM
Software Composition Analysis (SCA)
With SCA it is possible to scan for vulnerabilities in the application dependencies. To know about supported SCA languages, refer to Appendix: Supported SCA Languages.
To disable collection of packages for certain SCA languages, use --disable-sca-languages <languages_to_disable>. The values to this flag are case insensitive. For example, below command will not collect Ruby, .NET and Node.js packages from the given image.
$ ./qscanner image sentry --disable-sca-languages ruby,.net,Node.js
Java Index Database (java-db)
Java Index database is an SQlite DB that stores ArtifactID, GroupID, Version and SHA1 for JAR files. This data is created by parsing all indices from Maven repository.
QScanner runs in Online scan mode by default. In this, it downloads java-db from https://ghcr.io periodically. This database is used when scanning JAR files so that QScanner can identify the groupId, artifactId, and version of JAR files. It is automatically downloaded and updated when needed. This gets downloaded in java-db directory within the QScanner cache directory - $USER_CACHE_DIR/qualys/qscanner/ or the path specified using --cache-dir flag.
The default cache directory is /root/.cache/qualys/qscanner/.
- When using the clear-local-cache command, it will clear the entire cache directory which includes local cache database and the java index database.
- If java-db download fails, qscanner will fall back to Offline Scan.
Offline Scan
It is possible to avoid downloading java-db and run in --offline-scan=true. Use this parameter to disable internet access for the SCA and run the scan in Offline mode instead.
It is recommended to run a scan in Online mode. Quality of software package enumeration for Java substantially degrades when the scan is run in offline mode. This can affect accuracy of the vulnerability posture of the image.
./qscanner image maven \
--mode inventory-only \
--format json \
--offline-scan=true
Scanning Multi-architectural Images
QScanner supports scanning of images built on multiple architectures. You need to specify the platform flag (--platform) along with `<os>/<architecture>/<variant>` format. Depending on architecture of the image, a default variant is used automatically. You need not provide all the 3 components (os, arch & variant).
For example, see valid inputs of 'os, architecture, and variant' format for the `--platform` flag.
- linux/arm64/v8
- linux/arm64
- linux/amd64/v2
- linux/amd64
Provide all the values that are applicable for the target image wherein OS and architecture are the mandatory parameters.
Below are the formats for the the 'platform' flag in which image can be provided:
1. `<index-digest>` + `--platform`
2. `<name>:<tag>` + `--platform`
3. `<name>:<tag>@<index-digest>` + `--platform`
4. `<name>:<tag>@<manifest-digest>` (platform flag not required)
When a multi-arch image is pulled, for example, using `docker pull <name>@<manifest-digest>` (without using the 'platform' flag), output of `docker images` shows 'none' in image's tag. In this case, you should use option #4 (as mentioned above) to scan it.
If `--platform` flag is not mentioned or the value is empty then Qscanner will use OS and Architecture value of the host and perform scanning based on that.
For more details refer to: https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63
QScanner supports scanning of images built on multiple architectures using `--platform` flag in following conditions and targets as of now:
| Category | Target | Platform flag applicable - Yes/No? |
| Remote images | Yes | |
| archive (oci/docker) | No | |
Runtime |
docker | No |
| containerd | Yes | |
| podman | No | |
| crio | No | |
Runtime with Storage Driver |
docker-overlay | Yes |
| docker-overlay2 | No | |
| containerd-overlay | Yes | |
| podman-overlay | No | |
| crio-overlay | No |