Removed Features
- ROX-11784: The `RenamePolicyCategory` and `DeletePolicyCategory` methods in the `v1/policycategories` endpoint have been removed.
- Support for violation tags and process tags has been removed.
Deprecated Features
- ROX-11284: Permission `ClusterCVE` is deprecated and will be superseded by the existing permission `Cluster`. `Label` and `Annotation` search options are deprecated and will be removed in 3.73. Use the following search options starting 3.73:

  | Resource | Deprecated Search Option | New Search Option |
  | --- | --- | --- |
  | Node | Label | Node Label |
  | Node | Annotation | Node Annotation |
  | Namespace | Label | Namespace Label |
  | Deployment | Label | Deployment Label |
  | ServiceAccount | Label | Service Account Label |
  | ServiceAccount | Annotation | Service Account Annotation |
  | K8sRole | Label | Role Label |
  | K8sRole | Annotation | Role Annotation |
  | K8sRoleBinding | Label | Role Binding Label |
  | K8sRoleAnnotation | Annotation | Role Binding Annotation |
Technical Changes
- ROX-11181: Any cluster that has been unhealthy (defined as Central being unable to reach the Sensor running on that cluster) for a configured period of time will be automatically removed. The number of days after which an 'unhealthy' cluster is removed can be configured in the System Configuration page or using the cluster API.
  - Any cluster that is expected to be unavailable for a period of time (e.g. clusters used in disaster recovery) can be tagged with a customizable label. Clusters with those labels will never be removed automatically.
  - By default, this unhealthy cluster removal is disabled (number of days set to 0).
- ROX-7591: Policy `Fixable CVSS >= 6 and Privileged` is disabled by default on new installations; new policy `Severity Important and Privileged` has been added and is enabled by default.
- ROX-11348: The email notifier now allows for unauthenticated SMTP. By default, authentication is still required for an email notifier, but the user can now choose to turn it off.
- Previously, the syslog integration did not respect a configured TCP proxy. This is now fixed.
- In a future release, the default technique used by string expression searches will be to match any substring. Currently, string search uses prefix matching in most cases.
- ROX-9484: When integrating a Quay registry, you can now optionally use a robot account instead of only OAuth tokens. Robot accounts are Quay's recommended integration credentials. However, integration with the Quay scanner still requires an OAuth token.
- The `init-db` init-container for ScannerDB now specifies resource requests/limits which match the `db` container in ScannerDB.
- Starting 3.73, the CSV export API `/api/vm/export/csv` will require the `CVE Type` filter to be passed as part of the input query parameter. Requests that do not have the filter will error out.
  - Examples: `CVE Type:NODE_CVE`, `CVE_Type:IMAGE_CVE`, `CVE_TYPE:K8S_CVE`