Release 4.4.0
March 27, 2025
What’s New?
Added Support for Harbor Scanner Adapter
Harbor is an open-source container image registry that can store, scan, and distribute container images securely. The Harbor Scanner Adapter acts as a bridge between Harbor and third-party vulnerability scanning tools, enabling Harbor to perform container image security scans. QScanner now supports the Harbor Scanner Adapter, so Harbor can use QScanner to scan your container images. Using QScanner, you can scan the entire Harbor registry or only a few selected images.
You can view the resulting vulnerabilities on the Harbor UI as well as on the Qualys Enterprise TruRisk™ Platform.
QScanner Image on DockerHub
With this release, Qualys provides QScanner as a container image. The image is available on DockerHub at https://hub.docker.com/r/qualys/qscanner
With this change, you can switch between QScanner versions easily and run QScanner as a container with less setup.
Storage Driver for Cri-O and Podman Runtimes
Until now, QScanner offered the 'overlay2 file system' storage driver for scans that use the 'docker' runtime and the 'overlay file system' storage driver for the 'containerd' runtime. The overlay file system is optimized for containerized environments, making scans faster. With this release, QScanner introduces the 'crio-overlay' and 'podman-overlay' storage drivers for scans that use the 'Crio' and 'Podman' runtimes. The new storage drivers allow scans to work directly with the overlay file system, eliminating the redundant image save step.
Supported Storage Drivers by QScanner
Runtime | Storage Driver |
---|---|
Docker | docker-overlay2 |
Containerd | containerd-overlay |
Crio | crio-overlay |
Podman | podman-overlay |
Update in Software Composition Analysis
With this release, QScanner has upgraded its Software Composition Analysis (SCA) by improving the collection of software language packages. Package collection for the following languages is improved.
- Golang
- DotNet
- PHP
- Python
- Java
Support for JavaDB Download from Multiple Registries
Earlier, QScanner downloaded JavaDB only from GHCR. You can now download JavaDB from these repositories: GHCR, AWS, and Docker. A new parameter, 'QSCANNER_ENABLED_JAVADB_REPOS', is introduced to support this feature. With this change, Qualys has reduced the chances of JavaDB download failure.
JavaDB locations on the repositories are given below.
Repository | JavaDB Location |
---|---|
GHCR | https://ghcr.io/v2/ |
AWS | https://public.ecr.aws/v2/ |
Docker | https://index.docker.io/v2/ |
Retry Mechanism for Changelist.db and SBOM Uploads in QScanner
In the case of a Changelist.db or SBOM upload failure caused by a temporary server error (HTTP 500, 502, 503, and so on), QScanner now retries the upload after certain intervals. Previously, when a Changelist.db or SBOM upload failed on the first attempt, QScanner reported 'failed to upload changelist' and exited the process, which interrupted the workflow. With this change, workflow interruptions due to Changelist.db or SBOM upload failures are reduced.
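As an added example (not QScanner's own code), the following Python models the two behaviours described on this page: retrying transient 5xx failures on Changelist.db and SBOM uploads, and trying the JavaDB repositories from the table above in order. The value format of QSCANNER_ENABLED_JAVADB_REPOS and the retry intervals are assumptions, since the page does not document them.

```python
"""Added example, not QScanner's own code: retry on transient 5xx responses (as
for changelist.db/SBOM uploads) plus ordered fallback across the JavaDB repos
from the table above. The env var format and retry delays are assumptions."""
import time
from typing import Callable, Dict, List, Optional, Tuple

JAVADB_REPOS = {
    "GHCR": "https://ghcr.io/v2/",
    "AWS": "https://public.ecr.aws/v2/",
    "Docker": "https://index.docker.io/v2/",
}

def request_with_retry(send: Callable[[], int], max_attempts: int = 3,
                       delays=(1, 2, 4), sleep=time.sleep) -> Tuple[bool, int, int]:
    """Returns (ok, attempts_used, last_status). 2xx succeeds; any 5xx (500,
    502, 503, ...) is retried after a delay; a 4xx is never retried."""
    status = 0
    for attempt in range(1, max_attempts + 1):
        status = send()
        if 200 <= status < 300:
            return True, attempt, status
        if status < 500:
            return False, attempt, status  # client error: retrying cannot help
        if attempt < max_attempts:
            sleep(delays[min(attempt - 1, len(delays) - 1)])
    return False, max_attempts, status

def enabled_javadb_repos(env: Dict[str, str]) -> List[str]:
    """Parse QSCANNER_ENABLED_JAVADB_REPOS (assumed comma-separated, ordered)."""
    raw = env.get("QSCANNER_ENABLED_JAVADB_REPOS", "")
    names = [n.strip() for n in raw.split(",") if n.strip()] or list(JAVADB_REPOS)
    unknown = [n for n in names if n not in JAVADB_REPOS]
    if unknown:
        raise ValueError(f"unknown JavaDB repository: {unknown}")
    return names

def download_javadb(env: Dict[str, str], fetch: Callable[[str], int],
                    sleep=time.sleep) -> Optional[str]:
    """Try enabled repos in order, skipping any that still fail after retries."""
    for name in enabled_javadb_repos(env):
        base = JAVADB_REPOS[name]
        if request_with_retry(lambda: fetch(base), sleep=sleep)[0]:
            return base
    return None

def make_flaky_server(statuses):
    """Constructed endpoint stand-in: given statuses in order, then 200 forever."""
    it = iter(statuses)
    return lambda *_: next(it, 200)
```

With `make_flaky_server([503, 502])` the request succeeds on the third attempt, while a single 404 ends after one attempt; a repository that keeps returning 5xx is skipped in favour of the next enabled one.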
Support Scanning of Multi-architecture (multi-arch) Images
Multi-architecture (multi-arch) images are container images that support multiple CPU architectures (for example, x86_64, ARM64, and so on), allowing a single image reference to work across different hardware platforms. You can scan multi-arch images using QScanner. To support this, a new flag, '--platform', is introduced.
To know how to scan multi-arch images, refer to QScanner Online Help > Supported Scans > Scanning Multi-architectural Images.
Change in the Location of 'Config.json' File
With this release, QScanner has changed the default configuration file path as indicated below.
Old Path: ~/.config/qscanner.json
New Path: ~/.config/qualys/qscanner/config.json
With this change, the QScanner configuration directory structure is consistent.
Issues Addressed
The following issues have been fixed with this release.
Category | Issue |
---|---|
Image Scan on Containerd Runtime | Vulnerability scan of an image failed when QScanner scanned specific images with 'containerd' runtime. |
Changelist.db or SBOM | QScanner was exiting the scan process due to failure in changelist.db or SBOM upload. |
Data Collection | QScanner failed to detect OS packages. To address this issue, collection of packages from the RPM package manager is improved. |