Components installed with Container Vulnerability Response
Several types of components are installed with activation of the Container Vulnerability Response application, including tables, user roles, and scheduled jobs.
Demo data is available for this feature.
Starting with v2.11 of Container Vulnerability Response, the most frequently used system properties are now accessible within the Container Vulnerability Response application. To view these system properties, navigate to .
Roles installed with Container Vulnerability Response
Roles are added with activation of Container Vulnerability Response.
Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.
If you are an upgrade customer, access for the users and groups you assigned with the sn_vul.vulnerability_read and sn_vul.vulnerability_write permissions prior to v10.3 has not changed. Users and groups remain assigned with these roles until you change them. However, starting with v10.3, you may prefer assigning granular roles for more control over what users and groups can do and see in the Vulnerability Response application. For an overview and more information about managing these roles, see Vulnerability Response personas and granular roles and Manage persona and granular roles for Vulnerability Response.
| Role title [name] | Description |
|---|---|
| sn_vul_container.delete | Deletes source records. Contains the sn_vul_cmn.delete, and sn_vul_container.delete_vi roles. |
| sn_vul_container.ci_manager | Manages reclassification of unmatched configuration items (CIs). |
| sn_vul_container.configure_integrations | Configures container integrations. |
| sn_vul_container.configure_vi_granularity | Configures container vulnerable item granularity. |
| sn_vul_container.create_vi | Can create container vulnerable items manually. |
| sn_vul_container.delete_vi | Can delete manually created container vulnerable items. |
| sn_vul_container.exception_approver | Approves exceptions, deferrals, and closures of container vulnerable items. Contains sn_vul.view_manager_workspace role. Starting with v2.3, the granular role, sn_vul_container.read_all, has been removed for this role so that you can access the container vulnerable items and remediation tasks assigned to you and your group instead of all the container vulnerable items and remediation tasks. |
| sn_vul_container.false_positive_approver | Approves or rejects closing container vulnerable items as a false positive. Contains the sn_vul.view_manager_workspace role. |
| sn_vul_container.manage_assignment_rules | Defines and updates container vulnerable items assignment rules. |
| sn_vul_container.manage_auto_close_stale_vi | Configures the auto-close of stale container vulnerable items. |
| sn_vul_container.manage_auto_exception_rule | Manages (creates, reads, updates, and deletes) exception rules. |
| sn_vul_container.manage_normalized_severity | Can update the mapping to normalize the severity. |
| sn_vul_container.manage_permissions | Can assign container vulnerability response roles to users. |
| sn_vul_container.manage_remediation_target_rules | Defines and updates container remediation target rules. |
| sn_vul_container.manage_risk_score_configuration | Defines and updates risk score Calculators, risk rules, and vulnerability Rollup Calculators for Container Vulnerable Items. |
| sn_vul_container.read_all | Can view all container vulnerable items and related information. Contains the sn_vul.view_manager_workspace role. |
| sn_vul_container.read_assigned | Can view container vulnerable items assigned to you or your groups either in the Classic UI or IT Remediation Workspace. Contains the sn_vul.view_rem_workspace role. Important: Starting with v24.0 of Vulnerability Response, the sn_vul_container.read_assigned role has the privilege to access the IT Remediation Workspace. |
| sn_vul_container.read_assignment_rules | Can view container vulnerable items Assignment Rules. |
| sn_vul_container.read_auto_exception_rule | Can read exception rules. |
| sn_vul_container.read_discovered_image | Can view discovered items. |
| sn_vul_container.read_integrations | Can view results from integration runs. |
| sn_vul_container.read_normalized_severity | Can view the normalized severity mapping. |
| sn_vul_container.read_remediation_target_rules | Can view Remediation Target Rules. |
| sn_vul_container.read_risk_score_configuration | Can view risk score calculators, risk rules, and vulnerability rollup calculators for Container Vulnerable Items. |
| sn_vul_container.remediation_owner | Reads and writes container vulnerable items assigned to them. Vulnerability records are also readable by a user with this role. |
| sn_vul_container.update_assigned_to | Can update assignment of container vulnerable items. Requires sn_vul_container.write_all or sn_vul_container.write_assigned. |
| sn_vul_container.update_assignment_group | Can update assignment group for container vulnerable items. Requires sn_vul_container.write_all or sn_vul_container.write_assigned. |
| sn_vul_container.update_state | Can update states of vulnerable items. Requires sn_vul_container.write_all or sn_vul_container.write_assigned. |
| sn_vul_container.vulnerability_admin | Configures all rules, integrations, and so on for the Container Vulnerability Response product. |
| sn_vul_container.vulnerability_analyst | Monitors remediation of all container vulnerable items. |
| sn_vul_container.write_all | Can update all container vulnerable items and remediation tasks. |
| sn_vul_container.write_assigned | Can update container vulnerable items or remediation tasks assigned to you or your groups. |
| sn_vul_container.read_watch_topic | Can read Watch Topics for container vulnerabilities. |
| sn_vul_container.create_watch_topic | Can create Watch Topics for container vulnerabilities. |
| sn_vul_container.edit_watch_topic | Can edit Watch Topics for container vulnerabilities. |
| sn_vul_container.manage_exception_configuration | Can manage exception management configurations. |
Tables installed with Container Vulnerability Response
Tables are added with activation of Container Vulnerability Response (CVR).
| Table [name] | Description |
|---|---|
| Container image finding [sn_vul_container_image_findings] | Stores information on the associated vulnerabilities, image layer, Docker image, image repository, and discovered image. Starting with v2.11.3 of Container Vulnerability Response, you can also view the path where the finding is shown. |
| Container Image Layer [sn_vul_container_image_layer] | Contains the information of each image layer. An image is a static file with executable code that can create a container on a computing system. |
| Container Image Package [sn_vul_container_image_package] | Provides information about the packages where the vulnerabilities exist. The binary package details are also provided as a comma-separated value. Starting with v2.11.3 of Container Vulnerability Response, you can also view the package URL (PURL). |
| Container vulnerable item [sn_vul_container_image_vulnerable_item] | Contains details of each finding and the corresponding vulnerability. Starting with v2.11.3 of Container Vulnerability Response, you can also view information on the last scan date of an image running as a container. |
| Vulnerability Entry [sn_vul_entry] | Provides information on the severity of a CVE and any additional information sent by Prisma. |
| Discovered container image [sn_vul_container_image] | Provides information on the image ID, Docker image, and the image repository. It also stores the layer information and associates it with the discovered image. Starting with v2.11.3 of Container Vulnerability Response, it also provides the image digest of a Docker image, the last scan date of an image running as a container, and the registry. |
| Finding Mappings [sn_vul_container_finding_m2m_vul_item] | M2M relationship between the container image findings and the container vulnerable items (CVITs). |
| Auto-close Vulnerable Items [sn_vul_container_image_auto_close_config] | Contains the information on how to close stale container image findings and roll up the state to the CVITs. |
| Container Image Vulnerability Keys [sn_vul_container_image_vulnerability_keys] | Contains the granularity configuration for creating CVITs from the container image findings. |
| Docker Related Services [sn_vul_cmn_m2m_ci_services] | Contains all the business services related to a container image. |
| VR Container Counts [sn_vul_container_vr_container_counts] | Contains the rolling average of container instances spun up from a container image over the last 90 days. |
| Container Remediation Task Item [sn_vul_container_m2m_vul_group_item] | M2M table between CVITs and container remediation tasks. |
| Container Remediation Task [sn_vul_container_vulnerability] | Contains container remediation tasks. |
| Container Remediation Task Manifest [sn_vul_container_rt_manifest] | Scheduled jobs use this manifest table to apply any updates to remediation tasks. |
Scheduled jobs installed with Container Vulnerability Response
Scheduled jobs are added with activation of Container Vulnerability Response.
Demo data is available for this feature.
| Scheduled job | Description |
|---|---|
| Associate existing Container VIs with Auto Exception Rule | Automatically associates the Auto Exception Rule with existing container vulnerable items (CVITs). |
| Check Container Vulnerable Item Deferment Expiration | Sends notifications if container vulnerable items or container vulnerabilities have expired (and if they expire in one week). |
| Vulnerability Response Container Count (Application - Vulnerability Response and Configuration Compliance for Containers) | Runs daily to populate the sn_vul_container_vr_container_counts table that calculates the 90-day rolling average for containers. |
| Auto-Close CVITs | Automatically closes container vulnerability items that match the condition defined in the auto-close configuration. Their status is changed to 'fixed'. |
| Calculate Business Criticality for CVIT | Processes all active CVITs and updates the Business Criticality field, based on the affected services of the docker image of the CVIT. |
| Close cancel CVITs that do not have a Docker Image associated | Automatically expires CVITs that do not have an associated CI. Their state is set to Closed, and their substate to Canceled. |
| Calculate Related VI Counts for Container Remediation Task | Calculates the counts on Container Remediation Task records. |
| Rollup container vulnerable item values to vulnerability and group | Calculates vulnerability and group roll-ups for container vulnerable items. Note: Starting with v2.10 of Container Vulnerability Response, the scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task. |