TABLE OF CONTENTS
- Aqua Platform
- Workload Protection
- Lightning Mode: custom Runtime Policies
- Default Lightning Mode Runtime Policies: enhancement
- Switch from Classic to Lightning Mode
- Aqua Enforcer and scanner for TAS
- /images API enhancement: register images identified in JSON file
- EPSS (Exploit Prediction Scoring System) metrics on Vulnerabilities detail screen
- Export SBOM (Software Bill of Materials) resources
- New v2 API endpoint
- Scanning functions deployed from container images
- Supply Chain Security
- Problems fixed
- Aqua scanner product images
The What Is Auto-Discovery? documentation page has been updated and improved for completeness and clarity.
Lightning Mode: custom Runtime Policies
Custom Runtime Policies for Lightning Mode, previously announced for early availability, are now generally available.
Default Lightning Mode Runtime Policies: enhancement
The Default VM Workload Protection policy now supports the "Detect fileless execution" and "Detect reverse shells" controls. Refer to the Default Runtime Policies documentation for Lightning Mode.
Switch from Classic to Lightning Mode
It is possible to switch the Aqua Platform configuration from Classic to Lightning Runtime Protection Mode. See Switch to Lightning Runtime Protection Mode.
Aqua Enforcer and scanner for TAS
/images API enhancement: register images identified in JSON file
The v2 API /images endpoint can now register images that are identified in a JSON file that you provide. The file can contain up to 1,000 records, each specifying an image registry and image name. Aqua will register and scan all new images specified, and rescan all images that have already been registered.
EPSS (Exploit Prediction Scoring System) metrics on Vulnerabilities detail screen
EPSS metrics are displayed on the Vulnerabilities detail screen, allowing users to prioritize and manage vulnerabilities based on their predicted exploitability. For each CVE, you will find the following metrics:
- EPSS: Indicates the probability score as a percentage, along with its corresponding percentile. For example, 25.7% (47th percentile) indicates a 25.7% probability, ranking it within the 47th percentile.
- EPSS Date: The date of the EPSS assessment.
Note that EPSS metrics are exclusively available for vulnerabilities detected with the Trivy Premium scanner.
Export SBOM (Software Bill of Materials) resources
The Aqua platform provides the capability to export SBOM containing resources and licenses for the following sources:
- Images: from Images > Resources tab
- VMs: from Workloads > VMs > Resources> tab
- Containers: from Workloads > Containers > Resources tab
- Serverless Functions: from Functions > Resources tab
The exported SBOM is available in JSON format, and you have the option to obtain it in both CycloneDX and SPDX formats.
New v2 API endpoint
The new endpoint /api/v2/sbom/export generates a Software Bill of Materials (SBOM) file for various Aqua artifacts, including registry images, host images, ad-hoc scans, VMs, serverless functions, and workloads.
Scanning functions deployed from container images
When the Trivy Premium Scanner is selected, Aqua supports scanning AWS and Azure serverless functions deployed from container images (including the functions deployed from zip files). Scan results of these functions will be displayed on the Functions screen.
The Enforcers Overview documentation page has been updated to compare between the functionality provided in Lightning and Classic runtime protection modes, respectively. The page contents were updated and its readability was improved.
Deploy a Scanner Daemon
The Deploy a Scanner Daemon documentation page (under Aqua Scanner) has been updated and improved.
KubeEnforcer: Known Limitations and Problems
In KubeEnforcer: Known Limitations and Problems: limitation SLK-40061 (resolved) has been removed, and the description of limitation SLK-33035 has been updated.
The AQUA_DTA_WAITING_TIMEOUT_SECONDS optional environment variable for the scanner has been documented.
Supply Chain Security
Support for scanning the "Swift" programming language
Aqua now supports scanning the "Swift" programming language and its manifest files in the code repositories, to detect risks.
Enhancement to the supply chain suppression rules
Aqua ID: SLK-66887
Summary: Users are unable to log in to the Aqua UI using SSO.
Aqua ID: SLK-70503 and SLK-71024
Summary: The console pod sometimes restarts due to continuous increase in memory consumption.
Aqua ID: SLK-70837
Summary: Users cannot upgrade to the July SaaS version due to schema changes that have an impact on columns within the generated report.
Aqua Server (UI)
Aqua ID: SAAS-15677
Summary: Image Assurance Policies may sometimes fail to be implemented as expected according to the application scope and rules defined in the policy for ad-hoc scans.
Aqua ID: SAAS-17830
Summary: Users sometimes experience difficulties when trying to set up notification integrations following the deactivation of Aqua Hub.
Aqua ID: SAAS-18135
Summary: Users sometimes see high CPU utilization when accessing the Audit tab of a CI/CD scanned images.
Aqua ID: SAAS-18532
Summary: Users at times see an incorrect Enforcer link within the Enforcer group on the Workload Protection > Administration > Enforcers screen.
Aqua ID: SAAS-18714
Summary: Users sometimes see an "Error 500 - Internal Server Error" when attempting to apply vShield to a CVE.
Aqua ID: SLK-67624
Summary: Users sometimes see vulnerabilities data from other images when exporting the data of a specific image.
Aqua ID: SLK-68622
Summary: The SHA value of Schema 1 images in the registry may sometimes not match with the Content/Docker ID SHA value displayed in the Aqua UI.
Aqua ID: SLK-70232
Summary: Users with full permissions along with a custom Application Scope are sometimes unable to view the Sensitive Data Detection events on the Audits screen.
Aqua ID: SLK-70275
Summary: The configurations for File Integrity Monitoring (FIM) are not saved when creating a new Host Runtime Policy from the Policies > Runtime Policies screen.
Aqua ID: SLK-70773
Summary: Errors are sometimes observed in the Server logs following the completion of host malware scans.
Aqua ID: SLK-71246
Summary: Users sometimes see some vulnerabilities related to APK packages being incorrectly categorized as .NET vulnerabilities on the Workload Protection > Images > Vulnerabilities tab.
Aqua ID: SLK-71453
Summary: Users sometimes see an inaccurate OpenSSL version on the Workload Protection > Images > Resources screen.
Aqua ID: SLK-71629
Summary: In Lightning Mode, the Block Reverse Shell option sometimes does not appear on the Lighting Default Policies screen.
Aqua ID: SLK-71646
Summary: Duplicate entries are sometimes being registered when a Webhook integration is broken on the Audit screen.
Aqua ID: SLK-72255
Summary: Users sometimes see an "Error Message in Scanner Container Log: Scanner with same logical name already exists" when setting up a scanner.
Aqua ID: SAAS-17989
Summary: Aqua sometimes crashes when integrating with Serverless Applications using the Google Cloud Functions compute provider.
Aqua ID: SLK-68614 and SLK-71169
Summary: ACR registry integrations may sometimes not appear on the Workload Protection > Administration > Integrations > Image Registries screen.
Aqua ID: SLK-71306
Summary: Images are deleted even when the container hosting the registry is temporarily unavailable.
Aqua ID: SLK-71376
Summary: The Aqua scanner sometimes crashes when the "Automatically remove images that don't match the pull criteria" setting is enabled on the Integrations > Image Registries > Registry Configuration tab.
Aqua ID: SLK-69254
Summary: The KubeEnforcer certificate sometimes reference the default namespace in the Common Name (CN) details.
Aqua ID: SAAS-16260
Summary: Users sometimes see conflicting values for "num_running_workloads" and "has_running_workloads" when an image is running as a container while using the "/api/v2/images/registry/repository/image/tag/vulnerabilities" endpoint.
Aqua ID: SLK-70569
Summary: Users sometimes see "504 Gateway Timeout" error is sometimes seen when using the â€œ/api/v1/hostsâ€ endpoint.
Aqua ID: SLK-63154
Summary: The image results are sometimes inconsistent, depending on whether the image was scanned via CI/CD pipeline or by the Classic scanner.
Aqua ID: SLK-67438
Summary: Users sometimes see "502 Bad Gateway" error when performing scans using the Trivy Premium scanner.
Aqua ID: SLK-67510
Summary: When an image is scanned with the Trivy Premium scanner, the information displayed in the Vulnerabilities and Resources tabs appears inaccurate for specific scanned images.
Aqua ID: SLK-68137
Summary: Users sometimes not able to see the remediation for CVE-2023-0464 vulnerability when using the Classic scanner.
Aqua ID: SLK-70082
Summary: Specific scanned images are showing an inappropriate reporting of CVE-2020-5260.
Aqua ID: SLK-70987
Summary: "Twirp syntax" errors are sometimes seen when using the Trivy Premium scanner.
Aqua ID: SLK-71485
Summary: The error message is generic in both cases when Artifactory is unavailable and when the image does not exist in Artifactory during image scanning.
Aqua ID: SLK-71644
Summary: Warning messages are seen in the Suppress Docker logs when using a container engine other than Docker.
Aqua ID: SLK-72041
Summary: "Twirp syntax" errors are sometimes seen when images are scanned.
Aqua scanner product images
To obtain the Aqua scanner product images:
- Login to the Aqua Registry with this command; replace <AQUA_USERNAME> and <AQUA_PASSWORD> with the SSO credentials you have received from Aqua Security.
docker login registry.aquasec.com -u <AQUA_USERNAME> -p <AQUA_PASSWORD>
- Once you have logged in, you can pull the Linux scanner image.
- You can download the scanner (Windows) and scanner-cli binary by using your Aqua username and password at download.aquasec.com.
|Component||Image name / download link|
|scanner (Linux: AMD64)||registry.aquasec.com/scanner:2309.4.7|
Did you find it helpful?Send feedback