github stackrox/stackrox 4.2.0-rc.2

Pre-release, 8 months ago

Added Features

  • Telemetry collection enabled by default for self-managed installations. Opt-out is available on bundle generation, or at any time via the System Configuration UI.
  • Integration with OpenShift Container Platform monitoring is configured and enabled by default for OpenShift 4 installations. The flag monitoring.openshift.enabled: false disables the integration.
  • A new environment variable ROX_DISABLE_REGISTRY_REPO_LIST has been added to Central (defaults to false). When set to true, it disables use of the registry repo list (/v2/_catalog) when matching integrations to image registries.
  • A new environment variable ROX_REGISTRY_MIRRORING_ENABLED has been added to Sensor that is set to true by default and enables processing registry mirrors during Sensor image enrichment. Mirror details are obtained via the ImageContentSourcePolicy, ImageDigestMirrorSet, and ImageTagMirrorSet CRs.
  • ROX-17112: CORE_BPF collection is now generally available.
  • ROX-17702: Product usage metrics experimental API: /v1/product/usage/secured-units/current, /v1/product/usage/secured-units/max. New /api/product/usage/secured-units/csv endpoint.
  • ROX-19096, ROX-19098, ROX-19099: StackRox Scanner now supports alpine:v3.18, debian:12, ubuntu:23.04, ubuntu:23.10

Removed Features

  • The --offline-mode flag for the roxctl scanner generate command was removed, as Scanner's default behavior is
    to fetch vulnerability updates from Central.
  • In version 4.0, RHACS released the collections feature that replaced access scopes used in report configurations.
    RHACS automatically created equivalent collections for access scopes used in existing report configurations and migrated report configurations to use newly-created collections.
    If the migration failed, the report configurations became non-functional, and RHACS logged the error messages in Central logs. In this release, any report configurations that could not be migrated will be deleted.

Deprecated Features

  • RBAC risk was deprecated in release 4.0 due to poor performance.
  • (Tech preview feature) CLI command roxctl generate netpol is deprecated in favor of roxctl netpol generate
  • (Tech preview feature) CLI command roxctl connectivity-map is deprecated in favor of roxctl netpol connectivity map
  • The CIS Docker v1.2.0 standard will be removed from RHACS Compliance checks starting in RHACS version 4.4.
  • The Syslog notifier used to send the message header incorrectly: the severity and name fields were flipped. Starting in this release, there is an option
    to choose the format in which the header is sent: CEF, which is the correct field order, or CEF (legacy field order), which is the older, incorrect order.
    The UI defaults to CEF, but when using the API, if no value is selected, the default is CEF (legacy field order).
    Starting in version 4.4 the notifier will default to CEF.
  • A few public endpoints will soon require authentication; ensure that any flow interacting with these endpoints is authenticated going forward:
    • /v1/featureflags
    • /v1/resources
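For teams that ingest these syslog messages into a SIEM, the following Go example (added here; not StackRox code) parses a CEF message and accepts both header layouts, detecting the legacy order by which of the two Name/Severity slots holds the integer severity, so both old and new notifier output normalize to the same record. It assumes the standard CEF header layout (`CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension`) with an integer severity in the 0-10 range; the sample messages, including the vendor and product strings in them, are constructed, not captured StackRox output, and the type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CEFEvent is the normalized header of a CEF-formatted syslog message.
type CEFEvent struct {
	Vendor      string
	Product     string
	Version     string
	SignatureID string
	Name        string
	Severity    int
	Extension   string
	LegacyOrder bool // true when Name and Severity arrived swapped
}

// Constructed sample messages (not captured StackRox output): the same event
// in the standard CEF header order and in the legacy (swapped) order.
const (
	SampleStandard = `CEF:0|StackRox|Central|4.2.0|policy-violation|Privileged Container|7|cat=policy`
	SampleLegacy   = `CEF:0|StackRox|Central|4.2.0|policy-violation|7|Privileged Container|cat=policy`
)

// splitCEF splits s on unescaped '|' into at most n fields; "\|" and "\\"
// inside a header field are CEF escapes and are unescaped, not split on.
// Once n-1 separators have been consumed, the rest (the extension) is kept whole.
func splitCEF(s string, n int) []string {
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s) && (s[i+1] == '|' || s[i+1] == '\\'):
			cur.WriteByte(s[i+1])
			i++
		case c == '|' && len(fields) < n-1:
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(fields, cur.String())
}

// ParseCEF parses one CEF message, tolerating a syslog prefix before "CEF:",
// and decides which header layout it uses: whichever of the two Name/Severity
// slots holds an integer is treated as the severity.
func ParseCEF(msg string) (CEFEvent, error) {
	start := strings.Index(msg, "CEF:")
	if start < 0 {
		return CEFEvent{}, errors.New("not a CEF message")
	}
	f := splitCEF(msg[start:], 8)
	if len(f) < 7 {
		return CEFEvent{}, fmt.Errorf("expected 7 header fields, got %d", len(f))
	}
	ev := CEFEvent{Vendor: f[1], Product: f[2], Version: f[3], SignatureID: f[4]}
	if len(f) == 8 {
		ev.Extension = f[7]
	}
	sev5, err5 := strconv.Atoi(strings.TrimSpace(f[5]))
	sev6, err6 := strconv.Atoi(strings.TrimSpace(f[6]))
	switch {
	case err6 == nil && err5 != nil: // standard: ...|Name|Severity|...
		ev.Name, ev.Severity = f[5], sev6
	case err5 == nil && err6 != nil: // legacy: ...|Severity|Name|...
		ev.Name, ev.Severity, ev.LegacyOrder = f[6], sev5, true
	default:
		return CEFEvent{}, errors.New("cannot tell Name from Severity: neither or both fields are integers")
	}
	if ev.Severity < 0 || ev.Severity > 10 {
		return CEFEvent{}, fmt.Errorf("severity %d outside the CEF range 0-10", ev.Severity)
	}
	return ev, nil
}

func main() {
	for _, m := range []string{SampleStandard, SampleLegacy} {
		ev, err := ParseCEF(m)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("name=%q severity=%d legacyOrder=%v\n", ev.Name, ev.Severity, ev.LegacyOrder)
	}
}
```

The `LegacyOrder` flag is worth keeping on the normalized record: counting how many events still arrive in the legacy order tells you which notifier configurations have not yet been switched to CEF before the 4.4 default change. A message whose severity is non-numeric in both slots is rejected rather than guessed.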

Technical Changes

  • ROX-16962: A new parameter spec.admissionControl.replicas has been added to the SecuredCluster CRD.
  • ROX-18073: The implementation of Add Capabilities policy criteria has been fixed to ensure violations are generated
    correctly for the specified values.
  • Rollback to a 3.y release or the 4.0 release will no longer be supported starting from 4.3.
  • Rollbacks from future releases to the 4.2 or later release will no longer require ForceRollbackVersion to be set.
  • ROX-18173: A few previously public endpoints now require authentication: /v1/metadata,
    /v1/database/status, /v1/mitreattackvectors. This reduces the surface for DoS attacks and
    prevents an attacker from taking advantage of the information served by these endpoints.
  • Non-autogenerated image integrations will no longer use the repo list (/v2/_catalog) during matching.
  • ROX-18477: Fixed an issue that broke operator installations if a Central or SecuredCluster CR configured egress proxy environment variables while the OpenShift cluster-wide proxy was enabled.
  • ROX-15969: The column Component Upgrade in vulnerability reports has been renamed to CVE Fixed In.
  • The removal of the /v1/report APIs in this release, announced in release 4.0.0, has been postponed by one release. Consequently, the /v1/report APIs remain available in this release.
  • The /api/docs/swagger API previously required read access on the Integration resource.
    Now it only requires the user to be authenticated to view the API docs.
  • StackRox Scanner will now opt to scan the image whose architecture matches the Scanner's architecture instead of always opting for amd64 when scanning a multi-arch image.
    • For example, if StackRox Scanner is running on arm64, and there is an arm64 version of the multi-arch image, it will scan that arm64 image.
    • If there is no image which matches Scanner's architecture, then it will attempt to scan the amd64 version, as it did previously.
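The selection rule above, as an added Go example that is not the Scanner's own code: given an OCI image index (manifest list), it picks the manifest whose platform matches the Scanner's architecture and otherwise falls back to the amd64 manifest, reporting which case applied and failing when neither exists. The image index and its digests are constructed sample data, and the type and function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal view of an OCI image index (manifest list): only the fields the
// selection rule needs.
type platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

type manifestDescriptor struct {
	MediaType string    `json:"mediaType"`
	Digest    string    `json:"digest"`
	Platform  *platform `json:"platform,omitempty"`
}

type imageIndex struct {
	Manifests []manifestDescriptor `json:"manifests"`
}

// FallbackArch is used when no manifest matches the scanner's own architecture.
const FallbackArch = "amd64"

// SelectManifest returns the digest of the manifest to scan: the linux
// manifest for scannerArch if present, otherwise the linux amd64 manifest.
// The bool reports whether the amd64 fallback was used; an error means
// neither manifest exists in the index.
func SelectManifest(indexJSON []byte, scannerArch string) (string, bool, error) {
	var idx imageIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", false, fmt.Errorf("parse image index: %w", err)
	}
	find := func(arch string) string {
		for _, m := range idx.Manifests {
			// Descriptors without a platform, or with a non-linux OS (buildx
			// attestation entries use os "unknown"), are never scan targets.
			if m.Platform == nil || m.Platform.OS != "linux" {
				continue
			}
			if m.Platform.Architecture == arch {
				return m.Digest
			}
		}
		return ""
	}
	if d := find(scannerArch); d != "" {
		return d, false, nil
	}
	if scannerArch != FallbackArch {
		if d := find(FallbackArch); d != "" {
			return d, true, nil
		}
	}
	return "", false, errors.New("no linux manifest for " + scannerArch + " or " + FallbackArch)
}

// SampleIndex is a constructed image index (the digests are placeholders, not
// real image content) with amd64 and arm64 images plus a buildx attestation entry.
const SampleIndex = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:placeholder-amd64", "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:placeholder-arm64", "platform": {"architecture": "arm64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:placeholder-attestation", "platform": {"architecture": "unknown", "os": "unknown"}}
  ]
}`

func main() {
	for _, arch := range []string{"arm64", "amd64", "s390x"} {
		d, fallback, err := SelectManifest([]byte(SampleIndex), arch)
		fmt.Printf("scanner=%s digest=%s fallback=%v err=%v\n", arch, d, fallback, err)
	}
}
```

Recording the fallback flag alongside scan results matters for vulnerability reporting: when the Scanner runs on arm64 but scanned the amd64 variant, the findings describe a different binary set than the one your arm64 nodes actually run.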
