neuvector/neuvector v5.3.3 on GitHub

What's Changed

NVSHAS-8136(enforcer update): container is selected based on image=xxx criteria, add related containers to group by @jayhuang-suse in #929
NVSHAS-8136, container is selected based on image=xxx criteria, add related containers to group by @gfsuse in #915
NVSHAS-8155, previous host ip reused by POD, remove it from iphost cache by @gfsuse in #928
NVSHAS-7922: [Controller] When syslog server goes unreachable, contro… by @williamlin-suse in #927
NVSHAS-7994: the Federation.Demote event could be missing after a cluster is demoted by @williamlin-suse in #936
NVSHAS-6572: Parse image config spec referred in manifest by @becitsthere in #935
NVSHAS-8172: Not to write local file during benchmark by @becitsthere in #937
NVSHAS-7949: suggest to not showing the sensitive info in debug log by @jayhuang-suse in #896
NVSHAS-8170: Auto profile collection feature to capture profile data at the maximum memory by @jayhuang-suse in #917
NVSHAS-7449: Add extra vul data when report one cve per syslog by @becitsthere in #942
add rwlock to protect resources by @jeffhuang4704 in #943
NVSHAS-7077: Document scanner auto-scaling limitation with OpenShift … by @williamlin-suse in #941
NVSHAS-7379: exit container if proc keep restarting by @becitsthere in #945
[NVSHAS-8192] Fix dp crash at dp_ctrl_update_ip_fqdn_storage() by @kyledong-suse in #947
NVSHAS-8170 v2: make auto-profile default and adjustable memory threshold by @jayhuang-suse in #946
NVSHAS-8082: Not able to edit or delete process rules created using review rules from security events. by @williamlin-suse in #944
NV Protect: keep temporary agent's process records to improve the false-positive cases by @jayhuang-suse in #909
NVSHAS-8187: Fix bench script parsing error by @becitsthere in #951
NVSHAS-8196: Deleted CRD network rule's id stays in rules header list even after the CRD network rule is deleted by @williamlin-suse in #950
NVSHAS-8106: Prefer manifest v2 cmds by @becitsthere in #954
NVSHAS-8087: nvadmissioncontrolsecurityrules exists in k8s without corresponding NV Admission control rules by @williamlin-suse in #960
Fixed indentation and typo in api doc by @minchao in #955
NVSHAS-8147: Support Azure for csp-adapter cloud billing by @williamlin-suse in #962
Add ApiKey support to the API doc by @minchao in #961
Update apis.yaml version by @becitsthere in #966
NVSHAS-8197: configMap: No error is reported if password do not comply password profile by @williamlin-suse in #972
Fix parameter definition for post /v1/api_key api and properties for role_domains in api doc by @minchao in #968
NVSHAS-7728: Add image created time in scan result by @becitsthere in #979
NVSHAS-8243: Add image create time in repo scan report by @becitsthere in #980
NVSHAS-8210: use installation-specific key by @holyspectral in #963
NVSHAS-8241: Add extra vul info into one-per-log event by @becitsthere in #981
NVSHAS-8051: FileMonitor events are not getting aggregated by @jayhuang-suse in #891
NVSHAS-8091: remove process_replace_list entry from PATCH(v1/process_profile/:name) API by @jayhuang-suse in #976
NVSHAS 7990 & 7925 - cgroup error log fixes by @jaimeyu-suse in #970
NVSHAS-8181: cleanup cgroup path logic by @becitsthere in #982
NVSHAS-7728: NeuVector should provide container image build date in Assets -> Container details by @jayhuang-suse in #989
Controller: rewrite the flow of the learning file rule requests. by @jayhuang-suse in #987
NVSHAS-8213: Escape ad userfilter before authentication by @becitsthere in #991
NVSHAS-8240: patch a hole when pruneGroupsByNamespace() failed to acquire a policy lock by @jayhuang-suse in #992
NVSHAS-8212: allow using separate keys for jwt token by @holyspectral in #990
NVSHAS-8241: Add description to vul log by @becitsthere in #994
NVSHAS-8246, Improve pruning namespace func to delete related rules faster to avoid holding lock too long by @gfsuse in #997
NVSHAS-8240: Export of group policy does not return any actual YAML c… by @williamlin-suse in #998
NVSHAS-7962: Protobuf Changes by @alopez-suse in #1000
NVSHAS-8287: Skip handling the CRD CREATE/UPDATE requests if the CR's… by @williamlin-suse in #1002
NVSHAS-8287: Skip handling the CRD CREATE/UPDATE requests if the CR's… by @williamlin-suse in #1004
NVSHAS-8285: part of CRD groups cannot be pruned successfully after n… by @williamlin-suse in #1007
NVSHAS-7764: "Maximum concurrent syslog message reached Check syslog server settings " ERROR log can be rate limited by @jayhuang-suse in #1005
NVSHAS-8289: Use env variable in enforcer for enabling/disabling custom benchmark by @jayhuang-suse in #1006
NVSHAS-5295: extend options for cve report criteria in response rules… by @williamlin-suse in #1012
NVSHAS-8275: [Enforcer] Creating about 800K files under monitored directory causes enforcer memory bloat to 5G by @jayhuang-suse in #1014
NVSHAS-8111 - Custom scripts not running by @jaimeyu-suse in #1001
NVSHAS-7962: Trigger Scans on Signature or Sigstore config changes by @alopez-suse in #1003
NVSHAS-8249, restrict to non-host mode only for hostip reused as wl ip case by @gfsuse in #999
NVSHAS-8299: Parse extra image config spec by @becitsthere in #1015
NVSHAS-8270: Add more control on custom checks (controller) by @williamlin-suse in #1013
NVSHAS-8239: Implement detection for TLS1.1 in DP by @kyledong-suse in #1008
NVHSAS-8302: fix manifest scan error for unsigned images by @alopez-suse in #1017
NVSHAS-7704: show all deny rule violations during configuration assessment by @alopez-suse in #1019
NVSHAS-8170: move debug data into new folders by @jayhuang-suse in #965
NVSHAS-8264: Add CSP adapter version to Support Bundle by @williamlin-suse in #1016
NVSHAS-8312: goroutine crash at scan.IsQuayRegistry(...) by @williamlin-suse in #1020
NVSHAS-8311: goroutine crash at scan.GetCosignSignatureTagFromDigest(… by @williamlin-suse in #1021
NVSHAS-8270: Add more control on custom checks (controller) by @williamlin-suse in #1022
NVSHAS-8169: Namespace admin should be able to see the namespaces he/… by @williamlin-suse in #1023
NVSHAS-8270: Add more control on custom checks (controller) by @williamlin-suse in #1024
NVSHAS-8304: Scans failing on one Node only by @jayhuang-suse in #1026
NVSHAS-8310: don't scan unsigned images when sigstore configuration changes by @alopez-suse in #1025
NVSHAS-7704: Configuration assessments against Admission Control shou… by @williamlin-suse in #1027
NVSHAS-8223: Suppress repeated logs by @becitsthere in #1028
NVSHAS-8320: the criteria info is missing in Admission.Control.Denied… by @williamlin-suse in #1029
NVSHAS-8319: Modify SQLi signature to prevent false positive by @kyledong-suse in #1031
NVSHAS-8270: Add more control on custom checks (controller) by @williamlin-suse in #1033
NVSHAS-8121: suggest not report Container.Suspicious.Process incident for socat processes by @jayhuang-suse in #1035
NVSHAS-8322 & NVSHAS-8323: fix unnecessary signature rescans by @alopez-suse in #1034
NVSHAS-8212: Maintain JWT certificate inside NeuVector controllers by @holyspectral in #1030
NVSHAS-8226, Distribute network policy to enforcer with host awareness by @gfsuse in #978
NVSHAS-8203, Learn egress to external FQDN address group automatically by @gfsuse in #995
NVSHAS-5703: Improve update FQDN field in graph by @kyledong-suse in #1036
NVSHAS-5703: add extra logs for certificate reload by @holyspectral in #1038
NVSHAS-8336, still need to let relevant nodes know there are new workload detected so policy can be learned by @gfsuse in #1040
NVSHAS-8338, fix crash due to assignment to entry in nil map by @gfsuse in #1041
NVSHAS-8327: FileMonitor: Many automation cases fail due to many fields missing in the event. by @jayhuang-suse in #1044
NVSHAS-8341, policy distribution for host mode related workload need to consider client side for k8s platform by @gfsuse in #1048
NVSHAS-8342: the message info is incorrect in /v1/assess/admission/ru… by @williamlin-suse in #1050
NVSHAS-8344: REST API DELETE /v1/response/rule doesn't work by @williamlin-suse in #1051
NVSHAS-8340: unexpected scannerRegister lock error in controller by @jayhuang-suse in #1047
NVSHAS-8347: fed deny rule should have high priority than local deny … by @williamlin-suse in #1052
NVSHAS-8053 - 'ps' process incidents are raised by root process by @jaimeyu-suse in #1049
NVSHAS-8362: Support GCP for csp-adapter cloud billing by @williamlin-suse in #1056
NVSHAS-8373: fail to write cvedb into consul kv by @jayhuang-suse in #1061
NVSHAS-8313 Fix node state shows 'un-managed' but enforcer shows 'connected' by @kyledong-suse in #1057
NVSHAS-8350: Too many admission control logs when 3rd party keeps upd… by @williamlin-suse in #1058
NVSHAS-8371 fix part 1, only expand containers group to configured workload to avoid Missing policy mode for both src and dst error by @gfsuse in #1062
NVSHAS-8385: support output event to controller logs by @becitsthere in #1067
NVSHAS-5774: Assets > Containers: Show containers that were scanned in registry by @jayhuang-suse in #1065
NVSHAS-8247: Less cross-check when processing CRD by @williamlin-suse in #1068
NVSHAS-8324: the scan_summary info in workload object is gone after rolling upgrade by @jayhuang-suse in #1066
NVSHAS-8171, Report stats at group level by @gfsuse in #1055
NVSHAS-8368 goroutine crash by @holyspectral in #1060
NVSHAS-7520: CRD policy in k8s is different from the one in NV (after… by @williamlin-suse in #1069
NVSHAS-8400: waf and dlp sensor reference is not imported after the r… by @williamlin-suse in #1071
Add Vectorscan for Arm64 by @kyledong-suse in #1073
Fix Makefile.arm to use Makefile.rule_arm by @kyledong-suse in #1075
NVSHAS-8304: Scans failing on one Node only by @jayhuang-suse in #1072
NVSHAS-8406, only set service container's hasDatapath to true in istio case to avoid unexpected policy behavior by @gfsuse in #1074
Add rlock protection on the shared map, "activeContainers", access. by @jayhuang-suse in #1078
NVSHAS-8431 reduce log level for jwt cert manager by @holyspectral in #1080
NVSHAS-6739: ARM support for fanotify by @becitsthere in #1081
NVSHAS-8204: Add RESTConversationReportEntry into RESTExposedEndpoint by @kyledong-suse in #1083
NVSHAS-6097/7821: Import/Export of Vulnerability/Compliance Profiles by @williamlin-suse in #1077
NVSHAS-8387: Apply disabled nvadmissioncontrolsecurityrules yaml with kubectl by @williamlin-suse in #1088
NVSHAS-7616 SAML Single Logout (SLO) support by @holyspectral in #1090
NVSHAS-8436: Enforcer - remove the mounting runtime socket requirement by @jayhuang-suse in #1086
NVSHAS-7616 dismiss false positive on dependabot by @holyspectral in #1091
NVSHAS-8354: Apply admission control rules differently for containers… by @williamlin-suse in #1089
NVSHAS-8100: Fix output_event_to_logs json name by @becitsthere in #1093
Log event name in msg if msg is missing by @becitsthere in #1095
NVSHAS-8448 refine validation in server API by @holyspectral in #1097
NVSHAS-8162: To persist the accept status for RBAC error notifications by @williamlin-suse in #1094
NVSHAS-7347: Add password reset option to reset user password in console by @williamlin-suse in #1098
NVSHAS-8462: show unexpected crd error message in /v1/system/rbac by @williamlin-suse in #1100
NVSHAS-8456: controllers: remove the mounting runtime socket requirement by @jayhuang-suse in #1099
NVSHAS-7704: Configuration assessments against Admission Control shou… by @williamlin-suse in #1102
Arm build support change by @kyledong-suse in #1096
NVSHAS-8471: Configuration Assessment does not work in fleet 5011 by @williamlin-suse in #1107
NVSHAS-8464: Not to run controller in privileged mode in kubernetes by @jayhuang-suse in #1103
NVSHAS-8424: Restore of Federated Registry not appearing on managed n… by @williamlin-suse in #1110
NVSHAS-8332, add a controller ENV to allow enable icmp policy enforcement by @gfsuse in #1079
NVSHAS-8487: Policy Admission Control: import invalid yaml file retur… by @williamlin-suse in #1111
NVSHAS-8485: Merge option for Vulnerability Profile import thru REST … by @williamlin-suse in #1112
NVSHAS-7917: Deleting vulnerable "java package" files doesn't remove from vulnerability list by @jayhuang-suse in #1109
Webhook connection through proxy by @becitsthere in #1114
NVSHAS-8493: Admission control configuration assessment message is no… by @williamlin-suse in #1113
NVSHAS-8495: show duplicated match rule info in post /v1/assess/admis… by @williamlin-suse in #1115
NVSHAS-8496: the final action should be denied when multiple containe… by @williamlin-suse in #1117
NVSHAS-8332, add additional fix to allow enable icmp policy enforcement by @gfsuse in #1119
NVSHAS-8502 authentication token missing by @holyspectral in #1121
Add missing NV_TAG label for controller by @becitsthere in #1123
NVSHAS-8483: EKS - error=kubectl command not found by @jayhuang-suse in #1127
NVSHAS-8523: Run 'Configuration Assessment' for a yaml should not gen… by @williamlin-suse in #1126
NVSHAS-8432: un-managed node with "zombie" enforcer running by @jayhuang-suse in #1124
[NVSHAS-8474] Resolve the symbolic link files under proc's root path by @pohanhuangtw in #1122
NVSHAS-8247: Less cross-check when processing CRD (increase the chann… by @williamlin-suse in #1128
NVSHAS-8453: enable proxy auth with http destination by @becitsthere in #1131
NVSHAS-8537 and NVSHAS-8538: goroutine crashes from leadChangeHandler() by @jayhuang-suse in #1130
NVSHAS-8532 Fix find container's symbolic link with correct proc root. by @pohanhuangtw in #1129
Compare strings with strings.EqualFold by @Juneezee in #1132
NVSHAS-8477&8370, support-bundle enforcer debug RPC call fail due to received message larger than max by @gfsuse in #1134
NVSHAS-5999 AWS bottlerocket benchmark execution error by @pohanhuangtw in #1082
NVSHAS-8334: Remote Repository Export by @alopez-suse in #1120
NVSHAS-8334: Export CRD into Github thru REST API (controller) by @williamlin-suse in #1136
NVSHAS-8568: cannot export crd yaml to other branch in remote repo by @williamlin-suse in #1138
NVSHAS-8560: unexpected NV.Protect incidents are found on stat command by @jayhuang-suse in #1137
NVSHAS-8284 Warning status for some Compliance checks which however were satisfied by @pohanhuangtw in #1135
NVSHAS-8570: Events for 'export to remote repo' always show: Do remot… by @williamlin-suse in #1139
NVSHAS-8571: Export to remote repo(github) result incorrectly returne… by @williamlin-suse in #1140
NVSHAS-7720-Enhance_UI_Performance, implement vulnerability UI pagina… by @jeffhuang4704 in #1142
NVSHAS-8460 Support newer version of kubernetes cis benchmark by @pohanhuangtw in #1133
NVSHAS-8575: Enhance the event message for remote repo export event by @williamlin-suse in #1143
NVSHAS-8574 & NVSHAS-8576: same name CRD yaml should be allow to export to differen… by @williamlin-suse in #1148
NVSHAS-8578 & NVSHAS-8579 by @alopez-suse in #1146
NVSHAS-8573 remove github.com/pkg/errors by @holyspectral in #1147
NVSHAS-8589: unexpected NV.Protect incidents are found on yq and sort commands by @jayhuang-suse in #1151
NVSHAS-8585 Adjust the bug level of the GetContainerRealFilePath by @pohanhuangtw in #1149
NVSHAS-8369, prevent false positive network implicit violation for external traffic by @gfsuse in #1150
NVSHAS-7720-Enhance_UI_Performance, add perf test and adjust orderbyc… by @jeffhuang4704 in #1154
NVSHAS-8596-Invalid_Syslog_certificate by @jeffhuang4704 in #1158
NVSHAS-8591 fix watchPlans race condition by @holyspectral in #1159
NVSHAS-8460 bug fix open shift yaml by @pohanhuangtw in #1157
NVSHAS-7720-Enhance_UI_Performance_support_change_sort by @jeffhuang4704 in #1156
NVSHAS-8598: unexpected NV.Protect incidents is found on find command by @jayhuang-suse in #1160
NVSHAS-8604: Support enabling/disabling remote repository by @williamlin-suse in #1166
NVSHAS-7720-Enhance UI Performance fix query error by @jeffhuang4704 in #1165
NVSHAS-8396: Fix strlcpy() without using Null-terminated string as src by @kyledong-suse in #1164
NVSHAS-8460 - Fix for UI showing in-complete message by @pohanhuangtw in #1162
NVSHAS-7720-Enhance_UI_Performance, adjust quick filter behavior by @jeffhuang4704 in #1167
NVSHAS-7720-Enhance_UI_Performance_fix_query by @jeffhuang4704 in #1169
NVSHAS-8622: unexpected NV.Protect incidents is found on support command by @jayhuang-suse in #1171
Add/Update process rules for ARM64 images by @jayhuang-suse in #1173
NVSHAS-8453: Fix issues on webhook with http proxy by @becitsthere in #1174
NVSHAS-8613 repeated sigsegv in one controller by @holyspectral in #1172
NVSHAS-8627: Add a process rule for the bench tests on the Openshift cluster. by @jayhuang-suse in #1176
NVSHAS-8162: To persist the 'accept' status for RBAC error notifications by @williamlin-suse in #1175
NVSHAS-8626: accepted alerts selection is not reset after rolling upgrade by @williamlin-suse in #1177
Revert "NVSHAS-8613 repeated sigsegv in one controller" by @holyspectral in #1178
NVSHAS-8622: unexpected NV.Protect incidents is found on support command by @jayhuang-suse in #1181
NVSHAS-8626: accepted alerts selection is not reset after rolling upgrade by @williamlin-suse in #1180
NVSHAS-8624-Vulnerabilities_Cluster_node_is_unstable by @jeffhuang4704 in #1179
NVSHAS-8613 repeated sigsegv in one controller by @holyspectral in #1182
Remove extra text from readme by @bbodenmiller in #1183
Disable OPA telemetry by default by @ntimo in #1185
NVSHAS-8639: Correct API doc typo by @becitsthere in #1186
NVSHAS-8636 Scanning workload takes longer compared to 5.2.4 by @jeffhuang4704 in #1187
NVSHAS-8564: run python in virtual env for allinone by @becitsthere in #1188
NVSHAS-8572: secrets/vul scanning engine does not ignore mounted files by @jayhuang-suse in #1190
NVSHAS-8590: Fix inconsistent scan status in non-lead controller by @becitsthere in #1191
NVSHAS-8653 Add impact sort, NVSHAS-8669 Fix Internal Server Error in pagination by @jeffhuang4704 in #1192
NVSHAS-8377: add RootlessKeypairsOnly flag to proto by @alopez-suse in #1193
NVSHAS-8678 - Fix for UI showing in-complete message by @pohanhuangtw in #1195
NVSHAS-8685: Scanner's docker client version 1.21 is deprecated and no longer supported by @jayhuang-suse in #1198
NVSHAS-8680: Skip non-image artifacts by @becitsthere in #1199
NVSHAS-8224, batch delete empty groups to improve auto removal performance by @gfsuse in #1196
NVSHAS-8660: rke 1.25: runtime driver can not connect with the cri-dockerd.sock by @jayhuang-suse in #1200
Nvshas 8377 impl by @alopez-suse in #1194
NVSHAS-8693: goroutine crash at container.(*crioDriver).getContainer() by @jayhuang-suse in #1201
Add function to read packages of an app by @becitsthere in #1203
NVSHAS-6483 add support for php composer by @Acmarr in #1207
NVSHAS-8703: Move image download function to scanner by @becitsthere in #1209
NVSHAS-8707: Fix segfault in standalone scanner by @becitsthere in #1213
NVSHAS-8156: UPDATE on Pod is not monitored by NV by @williamlin-suse in #1216
NVSHAS-5391 & 8631 Improve Host i/f update monitoring by @kyledong-suse in #1217
NVSHAS-8224, auto remove imorted empty groups by @gfsuse in #1218
NVSHAS-8716: Newer scanner error for local image and produce inaccurate scanning results by @jayhuang-suse in #1219
NVSHAS-8720 Fix agent crash at main.intfHostMonitorLoop(0xc0000c0190,… by @kyledong-suse in #1220
NVSHAS-8720: fix agent crash at main.intfHostMonitorLoop by @kyledong-suse in #1222
NVSHAS-8580: GCP warning about neuvector-validating-admission-webhook by @williamlin-suse in #1223
NVSHAS-8156: UPDATE on Pod is not monitored by NV by @williamlin-suse in #1227
NVSHAS-8711 Risk page - only return the filtered assets while advance… by @jeffhuang4704 in #1228
NVSHAS-8677 Fix enforcer crash for arm64 by @kyledong-suse in #1229
NVSHAS-8716: reverse API version change by @jayhuang-suse in #1233
NVSHAS-8286: Suggest the unhandled NV CR objects should be handled ag… by @williamlin-suse in #1234
NVSHAS-8756: config_v2 fixes for the REST API by @williamlin-suse in #1235
NVSHAS-8752 Add ipFqdnStorageMutex to protect reading ipFqdnStorageCache by @kyledong-suse in #1237
NVSHAS-8701 - Add $ for unexpected NV.Protect incidents is found on paste command by @pohanhuangtw in #1236
NVSHAS-8736: unexpected jar package alert from pod deployment by @jayhuang-suse in #1241
NVSHAS-7145: implement no proxy hosts for registry scans by @alopez-suse in #1211
NVSHAS-8791: SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x… by @williamlin-suse in #1242
NVSHAS-8780 - Fix the truncate msg in manual by @pohanhuangtw in #1245
NVSHAS-7145: compress fields into v2 object by @alopez-suse in #1243
NVSHAS-8820 In Risk page, the Published time in advanced filter behavior is inverted by @jeffhuang4704 in #1248
NVSHAS-8829 fix scored filter in risk page by @jeffhuang4704 in #1250
NVSHAS-8803: container is somehow unable to add to workload successfully frequently by @jayhuang-suse in #1249
NVSHAS-8780 - Fix the truncate msg in manual by @pohanhuangtw in #1247
NVSHAS-8812: rootlessKeypairsOnly overrides isPrivate by @alopez-suse in #1246
NVSHAS-8730 allow parsing multiple entries from manifest.mf by @Acmarr in #1252
NVSHAS-8551: Add pcap filename random length by @becitsthere in #1253
NVSHAS-8741: NeuVector scan shows inconsistent baseos image by @jayhuang-suse in #1254
NVSHAS-8520, allow traffic with LinkLocalUnicast IP for host-mode container by @gfsuse in #1255
NVSHAS-8730 / NVSHAS-8844 single entry per manifest.mf... by @Acmarr in #1257
NVSHAS-8829 scored filter issue by @jeffhuang4704 in #1258
NVSHAS-8730: Revert jar parsing changes. by @becitsthere in #1259
NVSHAS-7145: add v2 internal registry test types by @alopez-suse in #1261
NVSHAS-7145: add v2 registry test access by @alopez-suse in #1262
NVSHAS-8757,8730: Fix jar file package name parsing by @becitsthere in #1263
NVSHAS-8761, to prevent unexpected violation for hostmode container when allow rule exist by @gfsuse in #1264
Improve jar package parsing logic by @becitsthere in #1265
NVSHAS-8865, adjust early detection logic for host-mode container so that connection to external shows correct action by @gfsuse in #1266
NVSHAS-7145: correct proxy update by @alopez-suse in #1271
NVSHAS-8811: Increase repo scan limit to 32 by @becitsthere in #1275
NVSHAS-8648: Add group_dn to ldap server config by @becitsthere in #1279
NVSHAS-8886: Fix SQLi detection for "exec" statement by @kyledong-suse in #1281
NVSHAS-8901: Fix jar file parsing error by @becitsthere in #1282
NVSHAS-8904: Pre-existing NvClusterSecurityRule CRs are not handled w… by @williamlin-suse in #1285
Add statistic data interface of the scanner cacher by @becitsthere in #1288
NVSHAS-8906: Accept empty mediaType as OCI image by @becitsthere in #1292
NVSHAS-8847: Use default tempDir for jar parsing by @becitsthere in #1293
fix parsing of container id in container in container environments by @rjferguson21 in #1278
NVSHAS-8885: admission control user criteria reject comma as valid re… by @williamlin-suse in #1287
NVSHAS-8886: Add Word Boundaries before and after SQL keyword by @kyledong-suse in #1291
Cherry-pick scanner cache related commits by @becitsthere in #1295
NVSHAS-8519: Custom roles are not able to see everything the reader r… by @williamlin-suse in #1296
NVSHAS-8885: admission control user criteria reject comma as valid re… by @williamlin-suse in #1304
NVSHAS-8856: Re-init registry client when proxy setting changes by @becitsthere in #1305
NVSHAS-8952: the digest info is missing in local image scan by @jayhuang-suse in #1314
NVSHAS-8926 -Scanner read not-exist path when stand alone mode by @pohanhuangtw in #1311
NVSHAS-8908, not to use X-Forwarded-Port in security event by @gfsuse in #1318
NVSHAS-8969: REST-API should not accept 0 or negative value when setting mode_auto_d2m_duration and mode_auto_m2p_durationtt… by @jayhuang-suse in #1319
fix: NVSHAS-8968 resp.Body is not closed by @holyspectral in #1321
NVSHAS-8973: the value of .workloads[].privileged is incorrect in rke clusters with cri-dockerd runtime by @jayhuang-suse in #1323
NVSHAS-6483 fix incorrect map key for php parser by @Acmarr in #1322
NVSHAS-8144: Add another flag for dumping admission review payload in… by @williamlin-suse in #1325
NVSHAS-8974, separate hostmode and non-hostmode policyAddrMap to avoid false alert on host related traffic by @gfsuse in #1324
NVSHAS-8989, let such special passthrough packet from external to bypass policy match in the intermediate container by @gfsuse in #1328
fix: NVSHAS-8968 memory leak found during code review by @holyspectral in #1329
NVSHAS-9001 goroutine crash by @holyspectral in #1331
NVSHAS-7508: suggest to resume loading the initcfg or take some actio… by @williamlin-suse in #1330
NVSHAS-8979: CRD entry is already removed from kv, but still can be s… by @williamlin-suse in #1334
NVSHAS-8739: Report all occurrences of vul in different files by @becitsthere in #1336
NVSHAS-8995: add R-lang module parser by @jayhuang-suse in #1335
NVSHAS-8739: Report all occurrences of vul in different files (2) by @becitsthere in #1337
NVSHAS-8964: do not include "sudo" in the privilege escalation events by @jayhuang-suse in #1327
NVSHAS-8911: ProcessProfile: Child process of sshd should be reported as process violation when sshd parent is allowed but reported as suspicious process by @jayhuang-suse in #1297
NVSHAS-9026: dup and missing .NET module name by @jayhuang-suse in #1342
NVSHAS-8971-separate pod and nodes vulnerabilities in risk page by @jeffhuang4704 in #1343
NVSHAS-8846: Adding vuln count to exposed service report by @becitsthere in #1344
NVSHAS-9023: PP: Child process of sshd is still reported after white listing them in Basic and discovery mode by @jayhuang-suse in #1341
NVSHAS-8534 block usage of specific storage class name in Admission C… by @jeffhuang4704 in #1345
NVSHAS-9011: "Container list is empty" error happen in enforcer pod in GKE+Cilium cluster by @jayhuang-suse in #1340
NVSHAS-9028: unexpected NV.Protect incidents is found on crio-conmon command in k8s with crio runtime by @jayhuang-suse in #1348
NVSHAS-8990: Lower debug level for "fail to get image v1 schema" by @becitsthere in #1349
NVSHAS-8873: suspected false positive alerts on /etc/hosts modified by @jayhuang-suse in #1273
NVSHAS-9022, NVSHAS-9031: duplicate module entries by a JAR file by @jayhuang-suse in #1347
NVSHAS-9052 fix rest.validatePVC panic by @jeffhuang4704 in #1352
NVSHAS-8509: new API to return reg scan report without reg name by @becitsthere in #1353
NVSHAS-9054-Show-PVC-name-in-risk-report by @jeffhuang4704 in #1354
NVSHAS-8996, prioritize displaying remote hostip as address group by @gfsuse in #1351
NVSHAS-9058: Fix exception of rest API call by @becitsthere in #1356
NVSHAS-9057-panic-at-rest.handlerAssessAdmCtrlRules by @jeffhuang4704 in #1360
NVSHAS-6582 support claim sources on Azure OIDC (Azure Entra ID) by @holyspectral in #1362
NVSHAS-9060: Add content-type header in webhook by @becitsthere in #1363
NVSHAS-9061: the 60-second timer is reset after adding new file rules by @jayhuang-suse in #1364
NVSHAS-9055: continue parsing embedded jar files after parsing manife… by @becitsthere in #1365
NVSHAS-9064: /scan/image/ API should return scan result by image id by @becitsthere in #1369
NVSHAS-8392: the incorrect neuvector-validating-admission-webhook Val… by @williamlin-suse in #1371
NVSHAS-9059: CRD groups visible in NV even after deletion from K8s by @williamlin-suse in #1373
NVSHAS-9080: fed reader user is uanble to access POST /v1/fed/cluster… by @williamlin-suse in #1379
NVSHAS-9059: CRD groups visible in NV even after deletion from K8s by @williamlin-suse in #1388

New Contributors

@minchao made their first contribution in #955
@bbodenmiller made their first contribution in #1183
@ntimo made their first contribution in #1185
@rjferguson21 made their first contribution in #1278

Full Changelog: v8040.1...v5.3.3

neuvector/neuvector v5.3.3 Release 5.3.3 on GitHub

What's Changed

New Contributors

neuvector/neuvector v5.3.3
Release 5.3.3

on GitHub