Merge pull request #1045 from hlxsites/runtime-pascal-update3-RN-LA

Update Pascal 33.03 RN changes

docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc

@@ -196,6 +196,10 @@ The  ‘packageType’ field is added to the vulnerabilities schema responses.
 |*Agentless Scanning*
 |The agentless scanner boot volume now enforces encryption by default.
 
+//CWP-58870
+|*Vulnerability Scan
+|Fixed an issue that caused duplicate jar entries with mismatched versions in vulnerability scan reports.
+
 |===
 
 // [#backward-compatibility]

docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc

@@ -138,6 +138,10 @@ There are no API changes for this release.
 [cols="1,1"]
 |===
 
+//CWP-61752
+|*WAAS Counters Periodically Stop Incrementing and Need Defender Restart*
+| The issue related to interruption in the communication between a defender and the console—​that was introduced by the newly introduced fail-safe mechanism aimed to prevent any impact to customer traffic or downtime—​is resolved. The fix requires you to upgrade the Console and the Defenders to version 33.00.
+
 //CWP-61027
 |*Reporting All Affected Versions for GO Package CVEs*
 |For some GO package CVEs, Prisma Cloud did not completely report all the affected versions, particularly when multiple version ranges were involved, resulting in occasional false negatives.

docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc

@@ -73,9 +73,9 @@ $ <PLATFORM>./twistcli defender export kubernetes \
 * <PRISMA_CLOUD_COMPUTE_HOSTNAME> specifies the address Defender uses to connect to Prisma Cloud Console. You can use the external IP address exposed by your load balancer or the DNS name that you manually set up.
 
 * Once you run the given command, after altering the fields for your environment, you will get a prompt requesting a password. The password is the secret key of the Prisma Cloud user with the System Admin role that you should have created as part of the prerequisite.
-+
-[NOTE]
-====
+
+Note:
+
 * For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider.
 
 * To override the cluster name used that your cloud provider has, use the `--cluster` option.
@@ -87,7 +87,8 @@ $ <PLATFORM>./twistcli defender export kubernetes \
 * When using an AWS Bottlerocket-based EKS cluster, pass the `--container-runtime crio` flag when creating the `YAML` file.
 
 * To use Defenders in *GKE on ARM*, you must https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm[prepare your workloads].
-====
+
+* For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option.
 
 . Deploy the Defender `DaemonSet` custom resource.
 +

docs/en/compute-edition/33/rn/book.yml

@@ -18,6 +18,8 @@ dir: release-information
 topics:
   - name: Prisma(TM) Cloud Compute Edition Release Information
     file: release-information.adoc
+  - name: 33.03 (Build 33.03.138)
+    file: release-notes-33-03.adoc
   - name: 33.02 (Build 33.02.134)
     file: release-notes-33-02.adoc
   - name: 33.01 (Build 33.01.137)

docs/en/compute-edition/33/rn/book_point_release.yml

@@ -2,7 +2,7 @@
 kind: book
 title: Prisma Cloud Compute Edition Release Notes
 author: Prisma Cloud team
-version: 33.02
+version: 33.03
 ditamap: prisma-cloud-compute-edition-release-notes
 dita: techdocs/en_US/dita/prisma/prisma-cloud/33/prisma-cloud-compute-edition-release-notes
 ---
@@ -12,8 +12,8 @@ dir: release-information
 topics:
   - name: Prisma(TM) Cloud Compute Edition Release Information
     file: release-information.adoc
-  - name: 33.02 (Build 33.02.130)
-    file: release-notes-33-02.adoc
+  - name: 33.03 (Build 33.03.TBD)
+    file: release-notes-33-03.adoc
 ---
 kind: chapter
 name: Get Help

docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc

@@ -9,6 +9,16 @@ The following table lists the fixed issues for 33.xx releases.
 |*ISSUE ID*
 |*DESCRIPTION*
 
+|*CWP-62576*
+
+tt:[Fixed in 33.03.138]
+
+| *Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed*
+
+When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned. 
+
+This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed.
+
 |*CWP-62313*
 
 tt:[Fixed in 33.02.130]
@@ -301,6 +311,29 @@ The following table lists the known issues for 33.00 release.
 
 // In Prisma Cloud Compute Edition instances that have the Clustered DB mode enabled for the Console, the Console fails to start after upgrading to release 32.06.
 
+|*CWP-59515*
+
+|*K8s Defender Crash Loop on RKE2*
+
+The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options.
+
+*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only.
+
+// |*CWP-62358*
+
+// |*Incorrect Version Detection for Go Binaries with Missing Dependencies*
+
+//When a Go binary has no listed dependencies in its build information (verified using `go version -m <path to binary>`), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data.
+
+
+//PCSUP-25103
+|*CWP-62297*
+
+|*Twistlock console unable to list image tags from remote repo*
+
+If defender and remote repository are in different subnet, the image tag pulling using `podman search --list -tags` is not supported with the same access token issued by registry.twistlock.com. 
+
+
 //PCSUP-23081
 |*CWP-59435*
 

docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc

@@ -0,0 +1,182 @@
+:toc: macro
+== 33.03 Release Notes
+
+The following table outlines the release particulars:
+
+[cols="1,4"]
+|===
+|Build
+|33.03.138
+
+|Code name
+|Pascal Update 3 
+
+|Release date
+|January 05, 2024
+
+|Type
+|Minor release
+
+|SHA-256
+|a071ad84ace670a9f4ee37fc3e2f44f270527d4671ebc8e3dc448a6d50282d3d
+|===
+
+Review the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/install/system-requirements[system requirements] to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.
+
+You can download the release image from the Palo Alto Networks Customer Support Portal, or use a program or script (such as curl, wget) to download the release image directly from our CDN:
+
+<URL available from the Support Portal>
+//https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz[https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz]
+
+toc::[]
+
+=== Lifecycle Support Update
+
+Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (n-2).
+
+Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from up to three major releases before the current version (upto n-3 major releases).
+
+For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed. However, support and complete backward compatibility is guaranteed for the 32.xx and 31.xx releases.
+
+[#upgrade]
+=== Upgrade from Previous Releases
+
+[#upgrade-defender]
+==== Upgrade Defenders
+
+Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[Defender versions supported (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. In addition, starting from release 33.00, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from the n-3 version. So the current release will allow Defenders and REST API calls from release 30.xx also. Failure to upgrade Defenders below version `v30.00`, such as `v22.12`, will result in disconnection of the Defenders from the Console.
+
+However, to maintain full support, you must upgrade your Defenders to `v31.xx` or a higher release.
+
+To summarize, the level of support for the different versions of Defenders is as follows:
+
+* Defender versions 33.xx, 32.xx, and 31.xx have full support
+* Defender versions 30.xx are functional (will be able to connect to version 33.xx Console) but support is not available for such Defenders
+* Defender versions previous to 30.xx, such as 22.12, are neither supported nor functional (cannot connect to version 33.xx Console)
+
+
+[#upgrade-console]
+==== Upgrade the Prisma Cloud Console
+
+Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[supported Console versions (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. 
+
+NOTE: Defenders from the n-3 release will remain functional as described above.
+
+You can upgrade the Prisma Cloud console directly from any n-1 version to n. For example, with `v33.00` as n and `v32.00` as n-1, you can upgrade directly from `v32.05.124` to `v33.01.137`.
+
+NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading to `v33.00`. For example, you must upgrade from `v31.02.137` to `v32.07.123` before you upgrade to `v33.01.137`.
+
+
+
+
+
+//[#cve-coverage-update]
+//=== CVE Coverage Update
+
+//[#announcement]
+//=== Announcement
+
+
+[#enhancements]
+=== Enhancements
+[cols="30%a,70%a"]
+|===
+|*Feature*
+|*Description*
+
+|Enhancement to Prevent Action with `fsmon_v2`
+//CWP-62711
+
+|To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance.
+
+While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. 
+
+This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it.
+
+|"last-connected" Field Added to Defender Stats Logs
+//CWP-62666
+
+|A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history.
+|===
+
+[#intelligence-stream-updates]
+=== Intelligence Stream Updates
+[cols="30%a,70%a"]
+|===
+|*Feature*
+|*Description*
+|Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9
+//CWP-30827
+
+tt:[Secure the Runtime]
+
+tt:[33.03.138]
+|To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan.
+
+*What are RPM Modules and Streams?*
+
+In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism.
+
+Modules are structured in the following way:
+
+* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates.
+
+* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system.
+
+For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`.
+
+*Enhancements to Vulnerability Reporting*
+
+* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes.
+
+* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results.
+
+
+*Benefits of Module-Aware Vulnerability Reporting*
+
+* *Improved Accuracy*: Matches CVE fixes to the correct module stream.
+* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams.
+* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities.
+
+|Enhanced Vulnerability Reporting for NuGet Packages
+//CWP-49786
+
+tt:[Secure the Runtime]
+
+tt:[33.03.138]
+|Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. 
+
+With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts.
+
+*NOTE*: 
+
+* This enhancement requires upgrading Defenders to the latest version. 
+
+* The updated Defender accurately identifies package dependencies, which leads to fewer false positives.
+
+* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged.
+
+|===
+
+
+//[#new-features-agentless-security]
+// === New Features in Agentless Security
+
+// [#new-features-core]
+// === New Features in Core
+
+// [#new-features-host-security]
+// === New Features in Host Security
+
+// [#new-features-serverless]
+// === New Features in Serverless
+
+// [#new-features-waas]
+// === New Features in WAAS
+
+// [#api-changes]
+// === API Changes and New APIs
+
+// [#deprecation-notices]
+// === Deprecation Notices
+