The October 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on October 15.


Aqua Platform

GCP organizational onboarding

(available November 6)


GCP Auto-Discovery now supports onboarding a GCP organization.


Update to list of sub-processors

(available October 31)


As a side effect of using Aqua Platform, your data may be processed by one or more third-party businesses or contractors, known as sub-processors. The list of sub-processors has been updated on the Aqua Security Data Processing documentation page.


Workload Protection


Trivy-Operator (deployed with the KubeEnforcer) replaces Starboard (general availability delayed)


Delivery of this feature, previously announced, has been delayed to allow us to complete our standard performance and capacity testing. As before, Starboard will be deployed when deploying KubeEnforcers using manifest files or Helm charts.


If you have deployed any KubeEnforcers with Trivy-Operator, and are experiencing performance issues, we recommend that you redeploy them with Starboard.


We will update these Release Notes when Trivy-Operator becomes generally available.


Notifications triggered by Response Policies will include a direct link to the corresponding Aqua UI page for viewing complete event details.


TLS authentication support between Aqua and Sonatype Nexus integration

The Sonatype Nexus Repository OSS registry type now supports the integration of the Sonatype Nexus image registry with Aqua using TLS authentication through the following attributes:

  • Certificate
  • Private Key


CISA (Cybersecurity and Infrastructure Security Agency) metrics on Vulnerabilities detail screen

CISA information is displayed on the Vulnerabilities detail screen, providing insights to prioritize vulnerability remediation efforts. For each CVE categorized as a known exploited vulnerability, the following metrics are available:

  • Published date by CISA
  • Due Date by CISA

Note that CISA information is only available for vulnerabilities detected with the Trivy Premium scanner.


Windows Server 2022 support

Aqua supports Windows Server 2022 as a host operating system. One limitation applies; see Platform Support Differences and Limitations, Windows, Image Assurance.


Documentation


Aqua Platform Environment and Components

The architectural diagram and component descriptions in Aqua Platform Environment and Components have been rewritten to more accurately describe the architecture of the Aqua SaaS Platform.


Behavioral Detection signatures

The Signatures List for Behavioral Detection has been updated with new and updated signatures.


New Aqua Enforcer environment variable

Refer to Aqua Enforcer (optional environment variables) for documentation of AQUA_PRELOAD_NO_LIBDL.


V1/hostsbatch API endpoint


The request and response structures of the Create Enforcer Group (hostsbatch) V1 API endpoint have been updated.


Account Management


API Keys

The Account Management API Keys screen allows you to generate and manage Aqua Platform API keys and secrets. Refer to API Keys for updated documentation on this functionality. (Note: API key and secret generation was previously part of the CSPM module.)


Problems fixed

Aqua Server

Aqua ID: SLK-66887

Summary: It is not possible to log in to the Aqua UI using SSO.


Aqua ID: SLK-67705

Summary: The console crashes daily due to a continuous increase in memory consumption.


Aqua Server (UI)

Aqua ID: SLK-66900

Summary: The data displayed on the 'Host Assurance Policy Compliance' widget is sometimes inconsistent.


Aqua ID: SLK-67624

Summary: Vulnerability data from other images is sometimes seen when exporting the data for a specific image.


Aqua ID: SLK-68334

Summary: The Risk Explorer screen is sometimes unresponsive due to performance issues.


Aqua ID: SLK-69901

Summary: Unable to view Kubernetes and kubelet resources in the AKS cluster on the Workloads > VMs screen.


Aqua ID: SLK-71380

Freshdesk: 33283

Summary: The Application Scopes option is sometimes not visible in the Administration menu of the UI.


Aqua ID: SLK-73161

Freshdesk: 31269

Summary: Non-compliant VMs are sometimes displayed as 'Passed' on the Workloads > VMs > Scan History tab.


Integrations

Aqua ID: SLK-70287

Freshdesk: 32419 and 33003

Summary: The automatic schedule set up to pull and scan images from the Harbor registry, as configured in the Integrations > Image Registries > Registry Configuration tab, sometimes does not work as expected.


Aqua ID: SLK-73157

Summary: Unable to integrate Amazon Elastic Container Registry using a cloud connector.


Aqua ID: SLK-73484

Summary: Automatic cleanup of images and repositories, as configured in the Integrations > Image Registries > Registry Configuration tab, sometimes does not work as expected.


Scanning

Aqua ID: SLK-63786

Summary: The Trivy Premium scanner fails to save the Aqua GUID after scanning a MicroEnforcer image, causing Workloads to be tagged as "Unregistered Image," even though the image is registered with Aqua.


Aqua ID: SLK-68019 and SLK-69913

Freshdesk: 31141

Summary: The error "Failed loading previous results, cannot continue twirp error internal: image scan data does not exist" occurs at times during the rescan of an image.


Aqua ID: SLK-70102

Freshdesk: 32894

Summary: Scan results are sometimes sent to the Webhook even when the "Enable sending image scan results to webhook" option is disabled.


Aqua ID: SLK-71218

Freshdesk: 32726

Summary: The "Error Message in Scanner Container Log: Scanner with same logical name already exists" error occurs at times when setting up a scanner.


Aqua ID: SLK-71561 and SLK-71615

Freshdesk: 32825

Summary: "Twirp syntax" errors are sometimes seen when images are scanned.


Aqua ID: SLK-72227

Summary: Postee log events of a specific scanned image are sometimes seen in the server logs, even when the associated Response Policy is disabled.


Aqua ID: SLK-73162

Freshdesk: 32609

Summary: Critical vulnerabilities in an image are at times ignored during image scans through the CI/CD pipeline.


Aqua scanner product images


To obtain the Aqua scanner product images:

  1. Log in to the Aqua Registry with this command; replace <AQUA_USERNAME> and <AQUA_PASSWORD> with the SSO credentials you have received from Aqua Security.
    docker login registry.aquasec.com -u <AQUA_USERNAME> -p <AQUA_PASSWORD>
  2. Once you have logged in, you can pull the Linux scanner image.
  3. You can download the scanner (Windows) and scanner-cli binary by using your Aqua username and password at download.aquasec.com.


Component | Image name / download link
scanner (Linux: AMD64) | registry.aquasec.com/scanner:2310.2.6
scanner (Windows) | AquaScannerWindowsInstaller.2310.2.6.msi
scanner (Windows) for Azure DevOps | AquaScannerWindowsInstaller.2310.2.6.vsts.zip
scanner-cli binary | scannercli