Added Features
- Telemetry collection is enabled by default for self-managed installations. You can opt out when generating the bundle, or at any time via the System Configuration UI.
- Integration with OpenShift Container Platform monitoring is configured and enabled by default for OpenShift 4 installations. The flag `monitoring.openshift.enabled: false` disables the integration.
- A new environment variable `ROX_DISABLE_REGISTRY_REPO_LIST` has been added to Central (defaults to `false`). When set to `true`, it disables use of the registry repo list (`/v2/_catalog`) when matching integrations to image registries.
- A new environment variable `ROX_REGISTRY_MIRRORING_ENABLED` has been added to Sensor. It is set to `true` by default and enables processing of registry mirrors during Sensor image enrichment. Mirror details are obtained from the `ImageContentSourcePolicy`, `ImageDigestMirrorSet`, and `ImageTagMirrorSet` CRs.
- ROX-17112: CORE_BPF collection is now generally available.
- ROX-17702: Product usage metrics experimental API: `/v1/product/usage/secured-units/current`, `/v1/product/usage/secured-units/max`. New `/api/product/usage/secured-units/csv` endpoint.
- ROX-19096, ROX-19098, ROX-19099: StackRox Scanner now supports alpine:v3.18, debian:12, ubuntu:23.04, ubuntu:23.10.
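The mirror-processing item above is easiest to reason about with the resolution rule written out. The following is an added example, not Sensor's own code: it takes trimmed, constructed copies of the three CR kinds named above and returns the ordered list of references an enrichment step would try for an image. Assumptions not stated on the page: the longest matching `source` prefix wins (the rule CRI-O applies to the registries.conf these CRs are rendered into), `ImageContentSourcePolicy` and `ImageDigestMirrorSet` entries apply only to digest references while `ImageTagMirrorSet` applies only to tag references, `mirrorSourcePolicy: NeverContactSource` suppresses the fallback to the source registry, and image references are fully qualified with the registry host first.

```python
"""Resolve which registries an enrichment step would try for an image, given OpenShift mirror CRs.

Added example, not RHACS/Sensor code. The three CR documents below are constructed
and trimmed to the fields the logic needs. Assumed rules (see the lead-in): longest
matching `source` prefix wins; ICSP and IDMS entries apply to digest references only,
ITMS entries to tag references only; NeverContactSource drops the source fallback;
references are fully qualified (registry host first).
"""
from dataclasses import dataclass

ICSP = {  # operator.openshift.io/v1alpha1 (deprecated in favour of IDMS)
    "kind": "ImageContentSourcePolicy",
    "spec": {"repositoryDigestMirrors": [
        {"source": "quay.io", "mirrors": ["quay-cache.internal"]},
    ]},
}
IDMS = {  # config.openshift.io/v1
    "kind": "ImageDigestMirrorSet",
    "spec": {"imageDigestMirrors": [
        {"source": "registry.redhat.io/advanced-cluster-security",
         "mirrors": ["mirror.internal/rhacs", "mirror-dr.internal/rhacs"],
         "mirrorSourcePolicy": "NeverContactSource"},
    ]},
}
ITMS = {  # config.openshift.io/v1
    "kind": "ImageTagMirrorSet",
    "spec": {"imageTagMirrors": [
        {"source": "docker.io/library", "mirrors": ["hub-proxy.internal/library"]},
    ]},
}

# kind -> (list field under spec, reference kind the entries apply to)
_ENTRIES = {
    "ImageContentSourcePolicy": ("repositoryDigestMirrors", "digest"),
    "ImageDigestMirrorSet": ("imageDigestMirrors", "digest"),
    "ImageTagMirrorSet": ("imageTagMirrors", "tag"),
}


@dataclass(frozen=True)
class Ref:
    repo: str    # registry/namespace/name
    suffix: str  # ":tag" or "@sha256:..."
    kind: str    # "tag" or "digest"


def parse_ref(image: str) -> Ref:
    """Split an image reference into repository and tag/digest suffix."""
    if "@" in image:
        repo, digest = image.split("@", 1)
        return Ref(repo, "@" + digest, "digest")
    head, _, last = image.rpartition("/")
    if ":" in last:  # a ':' after the last '/' is a tag (before it, a registry port)
        name, tag = last.split(":", 1)
        return Ref(head + "/" + name if head else name, ":" + tag, "tag")
    return Ref(image, ":latest", "tag")


def _source_matches(source: str, repo: str) -> bool:
    # Source may be a host, host/namespace, or a full repository; match on path boundaries.
    return repo == source or repo.startswith(source + "/")


def mirror_candidates(image: str, policies) -> list:
    """Ordered references to try: mirrors first, then the source unless forbidden."""
    ref = parse_ref(image)
    best_source, best_entry = None, None
    for doc in policies:
        list_key, applies_to = _ENTRIES[doc["kind"]]
        if applies_to != ref.kind:
            continue
        for entry in doc["spec"].get(list_key, []):
            src = entry["source"]
            if _source_matches(src, ref.repo) and (best_source is None or len(src) > len(best_source)):
                best_source, best_entry = src, entry
    if best_entry is None:
        return [image]
    remainder = ref.repo[len(best_source):]
    candidates = [m + remainder + ref.suffix for m in best_entry["mirrors"]]
    if best_entry.get("mirrorSourcePolicy", "AllowContactingSource") != "NeverContactSource":
        candidates.append(image)
    return candidates


if __name__ == "__main__":
    policies = [ICSP, IDMS, ITMS]
    for img in (
        "registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8@sha256:0123",
        "registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.2.0",
        "docker.io/library/nginx:1.25",
        "quay.io/stackrox-io/main@sha256:4567",
    ):
        print(img, "->", mirror_candidates(img, policies))
```

The second reference in the usage block is the one to look at: the same image pulled by tag gets no mirror at all, because only the digest-scoped CR covers it. In a disconnected cluster that means a tag-pulling deployment needs an `ImageTagMirrorSet` entry too, or enrichment cannot reach the bytes the node actually ran. With `NeverContactSource`, a failed mirror yields a failed scan rather than a quiet fallback to the upstream registry, which is the behaviour you want when the upstream is meant to be unreachable.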
Removed Features
- The `--offline-mode` flag for the `roxctl scanner generate` command was removed, as Scanner's default behavior is to fetch vulnerability updates from Central.
- In version 4.0, RHACS released the collections feature, which replaced the access scopes used in report configurations. RHACS automatically created equivalent collections for access scopes used in existing report configurations and migrated those report configurations to use the newly created collections. If the migration failed, the report configurations became non-functional, and RHACS logged the error messages in Central logs. In this release, any report configurations that could not be migrated will be deleted.
Deprecated Features
- RBAC risk was deprecated in release 4.0 due to poor performance.
- (Tech preview feature) The CLI command `roxctl generate netpol` is deprecated in favor of `roxctl netpol generate`.
- (Tech preview feature) The CLI command `roxctl connectivity-map` is deprecated in favor of `roxctl netpol connectivity map`.
- The CIS Docker v1.2.0 standard will be removed from RHACS Compliance checks starting in RHACS version 4.4.
- The Syslog notifier used to send the message header incorrectly: the severity and name fields were flipped. Starting in this release, there is an option to choose which format the header is sent in: `CEF`, which is the correct order, or `CEF (legacy field order)`, which is the older, incorrect order. The UI defaults to `CEF`, but when using the API, if no value is selected it defaults to `CEF (legacy field order)`. Starting in version 4.4 the notifier will default to `CEF`.
- A few public endpoints will soon require authentication; ensure that any flow interacting with these endpoints is authenticated going forward: `/v1/featureflags`, `/v1/resources`.
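The Syslog notifier item above matters mostly on the receiving side: a SIEM parser written against the legacy order will misread severity once a Central is switched to `CEF`, and vice versa. The following is an added example, not RHACS code. It builds a header in both orders using the ArcSight CEF layout (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`) and parses lines in either order, reporting which one was seen, so a collector can tolerate the transition. Vendor, product and signature values are constructed placeholders, not what RHACS actually emits.

```python
"""Build and parse Syslog CEF headers in both field orders the notifier can emit.

Added example, not RHACS code. Header layout is the ArcSight CEF one:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
"CEF (legacy field order)" swaps Name and Severity. Vendor, product and signature
values are constructed placeholders.
"""
import re

# Severity as CEF allows it: 0-10 or one of the named levels.
_SEVERITY = re.compile(r"^(?:[0-9]|10|Low|Medium|High|Very-High)$", re.IGNORECASE)


def _escape_header(value: str) -> str:
    # Header fields escape backslash and pipe; '=' only matters inside the extension.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def build_cef(vendor, product, device_version, signature_id, name, severity,
              extension="", legacy_order=False):
    """Return one CEF line; legacy_order=True reproduces the old swapped header."""
    fields = [vendor, product, device_version, signature_id, name, str(severity)]
    if legacy_order:
        fields[4], fields[5] = fields[5], fields[4]   # severity before name
    return "CEF:0|" + "|".join(_escape_header(f) for f in fields) + "|" + extension


def _split_header(line: str):
    """Split on unescaped '|' into the 7 header fields; return them and the extension."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("truncated CEF header: %r" % line)
    return parts, line[i:]


def parse_cef(line: str) -> dict:
    """Parse a CEF line in either header order and report which order was used.

    If field 7 is a valid severity the line is in spec order; otherwise, if field 6
    is, it is in legacy order. A policy name that is itself a bare number would be
    ambiguous; spec order wins in that case.
    """
    parts, extension = _split_header(line)
    if not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    f6, f7 = parts[5], parts[6]
    if _SEVERITY.match(f7):
        name, severity, order = f6, f7, "CEF"
    elif _SEVERITY.match(f6):
        name, severity, order = f7, f6, "CEF (legacy field order)"
    else:
        raise ValueError("no severity in field 6 or 7: %r" % line)
    return {
        "cef_version": parts[0][4:], "vendor": parts[1], "product": parts[2],
        "device_version": parts[3], "signature_id": parts[4],
        "name": name, "severity": severity, "extension": extension, "order": order,
    }


if __name__ == "__main__":
    args = ("ExampleVendor", "ExampleProduct", "4.2.0", "POLICY_VIOLATION",
            "Privileged Container|Root FS", 7, "cs1=deployment-x cs1Label=deployment")
    for legacy in (False, True):
        line = build_cef(*args, legacy_order=legacy)
        print(line)
        print("  parsed as:", parse_cef(line)["order"])
```

The escaping is not cosmetic: a policy name containing `|` is legal once escaped, and a parser that splits on every pipe would shift the severity field on exactly those alerts. Run the sample against your collector's CEF rule before flipping the notifier setting, and log the `order` value for a while so a mix of Centrals on different settings is visible rather than silently mis-scored.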
Technical Changes
- ROX-16962: A new parameter `spec.admissionControl.replicas` has been added to the `SecuredCluster` CRD.
- ROX-18073: The implementation of the Add Capabilities policy criteria has been fixed to ensure violations are generated correctly for the specified values.
- Rollback to a 3.y release or the 4.0 release will no longer be supported starting from 4.3.
- Rollbacks from future releases to the 4.2 or later release will no longer require `ForceRollbackVersion` to be set.
- ROX-18173: A few previously public endpoints now require authentication: `/v1/metadata`, `/v1/database/status`, `/v1/mitreattackvectors`. This reduces the surface for DoS attacks and prevents an attacker from taking advantage of the information served by these endpoints.
- Non-autogenerated image integrations will no longer use the repo list (`/v2/_catalog`) during matching.
- ROX-18477: Fixed an issue that broke operator installations if a `Central` or `SecuredCluster` CR configured egress proxy environment variables while the OpenShift cluster-wide proxy was enabled.
- ROX-15969: The column `Component Upgrade` in vulnerability reports has been renamed to `CVE Fixed In`.
- The removal of the `/v1/report` APIs in this release, which was announced in release 4.0.0, has been postponed by one release. Consequently, the `/v1/report` APIs will continue to be available in this release.
- The `/api/docs/swagger` API previously required read access on the resource `Integration`. Now it only requires users to be authenticated to view the API docs.
- StackRox Scanner will now opt to scan the image whose architecture matches the Scanner's architecture instead of always choosing amd64 when scanning a multi-arch image.
  - For example, if StackRox Scanner is running on arm64, and there is an arm64 version of the multi-arch image, it will scan that arm64 image.
  - If there is no image which matches Scanner's architecture, then it will attempt to scan the amd64 version, as it did previously.
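The multi-arch selection rule above, written out over an OCI image index. This is an added example, not StackRox Scanner code: it prefers the child manifest whose platform matches the scanner's architecture and otherwise falls back to amd64, as the notes describe. The image index is constructed and its digests are placeholders. Two details are my own assumptions rather than anything the page states: BuildKit attestation entries (platform `unknown/unknown`) are skipped, and when neither the matching architecture nor amd64 is present the function fails loudly instead of scanning an arbitrary manifest.

```python
"""Choose which manifest of a multi-arch image to scan.

Added example, not StackRox Scanner code. Rule: prefer the manifest whose platform
matches the scanner's own architecture, else fall back to amd64. The image index is
constructed; digests are placeholders. Skipping attestation manifests
(platform unknown/unknown) and failing when no candidate exists are assumptions.
"""
import platform

INDEX_MEDIA_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

# Constructed image index: amd64, arm64 and s390x builds plus one attestation entry.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": _MANIFEST, "digest": "sha256:aaaa", "size": 1,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": _MANIFEST, "digest": "sha256:bbbb", "size": 1,
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": _MANIFEST, "digest": "sha256:cccc", "size": 1,
         "platform": {"architecture": "s390x", "os": "linux"}},
        {"mediaType": _MANIFEST, "digest": "sha256:dddd", "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
    ],
}

_GOARCH = {"x86_64": "amd64", "AMD64": "amd64", "aarch64": "arm64", "arm64": "arm64"}


def scanner_arch() -> str:
    """Architecture of this process, in the GOARCH-style names image platforms use."""
    m = platform.machine()
    return _GOARCH.get(m, m)


def select_manifest(manifest: dict, arch: str, os_name: str = "linux") -> dict:
    """Return the child manifest to scan, or the manifest itself if it is single-arch."""
    if manifest.get("mediaType") not in INDEX_MEDIA_TYPES:
        return manifest
    by_arch = {}
    for child in manifest.get("manifests", []):
        plat = child.get("platform") or {}
        if plat.get("os") != os_name or plat.get("architecture") in (None, "unknown"):
            continue   # wrong OS, or an attestation/unknown entry
        by_arch.setdefault(plat["architecture"], child)   # keep the first entry per arch
    for wanted in (arch, "amd64"):
        if wanted in by_arch:
            return by_arch[wanted]
    raise LookupError("index has no %s/%s and no %s/amd64 manifest" % (os_name, arch, os_name))


if __name__ == "__main__":
    for arch in ("arm64", "ppc64le", scanner_arch()):
        chosen = select_manifest(SAMPLE_INDEX, arch)
        print("scanner on %-8s scans %s (%s)"
              % (arch, chosen["digest"], chosen["platform"]["architecture"]))
```

The check worth keeping from this is the fallback branch: a ppc64le scanner still produces a report for the amd64 layers, which are not the bytes running on its nodes, so package-level findings for that fleet should be read with that in mind. The example ignores the `variant` field (arm/v7 vs v8); if your indexes carry several variants of one architecture, match on it as well rather than taking the first entry.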