Release 4.3.0
December 9, 2024
What’s New?
Added Support for Operating Systems
QScanner now supports scanning images based on the following Operating Systems.
- Wolfi
- Microsoft Azure Linux
Support to Download SBOM Report
QScanner offers an option to download the Software Bill of Materials (SBOM) report. The SBOM report describes your software: the components it is built from, their versions, the relationships between them, metadata, and so on. You can use the SBOM report to analyze your software.
The SBOM (spdx.json) is always uploaded to the Qualys Cloud Platform when QScanner runs a scan. With this release, each QScanner scan generates the SBOM report (spdx.json) and uploads it to your Qualys Cloud Platform account. You can download the SBOM from the Qualys Cloud Platform under Container Security > ASSETS > Images > Quick Actions.
The SBOM can be downloaded in the following formats.
- SPDX - This is the default SBOM report format offered by Qualys. An SPDX SBOM is primarily a collection of three element types: Documents (metadata about the SBOM), Packages (groups of elements), and Files (single files). It is managed by The Linux Foundation. To learn more about SPDX SBOMs, refer to https://spdx.dev/about/overview/.
- CycloneDX - A CycloneDX Software Bill of Materials (SBOM) includes metadata and describes a collection of software elements organized into components, services, and dependencies. The SBOM also expresses the relationships between these elements through a defined structure. It is managed by OWASP. To learn more about CycloneDX, refer to https://cyclonedx.org/.
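The two formats above carry the same inventory under different field names. The following is an added example, not QScanner's or Qualys's own code, that normalises a downloaded SPDX JSON and a CycloneDX JSON SBOM into one package list plus dependency edges, and diffs two inventories (for example, the same image before and after a rebuild). Field names follow SPDX 2.3 and CycloneDX 1.5; both sample documents are constructed here and are not real scan output.

```python
"""Added example (not QScanner's or Qualys's own code): normalise the two
downloadable SBOM formats into one package inventory and dependency list,
then diff two inventories. Field names follow SPDX 2.3 JSON and CycloneDX
1.5 JSON; both sample documents below are constructed, not real scan output."""
import json
from typing import Dict, List, Tuple

Inventory = Dict[str, str]       # package name -> version
Edges = List[Tuple[str, str]]    # (dependent package, dependency)

# Constructed minimal SPDX 2.3 JSON document (the default QScanner format).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "3.0.2-0ubuntu1.10"},
        {"SPDXID": "SPDXRef-Package-libssl3", "name": "libssl3",
         "versionInfo": "3.0.2-0ubuntu1.10"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-openssl"},
        {"spdxElementId": "SPDXRef-Package-openssl", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libssl3"},
    ],
})

# Constructed minimal CycloneDX 1.5 JSON document describing the same image.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10", "type": "library",
         "name": "openssl", "version": "3.0.2-0ubuntu1.10"},
        {"bom-ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.10", "type": "library",
         "name": "libssl3", "version": "3.0.2-0ubuntu1.10"},
    ],
    "dependencies": [
        {"ref": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10",
         "dependsOn": ["pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.10"]},
    ],
})


def parse_spdx(text: str) -> Tuple[Inventory, Edges]:
    """Packages come from packages[]; edges from DEPENDS_ON relationships."""
    doc = json.loads(text)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    inventory = {p["name"]: p.get("versionInfo", "") for p in by_id.values()}
    edges: Edges = []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") != "DEPENDS_ON":
            continue
        src = by_id.get(rel.get("spdxElementId"))
        dst = by_id.get(rel.get("relatedSpdxElement"))
        if src and dst:
            edges.append((src["name"], dst["name"]))
    return inventory, edges


def parse_cyclonedx(text: str) -> Tuple[Inventory, Edges]:
    """Components come from components[]; edges from dependencies[].dependsOn."""
    doc = json.loads(text)
    comps = doc.get("components", [])
    by_ref = {c["bom-ref"]: c for c in comps if "bom-ref" in c}
    inventory = {c["name"]: c.get("version", "") for c in comps}
    edges: Edges = []
    for dep in doc.get("dependencies", []):
        src = by_ref.get(dep.get("ref"))
        for ref in dep.get("dependsOn", []):
            dst = by_ref.get(ref)
            if src and dst:
                edges.append((src["name"], dst["name"]))
    return inventory, edges


def load_sbom(text: str) -> Tuple[Inventory, Edges]:
    """Dispatch on the format marker so one loader handles either download."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(text)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return parse_spdx(text)
    raise ValueError("unrecognised SBOM format")


def diff_inventories(old: Inventory, new: Inventory) -> Dict[str, Tuple[str, str]]:
    """Packages added, removed or re-versioned between two SBOMs: name -> (old, new)."""
    return {name: (old.get(name, ""), new.get(name, ""))
            for name in sorted(set(old) | set(new))
            if old.get(name) != new.get(name)}


if __name__ == "__main__":
    inv, edges = load_sbom(SPDX_SAMPLE)
    for name, version in sorted(inv.items()):
        print(f"{name} {version}")
    for src, dst in edges:
        print(f"{src} depends on {dst}")
    rebuilt = {"openssl": "3.0.2-0ubuntu1.12", "libssl3": "3.0.2-0ubuntu1.12"}
    print("changed:", diff_inventories(inv, rebuilt))
```

Because `load_sbom` keys on the format marker, the same script can consume either download without the caller knowing which format was chosen; the diff helper is the usual starting point for a "what changed in this image" review.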
SARIF Report in compliance with GitHub Actions
With this release, the SARIF report generated by QScanner is compliant with the GitHub Actions tab. The report has a new field, locations, for each scan result. This field records where the artifact (a secret, image, or OS package) was found, and it is what makes your SARIF report compliant with GitHub Actions.
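A result that lacks a location is the usual reason a SARIF upload is accepted but shows nothing useful in the Actions tab. The following is an added example, not QScanner's or Qualys's own code, of a pre-upload check that every result carries a locations entry with a physical artifact URI. It assumes the location is populated as `physicalLocation.artifactLocation.uri`, the standard SARIF 2.1.0 shape; the release note does not say which sub-fields QScanner fills in. The SARIF document, rule ids and paths are constructed placeholders.

```python
"""Added example (not QScanner's or Qualys's own code): pre-upload check that
every SARIF result carries a locations[] entry with a physical artifact URI,
the field the release note says the GitHub Actions tab relies on. The SARIF
document below is constructed; its rule ids and paths are placeholders."""
import json
from typing import Any, Dict, List

# Constructed SARIF 2.1.0 log: the first result has a location, the second does not.
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner",
                            "rules": [{"id": "EXAMPLE-OS-PKG-1"},
                                      {"id": "EXAMPLE-SECRET-1"}]}},
        "results": [
            {"ruleId": "EXAMPLE-OS-PKG-1", "level": "error",
             "message": {"text": "constructed OS package finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "usr/lib/x86_64-linux-gnu/libssl.so.3"}}}]},
            {"ruleId": "EXAMPLE-SECRET-1", "level": "warning",
             "message": {"text": "constructed finding that has no location"}},
        ],
    }],
})


def _uri_of(location: Dict[str, Any]) -> str:
    """Extract physicalLocation.artifactLocation.uri, or '' if any level is absent."""
    return (location.get("physicalLocation", {})
                    .get("artifactLocation", {})
                    .get("uri", "") or "")


def location_uris(sarif_text: str) -> List[str]:
    """Every artifact URI referenced by any result, in document order."""
    uris: List[str] = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                uri = _uri_of(loc)
                if uri:
                    uris.append(uri)
    return uris


def results_missing_locations(sarif_text: str) -> List[str]:
    """ruleIds of results with no locations[] entry that resolves to a URI."""
    missing: List[str] = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            if not any(_uri_of(loc) for loc in result.get("locations", [])):
                missing.append(result.get("ruleId", "<no ruleId>"))
    return missing


if __name__ == "__main__":
    print("located artifacts:", location_uris(SARIF_SAMPLE))
    bad = results_missing_locations(SARIF_SAMPLE)
    print("results without a location:", bad)
    # Non-zero exit lets a CI step block the upload when a result has no location.
    raise SystemExit(1 if bad else 0)
```

Run it as a step before the upload action; a non-zero exit on any result without a location keeps an incomplete report out of the Actions tab.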
Fallback to Offline Scan
QScanner downloads the java-db while conducting an SCA scan. With this release, if the java-db download or update fails for any reason, QScanner falls back to an offline scan instead of failing the scan because of the java-db download.
Improvement in SCA Scan
With this release, .NET runtime detection is improved for Software Composition Analysis (SCA). During an SCA scan, QScanner can now detect the software packages for .NET runtimes based on App.runtimeconfig.json files.
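To see what such a runtimeconfig.json file contributes to runtime detection, the following is an added example, not QScanner's or Qualys's own code, that reads the shared-framework references out of `*.runtimeconfig.json` files. It assumes the documented layout of that file: a `runtimeOptions.framework` object for apps that target one shared framework, or a `runtimeOptions.frameworks` array for apps that target several (typical for ASP.NET Core). The two documents are constructed, not copied from a real image.

```python
"""Added example (not QScanner's or Qualys's own code): read the shared
framework references from *.runtimeconfig.json files, the evidence the
release note says .NET runtime detection is now based on. Handles both the
single "framework" object and the "frameworks" array that multi-framework
apps emit. The two documents below are constructed, not copied from an image."""
import json
import os
from typing import Iterator, List, Tuple

# Constructed App.runtimeconfig.json for a console app on one shared framework.
SINGLE_FRAMEWORK = json.dumps({
    "runtimeOptions": {
        "tfm": "net6.0",
        "framework": {"name": "Microsoft.NETCore.App", "version": "6.0.0"},
    }
})

# Constructed App.runtimeconfig.json for a web app on two shared frameworks.
MULTI_FRAMEWORK = json.dumps({
    "runtimeOptions": {
        "tfm": "net8.0",
        "frameworks": [
            {"name": "Microsoft.NETCore.App", "version": "8.0.0"},
            {"name": "Microsoft.AspNetCore.App", "version": "8.0.0"},
        ],
    }
})


def runtime_frameworks(text: str) -> List[Tuple[str, str]]:
    """(name, version) pairs for every shared framework the app declares."""
    opts = json.loads(text).get("runtimeOptions", {})
    candidates = []
    single = opts.get("framework")
    if isinstance(single, dict):
        candidates.append(single)
    candidates.extend(fw for fw in opts.get("frameworks", []) if isinstance(fw, dict))
    # Entries without both a name and a version cannot identify a runtime; skip them.
    return [(fw["name"], fw["version"]) for fw in candidates
            if fw.get("name") and fw.get("version")]


def find_runtimeconfigs(root: str) -> Iterator[str]:
    """Walk an unpacked image filesystem for <app>.runtimeconfig.json files."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".runtimeconfig.json"):
                yield os.path.join(dirpath, fn)


if __name__ == "__main__":
    for label, doc in (("single", SINGLE_FRAMEWORK), ("multi", MULTI_FRAMEWORK)):
        print(label, runtime_frameworks(doc))
```

The version recorded here is the minimum the app asks for; the host may roll forward to a newer patch, so treat it as the runtime family and lower bound rather than the exact installed build.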
Issues Addressed
The following issues have been fixed with this release.
| Category | Issue |
|---|---|
| Image Scan | QScanner collected an incorrect OS version while scanning an image. |
| Data Collection | QScanner threw an irrelevant warning, "dpkg:scan error xxxxxxx", while scanning certain files. QScanner now ignores such irrelevant warnings. |