Release 4.1.0

July 05, 2024

What’s New?

Storage Driver for Containerd Runtime

During an image scan, a QScanner storage driver avoids the 'image save' operation, which can be time-consuming. Until now, QScanner offered the 'overlay2 file system' storage driver only for scans that use the 'docker' runtime. With this release, QScanner introduces the 'containerd-overlay' storage driver for scans that use the 'containerd' runtime.

A storage driver for the CRI-O runtime is not yet supported.

New Inventory Output Formats

With this release, QScanner supports the standard Software Bill of Materials (SBOM) formats SPDX and CycloneDX. You can generate your inventory output in Software Package Data Exchange (SPDX) or CycloneDX format. Both options are available as JSON files; SPDX output can also be generated in Tag-value (TLV) file format.

The inventory output lists the SCA packages and OS packages found, along with detailed information about the target image.

Vulnerability Report in SARIF

QScanner generates vulnerability reports in JSON (the default format) and Tabular formats. With this release, QScanner also provides the vulnerability report in 'Static Analysis Results Interchange Format (SARIF)'. The QScanner SARIF report provides more information than a Tabular or JSON report. For a sample SARIF report, see the 'Report Samples' topic in QScanner Online Help.

With the upcoming QScanner release, the SARIF report will be your default vulnerability report.

Vulnerability Scan without a Container Runtime

QScanner can now scan container images without a container runtime (docker, containerd, or cri-o), the component that normally manages the container image life cycle. With this release, QScanner can pull an image directly from a remote registry (for example, JFrog, Harbor, and so on) and generate a vulnerability report without help from a runtime.

Authentication while Pulling Remote or Private Registry Images

Qualys recommends setting up your credentials as environment variables in the system instead of passing them manually with the registry authentication flags.

Authentication is introduced for QScanner to pull images from a remote or private registry. As part of this, the following new registry CLI flags are introduced: --registry-username, --registry-password, and --registry-token. To learn more about the usage of these flags, refer to the 'Scanning a Private Registry Image' topic in QScanner Online Help.

Scan Support for OCI Layout .tar Archives

'Open Container Initiative Layout (OCI layout)' is a JSON object that provides 'Open Container Image Layout' details and the Image Layout version used. QScanner can now scan OCI layout .tar files and provide you with vulnerability findings.

Flags for Cache Cleanup

QScanner identifies old and unused cache entries that can be deleted later. With this release, you can clean up this redundant cache. To do this, QScanner has introduced the following new flags:

  • --enable-cache-cleanup
    This flag enables the cleanup of unused cache entries.
  • --cache-cleanup-duration-threshold
    Specify the cache cleanup duration threshold in seconds. If a cache entry has not been used for this duration, QScanner removes it from the cache database on the next cleanup operation. This flag is ignored if --enable-cache-cleanup is 'false'. The default value is six (6) months, which means QScanner removes all cache entries not accessed in the last six (6) months.
  • --cache-cleanup-frequency
    Specify the duration after which QScanner attempts to clean up old unused local cache entries. This ensures that the cache cleanup process is not attempted on every run. This flag is ignored if --enable-cache-cleanup is set to 'false'.
    Its default value is one (1) month. This means that QScanner looks for old unused cache entries once a month. Entries identified based on the value of the --cache-cleanup-duration-threshold flag are then removed from the cache database.
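The following is an added illustration of how the three cache-cleanup flags interact, written for these release notes and not taken from QScanner's own code: the entry layout, the function names and the use of seconds for --cache-cleanup-frequency are assumptions.

```python
"""Model of the documented cache-cleanup policy (added example, not QScanner code).

Rules modelled from the flag descriptions:
  - nothing is removed unless --enable-cache-cleanup is true
  - a cleanup is attempted at most once per --cache-cleanup-frequency
  - entries unused for --cache-cleanup-duration-threshold seconds are removed
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed conversion of the documented defaults ("six months", "one month") to seconds.
SIX_MONTHS = 6 * 30 * 24 * 3600
ONE_MONTH = 30 * 24 * 3600


@dataclass
class CacheDB:
    entries: Dict[str, int]   # cache key -> last access time (epoch seconds)
    last_cleanup: int         # epoch seconds of the last cleanup attempt


def cleanup_cache(db: CacheDB, now: int, enable_cache_cleanup: bool = False,
                  cache_cleanup_duration_threshold: int = SIX_MONTHS,
                  cache_cleanup_frequency: int = ONE_MONTH) -> List[str]:
    """Apply the policy at time `now` and return the keys that were removed."""
    if not enable_cache_cleanup:
        return []                                   # both other flags are ignored
    if now - db.last_cleanup < cache_cleanup_frequency:
        return []                                   # not due yet: skip this run
    db.last_cleanup = now
    stale = [key for key, last_used in db.entries.items()
             if now - last_used >= cache_cleanup_duration_threshold]
    for key in stale:
        del db.entries[key]
    return stale


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one 7-month-old entry, one used an hour ago,
    last cleanup two months back, cleanup enabled with default thresholds."""
    now = 1_720_137_600  # constructed timestamp (2024-07-05 00:00 UTC)
    db = CacheDB(entries={"image:old": now - 7 * 30 * 24 * 3600,
                          "image:recent": now - 3600},
                 last_cleanup=now - 2 * ONE_MONTH)
    removed = cleanup_cache(db, now, enable_cache_cleanup=True)
    return removed, sorted(db.entries)


if __name__ == "__main__":
    print(demo())
```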

Flag for Specifying Report Format

A new flag, '--report-format', is introduced to indicate the type of vulnerability report to be generated. By default, QScanner generates the report in JSON and Table formats. You can use this flag to get the report in either SARIF or Tabular format.

To learn how to use these flags, refer to the QScanner 4.1.0 Online Help.

Added Support for Conda Package Manager

QScanner now supports the collection of packages installed with the Conda package manager. This affects the collection of your Python packages and extends the set of packages QScanner can scan.

To see the supported Software Composition Analysis (SCA) languages, refer to 'Supported SCA Languages' in QScanner Online Help.

Improved Scan Performance

QScanner has optimized its internal settings to speed up data collection and image scanning, which improves the overall performance of an image scan.

Issues Addressed

The following issue has been fixed with this release.

Category: Reports
Issue: QScanner reported a false positive entry for 'zlib vulnerability' and provided an error - Ubuntu Security Notification for zlib Vulnerability (USN-5570-2).