31.00 Release Notes
Table of Contents
31.00 Release Notes
The following table outlines the release particulars:
Build | 31.00.129 |
Code name | Newton |
Release date | August 20, 2023 |
Type | Major release |
SHA-256 | 989ad4e38e32de192f9545e4070175555d88038a402f2639e93f3383b8e1dc1d |
Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.
Upgrade from Previous Releases
Upgrade Defender Versions 22.06 and Earlier
With the 31.00.xxx release, Defender versions supported (n, n-1, and n-2) are v31.xx.xxx, v30.xx.xxx, and v22.12.xxx.
To prepare for this update, you must upgrade your Defenders from version v22.06.xx.xxx (Kepler) or earlier to a later version.
Failure to upgrade Defenders will result in disconnection of any Defender version below 22.12 such as 22.06.
Upgrade the Prisma Cloud Console
With the 31.00.xxx release, the supported Console versions (n, n-1, and n-2) are v31.xx.xxx, v30.xx.xxx, and v22.12.xxx.
You can upgrade the Prisma Cloud console directly from any version for n-1 to n.
With 30.xx as n-1 and 31.xx as n, you can for example go directly from 30.01.153 to 31.00.129.
You have to upgrade any version of 22.12.xx to 30.xx before upgrading to 31.xx.
For example, you can upgrade from 22.12.693 to 30.02.123 and then upgrade to 31.00.129.
Enhancements
Expanded Support for Red Hat’s Non-RPM Content
The Prisma Cloud Intelligence Stream now includes vulnerability data on non-RPM content from Red Hat, including binaries, Python scripts, JavaScript files, and Java JAR files within layered products like OpenShift.
Rather than just flagging these as vulnerable, Prisma Cloud can now leverage Red Hat’s own detailed image analysis, enhancing precision in threat detection.
Support of Registry Tags directly in Compute Collections
Added support for registry labels under collections to enable role-based access control (RBAC).
The scan results for deployed images are now segregated with a
Custom label
within collections.
This enhancement facilitates the association between the registry and the scanned images pertaining to that registry, along with registry-based role-based access control (RBAC) for improved security and management.Support for Continuous Integration (CI) Scanning of Images on Linux Using Containerd
Added the ability for users to run CI scans on Linux using the containerd runtime. This change benefits customers using Kubernetes environments, which no longer support Docker as they need to perform CI scans without Docker.
GKE CIS Compliance Checks for Worker Nodes
CIS Benchmark for Google Kubernetes Engine (GKE) version 1.4.0 is now supported.
This update includes compliance checks for worker nodes.
API Changes and New APIs
Support and Identification of Registry Asset in Registry Scan
Starting with 31.00, the value in the field
type
for an object returned in the API endpoint response GET, api/vVERSION/registry
is now registry
instead of image
.31.00 and onwards:
type shared.ScanType
Possible values: [registry,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]30.03 and earlier:
type shared.ScanType
Possible values: [image,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]Addressed Issues
- Fixed an issue limiting the support of Prisma Cloud Compute as a pluggable scanner in Harbor. The support is now extended to instances where the Defenders operate in a CRI environment.
- Fixed an issue that caused missing version detection for jar packages when the version name included a date, for example, 20171018.
- Fixed an issue preventing agentless scanning of onboarded Azure government accounts
- Fixed an issue caused when listing container details of containers on hosts using Docker as the CRI.With this fix agentless scanning successfully discovers containers on the specified host. It also the scan process tolerance to errors during the retrieval of container metadata.
End of Support Notifications
End of Support for Docker Access Control
The Docker Access Control at
Defend > Access > Docker
and Access User role at Manage > Authentication > Roles
were planned for End of Support in Newton (v31.00.129) as announced in 22.06 Release Notes.
The deprecation is now extended until the next release Newton Update 1 (v31.01.xxx), when the feature will be no longer supported.Deprecation Notices
Support for Cloud Native Network Segmentation (CNNS)
The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal (v32.0.xxx).
The configuration settings on the console (
Compute > Defend > CNNS
) and the corresponding APIs for CNNS will be dropped in v32.00.xxx.Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively, and this will continue to be available.
List of API endpoints that are no longer supported:
Support for Code Repo Scanning
Scanning your code repositories from the Prisma Cloud Compute Console at
Compute > Monitor> Vulnerabilities > Code repositories
and use of Twistcli for code repo scanning was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal (v32.00.xxx), when the support will be dropped.You must now use the
Code Security
capabilities on Prisma Cloud to scan IaC templates, code repositories, and CI pipelines for misconfigurations and vulnerabilities.