Features Introduced in January 2023

The host, container, and serverless capabilities on the tab are being upgraded starting on Jan 29, 2023. When upgraded, the version will be 22.12.427.

New Features in Prisma Cloud Compute

CVE Coverage Update
As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • CVEs in Go packages are now detected in the package scope for more accurate results, and not only in the module scope. To read more about Go modules and packages, see Modules overview.
  • Fix date improvement. For any feed collected by the Intelligence Stream (IS) that does not provide a fix date for a CVE, Prisma Cloud Compute determines the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream.
  • Fixed versions enriched for fixed vulnerabilities.
  • New PRISMA-IDs have increased 131% since the Kepler major release.
  • Fast addition of CVEs (pre-filled CVEs).
    CVEs were added to the Intelligence Stream on average 13 days before they were analyzed in the NVD. As an example, a Kubernetes CVE (CVE-2022-3172) was published on September 16, 2022. The CVE was added to the Prisma Cloud Intelligence Stream on September 19, 2022. As of December 2022, the CVE was still in reserved status at MITRE and not yet analyzed in the NVD.
New Features in the Core Platform
Filter Defender by TAS Foundation ID
Added a new field value under Manage > Defenders > Deployed Defenders in the Prisma Cloud Compute user interface to filter Defenders by TAS Foundation ID. You can use this value in the query parameter of the API endpoint GET, /api/vVERSION/defenders to filter Defenders by TAS Foundation ID.
Support for Talos Linux - container vulnerabilities and compliance
Orchestrator Defenders for Talos Linux are now supported. Talos Linux Defenders allow you to perform vulnerability and compliance scans for running containers and to perform registry scans. To deploy on a Talos Linux cluster, use the new "Talos Linux deployment" toggle in the Defenders deployment page, or the new --talos flag in twistcli.
The following functionality is not available:
  • Scanning of underlying hosts.
  • Runtime scanning.
  • Agentless scanning.
  • Automatic recognition of the cluster name.
  • Block policies.
Auto Import Prisma Cloud Accounts for Agentless Scans
The Cloud accounts onboarded in the Platform are now auto-imported under Manage > Cloud accounts with the default settings, including agentless scanning and cloud discovery enabled. Both individual accounts and the accounts of an organization are auto-imported for compute workload scanning.
Note: The number of accounts onboarded per customer is limited to 5K.
Support for AWS SQS Notification in Compute Alerts
Added support for AWS SQS as an alert trigger under Compute > Manage > Alerts > Add profile. Prisma Compute users can now use the AWS SQS integration configured in the Prisma platform to send compute workload alerts to AWS SQS.
To use this feature, create an AWS SQS queue and add this Amazon SQS integration under SaaS > Settings > Integrations > Add Integration.
Support for Orchestrators
Review the system requirements for the supported operating systems, hypervisors, runtimes, tools, and orchestrators.
Vulnerability Scanning of Debian 11 Distroless Images
Defenders now scan distroless container images for vulnerabilities and display the results on Monitor > Vulnerabilities > Images along with other scans. The following distroless images are supported.
  • gcr.io/distroless/static-debian11 – latest
  • gcr.io/distroless/base-debian11 – latest
  • gcr.io/distroless/cc-debian11 – latest
  • gcr.io/distroless/python3-debian11 – latest
  • gcr.io/distroless/java-base-debian11 – latest
  • gcr.io/distroless/java11-debian11 – latest
  • gcr.io/distroless/java17-debian11 – latest
  • gcr.io/distroless/nodejs-debian11 – 14, 16, 18, latest
Immediate Image Registry Scanning
You can now trigger a specific image scan in the registry and get immediate results. This allows you to scan images as soon as they are added to the registry, without waiting for the scheduled scans. Triggering the scan is done using the Scan Registry API, and this API scan will not interrupt the ongoing scheduled scans that are run from under Monitor > Vulnerabilities > Images > Registries. The registry must first be configured in the registry settings to scan images.
Deployment Date and Elapsed Time for Deployed Image
You can now view the deployment date and the elapsed time since the image was first deployed in a container. See the image details view in the Vulnerability Explorer to determine the start time of a vulnerable image.
Support for More Registry Entries
You can now add up to 19,999 registry entries to Defend > Vulnerabilities > Images > Registry settings. And on Monitor > Vulnerabilities > Images > Registries, view scan results for a maximum of 100,000 images.
NOTE: When you upgrade to Lagrange, if you have configured 20,000 entries or more, you cannot add or update any registry settings until you are within the limit of 20,000. To add or modify any registry settings, you must delete the entries that exceed the limit.
Individual Effects per Protection for Container Runtime Policy
The Container runtime policy rules now allow an individual effect per protection, such as anti-malware, crypto miners, and reverse shell attacks, instead of one global effect for each section (Processes, Networking, File System, and Anti-malware). The effect includes the following options: Disabled/Alert/Prevent/Block, according to the supported effects for each detection.
To allow for individual effects per protection, the container runtime rule schema of the rules has changed. Refer to the API Container runtime policy page for the updated schema.
As a result, if you manually export rules from 22.06 or older versions of Console to 22.12 Console, the operation will fail.
The existing rules will be migrated into the new schema by taking the single global effect from each section of the rule (Processes, Networking, and File system) and setting that effect to each one of the detections in that section. For example, if the Networking section effect was "Alert", now each one of the detections under Networking - Networking activity from modified binaries, Port scanning, and Raw sockets will get the "Alert" effect.
To support the effect conversion for Defenders from supported previous versions, or when fetching the rules using an API of a previous version, we convert from an individual effect per detection to a single effect per section. In the conversion, we will take the least severe effect for the detections that are enabled and set it as the section effect. For detections with the Disabled effect the toggle will be disabled.
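The two conversions described above (old single-section effect to per-detection effects on upgrade, and per-detection effects back to one section effect for older Defenders and API versions), modelled in Python as an added example. This is not Prisma Cloud code; the detection names come from the Networking section named in the text, while the lowercase effect strings and their severity order (disable < alert < prevent < block) are assumptions.

```python
"""Model of the 22.12 container runtime rule effect migration (example, not Prisma Cloud code)."""
from typing import Dict, List

# Least severe first. "disable" means the detection toggle is off.
# Effect strings and their ordering are assumptions made for this example.
EFFECTS: List[str] = ["disable", "alert", "prevent", "block"]

# Detections under the Networking section, as named in the release notes.
NETWORKING_DETECTIONS: List[str] = [
    "networking_activity_from_modified_binaries",
    "port_scanning",
    "raw_sockets",
]


def migrate_section(section_effect: str, detections: List[str]) -> Dict[str, str]:
    """Old schema -> new schema.

    A rule from 22.06 or older carries one effect per section; the upgrade
    copies that effect onto every detection in the section.
    """
    if section_effect not in EFFECTS:
        raise ValueError(f"unknown effect {section_effect!r}")
    return {name: section_effect for name in detections}


def downgrade_section(per_detection: Dict[str, str]) -> str:
    """New schema -> old schema, for pre-22.12 Defenders and older API versions.

    The section effect becomes the least severe effect among the detections
    that are enabled; detections set to "disable" are ignored. If nothing in
    the section is enabled, the section itself is reported as disabled.
    """
    for effect in per_detection.values():
        if effect not in EFFECTS:
            raise ValueError(f"unknown effect {effect!r}")
    enabled = {e for e in per_detection.values() if e != "disable"}
    for effect in EFFECTS:  # walks from least to most severe
        if effect in enabled:
            return effect
    return "disable"


if __name__ == "__main__":
    # Upgrade: a Networking section set to "alert" becomes three "alert" detections.
    migrated = migrate_section("alert", NETWORKING_DETECTIONS)
    print(migrated)
    # Downgrade for an old Defender: block + alert + disabled -> "alert" (least severe enabled).
    mixed = {
        "networking_activity_from_modified_binaries": "disable",
        "port_scanning": "block",
        "raw_sockets": "alert",
    }
    print(downgrade_section(mixed))
```

Note that an upgraded rule round-trips unchanged (downgrade of a migrated section returns the original effect), but a rule edited to mixed effects loses information when served to an old Defender.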
FIPS 140-2 Certification
The FIPS 140-2 Level 1 BoringCrypto GoLang branch has been merged into GoLang 1.19. You can deploy the Console and Defender to enforce the use of the FIPS validated cryptographic libraries and cipher suites.
Custom Certificate Trust for Registry Scanning
You can now enter a custom self-signed certificate while configuring the registry scans; this allows Prisma Cloud to validate the registry's certificate.
Custom CA certificate validation is supported only for non-Docker nodes (Defenders running on CRI runtime) and for the following providers:
  • Docker registry v2
  • JFrog Artifactory (On-prem)
  • Harbor
  • Sonatype Nexus
Support for JFrog Artifactory Registry Scan on JFrog Cloud
Fixed an error with JFrog Artifactory registry scans running on JFrog Cloud. With Lagrange, the Defenders support registry scans and on-demand scans running on both JFrog On-prem and JFrog Cloud.
Vulnerability Assessment for Go Packages
CVEs in Go packages are now detected at the package level for more accurate results, and not only at the module level. To read more about Go modules and packages, see Modules overview.
Immediate Alerts for Registry Scan Vulnerabilities
Added support for sending immediate alerts for registry image vulnerabilities. When configuring alerts under Compute > Manage > Alerts, the "Immediately alert for vulnerabilities" toggle now applies not only to deployed images and hosts but also to registry images. Furthermore, the existing trigger for "Image vulnerabilities (registry and deployed)" is now split into two triggers, "Deployed images vulnerabilities" and "Registry images vulnerabilities", to allow you to configure your alert profile as granularly as your environment requires.
If you already have an alert profile with Deployed image vulnerabilities (registry and deployed) along with Immediately alert for vulnerabilities enabled, then after the Lagrange upgrade you might, depending on your environments, start receiving a large number of immediate alerts for vulnerable registry images along with immediate alerts for deployed images.
Risk-Factor Based Actions
Vulnerability rules for images and hosts can now trigger different actions such as alert, block, and fail based on risk factors. All the vulnerabilities that match either the severity thresholds or the risk factors will be listed in the scan results under Monitor > Vulnerabilities > Images > Deployed/Registries/CI.
Exceptions for Base Image Vulnerabilities
For deployed and CI images, you can now exclude vulnerabilities introduced by the base images or the middleware image while configuring the Vulnerability Management rules under Defend > Vulnerabilities > Images > Deployed/CI. To use this feature, you need to first specify the base image under Defend > Vulnerabilities > Images > Base images. When you enable this feature, the vulnerabilities that come from the base images will not be included in the scan results view under Monitor > Vulnerabilities > Images > Deployed/Registries/CI.
Alert Trigger Enhancements for Google Security Command Center
The following new fields were added to existing alert triggers for Google SCC.
  • Image vulnerabilities (deployed): Includes the following properties.
    • Collections
    • Cluster Name
    • Account ID
  • Container runtime: Includes the following properties.
    • Collections
    • Cluster Name
    • Account ID
  • Incidents: Includes the following properties.
    • Collections
    • Cluster Name
    • Account ID
The container and image compliance trigger was added for Google SCC. This new trigger sends full data with every scan.
Path and Layer Information in Syslog Output
The image scan syslog output that the Prisma Cloud Console produces now includes two new fields: package_path and layer.
The host scan syslog output that the Prisma Cloud Console produces now includes one new field: package_path.
The twistcli command line interface JSON output also includes these new fields.
Regional STS Endpoint Support for Defender on AWS
AWS recommends the use of a regional STS endpoint over the use of the global STS endpoint sts.amazonaws.com. When onboarding your AWS cloud account, you can now use a regional sts.REGION.amazonaws.com STS endpoint. Then, your deployed Defenders don’t need to access the global STS endpoint. Defenders can get the STS token from the regional STS endpoint to perform scans such as registry scans. To enable regional STS endpoints, refer to the AWS documentation.
Support to Generate Vulnerability Reports by Package and Risk Factors
You can filter the Vulnerability (CVE) results in the Vulnerability Explorer (Monitor > Vulnerabilities > Vulnerability Explorer) to view the vulnerabilities present in your deployments in a package pivot. Similarly, you can also filter using risk factors.
Support for Distro-level Exclusions in Package Vulnerability Scans
Package vulnerability scans now account for any exclusions based on vendor-specific distributions. For the packages you install through the operating system, the vulnerability scans show you only the vendor-specific analysis, if it exists. If you don’t install the packages through the operating system package manager, the scan shows the relevant vulnerabilities for the packages. Your scan results might change, and you can review the results under Monitor > Vulnerabilities.
Dedicated Defenders for Blobstore Scanning
To specialize the function of the Defenders in Tanzu environments, you can now deploy dedicated Defenders that only perform blobstore scanning and are deployed on dedicated Linux VMs. Use the dedicated scanners if you want to avoid using the Defenders installed on the Diego cells to perform the blobstore scanning. The dedicated Blobstore scanning Defenders are not supported on Windows VMs.
Upgrade Confirmation for Defenders on Tanzu
When you upgrade to v22.12, the Defenders in Tanzu environments are automatically upgraded and the user confirmation for upgrading to subsequent versions becomes available. To upgrade the Defenders in your Tanzu environment starting with the next update for v22.12, download the latest tile from the Prisma Cloud Console and import it into your environment using the Tanzu Ops Manager. With this change, Tanzu Defender upgrade is not available directly from the Prisma Cloud Console.
Added Support for Tanzu Application Service (TAS) on Windows
You can now deploy Defenders to scan your Windows TAS environments. The Defenders are deployed as addon software on the Windows Diego cells of your TAS environment, which is similar to how they are deployed on Linux. You must now select the Orchestrator deployment method to deploy the TAS Defenders. Because of this change you can filter your TAS Defenders by foundation.
The following features are not available for Defenders on Windows TAS environments.
  • Scan of applications running Docker images on TAS
  • Use of a proxy to install a tile
  • Cert-based authentication
  • Blobstore scanning: Defenders on Windows can’t be scanners and Windows droplets have no results.
New Fields to Splunk Alerts
The following fields are added to Splunk alerts.
  • command - Shows the command which triggered the runtime alert.
  • namespaces - Lists the Kubernetes namespaces associated with the running image.
  • startup process - Shows the executed process activated when the container is initiated.
In-Depth Scanning of Nested Java Archives
In previous releases, Defenders scanned two levels deep in nested Java Archives (JARs). The latest version of Defender can scan up to ten levels of nested JARs. While this level of nesting is atypical, this capability improved the scan accuracy by detecting the vulnerabilities in the deepest nested jars. You can view the vulnerabilities in your images with the following steps.
  1. Go to Monitor > Vulnerabilities > Images.
  2. Filter the results to show your packages using JARs.
  3. Click on the shown results to see the details.
  4. Go to Package info and filter the results.
Twistcli Sandbox for Third-Party Assessment Tools
To help you augment and expand the compliance checks, the twistcli sandbox now enables you to run a third-party binary or script of your choice within the sandboxed container.
You can view the scan results on the mounted volume and on Image analysis sandbox. In this example the output of the third-party testing tool will be written to the /opt/sandbox_testing_tools/output.txt file on the sandbox host.
Twistcli for ARM64 Mac
twistcli is now supported on ARM64 Mac machines.
Download the ARM64 Mac-compatible version of twistcli from , or using the API /util/osx/arm64/twistcli.
New Features in Agentless Security
Agentless Vulnerability Scanning of Containers in AWS, Azure, and GCP
You can now use agentless scanning to identify vulnerabilities in your deployed containers and images for AWS, Azure, and GCP platforms, and view the results of the agentless scans on Monitor > Vulnerabilities > Images > Deployed.
Agentless Scanning for Oracle Cloud Infrastructure
You can now onboard Oracle Cloud Infrastructure accounts for agentless scanning of your hosts on Oracle Cloud Infrastructure (OCI). You can view the results of the vulnerability scans on Monitor > Vulnerabilities > Images > Deployed.
New Features in Host Security
Application Control for Hosts
You can now set specific application control rules to make sure your Linux hosts that are protected by Defenders can install or run only specific application versions. The Application control rules allow you to define the match criteria and the severity levels; to enforce compliance, you must attach the rule to your compliance policy. In addition, you can import the list of applications and versions from hosts in your environment to easily create new application control rules.
New Features in Serverless
Account Information and Filtering for serverless functions
You can now filter the Serverless functions for vulnerabilities and compliance issues with specific Account IDs for each Cloud provider. The account ID column is added under Defend/Monitor > Vulnerabilities/Compliance > Functions. Existing customers won’t see the Account ID until the customer’s accounts are re-added to Prisma Cloud.
New features in Web Application and API Security (WAAS)
Automated Patch for Known CVEs
Introduced a capability in custom rules to auto-apply virtual patches to known CVE vulnerabilities detected by Prisma Cloud under Defend > WAAS > Container/Host > In-Line/Out-Of-Band. You can override the default effects by selecting User-selected custom rules that are always applied regardless of the global Auto-apply virtual patches
Enhancement in API Discovery
Monitor > WAAS > API discovery is enhanced to include all discovered resource paths with HTTP method, instead of a per-app view. The API discovery page now includes Path risk factors to flag endpoints that have sensitive, unauthenticated, or internet-accessible data.
You can also protect all endpoints in an app with a single click and download the API specifications in JSON.
Create a WAAS rule under Defend > WAAS > Sensitive data to identify and flag sensitive data in incoming requests and responses from the discovered endpoints on the API discovery page.
Allow list to Bypass Geo Access Control
You can now add a specific network list to bypass the IP-based or Geo-based access control under Defend > WAAS > Container/Host/App-Embedded/Agentless > Add/Edit App > Access control > Network controls > Exceptions, allowing you to exempt specific IPs from the access control rules.
JWT Parsing
WAAS Custom rules expressions are extended to support functions that validate JSON Web Tokens (JWTs) in both requests and responses, in order to inspect the content for malicious, sensitive, and insecure information, and to extract key values from the payload.
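The kind of token inspection described here (reading a JWT's header and payload from traffic, flagging insecure or sensitive content, and extracting a single attribute), as an added Python example. It is not Prisma Cloud's rule engine and does not use the WAAS custom-rule functions; the sensitive-claim names, the finding strings and the sample token it builds are constructed for the example.

```python
"""Inspect JWTs carried in HTTP traffic, WAAS-style (example code, not Prisma Cloud's)."""
import base64
import json
from typing import Any, Dict, List, Optional

# Claim names a rule author might treat as sensitive if they travel in a
# token payload (constructed list for this example).
SENSITIVE_CLAIMS = {"password", "ssn", "credit_card"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_jwt(token: str) -> Dict[str, Any]:
    """Split a compact JWS into header and payload without verifying it.

    A traffic inspector does not hold the application's signing key, so it
    reads the token only; signature verification stays with the application.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": parts[2]}


def extract_claim(token: str, name: str) -> Optional[Any]:
    """Return one attribute from the payload, or None if it is absent."""
    return parse_jwt(token)["payload"].get(name)


def jwt_findings(token: str, now: int) -> List[str]:
    """Rule findings for one token: insecure header, missing/expired exp, sensitive claims."""
    parsed = parse_jwt(token)
    header, payload = parsed["header"], parsed["payload"]
    findings: List[str] = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("insecure: unsigned token (alg=none)")
    exp = payload.get("exp")
    if exp is None:
        findings.append("insecure: no expiry (exp) claim")
    elif not isinstance(exp, (int, float)) or exp < now:
        findings.append("expired: exp is missing a numeric value or is in the past")
    for claim in sorted(SENSITIVE_CLAIMS & set(payload)):
        findings.append(f"sensitive: payload carries '{claim}'")
    return findings


def build_test_token(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Constructed test input: encodes header and payload, leaves the signature segment empty."""
    def enc(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    sample = build_test_token({"alg": "none", "typ": "JWT"},
                              {"sub": "alice", "ssn": "000-00-0000"})
    print(extract_claim(sample, "sub"))
    for finding in jwt_findings(sample, now=1_700_000_000):
        print(finding)
```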
OWASP Mapping for WAAS Events
WAAS events are now mapped to the appropriate OWASP Top 10 risk and OWASP API Top 10 risk, and you can view event summaries for each of these risks on the WAAS Explorer.
Support TLS in Out-Of-Band Rules
WAAS Out-Of-Band now supports TLS (1.0, 1.1, 1.2) protocol.
You can enable the TLS support for an endpoint in Defend > WAAS > Container/Host > Out-Of-Band and enter the TLS certificate in PEM format.
Simplified Onboarding for VPC Traffic Mirroring
Setting up WAAS for agentless now comes with easier onboarding configuration for AWS VPC traffic mirroring under Defend > WAAS > Agentless, which auto-deploys the Observers into the AWS instance and creates sessions with the resources within your VPC to monitor the incoming/outgoing traffic.
WAAS Defend Tabs Reorganized
WAAS defend tabs are now reorganized to distinguish between Agentless and agent-based OOB rules. The Out-Of-Band tab is split into Agentless (which supports VPC traffic mirroring), Container OOB, and Host OOB. Monitor > Events > WAAS for out-of-band is now changed to Monitor > Events > WAAS for agentless, and the out-of-band events are included along with the in-line events under WAAS for containers, WAAS for App-Embedded, WAAS for hosts, and WAAS for serverless.

API Changes

Supports new body parameters for a Defender daemonset script
You can use the following new optional body parameters in POST, api/vVERSION/defenders/helm/twistlock-defender-helm.tar.gz and POST, api/vVERSION/defenders/daemonset.yaml to create a daemonset install script for a Defender with customized parameters:
  • Annotations
  • Tolerations
  • CPULimit
  • MemoryLimit
  • PriorityClassName
  • RoleARN
API support for Agentless Scanning
Adds support for agentless scanning for vulnerabilities and compliance in hosts and containers. You can use the following APIs:
  • POST, api/vVERSION/agentless/templates: Downloads a tarball file containing the agentless resource templates required with the credential for onboarding.
  • POST, api/vVERSION/agentless/scan: Starts an agentless scan.
  • GET, api/vVERSION/agentless/progress: Displays the progress of an ongoing scan.
  • POST, api/vVERSION/agentless/stop: Stops an ongoing scan.
Improved Severity Assessment with Exploit Data
Introduces a response parameter exploit for better severity assessment and improved risk factor calculation in the following APIs:
  • GET, api/vVERSION/images
  • GET, api/vVERSION/hosts
  • GET, api/vVERSION/serverless
The improved features include the following:
  • Enriched PoC data that helps associate a vulnerability with a PoC published around the web.
  • New risk factor, Exploit in the wild, provides information about which CVEs (from CISA KEV) have a proven risk of being exploited.
  • Create alert/block policies for exploits-in-the-wild vulnerabilities, as well as for CVEs with a PoC.
  • Improved mechanism for detecting the Remote execution and DoS risk factors.
New environmental risk factors that improve the risk score calculation:
  • Sensitive information: Provided in environment variables or private keys and is stored in image or serverless function.
  • Root Mount: Indicates that the vulnerability exists in a container with access to the host filesystem.
  • Runtime socket: Indicates that the vulnerability exists in a container with access to the host container runtime socket.
  • Host Access: Indicates that the vulnerability exists in a container with access to the host namespace, network, or devices.
You can use the exploit data to understand the exploit type, its kind, and get more information from the source where it’s listed.
Support for Audit Records through APIs
Adds support for Audits APIs to create and store audit event records for all controls.
The following new API endpoints are now supported:
  • GET, api/vVERSION/audits/mgmt
  • GET, api/vVERSION/audits/mgmt/filters
  • GET, api/vVERSION/audits/mgmt/download
  • GET, api/vVERSION/audits/access
  • GET, api/vVERSION/audits/access/download
  • GET, api/vVERSION/audits/admission
  • GET, api/vVERSION/audits/admission/download
  • PATCH, api/vVERSION/audits/incidents/acknowledge/{id}
  • GET, api/vVERSION/audits/firewall/app/app-embedded
  • GET, api/vVERSION/audits/firewall/app/app-embedded/download
  • GET, api/vVERSION/audits/firewall/app/app-embedded/timeslice
  • GET, api/vVERSION/audits/firewall/app/container
  • GET, api/vVERSION/audits/firewall/app/container/download
  • GET, api/vVERSION/audits/firewall/app/container/timeslice
  • GET, api/vVERSION/audits/firewall/app/host
  • GET, api/vVERSION/audits/firewall/app/host/download
  • GET, api/vVERSION/audits/firewall/app/host/timeslice
  • GET, api/vVERSION/audits/firewall/app/serverless
  • GET, api/vVERSION/audits/firewall/app/serverless/download
  • GET, api/vVERSION/audits/firewall/app/serverless/timeslice
  • GET, api/vVERSION/audits/firewall/app/agentless
  • GET, api/vVERSION/audits/firewall/app/agentless/timeslice
  • GET, api/vVERSION/audits/firewall/app/agentless/download
  • GET, api/vVERSION/audits/firewall/network/container
  • GET, api/vVERSION/audits/firewall/network/container/download
  • GET, api/vVERSION/audits/firewall/network/host
  • GET, api/vVERSION/audits/firewall/network/host/download
  • GET, api/vVERSION/audits/kubernetes
  • GET, api/vVERSION/audits/kubernetes/download
  • GET, api/vVERSION/audits/runtime/app-embedded
  • GET, api/vVERSION/audits/runtime/app-embedded/download
  • GET, api/vVERSION/audits/runtime/container
  • GET, api/vVERSION/audits/runtime/container/download
  • GET, api/vVERSION/audits/runtime/container/timeslice
  • GET, api/vVERSION/audits/runtime/file-integrity
  • GET, api/vVERSION/audits/runtime/file-integrity/download
  • GET, api/vVERSION/audits/runtime/host
  • GET, api/vVERSION/audits/runtime/host/download
  • GET, api/vVERSION/audits/runtime/host/timeslice
  • GET, api/vVERSION/audits/runtime/log-inspection
  • GET, api/vVERSION/audits/runtime/log-inspection/download
  • GET, api/vVERSION/audits/runtime/serverless
  • GET, api/vVERSION/audits/runtime/serverless/download
  • GET, api/vVERSION/audits/runtime/serverless/timeslice
  • GET, api/vVERSION/audits/trust
  • GET, api/vVERSION/audits/trust/download
Immediate Image Scanning
Introduces a body parameter, onDemandScan, that triggers an on-demand image scan without interrupting the current or ongoing scan for the following API:
  • POST, api/vVERSION/registry/scan
The image’s registry must be predefined in the registry settings.
Severity Level Based Report for Vulnerabilities
Introduces a query parameter normalizedSeverity for host, images, registry, VMs, and serverless APIs to report vulnerabilities based on severity level.
You can use the following APIs to report vulnerabilities based on the normalized severity:
  • GET, api/vVERSION/images
  • GET, api/vVERSION/images/download
  • GET, api/vVERSION/hosts
  • GET, api/vVERSION/hosts/download
  • GET, api/vVERSION/serverless
  • GET, api/vVERSION/serverless/download
  • GET, api/vVERSION/registry
  • GET, api/vVERSION/registry/download
  • GET, api/vVERSION/vms
  • GET, api/vVERSION/vms/download
Supports Viewing 250 Reports or Entries Per Page
The query parameter limit now supports a page size of 250 entries or reports. The default value is 50 entries or reports per page.
For example, use the following request to retrieve the first 250 reports from the /hosts endpoint with the limit query parameter:
$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  'https://<CONSOLE>/api/v<VERSION>/hosts?limit=250&offset=0'
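Walking a whole collection with the limit and offset parameters at the new 250-entry page size, as an added Python example (not Prisma Cloud tooling). The fetch function is injectable so the paging logic runs offline against a constructed stand-in; the real fetch, the /api/v<VERSION> path layout and the assumption that an empty page is returned as null or [] follow the curl request above and are otherwise assumptions.

```python
"""Paginate a Compute API list endpoint with limit/offset (example, not Prisma Cloud code)."""
from typing import Callable, Dict, Iterator, List, Tuple

MAX_PAGE_SIZE = 250  # new maximum per the 22.12 notes; the default is 50

# A fetch takes a path such as "/hosts" plus the query parameters and returns
# the decoded JSON list for that page.
Fetch = Callable[[str, Dict[str, int]], List[dict]]


def iter_pages(fetch: Fetch, path: str, page_size: int = MAX_PAGE_SIZE) -> Iterator[List[dict]]:
    """Yield successive pages, stopping at the first short or empty page."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"limit must be between 1 and {MAX_PAGE_SIZE}")
    offset = 0
    while True:
        page = fetch(path, {"limit": page_size, "offset": offset})
        if page:
            yield page
        if len(page) < page_size:  # short page: nothing more to read
            return
        offset += page_size


def collect_all(fetch: Fetch, path: str, page_size: int = MAX_PAGE_SIZE) -> List[dict]:
    """Flatten every page of `path` into one list."""
    return [item for page in iter_pages(fetch, path, page_size) for item in page]


def requests_fetch(console: str, version: str, auth: Tuple[str, str], verify: bool = True) -> Fetch:
    """Build a fetch for a real Console, e.g. requests_fetch("https://console.example", "1", (user, pw)).

    Needs the third-party `requests` package; imported lazily so the rest of
    this module runs without it.
    """
    import requests

    def fetch(path: str, params: Dict[str, int]) -> List[dict]:
        resp = requests.get(f"{console}/api/v{version}{path}", params=params,
                            auth=auth, verify=verify, timeout=60)
        resp.raise_for_status()
        return resp.json() or []  # assumption: an empty page may come back as null
    return fetch


def fake_fetch_factory(total: int) -> Fetch:
    """Constructed stand-in for the API: `total` host records sliced by limit/offset."""
    hosts = [{"_id": f"host-{i}"} for i in range(total)]

    def fetch(path: str, params: Dict[str, int]) -> List[dict]:
        start = params["offset"]
        return hosts[start:start + params["limit"]]
    return fetch


if __name__ == "__main__":
    fake = fake_fetch_factory(600)
    print([len(p) for p in iter_pages(fake, "/hosts")])  # three pages: 250, 250, 100
    print(len(collect_all(fake, "/hosts")))
```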
Support for More Registry Entries
You can now add or edit up to 19,999 registry entries by using the following APIs:
  • POST, api/vVERSION/settings/registry
  • PUT, api/vVERSION/settings/registry
DISA STIG Scan Findings and Justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Addressed Issues

Fixed a JAR naming detection mismatch in scan results to match the CVE data we have in the Intelligence Stream (IS). The JAR names in Prisma under Monitor > Vulnerabilities > Images/Hosts > Deployed/CI now match the Maven repo standards. Now, when the GroupID of the JAR can’t be found in the file and only the ArtifactID is detected, we identify the JAR file by other identifiers. Only the ArtifactID will be present in the scan results.
For any feed collected by IS that does not provide a fix date for CVE, Prisma Cloud Compute will determine the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream. Therefore, the calculation for the grace period will now start with the date on which the CVE fix was seen on the Intelligence Stream and not the CVE publish date.
For example, if a CVE was first discovered without a fix, and a fix was released later, the grace period for fixing the CVE would start from the date the fix was published, even though the vendor feed didn’t provide us with an explicit fix date.
For the feeds that provide a fix date for the CVEs (such as RHEL), the fix date will always be determined as the fix date provided by the vendor, and the grace period will be calculated using this fix date.
There will be no change in the fix date for the existing CVEs in the IS, only the fix date for the new CVE fixes starting from Lagrange will change.
With this update, all supported versions of Console will receive the change for CVEs with no fix date provided by the vendor, because the change is on the Intelligence Stream (IS), which is available to all supported versions of Console.
For some package types, the process for inferring the fix status for CVEs that didn’t have a fix status before is improved. The package types improved are:
  • jar
  • python
  • Application packages such as MySQL, Java, Jenkins.
Fixed the serverless compliance results CSV report. Functions with no compliance or vulnerability issues were not added to the serverless compliance CSV report; this is now fixed, and the report includes all functions irrespective of compliance or vulnerability issues.
A new "Compliance ID" column is added to indicate the compliance-related issues specifically.
Python package info is updated to include the path.

Backward Compatibility for New Features

With this release, Defenders running versions earlier than 22.01 will no longer be able to connect to the console.
  • Risk-Factor Based Actions (unsupported component: Defenders and twistcli): Previous versions of Defenders and twistcli will not be able to enforce the policy actions that are based on risk factors.
  • Exceptions for Base Image Vulnerabilities (unsupported component: Defenders and twistcli): Previous versions of Defenders and twistcli will not be able to enforce excluding base image vulnerabilities from the scan results.
  • Upgrade Confirmation for Defenders on Tanzu: The confirmation for upgrade will take effect for v22.12 (Lagrange) upgrades. The first upgrade from 22.06 to 22.12 will still upgrade existing Defenders.
  • Custom Certificate Trust for Registry Scanning: Previous versions of Defenders will not support using the configured custom CA certificate while scanning the registry.
  • Support for Distro-level Exclusions in Package Vulnerability Scans: The change will not apply to scans performed by previous versions of Defenders.
  • Regional STS Endpoint Support for Defender on AWS: Previous versions of Defenders will not support using a regional STS endpoint for scans in the cloud account.
  • Path and Layer Information in Syslog Output: Previous versions of twistcli will not support the path and layer information in the JSON scan results.
  • Individual Effects per Protection for Container Runtime Policy: Previous versions of Defenders will not support individual effects per protection. The least severe effect from the policy configured in the Console will be set as the single effect which the old Defender will use to enforce the policy.
  • Support for JFrog Artifactory Registry Scan on JFrog Cloud: Previous versions of Defenders will not be able to scan the JFrog Cloud registry. Only the 22.12 Defenders will be selected from the scanners scope to scan the JFrog Cloud registry.
  • JAR Vulnerability Detection Improvement: The improvements will not apply to scans performed by previous versions of Defenders.
  • Vulnerability Assessment for Go Packages: The improvements will not apply to scans performed by previous versions of Defenders.
  • FIPS 140-2 Certification: Previous versions of Defenders will not be FIPS 140-2 compliant.
  • In-Depth Scanning for Nested Java Archives: The improvements will not apply to scans performed by old Defenders.
  • JWT Parsing: Previous versions of Defenders will not parse JWT payloads and extract the entire payload or a specific attribute.
  • [Out of Band] Support TLS in WAAS Out of Band Rules: Previous versions of Defenders will not support TLS in out-of-band rules.
  • Auto Apply WAAS Virtual Patches Based on CVEs in Image Scan: Previous versions of Defenders will not apply a WAAS virtual patch to the application firewall.
  • Allow list to Bypass Geo Access Control: Previous versions of Defender will not support an "allow list" to bypass Geo Access Control.
  • Application Control for Linux Hosts: Previous versions of Defender will not control which applications and versions are allowed to run on your hosts.
