Xanadu |
- New Properties module
- Starting with v2.11.3 of Container Vulnerability Response, a new Properties module has been added to the navigation menu under the Administration section. This module enables direct modification of the
values, offering a user-friendly method to manage and update system properties directly from the interface.
- Create auto-close rules for Container Vulnerability Response
- Starting with v2.11.3 of Container Vulnerability Response, define auto-close rules with advanced conditions to automatically close older or stale CVITs based on defined filter criteria on container vulnerabilities.
- Customize the calculation of Age and Age closed parameters of a container vulnerable item
- Starting with v2.11.3 of Container Vulnerability Response, the Age and Age Closed durations of a Container Vulnerable Item can be configured to be calculated from the date in the Created, Opened, or First Found fields.
- Open the search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI
- Starting with v24.0.6 of Vulnerability Response, automatically open your search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI, by adjusting the application scope in the unified navigation bar to Vulnerability Manager Workspace or IT Remediation Workspace respectively. These application scopes are available to you based on your assigned role.
- Vulnerability Manager Workspace access to the sn_vul_container.read_all role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul_container.read_all role, you can view the container vulnerable items in the Vulnerability Manager Workspace.
- IT Remediation Workspace access to the sn_vul_container.read_assigned role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul_container.read_assigned role, you can view the container vulnerable items assigned to you and your assignment groups in the IT Remediation Workspace and remediate them.
- Navigate to the List page in the Vulnerability Manager Workspace or IT Remediation Workspace by selecting the links from the All menu
- Starting with v24.0.6 of Vulnerability Response, when you enable the 'sn_vul_cmn_ws.navigate_to_workspace' system property, selecting predefined filter links in the Container Vulnerability Response module from the 'All' menu will automatically
open these links in the List page in the Vulnerability Manager Workspace or IT Remediation Workspace based on your role.
- Hide the record count on the lists in the Vulnerability Manager Workspace and IT Remediation Workspace
- Starting with v24.0.6 of Vulnerability Response, you can hide the record count on the lists in the List page of the Vulnerability Manager Workspace and IT Remediation Workspace, by adding the table names to the glide.ui.list.seismic.omit.count system property.
- Enable automatic refresh for the Home page dashboard in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, when creating and editing filters on the Container Vulnerabilities tab on the Home page of the Vulnerability Manager Workspace, you can configure the widgets to automatically refresh. Otherwise, you can manually refresh the widgets by selecting the Refresh button on the Container Vulnerabilities
tab.
- Re-evaluating remediation properties for all records in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, you can evaluate the remediation properties for all the Container Vulnerable Items from the Container Vulnerable Items list by selecting the All items in the Record
selection field of the Re-evaluate remediation properties modal in the Vulnerability Manager Workspace.
- Re-evaluate the remediation properties for container vulnerable items in the Vulnerability Manager Workspace
- Select the container vulnerable items conditionally for reevaluating the following remediation properties in Vulnerability Manager Workspace:
- Assignments
- Remediation tasks
- Remediation target date
- Exceptions (Vulnerability Response v24.0.6)
- Risk score
- Enhanced processing performance of scheduled job
- The Rollup container vulnerable item values to vulnerability and group scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job into
several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task.
- for Container Vulnerability Response
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Container Vulnerability Response works as expected. If you customized Container Vulnerability Response, copy the quick start tests and configure them for your customizations.
- Vulnerability Response Prisma Registry Integration
- Now you can ingest the static image findings obtained from the Prisma registry scan into the ServiceNow Container Vulnerability Response.
|
Yokohama |
- Enhancements to the Vulnerability Manager and IT Remediation workspaces starting with version 2.13
- The Unassign workflow is supported for container vulnerable items (CVITs) and remediation tasks (CVULs).
- Streamline vulnerability assignments in the workspaces with the Unassign UI action from the more actions menu on a CVIT.
- Reassign incorrectly assigned CVITs, clarify ownership for reassessment, and maintain accurate triage records in workspace views.
- You have the option to send unassign requests for approval prior to clearing the Assigned to and Assignment group fields on records.
[Placeholder link text to key cvr-assignment-rules]. You can use the following values imported from the Prisma Cloud Compute integration as conditions when you create or update your assignment rules to help you track ownership across your
container environments.
- Cloud account IDs
- Image namespaces
- Registry
- Hosts
- Labels
- Status - Vendor status for a resolved (Fixed) vulnerability
- Create container remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vul_container.vulnerability_analyst or sn_vul_container.vulnerability_admin role, you can create container remediation tasks manually by selecting some or all the records in the Container vulnerable items lists
in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating container remediation tasks.
- Create container remediation tasks manually in the IT Remediation Workspace
- With the role sn_vul_container.remediation_owner, you can create container remediation tasks manually by selecting some or all the records in the Container vulnerable items’ lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating container remediation tasks.
- Configure container vulnerable items (CVITs) granularity using Registry and data source
- Starting with v2.12.2 of Container Vulnerability Response, you can configure the granularity of container vulnerable items (CVITs) using Registry information and data sources. Depending on the chosen data source, you can view either image or
kubernetes information related to a CVIT record.
- Additional columns in the container vulnerable items (CVITs) table
- Starting with v2.12.2 of Container Vulnerability Response, you can see the precise date and time when a CVIT was first discovered, last opened, resolved, and last found, ensuring clarity and accounting for different time zones.
- View risk score details of a container vulnerable item in the Work Notes section
- Starting with v2.12.2 of Container Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk
score of a container vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
|
Zurich |
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one
remediation task. The default Match All mode continues to evaluate all applicable rules.
- Enhancements to the Vulnerability Response Integration with Wiz
-
- The Universally Unique Identifier (UUID) that identifies detections for the Wiz Host Vulnerability integration will be mapped to a detection key.
Note: This enhancement is supported for new customers only. For existing
customers, the detection key for the Wiz Host Vulnerability integration is created using the combination of vulnerability, asset_id, and proof.
- Added the source_id column to the Container Image Finding table (sn_vul_container_image_findings) and mapped the id attribute from the Wiz import to this field on findings records.
Note: Perform a full import after
upgrading to view the enhancement on container image findings, container image, and container image vulnerabilities records.
- The image repository name format for new and existing discovered container images has been updated to align with the discovery format. The supported format is registry/repository. A separate finding is created for a
repository present in each registry.
- Appended all repositories that are associated with an image to the Repository field on the Discovered Container Image [sn_vul_container_image] table, which can help you see images from specific repositories.
- The default integration instance parameter for configuring finding keys for the Container Vulnerability Integration includes src_ci, vulnerability, package, image_layer, and image_repository.
- Enhancements to the Vulnerability Response Integration with Wiz
-
The Missing Assets [sn_vul_wiz_missing_asset] is deprecated. After updating to version 1.1, you must backdate your existing primary Wiz integrations by three days and run them.
The backfill integrations are activated by default.
After you run them after updating to v1.1, the following backfill integrations are no longer required:
- Host Vulnerability Backfill Integration
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
Data for resources that have the validated_at_runtime flag set to 'yes' is imported and populated on detections.
The CMDB internet-facing field on the discovered item is mapped to Limited Internet Exposure on findings.
Fix information that includes 'Fix available', 'Partial fix available', 'No fix available', and 'Fix version' from the [fix_available] and [fix_version] columns is rolled up to CVITs from findings. Note: If there are two or
more findings on a CVIT, the fixed version might only apply to one. In that case, 'Partial fix available' is rolled up to the CVIT.
The Wiz vendor severity attribute is mapped to the 'Source severity' column on findings records in the Container Image Findings [sn_vul_container_image_findings] table.
The cluster and namespace is evaluated for all the following entity Types: DEPLOYMENT, DAEMON_SET, STATEFUL_SET, POD.
- Import container vulnerability data with the Vulnerability Response Integration with Wiz
- Import configuration test results from Wiz to detect non-compliant cloud configurations. Findings are mapped to cloud test results (CTRs) in the Configuration Compliance application to help you enforce security policies and
standards across your cloud environment.
- Enhancements to imported scanner results
- Enhancements support more scanner data on imports. Namespaces and hierarchy cluster are considered and populated in the discovered container image [sn_vul_container_image] table if this data is imported.
|
Australia |
- Enhancements to Container Vulnerability Response
-
The image repository name format for new and existing discovered container images in the Container Vulnerability Response application has been updated to align with the discovery format. Perform a complete import to view the registry/repository enhancements on existing and new records.
- The registry/repository format is supported for all third-party integrations including the Vulnerability Response integration with Palo Alto Networks Prisma Cloud Compute and Vulnerability Response Integration with Wiz third-party integrations.
- Appended all repositories that are associated with an image to the Repository field on records on the Discovered Container Image [sn_vul_container_image] table, which can help you see images from specific
repositories.
- The default integration instance parameter for configuring finding keys for the Container Vulnerability Integration includes src_ci, vulnerability, package, image_layer, and image_repository.
Added the source_id column to the Container Image Finding [sn_vul_container_image_findings] table. Mapped the id attribute from imports to the Source id field on findings records for all third-party integrations including
the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute and Vulnerability Response Integration with Wiz third-party integrations.
- AWS Integration for Security Exposure Management
- The AWS Integration for Security Exposure Management supports integrations with the following AWS services:
- AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and
unintended network exposure. The Vulnerability Response integration with AWS Inspector imports host and container vulnerability findings from AWS Inspector.
- AWS Security Hub is a security service that is used to centralize and update security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports host, container vulnerabilities, and misconfigurations from AWS Security Hub.
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Defender Threat and Vulnerability Management (MS TVM) plugins are now consolidated into a single plugin: Microsoft Defender Integration for Security Exposure Management. This
consolidation deprecates the standalone Microsoft Defender for Cloud plugin. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable Items on
your instance. A guided migration path is available to transfer existing data from the deprecated applications to the unified plugin.
- Configure Image Vulnerability keys for Container Vulnerability Response CVIT creation
- Configure records on the Configure Image Vulnerability Keys [sn_vul_container_image_vulnerability_keys] table in your ServiceNow AI Platform® instance for the Image Vulnerability Keys that create container vulnerable items (CVIT)s.
- The Universally Unique Identifier (UUID) provided by Wiz is now mapped as the detection key for the Wiz Host Vulnerability integration.
- AWS ECS (Elastic Container Service) and AWS EKS (Elastic Kubernetes Service) environments are supported.
- Cluster and Service are supported for AWS ECS environments.
- Namespace, Registry, and Service are supported for AWS EKS environments.
- Choose either Scanner (third-party scanners) or Discovery (Configuration Management Database (CMDB)) as sources for data import for AWS ECS and AWS EKS.
Note:
If you choose Discovery as the data source, the Populate image relationships scheduled job runs daily to pre-import cluster and service details, and you should schedule your third-party
integration runs at least 4 hours after this scheduled job is completed to verify that the pre-import data is available. This job is activated by default, but you must set the schedule so it runs before your scheduled
third-party integration runs.
For new customers only: The system property, sn_vul_container.image_relationship_mapping_months sets the number of previous months (1-12) that you want your third-party integration to look for container image updates
when processing relationship mappings. This data is used to filter images by the sys_updated_on field. The default setting is three months. After you configure the integration run, relationship mapping is created for
images which have been scanned in the last 90 days and present in discovered container images.
- Column labels on the Container Vulnerable item [sn_vul_container_image_vulnerable_item] table are updated to support the scanner and discovery options, depending on your choice on the Configure Image Vulnerability Keys
configuration page:
- Cluster (Scanner) Namespace (scanner), and Service (scanner) for scanner data
- Cluster (Discovery), Namespace (Discovery) and Service (Discovery) for Discovery
|