Note:
This app version is intended for Unified Security Exposure Management (USEM), a significant architectural upgrade to the Vulnerability Response applications.
If you are currently using Vulnerability Response and upgrading to USEM for the first time, you must use the Migration assistant for Unified Security Exposure Management to ensure a safe and successful upgrade. For full details, refer to KB2556844 and the documentation before proceeding.
If you do not intend to upgrade to USEM, please select a version below 30.x when installing or upgrading.
Vulnerability Response and Configuration Compliance for Containers helps organizations respond to container vulnerabilities quickly and efficiently by connecting security and application teams, and providing real-time visibility into your security posture. Container Vulnerability Response connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading container security vendors to give your teams a single platform for a response that can be shared between security and application teams.
The Vulnerability Response and Configuration Compliance for Containers application includes the following capabilities:
- Reference a Docker image as a configuration item (CI) from container vulnerable items (CVITs).
- Provide runtime context such as Kubernetes Services, Clusters, Namespaces, and cloud account metadata for security teams so they can make decisions on assignment, remediation target, risk score calculation, and more.
- Assignment rules automatically assign container vulnerabilities to the application teams based on Docker Image labels, Kubernetes cluster/namespace/service information, cloud account ID, cloud account name, cloud region, cloud provider, etc.
- Populate base OS image vulnerable items separately to facilitate independent tracking of these vulnerabilities.
- Provide flexibility to configure granularity of container vulnerable items to track at Docker image level, cluster level, service level, etc.
- Automatically detect new versions of container images being deployed and close vulnerabilities reported on older versions.
- Exception management features for remediation owners to request exceptions, a multi-level approval workflow, and exception rules to automatically defer container vulnerable items.
- PA dashboard, which provides visibility into vulnerability and remediation trends.
New:
- Added support for AWS ECS clusters and services in the container vulnerability integration. The integration now builds a unified relationship and hierarchy model for ECS assets — alongside existing Kubernetes support — to enable CVIT ingestion, service scoring, and impact analysis across both Discovery and Scanner data sources.
Changed:
- The length of the source_id column on the Container Image Finding [sn_vul_container_image_findings] table has been increased to accommodate longer AWS source identifiers.
- Deployment hierarchy data for both ECS and EKS is now precomputed and stored in a cache table, reducing redundant computation during import. ECS support is new in this release. EKS support was already available and now benefits from the same optimized caching model.
Fixed:
- The Short Description, Assignment Group, and Assigned to fields now autopopulate when creating a change from a Container Vulnerable Item (CVUL) in the Vulnerability Manager workspace.
- The Split Task UI action for Container Remediation Tasks (CVUL). Previously, splitting a remediation task left the Assignment Group and Assigned To fields empty on the newly created task.
- The IsBaseImage flag has been deprecated on Container Vulnerable Items (CVITs) as it is image-specific data. It is now correctly mapped on the Discovered Container Image [sn_vul_container_image] table, where it is imported from the Prisma Base Image integration payload.
- The Path field on Container Image Package records now matches the path on the related Container Image Finding record for Prisma and other third-party scanners.
- The Impacted Services related list is now available on Container Vulnerable Item records, which is consistent with the related list that exists on Vulnerable Item records.
- A security vulnerability in the ContainerVulnerabilityAJAX script include where ACL checks were not enforced, allowing any authenticated user to invoke functions above their privilege level. Execute ACLs and role checks have been added to restrict access to authorized roles only.
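The fix above describes a client-callable script include whose methods could be invoked by any authenticated user because no role check was enforced. The following is an added example, not code from the Vulnerability Response and Configuration Compliance for Containers application: it shows the platform idiom of checking the caller's role inside each client-reachable method, with an unchecked method kept only to contrast the shape the fix removed. `Class.create`, `Object.extendsObject`, `AbstractAjaxProcessor` and `gs` are constructed stand-ins modelling only the calls the example needs, so the file runs outside ServiceNow; `rescoreItem`, `sysparm_cvit_id` and `ContainerVulnerabilityAjaxExample` are hypothetical names, and the role is the Container Vulnerability Admin role listed on this page.

```javascript
// Constructed stand-ins for platform APIs (not the real implementations).
var Class = {
  create: function () {
    var ctor = function () {
      if (typeof this.initialize === 'function') {
        this.initialize.apply(this, arguments);
      }
    };
    return ctor;
  }
};

// Merge the parent's prototype with the new members, as the platform helper does.
Object.extendsObject = function (parent, members) {
  var proto = {};
  var parentProto = parent.prototype || {};
  for (var k in parentProto) { proto[k] = parentProto[k]; }
  for (var m in members) { proto[m] = members[m]; }
  return proto;
};

// Constructed GlideSystem stand-in: the caller's roles are fixed per session.
function makeGs(roles) {
  return {
    hasRole: function (role) {
      // On the platform, admin satisfies every hasRole check.
      return roles.indexOf('admin') !== -1 || roles.indexOf(role) !== -1;
    },
    getUserName: function () { return 'constructed.user'; }
  };
}

// Constructed AbstractAjaxProcessor stand-in: carries the request parameters.
var AbstractAjaxProcessor = Class.create();
AbstractAjaxProcessor.prototype = {
  initialize: function (gs, params) {
    this.gs = gs;
    this.params = params || {};
  },
  getParameter: function (name) {
    return this.params[name];
  }
};

// Role named on this page for configuring Container Vulnerability Response.
var REQUIRED_ROLE = 'sn_vul_container.vulnerability_admin';

// Hypothetical script include in the platform's idiom. The Execute ACL on the
// script include is the outer gate; the per-method role check is the inner one,
// so a caller who reaches the include still cannot run privileged methods.
var ContainerVulnerabilityAjaxExample = Class.create();
ContainerVulnerabilityAjaxExample.prototype = Object.extendsObject(AbstractAjaxProcessor, {

  // Hardened shape: refuse before doing anything unless the caller holds the role.
  rescoreItem: function () {
    var denied = this._requireRole(REQUIRED_ROLE);
    if (denied) { return denied; }
    var sysId = this.getParameter('sysparm_cvit_id');
    return JSON.stringify({ ok: true, rescored: sysId });
  },

  // The shape the fix removed: no check, so any authenticated caller who can
  // reach the script include gets the privileged result.
  rescoreItemUnchecked: function () {
    return JSON.stringify({ ok: true, rescored: this.getParameter('sysparm_cvit_id') });
  },

  _requireRole: function (role) {
    if (this.gs.hasRole(role)) { return null; }
    return JSON.stringify({
      ok: false,
      error: 'insufficient role: ' + role,
      user: this.gs.getUserName()
    });
  },

  type: 'ContainerVulnerabilityAjaxExample'
});

// Drive one call for a caller holding the given roles; returns the parsed reply.
function callRescore(roles, cvitId, unchecked) {
  var proc = new ContainerVulnerabilityAjaxExample(makeGs(roles), { sysparm_cvit_id: cvitId });
  return JSON.parse(unchecked ? proc.rescoreItemUnchecked() : proc.rescoreItem());
}
```

On the platform the same check would read `gs.hasRole(...)` directly inside each method; keeping it in a small `_requireRole` helper makes it hard to add a new client-callable method and forget the check.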
- An integration run queued in the Ready state is now automatically triggered after the preceding integration run completes successfully. Previously, the PostIntegrationProcessor script include used setWorkflow(false) when closing a run, which prevented the workflow from picking up the next queued run — leaving it stuck indefinitely in the Ready state.
The following applications are required by Vulnerability Response and Configuration Compliance for Containers and must be installed and activated:
- Vulnerability Response
- Security Exposure Management (requires entitlement from the store)
Permissions and roles
- Roles required:
  - For installation: System Admin (admin)
  - For configuration: Container Vulnerability Admin (sn_vul_container.vulnerability_admin) for Container Vulnerability Response