Release 4.0.0

February 28, 2024

What’s New?

Added Support for Local Cache

QScanner now supports a new cache type called "local". With the `--cache local` option, QScanner creates a local cache database in `$USER_CACHE_DIR/qualys/qscanner/`.
This path can be overridden with the `--cache-dir` flag.

Earlier, the `--use-cache` flag was used for faster data collection, but when multiple QScanner instances were spawned simultaneously, this option blocked the other instances. This release replaces the `--use-cache` flag with the `--cache <cache-type>` flag.

Faster Scanning of Images having Java Files

Instead of querying the Maven repository for each JAR file, QScanner now downloads the Java index database locally. With this release, QScanner downloads the Java index database once and periodically checks for updates. This increases the scanning speed of images that contain Java files.

By default, the Java index database is downloaded only when an image is scanned in Online mode.

Added Support for Offline Scan

A new flag, `--offline-scan`, is introduced to run an SCA scan in Offline mode. QScanner issues API requests to identify dependencies. If you do not want QScanner to access the outside network, run the scan in Offline mode.

To enable the offline scan, use `--offline-scan=true`. The default value is `false`.

An Offline scan may produce incorrect vulnerability reports for images that contain Java files, so it is recommended to run the SCA scan in Online mode.

Reduced CPU and Memory Consumption

A new argument called `--limit-resource-usage` is introduced which allows scanning with lower CPU and memory consumption. 

Change in the Proxy Flag

For ease of use, the proxy argument name is shortened. Instead of `--use-proxy <proxy_url>`, you now use `--proxy <proxy_url>`. The functionality of this argument remains unchanged.

Tabular Report Generation

With this release, QScanner generates a tabular vulnerability report for the detected vulnerabilities when the `--mode get-report` command is used. This tabular report is printed on the console. A screenshot of such a tabular report (truncated) is shown below. It shows the layer from which the vulnerable package originated.

Special Provisioning for Qualys PODs

A new flag, `--pod`, is introduced to provide a Qualys-specific gateway option. To specify a non-Qualys POD, use the `--gateway-url` flag. This is an ease-of-use enhancement: you no longer have to enter the long gateway URL every time you run QScanner.

Image Scanning Using "overlay2" FileSystem

With this release, image scanning using the overlay2 filesystem is supported. Normally, QScanner saves the image and creates a tar archive from it, which can be time-consuming for large images. If you pull the image locally, QScanner can instead read it through the container runtime's underlying filesystem and skip the image-saving step.

This feature is supported only with the docker runtime.

To enable this, a new flag, `--storage-driver`, is introduced.

Deprecated Flags

The following flags are deprecated with this release. 

  • `--report-file` - This flag was used to write the generated vulnerability report to the specified file. Without this flag, report.json was printed on the console. Since the tabular report now covers reporting on the console, and report.json is always created in the output directory, the `--report-file` flag is no longer required.
  • `--customer-id` - This flag indicated your Customer ID. Use the Access Token instead. This makes things a bit easier for you, as you no longer need to provide a separate customer-id parameter to perform vulnerability scanning.
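The cache, proxy and deprecated-flag changes above all affect existing CI invocations. The following POSIX sh helper is an added example, not part of QScanner or these release notes, that rewrites a pre-4.0.0 argument list for the renames described here. It assumes that `--use-cache` was a boolean switch (mapped to `--cache local`), that `--use-proxy`, `--report-file` and `--customer-id` took their value either as the next argument or in `--flag=value` form, and that argument values contain no whitespace.

```sh
#!/bin/sh
# Added example: rewrite a pre-4.0.0 QScanner command line for the 4.0.0
# flag changes. Not Qualys code; assumptions are noted inline.

# Drop the current flag and, if its value is a separate argument, that too.
# Usage: skip_valued_flag "$@"; echo "$skipped" (number of args consumed)
skip_valued_flag() {
  # Assumption: the value follows as the next argument unless given as --flag=value
  case "$1" in
    *=*) skipped=1 ;;
    *)   if [ $# -ge 2 ]; then skipped=2; else skipped=1; fi ;;
  esac
}

migrate_qscanner_args() {
  out=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --use-cache)
        # 4.0.0 replaces --use-cache with --cache <cache-type>; use the new "local" type
        out="$out --cache local"; shift ;;
      --use-proxy)
        # Name shortened to --proxy; the proxy URL itself is unchanged
        out="$out --proxy $2"; shift 2 ;;
      --use-proxy=*)
        out="$out --proxy=${1#--use-proxy=}"; shift ;;
      --report-file|--report-file=*)
        # Deprecated: report.json is always written to the output directory
        skip_valued_flag "$@"; shift "$skipped" ;;
      --customer-id|--customer-id=*)
        # Deprecated: the Access Token identifies the customer
        skip_valued_flag "$@"; shift "$skipped" ;;
      *)
        # Every other argument passes through untouched
        out="$out $1"; shift ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Example invocation with constructed 3.x-style arguments
migrate_qscanner_args --use-cache --use-proxy http://proxy.example:3128 \
  --customer-id CUSTOMER_ID_PLACEHOLDER --report-file out.json --mode get-report
```

The printed line is meant to be word-split back into arguments (for example with `eval "set -- $(migrate_qscanner_args ...)"`) before being passed to the 4.0.0 binary.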

Issues Addressed

The following issues have been fixed with this release:

| Category | Issue |
| --- | --- |
| QScanner | After completing a scan on a build machine, QScanner failed to clean up the archived directory and files in the "/tmp" folder, which led to a "shortage of disk space" issue. |
| Remote Host | In a proxy environment, QScanner failed to communicate with the Qualys Gateway even when the "HTTP_PROXY/HTTPS_PROXY" environment variable was set. |