Release Notes
Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9
To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan.
What are RPM Modules and Streams?
In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism.
Modules are structured in the following way:
- Module Streams: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates.
- Stream Activation: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system.
For example, the notation python39:3.9/python39 indicates the module python39, the stream 3.9, and the source package python39.
Enhancements to Vulnerability Reporting
- Module-Based Vulnerability Identification: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes.
- Inclusion of RPM Module Metadata in Scan Results: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results.
Benefits of Module-Aware Vulnerability Reporting
- Improved Accuracy: Matches CVE fixes to the correct module stream.
- Reduced False Positives: Avoids misreporting of vulnerabilities fixed in older streams.
- Comprehensive Coverage: Links all RPM packages installed by a module to its vulnerabilities.
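The stream-aware matching rule described above, as an added illustration in Python (not Intelligence Stream's or Defender's own code): a fix entry only applies to an installed package when the package's module and stream match the fix, and a package from a different stream, or a non-modular build, is skipped rather than misreported. The modularity label format `module:stream:version:context` is the rpm MODULARITYLABEL tag; the label values, package inventory and `EXAMPLE-` advisory ids are constructed placeholders, and the version comparison is a simplified rpmvercmp that omits tilde and caret handling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory record. modularity_label follows the rpm
# MODULARITYLABEL format "module:stream:version:context"; None means the
# package is non-modular.
@dataclass(frozen=True)
class InstalledRpm:
    name: str
    version: str
    release: str
    modularity_label: Optional[str] = None

# Constructed fix record: the (module, stream) the fix belongs to (None for a
# non-modular package) and the first fixed version/release of one package.
# Advisory ids are placeholders, not real advisories.
@dataclass(frozen=True)
class Fix:
    advisory: str
    module: Optional[str]
    stream: Optional[str]
    package: str
    fixed_version: str
    fixed_release: str

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp over alternating numeric/alpha segments.
    Returns -1, 0 or 1; tilde and caret handling are omitted."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(installed: Tuple[str, str], fixed: Tuple[str, str]) -> int:
    """Compare (version, release) pairs; release only decides when versions tie."""
    c = rpm_vercmp(installed[0], fixed[0])
    return c if c != 0 else rpm_vercmp(installed[1], fixed[1])

def module_stream(label: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (module, stream) from a modularity label; None for non-modular."""
    if label is None:
        return None
    parts = label.split(":")
    if len(parts) < 2:
        raise ValueError(f"malformed modularity label: {label!r}")
    return parts[0], parts[1]

def find_vulnerable(installed: List[InstalledRpm], fixes: List[Fix]) -> List[Tuple[str, str]]:
    """Return (package, advisory) pairs for packages older than the fixed
    version of a fix that targets the same module stream the package came from."""
    findings = []
    for pkg in installed:
        pkg_stream = module_stream(pkg.modularity_label)
        for fix in fixes:
            if fix.package != pkg.name:
                continue
            # A fix for one stream says nothing about a package built from
            # another stream (or a non-modular build): skip, do not misreport.
            fix_stream = (fix.module, fix.stream) if fix.module else None
            if fix_stream != pkg_stream:
                continue
            if evr_cmp((pkg.version, pkg.release), (fix.fixed_version, fix.fixed_release)) < 0:
                findings.append((pkg.name, fix.advisory))
    return findings

PY39_LABEL = "python39:3.9:8050020210907200801:b4937e53"  # constructed
NODE16_LABEL = "nodejs:16:8060020220127152140:a75119d5"   # constructed

INSTALLED = [
    InstalledRpm("python39", "3.9.6", "1.el8", PY39_LABEL),
    InstalledRpm("python39-libs", "3.9.6", "1.el8", PY39_LABEL),
    InstalledRpm("nodejs", "16.14.0", "1.el8", NODE16_LABEL),
    InstalledRpm("bash", "4.4.20", "4.el8"),
]

FIXES = [
    Fix("EXAMPLE-2024-0001", "python39", "3.9", "python39", "3.9.7", "1.el8"),
    Fix("EXAMPLE-2024-0001", "python39", "3.9", "python39-libs", "3.9.7", "1.el8"),
    Fix("EXAMPLE-2024-0002", "nodejs", "14", "nodejs", "14.21.3", "1.el8"),  # older stream only
    Fix("EXAMPLE-2024-0003", None, None, "bash", "4.4.20", "3.el8"),        # already fixed
]

if __name__ == "__main__":
    for package, advisory in find_vulnerable(INSTALLED, FIXES):
        print(f"{package}: affected by {advisory}")
```

With the constructed data, both python39 packages are reported against EXAMPLE-2024-0001 (every package installed by the module is checked), nodejs is not reported because the fix belongs to the 14 stream rather than the installed 16 stream, and bash is not reported because the installed release is already newer than the fixed one.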
NOTE:
- This enhancement requires upgrading Defenders to the latest version.
- The older versions of Defender will remain unaffected by this change, and their behavior remains unchanged.
Enhanced Vulnerability Reporting for NuGet Packages
Previously, the scanning process included NuGet packages listed in .deps.json files that were essential to the runtime environment but not related to the application itself. These unrelated packages resulted in false positives in vulnerability reporting.
With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of the vulnerabilities directly associated with the application and reduces false positive alerts.
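One way to separate application packages from runtime-specific entries in a .deps.json file, as an added illustration in Python (not Defender's own logic, which the release note does not describe): the example assumes that a package counts as application-related only when it is reachable through the "dependencies" graph from the "project" entry, and that entries of the `runtimepack` library type written by self-contained deployments are runtime-specific. The .deps.json document below is constructed, with placeholder hashes.

```python
import json
from typing import List, Tuple

# Constructed .deps.json excerpt; names and hashes are placeholders.
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0/linux-x64" },
  "targets": {
    ".NETCoreApp,Version=v6.0/linux-x64": {
      "ExampleApp/1.0.0": {
        "dependencies": { "Newtonsoft.Json": "13.0.1", "Serilog": "2.12.0" },
        "runtime": { "ExampleApp.dll": {} }
      },
      "Newtonsoft.Json/13.0.1": { "runtime": { "lib/netstandard2.0/Newtonsoft.Json.dll": {} } },
      "Serilog/2.12.0": {
        "dependencies": { "System.Text.Encoding.CodePages": "6.0.0" },
        "runtime": { "lib/net6.0/Serilog.dll": {} }
      },
      "System.Text.Encoding.CodePages/6.0.0": {
        "runtime": { "lib/net6.0/System.Text.Encoding.CodePages.dll": {} }
      },
      "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.5": {
        "runtime": { "System.Private.CoreLib.dll": {}, "System.Runtime.dll": {} }
      }
    }
  },
  "libraries": {
    "ExampleApp/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Newtonsoft.Json/13.0.1": { "type": "package", "serviceable": true, "sha512": "sha512-placeholder" },
    "Serilog/2.12.0": { "type": "package", "serviceable": true, "sha512": "sha512-placeholder" },
    "System.Text.Encoding.CodePages/6.0.0": { "type": "package", "serviceable": true, "sha512": "sha512-placeholder" },
    "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.5": { "type": "runtimepack", "serviceable": false, "sha512": "" }
  }
}
'''

def classify_deps(deps_text: str) -> Tuple[List[str], List[str]]:
    """Split library entries into (application packages, runtime-only entries).

    Application packages are "package" libraries reachable from the project
    node through the target's dependency edges; everything else that is not
    the project itself (runtime packs, unreferenced entries) is runtime-only.
    """
    doc = json.loads(deps_text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    libraries = doc["libraries"]
    roots = [key for key, meta in libraries.items() if meta.get("type") == "project"]

    # Depth-first walk of the dependency graph starting at the project node(s).
    reachable = set()
    stack = list(roots)
    while stack:
        node = stack.pop()
        if node in reachable:
            continue
        reachable.add(node)
        for dep, version in target.get(node, {}).get("dependencies", {}).items():
            stack.append(f"{dep}/{version}")

    app_packages, runtime_only = [], []
    for key, meta in libraries.items():
        if meta.get("type") == "project":
            continue
        if meta.get("type") == "package" and key in reachable:
            app_packages.append(key)
        else:
            runtime_only.append(key)
    return sorted(app_packages), sorted(runtime_only)

if __name__ == "__main__":
    app, runtime = classify_deps(SAMPLE_DEPS_JSON)
    print("application packages:", app)
    print("runtime-only entries:", runtime)
```

On the sample document the three packages reachable from ExampleApp (including the transitive System.Text.Encoding.CodePages) are kept for scanning, while the runtime pack is set aside, which is the kind of false positive the enhancement removes.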
NOTE:
- This enhancement requires upgrading Defenders to the latest version.
- The updated Defender accurately identifies package dependencies, which leads to fewer false positives.
- The older versions of Defender will remain unaffected by this change, and their behavior remains unchanged.
Enhancement to Prevent Action with fsmon_v2
To enhance the handling of file system events for the Prevent Action in the Runtime Policy, a new version, fsmon_v2, has been developed. This version improves stability by managing timeouts more promptly and robustly, which reduces bottlenecks.
While fsmon_v2 brings significant improvements, it is still under active development and further enhancements are planned. Currently, fsmon_v2 is being rolled out gradually.
This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it.
"last-connected" Field Added to Defender Stats Logs
A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history.
Helm Chart Updates
Replaced values limits_cpu and limits_memory
The values limits_cpu and limits_memory did not match the official Helm chart, so they were replaced by limit_cpu and limit_memory respectively, matching the official values that set the Defender DaemonSet resource limits.
Included labels
Added the capacity to add labels to the Defender DaemonSet. To use this, add entries to the labels value as in the following example:
labels:
  hello: world
Immutable DEFENDER_CLUSTER_ID
DEFENDER_CLUSTER_ID used to generate a new random value on every upgrade. Now, once the Helm chart is installed, this value won't change.
Removed mandatory creation of the secret to pull the Defender image
If you use a private registry to store the Defender image but a secret is not required to pull the image (for example, in AWS ECR), you can omit the creation of this secret by setting the value image_pull_secret to blank, as in the following:
image_pull_secret:
Dynamic Remote Key names for External Secrets
Included the following values:
secret_store:
  properties_name:
    service_parameter: SERVICE_PARAMETER
    defender_ca: DEFENDER_CA
    defender_client_cert: DEFENDER_CLIENT_CERT
    defender_client_key: DEFENDER_CLIENT_KEY
    admission_cert: ADMISSION_CERT
    admission_key: ADMISSION_KEY
    registry: REGISTRY
    username: REGISTRY_USER
    password: REGISTRY_PASS
    install_bundle: INSTALL_BUNDLE
    ws_address: WS_ADDRESS
This allows overriding the names of the remote keys located in the remote secret.