Consolidated page of all release notes for Container Vulnerability Response from Yokohama to Zurich.
How to use this page
To help you prepare for your upgrade, we have combined the cross-family Container Vulnerability Response release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Yokohama to Zurich.
Tip: If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."
Important information for upgrading Container Vulnerability Response to Zurich
Before you upgrade to Zurich, review these pre- and post-upgrade tasks and complete the tasks as needed.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
If you are currently using Container Vulnerability Response, and you do not intend to upgrade to Unified Security Exposure Management (USEM), install a version below v30.x of Container Vulnerability Response and for upgrades to supported third-party integration applications.
The Missing Assets [sn_vul_wiz_missing_asset] table used for storing assets imported by the backfill integrations for the Vulnerability Response Integration with Wiz is deprecated. If you are currently using the Vulnerability Response with Wiz integrations, after updating to version 1.1, you must backdate any of your existing Wiz primary integrations by three days and run them. Please review more information about the Wiz integration at SecOps articles on the Security Operations Community.
For more information about the released versions of the Container Vulnerability Response application as well as the third-party and ServiceNow applications that are compatible with the Zurich release, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the Now Support Knowledge Base.
|
New features
Between your current release family and Zurich, new features were introduced for Container Vulnerability Response.
| Release |
Release notes |
Yokohama |
- Enhancements to the Vulnerability Manager and IT Remediation workspaces starting with version 2.13
  - The Unassign workflow is supported for container vulnerable items (CVITs) and remediation tasks (CVULs).
  - Streamline vulnerability assignments in the workspaces with the Unassign UI action from the more actions menu on a CVIT.
  - Reassign incorrectly assigned CVITs, clarify ownership for reassessment, and maintain accurate triage records in workspace views.
  - You have the option to send unassign requests for approval prior to clearing the Assigned to and Assignment group fields on records.
- You can use the following values imported from the Prisma Cloud Compute integration as conditions when you create or update your assignment rules to help you track ownership across your container environments.
  - Cloud account IDs
  - Image namespaces
  - Registry
  - Hosts
  - Labels
  - Status - Vendor status for a resolved (Fixed) vulnerability
- Create container remediation tasks manually in the Vulnerability Manager Workspace
  - With the sn_vul_container.vulnerability_analyst or sn_vul_container.vulnerability_admin role, you can create container remediation tasks manually by selecting some or all the records in the Container vulnerable items lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating container remediation tasks.
- Create container remediation tasks manually in the IT Remediation Workspace
  - With the role sn_vul_container.remediation_owner, you can create container remediation tasks manually by selecting some or all the records in the Container vulnerable items lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating container remediation tasks.
- Configure container vulnerable items (CVITs) granularity using Registry and data source
  - Starting with v2.12.2 of Container Vulnerability Response, you can configure the granularity of container vulnerable items (CVITs) using Registry information and data sources. Depending on the chosen data source, you can view either image or Kubernetes information related to a CVIT record.
- Additional columns in the container vulnerable items (CVITs) table
  - Starting with v2.12.2 of Container Vulnerability Response, you can see the precise date and time when a CVIT was first discovered, last opened, resolved, and last found, ensuring clarity and accounting for different time zones.
- View risk score details of a container vulnerable item in the Work Notes section
  - Starting with v2.12.2 of Container Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. Only after you enable it can you see all the changes related to the risk score of a container vulnerable item in the Work notes section. Additionally, the work notes are updated only if there's a change in the risk score.
|
Zurich |
- Remediation task rule execution mode
  - You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one remediation task. The default Match All mode continues to evaluate all applicable rules.
- Enhancements to the Vulnerability Response Integration with Wiz
  - The Universally Unique Identifier (UUID) that identifies detections for the Wiz Host Vulnerability integration will be mapped to a detection key. Note: This enhancement is supported for new customers only. For existing customers, the detection key for the Wiz Host Vulnerability integration is created using the combination of vulnerability, asset_id, and proof.
  - Added the source_id column to the Container Image Finding table (sn_vul_container_image_findings) and mapped the id attribute from the Wiz import to this field on findings records. Note: Perform a full import after upgrading to view the enhancement on container image findings, container image, and container image vulnerabilities records.
  - The image repository name format for new and existing discovered container images has been updated to align with the discovery format. The supported format is registry/repository. A separate finding is created for a repository present in each registry.
  - Appended all repositories that are associated with an image to the Repository field on the Discovered Container Image [sn_vul_container_image] table, which can help you see images from specific repositories.
  - The default integration instance parameter for configuring finding keys for the Container Vulnerability Integration includes src_ci, vulnerability, package, image_layer, and image_repository.
- Enhancements to the Vulnerability Response Integration with Wiz
  - The Missing Assets [sn_vul_wiz_missing_asset] table is deprecated. After updating to version 1.1, you must backdate your existing primary Wiz integrations by three days and run them.
  - The backfill integrations are activated by default. Once you have run them after updating to v1.1, the following backfill integrations are no longer required:
    - Host Vulnerability Backfill Integration
    - Test Results Backfill Integration
    - Host Test Results Backfill Integration
    - Issues Backfill Integration
  - Data for resources that have the validated_at_runtime flag set to 'yes' is imported and populated on detections.
  - The CMDB internet-facing field on the discovered item is mapped to Limited Internet Exposure on findings.
  - Fix information that includes 'Fix available', 'Partial fix available', 'No fix available', and 'Fix version' from the [fix_available] and [fix_version] columns is rolled up to CVITs from findings. Note: If there are two or more findings on a CVIT, the fixed version might only apply to one. In that case, 'Partial fix available' is rolled up to the CVIT.
  - The Wiz vendor severity attribute is mapped to the 'Source severity' column on findings records in the Container Image Findings [sn_vul_container_image_findings] table.
  - The cluster and namespace are evaluated for all of the following entity types: DEPLOYMENT, DAEMON_SET, STATEFUL_SET, POD.
- Import container vulnerability data with the Vulnerability Response Integration with Wiz
  - Import configuration test results from Wiz to detect non-compliant cloud configurations. Findings are mapped to cloud test results (CTRs) in the Configuration Compliance application to help you enforce security policies and standards across your cloud environment.
- Enhancements to imported scanner results
  - Enhancements support more scanner data on imports. Namespaces and hierarchy cluster are considered and populated in the discovered container image [sn_vul_container_image] table if this data is imported.
|
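The difference between the Match All and Match First execution modes described in the Zurich notes above can be seen in a small model. This is an added example, not ServiceNow code: the rule names, finding fields, the mode strings `match_all` and `match_first`, and the one-task-per-rule simplification are all constructed for illustration.

```javascript
// Simplified model of remediation task rule evaluation (added example).
// Rules, conditions and findings are constructed sample data.
const rules = [
  { name: "Critical in prod registry",
    matches: f => f.severity === "critical" && f.registry === "prod.example.test" },
  { name: "Anything in prod registry",
    matches: f => f.registry === "prod.example.test" },
  { name: "Catch-all", matches: () => true },
];

const findings = [
  { id: "F1", severity: "critical", registry: "prod.example.test" },
  { id: "F2", severity: "low", registry: "prod.example.test" },
  { id: "F3", severity: "high", registry: "dev.example.test" },
];

// Returns a Map of rule name -> finding ids (modelled as one task per rule).
function groupFindings(ruleList, findingList, mode) {
  if (mode !== "match_all" && mode !== "match_first") {
    throw new Error("unknown mode: " + mode);
  }
  const tasks = new Map();
  for (const f of findingList) {
    for (const rule of ruleList) {          // rules are evaluated in list order
      if (!rule.matches(f)) continue;
      if (!tasks.has(rule.name)) tasks.set(rule.name, []);
      tasks.get(rule.name).push(f.id);
      if (mode === "match_first") break;    // stop at the first matching rule
    }
  }
  return tasks;
}

// Counts how many tasks each finding landed in.
function tasksPerFinding(tasks) {
  const counts = {};
  for (const ids of tasks.values()) {
    for (const id of ids) counts[id] = (counts[id] || 0) + 1;
  }
  return counts;
}

console.log("Match All:  ", tasksPerFinding(groupFindings(rules, findings, "match_all")));
console.log("Match First:", tasksPerFinding(groupFindings(rules, findings, "match_first")));
```

In this model rule order decides ownership under Match First, so the most specific rules need to come before broad or catch-all rules.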
Changes
Between your current release family and Zurich, some changes were made to existing Container Vulnerability Response features.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | Configure maximum rows in related lists: To improve readability and performance, you can now limit the number of rows shown in related lists on forms by setting the system property sn_vul_cmn.related_list.set_max_row. |
Removed
Between your current release family and Zurich, some Container Vulnerability Response features or functionality were removed.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | No updates for this release. |
Deprecations
Between your current release family and Zurich, some Container Vulnerability Response features or functionality were deprecated.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | No updates for this release. |
Activation information
Review information on how to activate Container Vulnerability Response.
| Release | Release notes |
| --- | --- |
| Yokohama | Install Container Vulnerability Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. |
| Zurich | Install Container Vulnerability Response and third-party integrations by requesting them from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. |
Additional requirements
If any additional requirements were introduced or changed for Container Vulnerability Response, we have noted them here.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | No updates for this release. |
Browser requirements
If any specific browser requirements were introduced or changed for Container Vulnerability Response, we have noted them here.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | No updates for this release. |
Accessibility information
Review details on accessibility information for Container Vulnerability Response, such as specific requirements or compliance levels.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | Dark theme: The new Coral theme includes a dark theme option for web and mobile experiences. This option is commonly used to alleviate eye strain and improve readability. |
Localization information
If there are specific localization considerations for Container Vulnerability Response, we have noted them here.
| Release | Release notes |
| --- | --- |
| Yokohama | No updates for this release. |
| Zurich | No updates for this release. |
Highlight information
If there are specific highlight considerations for Container Vulnerability Response, we have noted them here.
| Release |
Release notes |
Yokohama |
- With the sn_vul_container.vulnerability_analyst or sn_vul_container.vulnerability_admin role, create container remediation tasks manually in the Vulnerability Manager Workspace.
- With the role sn_vul_container.remediation_owner, create container remediation tasks manually in the IT Remediation Workspace.
See Container Vulnerability Response for more information.
|
Zurich |
- If you are currently using Container Vulnerability Response and you want to upgrade to Unified Security Exposure Management (USEM), see Unified Security Exposure Management release notes for more information about USEM and the Unified Security Exposure Management migration.
- Import container image vulnerability data from the Wiz scanners into container vulnerable items (CVITs) with the Vulnerability Response Integration with Wiz.
- With the sn_vul_container.vulnerability_analyst or sn_vul_container.vulnerability_admin role, create container remediation tasks manually in the Vulnerability Manager Workspace.
- With the role sn_vul_container.remediation_owner, create container remediation tasks manually in the IT Remediation Workspace.
See Container Vulnerability Response for more information.
|