From 70de92113b2f3bea2f3beee643005d7891ccca04 Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Thu, 26 Dec 2024 11:51:10 +0530 Subject: [PATCH 01/16] Update Pascal 33.03 RN changes --- docs/en/compute-edition/33/rn/book.yml | 2 + .../33/rn/book_point_release.yml | 6 +- .../release-notes-33-03.adoc | 108 ++++++++++++++++++ docs/en/enterprise-edition/rn/book.yml | 7 ++ .../features-introduced-in-january-2025.adoc | 69 +++++++++++ .../prisma-cloud-release-info.adoc | 6 +- 6 files changed, 192 insertions(+), 6 deletions(-) create mode 100644 docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc create mode 100644 docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc diff --git a/docs/en/compute-edition/33/rn/book.yml b/docs/en/compute-edition/33/rn/book.yml index dd489ba5c8..0621a4b742 100644 --- a/docs/en/compute-edition/33/rn/book.yml +++ b/docs/en/compute-edition/33/rn/book.yml @@ -18,6 +18,8 @@ dir: release-information topics: - name: Prisma(TM) Cloud Compute Edition Release Information file: release-information.adoc + - name: 33.03 (Build 33.03.TBD) + file: release-notes-33-03.adoc - name: 33.02 (Build 33.02.134) file: release-notes-33-02.adoc - name: 33.01 (Build 33.01.137) diff --git a/docs/en/compute-edition/33/rn/book_point_release.yml b/docs/en/compute-edition/33/rn/book_point_release.yml index 8bab5af687..987b9a740c 100644 --- a/docs/en/compute-edition/33/rn/book_point_release.yml +++ b/docs/en/compute-edition/33/rn/book_point_release.yml @@ -2,7 +2,7 @@ kind: book title: Prisma Cloud Compute Edition Release Notes author: Prisma Cloud team -version: 33.02 +version: 33.03 ditamap: prisma-cloud-compute-edition-release-notes dita: techdocs/en_US/dita/prisma/prisma-cloud/33/prisma-cloud-compute-edition-release-notes --- 
@@ -12,8 +12,8 @@ dir: release-information topics: - name: Prisma(TM) Cloud Compute Edition Release Information file: release-information.adoc - - name: 33.02 (Build 33.02.130) - file: release-notes-33-02.adoc + - name: 33.03 (Build 33.03.TBD) + file: release-notes-33-03.adoc --- kind: chapter name: Get Help diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc new file mode 100644 index 0000000000..72796ad92b --- /dev/null +++ b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc 
@@ -0,0 +1,108 @@ +:toc: macro +== 33.03 Release Notes + +The following table outlines the release particulars: + +[cols="1,4"] +|=== +|Build +|33.03.TBD + +|Code name +|Pascal Update 3 + +|Release date +|Jan TBD, 2024 + +|Type +|Minor release + +|SHA-256 +|TBD +|=== + +Review the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/install/system-requirements[system requirements] to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators. + +You can download the release image from the Palo Alto Networks Customer Support Portal, or use a program or script (such as curl, wget) to download the release image directly from our CDN: + + +//https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz[https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz] + +toc::[] + +=== Lifecycle Support Update + +Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (n-2). + +Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from up to three major releases before the current version (upto n-3 major releases). + +For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed. However, support and complete backward compatibility is guaranteed for the 32.xx and 31.xx releases. + +[#upgrade] +=== Upgrade from Previous Releases + +[#upgrade-defender] +==== Upgrade Defenders + +Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[Defender versions supported (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. In addition, starting from release 33.00, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from the n-3 version. 
So the current release will allow Defenders and REST API calls from release 30.xx also. Failure to upgrade Defenders below version `v30.00`, such as `v22.12`, will result in disconnection of the Defenders from the Console. + +However, to maintain full support, you must upgrade your Defenders to `v31.xx` or a higher release. + +To summarize, the level of support for the different versions of Defenders is as follows: + +* Defender versions 33.xx, 32.xx, and 31.xx have full support +* Defender versions 30.xx are functional (will be able to connect to version 33.xx Console) but support is not available for such Defenders +* Defender versions previous to 30.xx, such as 22.12, are neither supported nor functional (cannot connect to version 33.xx Console) + + +[#upgrade-console] +==== Upgrade the Prisma Cloud Console + +Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[supported Console versions (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. + +NOTE: Defenders from the n-3 release will remain functional as described above. + +You can upgrade the Prisma Cloud console directly from any n-1 version to n. For example, with `v33.00` as n and `v32.00` as n-1, you can upgrade directly from `v32.05.124` to `v33.01.137`. + +NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading to `v33.00`. For example, you must upgrade from `v31.02.137` to `v32.07.123` before you upgrade to `v33.01.137`. 
+ + +//[#cve-coverage-update] +//=== CVE Coverage Update + +[#announcement] +=== Announcement + + + +[#enhancements] +=== Enhancements + + + +//[#new-features-agentless-security] +// === New Features in Agentless Security + +// [#new-features-core] +// === New Features in Core + +// [#new-features-host-security] +// === New Features in Host Security + +// [#new-features-serverless] +// === New Features in Serverless + +// [#new-features-waas] +// === New Features in WAAS + +// [#api-changes] +// === API Changes and New APIs + + +// [#addressed-issues] +// === Addressed Issues + + +// [#deprecation-notices] +// === Deprecation Notices + diff --git a/docs/en/enterprise-edition/rn/book.yml b/docs/en/enterprise-edition/rn/book.yml index cc4c294f88..e9434bf59a 100644 --- a/docs/en/enterprise-edition/rn/book.yml +++ b/docs/en/enterprise-edition/rn/book.yml @@ -17,6 +17,13 @@ dir: prisma-cloud-release-info topics: - name: Prisma® Cloud Release Information file: prisma-cloud-release-info.adoc + - name: Features Introduced in 2025 + dir: features-introduced-in-2025 + topics: + - name: Features Introduced in 2025 + file: features-introduced-in-2025.adoc + - name: Features Introduced in January 2024 + file: features-introduced-in-january-2024.adoc - name: Features Introduced in 2024 dir: features-introduced-in-2024 topics: diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc new file mode 100644 index 0000000000..eb1bba1397 --- /dev/null +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc 
@@ -0,0 +1,69 @@ +== Features Introduced in January 2024 + +Learn what's new on Prisma® Cloud in January 2024. + +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +//* <> +* <> + +[#announcement] +=== Announcement + +[cols="50%a,50%a"] +|=== +|*Feature* +|*Description* + + + +|=== + + +[#new-features] +=== New Features + +[cols="50%a,50%a"] +|=== +|*Feature* +|*Description* + +|=== + +[#policy-updates] +=== Policy Updates + +[cols="50%a,50%a"] +|=== +|*Policy Updates* +|*Description* + +|=== + + +[#new-compliance-benchmarks-and-updates] +=== New Compliance Benchmarks and Updates + +[cols="50%a,50%a"] +|=== +|*Compliance Benchmark* +|*Description* + +|=== + +[#rest-api-updates] +=== REST API Updates + +[cols="37%a,63%a"] +|=== +|*Change* +|*Description* + + +|=== diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc index e0fd6b10cc..4bdbcfb6ee 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc 
@@ -7,16 +7,16 @@ Prisma Cloud is your code to cloud security platform that provides security at a //Prisma Cloud monitors your resources deployed on the Public cloud environments—AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Alibaba Cloud—for cloud security and compliance risks. As the service automatically discovers new resources that are deployed in your cloud environment, it enables you to implement policy guardrails to ensure resource configurations adhere to industry standards and integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. This capability streamlines the process of identifying issues, detecting and responding to a list of prioritized risks to maintain an agile development process and operational efficiency. //Prisma Cloud Application Security identifies vulnerabilities, misconfigurations and compliance violations in Infrastructure as Code ( IaC) templates, container images and git repositories. -The current release for Prisma Cloud Security Platform is 24.12.1. +The current release for Prisma Cloud Security Platform is 25.1.1. -If you are using Runtime Security, the current version is 32.06. +If you are using Runtime Security, the current version is 33.03. //It will be upgraded to 32.00.xxx on >>>, 2023. To view the current operational status of Palo Alto Networks cloud services, see https://status.paloaltonetworks.com/[https://status.paloaltonetworks.com/]. 
Before you begin using Prisma Cloud, make sure you review the following information: -* xref:../prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc[Features Introduced in 2024] +* xref:../prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-2025.adoc[Features Introduced in 2025] * xref:../prisma-cloud-release-info/classic-releases/classic-releases.adoc[Classic Releases] * xref:../limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc[Limited GA Features] * xref:../look-ahead-planned-updates-prisma-cloud/look-ahead-planned-updates-prisma-cloud.adoc[Look Ahead—Planned Updates on Prisma Cloud] From 3485f267d7d23b5a515e0d1d798b6af54157b4f4 Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Fri, 27 Dec 2024 14:35:59 +0530 Subject: [PATCH 02/16] CWP-61492 changes --- .../compliance/oss-license-management.adoc | 66 ------------------- .../operations/oss-license-management.adoc | 66 ------------------- 2 files changed, 132 deletions(-) delete mode 100644 docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc delete mode 100644 docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc diff --git a/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc b/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc deleted file mode 100644 index f319832102..0000000000 --- a/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc +++ /dev/null 
@@ -1,66 +0,0 @@ -== OSS license management - -Prisma Cloud can detect licenses for package dependencies in code repositories. -It can scan code repos hosted by service providers (currently GitHub only). -It can also scan build folders constructed by CI build jobs. - -A license policy defines the criticality of a license. -For example, you might specify consider any package with a GPL license as a critical issue. -Depending on your license policy, Prisma Cloud can raise alerts and block builds. - - -[.task] -=== Create a license compliance policy - -Compliance policies consist of one or more rules. - -NOTE: Prisma Cloud ships with a default rule named *Default - alert all components*. -This rule ships with alerts disabled, so the policy is effectively disabled. -As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. -Set a threshold, and declare licenses you consider critical. -Rule order is important, so be sure your custom rule sits above the default rule. - -[.procedure] -. Open Console. - -. Go to *Defend > Compliance > Code repositories*. - -. Choose the target of your policy. -+ -If your policy targets GitHub, go to the *Repositories* tab. -+ -If your policy targets your CI pipeline, go to the *CI* tab. - -. Click *Add rule*. - -. Specify a rule name. - -. In *Scope*, select one or more collections to apply your policy to specific repos. -+ -Use the default *All* collection to apply it to all repos. - -. Set the rule thresholds. - -. Specify the severity of each license of interest. -+ -Each field offers SPDX license identifiers as suggestions. -Pattern-matching expressions are supported (e.g., `GPL-*`). - - -=== Scan with twistcli - -To scan a folder with twistcli, use the following command: - - twistcli coderepo scan [FOLDER_PATH] --details - -Contents of the repo are assessed according to the policy in *Defend > Compliance > Code repositories > CI*. 
-Scan results are published in *Monitor > Compliance > Code repositories > CI* - -For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy. - - -=== Review scan results. - -Go to *Monitor > Compliance > Code repositories*. -Each row in the results table has a meter which shows the number of compliance issues at each severity level. -Click on a row to drill into the details of the scan report. diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc deleted file mode 100644 index c25c3c2c9a..0000000000 --- a/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc +++ /dev/null 
@@ -1,66 +0,0 @@ -[#oss-license-management] -== OSS License Management - -Prisma Cloud can detect licenses for package dependencies in code repositories. -It can scan code repos hosted by service providers (currently GitHub only). -It can also scan build folders constructed by CI build jobs. - -A license policy defines the criticality of a license. -For example, you might specify consider any package with a GPL license as a critical issue. -Depending on your license policy, Prisma Cloud can raise alerts and block builds. - -[.task] -=== Create a license compliance policy - -Compliance policies consist of one or more rules. - -NOTE: Prisma Cloud ships with a default rule named *Default - alert all components*. -This rule ships with alerts disabled, so the policy is effectively disabled. -As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. -Set a threshold, and declare licenses you consider critical. -Rule order is important, so be sure your custom rule sits above the default rule. - -[.procedure] -. Open Console. - -. Go to *Defend > Compliance > Code repositories*. - -. Choose the target of your policy. -+ -If your policy targets GitHub, go to the *Repositories* tab. -+ -If your policy targets your CI pipeline, go to the *CI* tab. - -. Click *Add rule*. - -. Specify a rule name. - -. In *Scope*, select one or more collections to apply your policy to specific repos. -+ -Use the default *All* collection to apply it to all repos. - -. Set the rule thresholds. - -. Specify the severity of each license of interest. -+ -Each field offers SPDX license identifiers as suggestions. -Pattern-matching expressions are supported (e.g., `GPL-*`). - - -=== Scan with twistcli - -To scan a folder with twistcli, use the following command: - - twistcli coderepo scan [FOLDER_PATH] --details - -Contents of the repo are assessed according to the policy in *Defend > Compliance > Code repositories > CI*. 
-Scan results are published in *Monitor > Compliance > Code repositories > CI* - -For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy. - - -=== Review scan results. - -Go to *Monitor > Compliance > Code repositories*. -Each row in the results table has a meter which shows the number of compliance issues at each severity level. -Click on a row to drill into the details of the scan report. From 49c0f981803f1f3a497d59f3812efc6d4e131d63 Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Mon, 30 Dec 2024 11:02:27 +0530 Subject: [PATCH 03/16] Update release-notes-32-03.adoc --- .../32/rn/release-information/release-notes-32-03.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc b/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc index 46b0e5acbe..66a15abaca 100644 --- a/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc +++ b/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc @@ -196,6 +196,10 @@ The ‘packageType’ field is added to the vulnerabilities schema responses. |*Agentless Scanning* |The agentless scanner boot volume now enforces encryption by default. +//CWP-58870 +|*Vulnerability Scan +|Fixed an issue that caused duplicate jar entries with mismatched versions in vulnerability scan reports. + |=== // [#backward-compatibility] From cbacbff1bc05570581e289f9ee2cda52e6802a6c Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:07:31 +0530 Subject: [PATCH 04/16] CWP-61752 changes --- .../32/rn/release-information/release-notes-32-07.adoc | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc b/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc index 5adac5845b..a515e29eaf 100644 --- a/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc +++ b/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc @@ -138,6 +138,10 @@ There are no API changes for this release. [cols="1,1"] |=== +//CWP-61752 +|*WAAS Counters Periodically Stop Incrementing and Need Defender Restart* +| The issue related to interruption in the communication between a defender and the console—​that was introduced by the newly introduced fail-safe mechanism aimed to prevent any impact to customer traffic or downtime—​is resolved. The fix requires you to upgrade the Console and the Defenders to version 33.00. + //CWP-61027 |*Reporting All Affected Versions for GO Package CVEs* |For some GO package CVEs, Prisma Cloud did not completely report all the affected versions, particularly when multiple version ranges were involved, resulting in occasional false negatives. From 7c81f8c73c64c62d83143ef129f306641ad6efdc Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Mon, 30 Dec 2024 14:03:24 +0530 Subject: [PATCH 05/16] CWP-62297 changes --- .../33/rn/release-information/known-issues-33.adoc | 8 ++++++++ .../rn/known-issues/known-fixed-issues.adoc | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc index 31a19125c7..caca2d4bbc 100644 --- a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc +++ b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc 
@@ -301,6 +301,14 @@ The following table lists the known issues for 33.00 release. // In Prisma Cloud Compute Edition instances that have the Clustered DB mode enabled for the Console, the Console fails to start after upgrading to release 32.06. +//PCSUP-25103 +|*CWP-62297* + +|*Twistlock console unable to list image tags from remote repo* + +If defender and remote repository are in different subnet, the image tag pulling using `podman search --list -tags` is not supported with the same access token issued by registry.twistlock.com. + + //PCSUP-23081 |*CWP-59435* diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 05256c08b7..765ebaccc4 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc @@ -391,6 +391,11 @@ CVE-2024-3154 - Arbitrary Systemd Property Injection as Defender does not direct |*CWP-52710* |While upgrading consoles from the 30.03 release to a 32.xx release, the error log `failed to retrieve "size" specification option value` during the migration doesn't impact the migration process and can be ignored. +//PCSUP-25103 +|*CWP-62297* +|*Twistlock console unable to list image tags from remote repo* +If defender and remote repository are in different subnet, the image tag pulling using `podman search --list -tags` is not supported with the same access token issued by registry.twistlock.com. + // CWP-61287 -- Issue fixed // |*CWP-61287* From fe29e03963cc35f7aae29377b15726d48b7b78cf Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Mon, 30 Dec 2024 14:41:59 +0530 Subject: [PATCH 06/16] CWP-61706 changes --- .../registry-scanning/configure-registry-scanning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc index 2fe4c7192a..d630ff9e40 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc @@ -108,7 +108,7 @@ At a high level, Defenders scan your registries following these steps. //. Scan registry settings one by one in sequential order. . Scan multiple registries in parallel, the default value is set to scan 4 registries at a time. -. There can be up to 9 registry scanning requests in the queue at a time. +. There can be up to 9 registry scanning requests in the queue at a time. Contact the Palo Alto Network Customer Support or your Customer Success Team to configure the default registry scan limit on your SaaS console. . Discover the repositories based on your registry configuration. . Discover the images using tags within each configured repository. . Scan the discovered images. From f2b17b52d50546660cdca90139baa7bd87915d3b Mon Sep 17 00:00:00 2001 From: smitapaloalto <156162707+smitapaloalto@users.noreply.github.com> Date: Tue, 31 Dec 2024 14:18:24 +0530 Subject: [PATCH 07/16] CWP-59515 changes --- .../install-defender-twistcli-export-kubectl.adoc | 9 +++++---- .../install-defender-twistcli-export-kubectl.adoc | 7 ++++--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc b/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc index e0e5a17c41..bdf900e48e 100644 
--- a/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc +++ b/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc @@ -73,9 +73,9 @@ $ ./twistcli defender export kubernetes \ * specifies the address Defender uses to connect to Prisma Cloud Console. You can use the external IP address exposed by your load balancer or the DNS name that you manually set up. * Once you run the given command, after altering the fields for your environment, you will get a prompt requesting a password. The password is the secret key of the Prisma Cloud user with the System Admin role that you should have created as part of the prerequisite. -+ -[NOTE] -==== + +Note: + * For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider. * To override the cluster name used that your cloud provider has, use the `--cluster` option. @@ -87,7 +87,8 @@ $ ./twistcli defender export kubernetes \ * When using an AWS Bottlerocket-based EKS cluster, pass the `--container-runtime crio` flag when creating the `YAML` file. * To use Defenders in *GKE on ARM*, you must https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm[prepare your workloads]. -==== + +* For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. . Deploy the Defender `DaemonSet` custom resource. + diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc index f65a9ef33c..8255f6ed08 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc 
+++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc @@ -70,8 +70,7 @@ $ ./twistcli defender export kubernetes \ * Once you run the given command, after altering the fields for your environment, you will get a prompt requesting a password. The password is the secret key of the Prisma Cloud user with the System Admin role that you should have created as part of the prerequisite. + -[NOTE] -==== +Note: * For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider. * To override the cluster name used that your cloud provider has, use the `--cluster` option. @@ -83,7 +82,9 @@ $ ./twistcli defender export kubernetes \ * When using an AWS Bottlerocket-based EKS cluster, pass the `--container-runtime crio` flag when creating the `YAML` file. * To use Defenders in *GKE on ARM*, you must https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm[prepare your workloads]. -==== + +* For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. + . Deploy the Defender `DaemonSet` custom resource. + From 1b2d519aa595ddf78649d03263a1c39b82b8652c Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:53:31 +0530 Subject: [PATCH 08/16] release notes for pascal 3 --- .../rn/known-issues/known-fixed-issues.adoc | 10 ++ .../look-ahead-secure-the-runtime.adoc | 53 +----- .../features-introduced-in-january-2025.adoc | 163 +++++++++++++----- 3 files changed, 138 insertions(+), 88 deletions(-) diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 765ebaccc4..b36fb4577e 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc 
+++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc @@ -76,6 +76,16 @@ Custom roles cannot be configured to include these permissions, as Google Cloud If the Viewer role or domain related built in role is not configured, the API ingestion will fail, and `'Missing Permissions'` warning for the above permissions will not be displayed on the account status page. +|*CWP-59515* + +|The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. Note that the workaround is applicable to RKE2 only. + +|*CWP-62358* + +|When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. + |*RLP-146718* //Added on 8/14/2024 after 24.8.1 diff --git a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc index e43014a9a9..54807f9f7f 100644 --- a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc +++ b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc 
@@ -1,18 +1,17 @@ == Look Ahead—Planned Updates to Secure the Runtime -//Currently, there are no previews or announcements for updates. +Currently, there are no previews or announcements for updates. -The following sections provide a preview of the planned updates for the `v33.03` release of Runtime Security. +//The following sections provide a preview of the planned updates for the `v33.03` release of Runtime Security. -*NOTE*: +//*NOTE*: -The details and functionality listed below provide a preview of what is planned for the `v33.03` release. Both the updates and their actual release dates are subject to potential changes. +//The details and functionality listed below provide a preview of what is planned for the `v33.03` release. Both the updates and their actual release dates are subject to potential changes. //*<> //*<> //*<> - //* <> //* <> //* <> 
@@ -21,48 +20,4 @@ The details and functionality listed below provide a preview of what is planned //* <> //* <> -=== Intelligence Stream Updates - -==== Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 -//CWP-30827 -To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. - -*What are RPM Modules and Streams?* - -In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. - -Modules are structured in the following way: - -* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. - -* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. - -For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. - -*Enhancements to Vulnerability Reporting* - -* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. - -* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. 
- - -*Benefits of Module-Aware Vulnerability Reporting* - -* *Improved Accuracy*: Matches CVE fixes to the correct module stream. -* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. -* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. - -==== Enhanced Vulnerability Reporting for NuGet Packages -//CWP-49786 -Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. - -With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. - - -*NOTE*: - -* This enhancement requires upgrading Defenders to the latest version. - -* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. -* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. \ No newline at end of file diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc index eb1bba1397..604b099776 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc 
@@ -1,69 +1,154 @@ == Features Introduced in January 2024 -Learn what's new on Prisma® Cloud in January 2024. - -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> +Learn what's new on Prisma® Cloud in January 2025. + +* <> +* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> //* <> -* <> +//* <> -[#announcement] -=== Announcement +//[#announcement] +//=== Announcement -[cols="50%a,50%a"] +//[cols="50%a,50%a"] +//|=== +//|*Feature* +//|*Description* +//|=== + +[#enhancements] +=== Enhancements +[cols="30%a,70%a"] |=== |*Feature* |*Description* +|Enhancement to Prevent Action with `fsmon_v2` +//CWP-62711 +|To improve the handling of file system events for Prevent Action in the Runtime Policy, `fsmon_v2` has been developed. This new version of fsmon manages event timeouts in an efficient way. This enhancement ensures independent handling of each event, reduces bottlenecks, and improves overall performance. -|=== +NOTE: While `fsmon_v2` brings significant improvements, it is still under active development, and further stability enhancements are planned. + +By default, fsmon_v2 is not enabled. To activate it, set the environment variable `FSMON_V2=true`. +You can verify the configuration by checking the Defender logs for the message, `Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2`. -[#new-features] -=== New Features -[cols="50%a,50%a"] +|"last-connected" Field Added to Defender Stats Logs +//CWP-62666 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history. 
+|=== + +[#intelligence-stream-updates] +=== Intelligence Stream Updates +[cols="30%a,70%a"] |=== |*Feature* |*Description* +|Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 +//CWP-30827 -|=== +tt:[Secure the Runtime] -[#policy-updates] -=== Policy Updates +tt:[33.03.138] +|To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. -[cols="50%a,50%a"] -|=== -|*Policy Updates* -|*Description* +*What are RPM Modules and Streams?* -|=== +In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. +Modules are structured in the following way: -[#new-compliance-benchmarks-and-updates] -=== New Compliance Benchmarks and Updates +* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. -[cols="50%a,50%a"] -|=== -|*Compliance Benchmark* -|*Description* +* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. -|=== +For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. -[#rest-api-updates] -=== REST API Updates +*Enhancements to Vulnerability Reporting* -[cols="37%a,63%a"] -|=== -|*Change* -|*Description* +* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. 
This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. + +* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. + + +*Benefits of Module-Aware Vulnerability Reporting* + +* *Improved Accuracy*: Matches CVE fixes to the correct module stream. +* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. +* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. + +|Enhanced Vulnerability Reporting for NuGet Packages +//CWP-49786 +tt:[Secure the Runtime] + +tt:[33.03.138] +|Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. + +With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. + +*NOTE*: + +* This enhancement requires upgrading Defenders to the latest version. + +* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. + +* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. 
|=== + +//[#new-features] +//=== New Features + +//[cols="50%a,50%a"] +//|=== +//|*Feature* +//|*Description* + +//|=== + +//[#policy-updates] +//=== Policy Updates + +//[cols="50%a,50%a"] +//|=== +//|*Policy Updates* +//|*Description* + +//|=== + + +//[#new-compliance-benchmarks-and-updates] +//=== New Compliance Benchmarks and Updates + +//[cols="50%a,50%a"] +//|=== +//|*Compliance Benchmark* +//|*Description* + +//|=== + +//[#rest-api-updates] +//=== REST API Updates + +//[cols="37%a,63%a"] +//|=== +//|*Change* +//|*Description* + + +//|=== From ffc86e5a75cae494925f98f415ddb86097f7dba1 Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:02:08 +0530 Subject: [PATCH 09/16] Update features-introduced-in-january-2025.adoc --- .../features-introduced-in-january-2025.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc index 604b099776..1a6bca4a2a 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc @@ -1,4 +1,4 @@ -== Features Introduced in January 2024 +== Features Introduced in January 2025 Learn what's new on Prisma® Cloud in January 2025. From 877102039128d8660076e578ed89f6e6a00e6da5 Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:14:38 +0530 Subject: [PATCH 10/16] Update known-fixed-issues.adoc --- .../rn/known-issues/known-fixed-issues.adoc | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) 
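Review bot: The RHEL explanation added under "Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9" says "Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism." That contradicts the heading: Software Collections were the RHEL 6 and 7 mechanism, and RPM modules with AppStream streams arrived in RHEL 8. Suggest "Starting with RHEL 8, modules replaced the Software Collections mechanism used in RHEL 6 and 7." Also, the `fsmon_v2` entry says "set the environment variable `FSMON_V2=true`" without stating on which component the variable is set (the Defender, given that the check reads Defender logs, or the Console); name it so the instruction is actionable.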
diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index b36fb4577e..4d39ba4d4f 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc @@ -26,6 +26,15 @@ The list of fixed issues are not cumulative; only the issues that are fixed with //On *Inventory > Assets*, if you filter based on the _Key-Value_ *Asset Tag* and your environment has more that 1 million assets, the results will be inconclusive. //Contact your Prisma Cloud Customer Success representative for more details. +|*CWP-59515* + +|The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. Note that the workaround is applicable to RKE2 only. + +|*CWP-62358* + +|When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. |*RLP-153383* //PCSUP-25655 
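Review bot: In the new CWP-62358 entry the command `go version -m ` has no argument; the binary path looks to have been dropped, so the reader cannot reproduce the check. Suggest a placeholder such as `go version -m <path-to-binary>`. Style point on the hunk's context line: "The list of fixed issues are not cumulative" should read "is not cumulative".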
@@ -76,17 +85,6 @@ Custom roles cannot be configured to include these permissions, as Google Cloud If the Viewer role or domain related built in role is not configured, the API ingestion will fail, and `'Missing Permissions'` warning for the above permissions will not be displayed on the account status page. -|*CWP-59515* - -|The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. - -*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. Note that the workaround is applicable to RKE2 only. - -|*CWP-62358* - -|When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. - - |*RLP-146718* //Added on 8/14/2024 after 24.8.1 From 9ca17c6bf1374fc27d8ffa5c5a90b67f635a1390 Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:23:33 +0530 Subject: [PATCH 11/16] Update known-fixed-issues.adoc --- .../enterprise-edition/rn/known-issues/known-fixed-issues.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 4d39ba4d4f..2e4122f681 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc 
@@ -30,7 +30,7 @@ The list of fixed issues are not cumulative; only the issues that are fixed with |The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. -*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. Note that the workaround is applicable to RKE2 only. +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. |*CWP-62358* From 300de4c17ad56e03bd0de6bfdd67d082763a2abb Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:48:24 +0530 Subject: [PATCH 12/16] added Compute release notes --- .../release-information/known-issues-33.adoc | 15 +++ .../release-notes-33-03.adoc | 97 +++++++++++++++++-- .../rn/known-issues/known-fixed-issues.adoc | 8 +- 3 files changed, 112 insertions(+), 8 deletions(-) diff --git a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc index caca2d4bbc..b1c1a89bb4 100644 --- a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc +++ b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc 
@@ -301,6 +301,21 @@ The following table lists the known issues for 33.00 release. // In Prisma Cloud Compute Edition instances that have the Clustered DB mode enabled for the Console, the Console fails to start after upgrading to release 32.06. +|*CWP-59515* + +|*K8s Defender Crash Loop on RKE2* + +The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. + +|*CWP-62358* + +|*Incorrect Version Detection for Go Binaries with Missing Dependencies* + +When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. + + //PCSUP-25103 |*CWP-62297* diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc index 72796ad92b..06921abca1 100644 --- a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc +++ b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc @@ -6,19 +6,19 @@ The following table outlines the release particulars: [cols="1,4"] |=== |Build -|33.03.TBD +|33.03.138 |Code name |Pascal Update 3 |Release date -|Jan TBD, 2024 +|January 05, 2024 |Type |Minor release |SHA-256 -|TBD +|a071ad84ace670a9f4ee37fc3e2f44f270527d4671ebc8e3dc448a6d50282d3d |=== Review the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/install/system-requirements[system requirements] to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators. 
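Review bot: In the release-notes-33-03.adoc hunk, the release date changes from "Jan TBD, 2024" to "January 05, 2024", but build 33.03.138 is a January 2025 release (the patch dates and the "Features Introduced in January 2025" file in this same series say so). The year should be 2025. Please also confirm the SHA-256 value against the published checksum before merging, since it replaces the "TBD" placeholder.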
@@ -67,17 +67,102 @@ You can upgrade the Prisma Cloud console directly from any n-1 version to n. For NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading to `v33.00`. For example, you must upgrade from `v31.02.137` to `v32.07.123` before you upgrade to `v33.01.137`. + + + //[#cve-coverage-update] //=== CVE Coverage Update -[#announcement] -=== Announcement - +//[#announcement] +//=== Announcement [#enhancements] === Enhancements +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* + +|Enhancement to Prevent Action with `fsmon_v2` +//CWP-62711 + +|To improve the handling of file system events for Prevent Action in the Runtime Policy, `fsmon_v2` has been developed. This new version of fsmon manages event timeouts in an efficient way. This enhancement ensures independent handling of each event, reduces bottlenecks, and improves overall performance. + +NOTE: While `fsmon_v2` brings significant improvements, it is still under active development, and further stability enhancements are planned. + +By default, fsmon_v2 is not enabled. To activate it, set the environment variable `FSMON_V2=true`. + +You can verify the configuration by checking the Defender logs for the message, `Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2`. + + +|"last-connected" Field Added to Defender Stats Logs +//CWP-62666 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history. 
+|=== + +[#intelligence-stream-updates] +=== Intelligence Stream Updates +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* +|Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 +//CWP-30827 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. + +*What are RPM Modules and Streams?* +In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. + +Modules are structured in the following way: + +* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. + +* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. + +For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. + +*Enhancements to Vulnerability Reporting* + +* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. + +* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. 
+ + +*Benefits of Module-Aware Vulnerability Reporting* + +* *Improved Accuracy*: Matches CVE fixes to the correct module stream. +* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. +* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. + +|Enhanced Vulnerability Reporting for NuGet Packages +//CWP-49786 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. + +With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. + +*NOTE*: + +* This enhancement requires upgrading Defenders to the latest version. + +* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. + +* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. + +|=== //[#new-features-agentless-security] diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 2e4122f681..8faf57ecb3 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc 
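Review bot: In the new Enhancements table, the `fsmon_v2` entry carries no `tt:[Secure the Runtime]` / `tt:[33.03.138]` tags while the adjacent "last-connected" entry does; tag both or neither. The Enhancements and Intelligence Stream content is also a verbatim copy of what this series adds to features-introduced-in-january-2025.adoc, so the "Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism" sentence needs the same correction in both places (modules arrived with RHEL 8; Software Collections were the RHEL 6 and 7 mechanism).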
@@ -28,13 +28,17 @@ The list of fixed issues are not cumulative; only the issues that are fixed with |*CWP-59515* -|The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. +|*K8s Defender Crash Loop on RKE2* + +The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. *Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. |*CWP-62358* -|When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. +|*Incorrect Version Detection for Go Binaries with Missing Dependencies* + +When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. |*RLP-153383* //PCSUP-25655 From a4d473d6245cbcdac79f179f9a69a5d2d6531fea Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:09:02 +0530 Subject: [PATCH 13/16] updated book --- docs/en/compute-edition/33/rn/book.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/compute-edition/33/rn/book.yml b/docs/en/compute-edition/33/rn/book.yml index 0621a4b742..517d968f04 100644 --- a/docs/en/compute-edition/33/rn/book.yml +++ b/docs/en/compute-edition/33/rn/book.yml @@ -18,7 +18,7 @@ dir: release-information topics: - name: Prisma(TM) Cloud Compute Edition Release Information file: release-information.adoc - - name: 33.03 (Build 33.03.TBD) + - name: 33.03 (Build 33.03.138) file: release-notes-33-03.adoc - name: 33.02 (Build 33.02.134) file: release-notes-33-02.adoc 
From f8d5d81316efc6725309e35fd1c83ba9930a5f86 Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 22:53:43 +0530 Subject: [PATCH 14/16] new changes --- .../release-information/known-issues-33.adoc | 16 ++++++++++--- .../release-notes-33-03.adoc | 14 +++-------- .../rn/known-issues/known-fixed-issues.adoc | 24 +++++++++++++++++++ .../features-introduced-in-january-2025.adoc | 10 +++----- 4 files changed, 43 insertions(+), 21 deletions(-) diff --git a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc index b1c1a89bb4..11a57029aa 100644 --- a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc +++ b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc @@ -9,6 +9,16 @@ The following table lists the fixed issues for 33.xx releases. |*ISSUE ID* |*DESCRIPTION* +|*CWP-62576* + +tt:[Fixed in 33.03.138] + +| *Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed* + +When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned. + +This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed. + |*CWP-62313* tt:[Fixed in 33.02.130] 
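Review bot: In the new CWP-62576 entry, "GO" should be "Go" (the language name) in both the title and the body, and the cell `| *Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed*` has a stray space after `|` unlike the other cells in the table. Separately, the context line `tt:[Fixed in 33.02.130]` for CWP-62313 disagrees with book.yml (`33.02 (Build 33.02.134)`) and with the known-fixed-issues.adoc entry later in this patch (`tt:[Fixed in 33.02.134]`); one of the two build numbers is wrong.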
@@ -309,11 +319,11 @@ The K8s defender pods on the RKE2 go into a crash loop if the defender is deploy *Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. -|*CWP-62358* +// |*CWP-62358* -|*Incorrect Version Detection for Go Binaries with Missing Dependencies* +// |*Incorrect Version Detection for Go Binaries with Missing Dependencies* -When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. +//When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. //PCSUP-25103 diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc index 06921abca1..a29e1ece93 100644 --- a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc +++ b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc 
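Review bot: CWP-62358 is commented out here three patches after it was added, and the commit message ("new changes") gives no reason; record why the entry is withdrawn. If it is not going to ship in 33.03, delete the lines rather than leaving `// |*CWP-62358*` comments inside the table, and note that the comment prefix is inconsistent within the block (`// |` with a space versus `//When` without one).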
@@ -87,14 +87,11 @@ NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading t |Enhancement to Prevent Action with `fsmon_v2` //CWP-62711 -|To improve the handling of file system events for Prevent Action in the Runtime Policy, `fsmon_v2` has been developed. This new version of fsmon manages event timeouts in an efficient way. This enhancement ensures independent handling of each event, reduces bottlenecks, and improves overall performance. +|To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance. -NOTE: While `fsmon_v2` brings significant improvements, it is still under active development, and further stability enhancements are planned. - -By default, fsmon_v2 is not enabled. To activate it, set the environment variable `FSMON_V2=true`. - -You can verify the configuration by checking the Defender logs for the message, `Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2`. +While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. +This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it. |"last-connected" Field Added to Defender Stats Logs //CWP-62666 @@ -183,11 +180,6 @@ With this enhancement, the scanning process excludes runtime-specific dependenci // [#api-changes] // === API Changes and New APIs - -// [#addressed-issues] -// === Addressed Issues - - // [#deprecation-notices] // === Deprecation Notices diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 5d9209031e..ccaf3c63b6 100644 
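Review bot: The rewrite of the `fsmon_v2` entry replaces the `FSMON_V2=true` enablement step and the log check ("Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2") with "submit a ticket requesting engineering to enable it". Two gaps: it does not say where the ticket is filed (Customer Support?), and it drops the only way a customer has to confirm the feature is active once enabled. Suggest keeping the verification sentence, e.g. "After enablement, the Defender log contains `Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2`."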
--- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc @@ -26,6 +26,20 @@ The list of fixed issues are not cumulative; only the issues that are fixed with //On *Inventory > Assets*, if you filter based on the _Key-Value_ *Asset Tag* and your environment has more that 1 million assets, the results will be inconclusive. //Contact your Prisma Cloud Customer Success representative for more details. +|*CWP-59515* + +|*K8s Defender Crash Loop on RKE2* + +The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. + +// |*CWP-62358* + +// |*Incorrect Version Detection for Go Binaries with Missing Dependencies* + +//When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. + |*RLP-153383* //PCSUP-25655 @@ -415,6 +429,16 @@ If defender and remote repository are in different subnet, the image tag pulling |*ISSUE ID* |*DESCRIPTION* +|*CWP-62576* + +tt:[Fixed in 33.03.138] + +|*Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed* + +When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned. + +This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed. + |*CWP-62313* tt:[Fixed in 33.02.134] 
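Review bot: The first hunk inserts CWP-59515 immediately before `|*RLP-153383*`, the same position where patch 10 in this series already inserted it; the blob ids (`5d9209031e`) show changes outside this series in between, so confirm the final file does not carry the entry twice. The second hunk has the same "GO" versus "Go" nit as the known-issues-33.adoc copy of CWP-62576.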
diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc index 1a6bca4a2a..c6f6140969 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc 
@@ -33,15 +33,11 @@ Learn what's new on Prisma® Cloud in January 2025. |Enhancement to Prevent Action with `fsmon_v2` //CWP-62711 +|To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance. -|To improve the handling of file system events for Prevent Action in the Runtime Policy, `fsmon_v2` has been developed. This new version of fsmon manages event timeouts in an efficient way. This enhancement ensures independent handling of each event, reduces bottlenecks, and improves overall performance. - -NOTE: While `fsmon_v2` brings significant improvements, it is still under active development, and further stability enhancements are planned. - -By default, fsmon_v2 is not enabled. To activate it, set the environment variable `FSMON_V2=true`. - -You can verify the configuration by checking the Defender logs for the message, `Initializing filesystem monitoring agent /usr/local/bin/fsmon_v2`. +While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. +This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it. |"last-connected" Field Added to Defender Stats Logs //CWP-62666 From bcf765d69fca2e9e7cb6268575dc79941e4a2c9f Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 23:08:20 +0530 Subject: [PATCH 15/16] added tags --- .../features-introduced-in-january-2025.adoc | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc index c6f6140969..b8b3181324 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc @@ -33,6 +33,11 @@ Learn what's new on Prisma® Cloud in January 2025. |Enhancement to Prevent Action with `fsmon_v2` //CWP-62711 + +tt:[Secure the Runtime] + +tt:[33.03.138] + |To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance. While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. From 8260a283ac1b62c060189570c7a190411dec677b Mon Sep 17 00:00:00 2001 From: Kamesh-PaloAlto <166385805+Kamesh-PaloAlto@users.noreply.github.com> Date: Mon, 6 Jan 2025 23:20:38 +0530 Subject: [PATCH 16/16] removed tag --- .../33/rn/release-information/release-notes-33-03.adoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc index a29e1ece93..ab082bf154 100644 --- a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc +++ b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc 
@@ -96,9 +96,6 @@ This feature is disabled by default. Customers who want to activate this feature |"last-connected" Field Added to Defender Stats Logs //CWP-62666 -tt:[Secure the Runtime] - -tt:[33.03.138] |A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history. |===
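Review bot: Removing `tt:[Secure the Runtime]` and `tt:[33.03.138]` from the "last-connected" entry leaves the Compute Edition Enhancements table with no tags, while the Intelligence Stream table in the same file keeps them on every entry, and patch 15 in this series adds the same tags to the `fsmon_v2` entry in the Enterprise Edition file. Settle on one convention per file. In the description, `last-connected` and `Connected` are field names and should be in code font like `fsmon_v2` elsewhere.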