diff --git a/integration/integrate-with-image-vulnerability-scanners.adoc b/integration/integrate-with-image-vulnerability-scanners.adoc index 759c6c3768c9..5cf5fae16200 100644 --- a/integration/integrate-with-image-vulnerability-scanners.adoc +++ b/integration/integrate-with-image-vulnerability-scanners.adoc 
@@ -30,7 +30,9 @@ This enhanced support gives you greater flexibility and choice in managing your == Scanners included in {product-title-short} * Scanner V4: Beginning with {product-title-short} version 4.4, a new scanner is introduced that is built on link:https://github.com/quay/claircore[Claircore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. Scanner V4 is enabled by default during installation beginning in release 4.8. For more information about Scanner V4, including links to the installation documentation, see xref:../operating/examine-images-for-vulnerabilities.adoc#about-scanner-v4_examine-images-for-vulnerabilities[About {product-title-short} Scanner V4]. -* StackRox Scanner: This scanner was the default scanner in {product-title-short} before being replaced by Scanner V4. It originates from a fork of the Clair v2 open source scanner. If delegated scanning is configured and only the StackRox Scanner is installed on secured clusters, StackRox Scanner must also be enabled on the cluster where Central is installed or delegated scanning will not work. +* StackRox Scanner: This scanner was the default scanner in {product-title-short} before being replaced by Scanner V4. It originates from a fork of the Clair v2 open source scanner. Keep the following guidelines in mind: +** Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. +** You can disable the StackRox scanner on secured clusters if Scanner V4 is enabled or if you do not need scanning by using secured clusters. [id="alternative-scanners_{context}"] == Alternative scanners diff --git a/modules/central-services-public-config.adoc b/modules/central-services-public-config.adoc index 33aa1f2eaab0..d88834695cda 100644 --- a/modules/central-services-public-config.adoc +++ b/modules/central-services-public-config.adoc 
@@ -292,7 +292,7 @@ Setting a value for this parameter overrides the `central.db.image.registry`, `c [id="central-services-public-configuration-file-scanner_{context}"] == StackRox Scanner -The following table lists the configurable parameters for the StackRox Scanner. The StackRox Scanner is deprecated. +The following table lists the configurable parameters for the StackRox Scanner. Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. |=== | Parameter | Description diff --git a/modules/con-vuln-sources.adoc b/modules/con-vuln-sources.adoc index 18bbd98ae47e..01fda165393b 100644 --- a/modules/con-vuln-sources.adoc +++ b/modules/con-vuln-sources.adoc @@ -7,6 +7,11 @@ = Vulnerability data sources Sources for vulnerabilities depend on the scanner that is used in your system. {product-title-short} contains two scanners: StackRox Scanner and Scanner V4. The StackRox Scanner is deprecated. Scanner V4 is the default image scanner. ++ +[NOTE] +==== +Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. +==== [id="scanner-v4-vuln-sources"] == Scanner V4 sources diff --git a/modules/default-requirements-central-services.adoc b/modules/default-requirements-central-services.adoc index c32239b8c8f6..cdcbc8a7e6b5 100644 --- a/modules/default-requirements-central-services.adoc +++ b/modules/default-requirements-central-services.adoc @@ -14,7 +14,7 @@ Central services contain the following components: * Central * Scanner V4 -* StackRox Scanner (optional) +* StackRox Scanner: Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. [id="default-requirements-central-services-central_{context}"] == Central 
diff --git a/modules/install-central-operator.adoc b/modules/install-central-operator.adoc index 9b94c475f0e4..32bda55f567d 100644 --- a/modules/install-central-operator.adoc +++ b/modules/install-central-operator.adoc @@ -78,7 +78,7 @@ spec: |Use this parameter to configure additional hostnames to resolve in the pod's hosts file. |=== -* *Scanner Component Settings*: Settings for the StackRox Scanner. See the "Scanner" table in the "Public configuration file" section in "Installing Central services for {product-title-short} on {osp}". +* *Scanner Component Settings*: Settings for the StackRox Scanner. See the "Scanner" table in the "Public configuration file" section in "Installing Central services for {product-title-short} on {osp}". Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. * *Scanner V4 Component Settings*: Settings for Scanner V4 scanner, the default scanner. See the "Scanner V4" table in the "Public configuration file" section in "Installing Central services for {product-title-short} on {osp}". + You can configure the following options for Scanner V4: diff --git a/modules/rhcos-enable-node-scan-scannerv4.adoc b/modules/rhcos-enable-node-scan-scannerv4.adoc index 8c8c403c21d1..1076f5da4db9 100644 --- a/modules/rhcos-enable-node-scan-scannerv4.adoc +++ b/modules/rhcos-enable-node-scan-scannerv4.adoc 
@@ -20,7 +20,7 @@ For information about supported platforms and architecture, see the link:https:/ [NOTE] ==== -Node scanning with Scanner V4 is enabled by default in a new installation of release 4.8 and later. These steps are only required if you are updating from an earlier version of {product-title-short} and Scanner V4 was not enabled. +Node scanning with Scanner V4 is enabled by default in a new installation of release 4.8 and later. These steps are only required if you are updating from an earlier version of {product-title-short} and Scanner V4 was not enabled. Although the StackRox Scanner is deprecated as of release 4.9, it still must be enabled on the cluster where Central is installed due to software dependencies. It can be safely disabled on secured clusters if Scanner V4 is enabled or if scanning by using secured clusters is not needed. ==== . Ensure that Scanner V4 is deployed in the Central cluster: diff --git a/operating/examine-images-for-vulnerabilities.adoc b/operating/examine-images-for-vulnerabilities.adoc index 10eb9620f43c..289e227aeffb 100644 --- a/operating/examine-images-for-vulnerabilities.adoc +++ b/operating/examine-images-for-vulnerabilities.adoc @@ -18,7 +18,7 @@ With {product-title}, you can analyze images for vulnerabilities using the {prod {product-title-short} contains two scanners: Scanner V4 and the StackRox Scanner. -Scanner V4, built on Claircore, is the default scanner as of release 4.8. The StackRox Scanner, which originates from a fork of the Clair v2 open source scanner, is deprecated. +Scanner V4, built on Claircore, is the default scanner as of release 4.8. The StackRox Scanner, which originates from a fork of the Clair v2 open source scanner, is deprecated. Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. [NOTE] ==== 
diff --git a/release_notes/49-release-notes.adoc b/release_notes/49-release-notes.adoc index b19f6972dfab..46cae085a317 100644 --- a/release_notes/49-release-notes.adoc +++ b/release_notes/49-release-notes.adoc @@ -389,27 +389,27 @@ a|`roxctl` admission controller parameters: |GA |DEP -|StackRox Scanner +|StackRox Scanner^[9] |DEP |DEP |DEP -|`/v1/clustercves/suppress` APIs^[9,10]^ +|`/v1/clustercves/suppress` APIs^[10,11]^ |DEP |DEP |DEP -|`/v1/clustercves/unsuppress` APIs^[9,10]^ +|`/v1/clustercves/unsuppress` APIs^[10,11]^ |DEP |DEP |DEP -|`/v1/nodecves/suppress` APIs^[9,10]^ +|`/v1/nodecves/suppress` APIs^[10,11]^ |DEP |DEP |DEP -|`/v1/nodecves/unsuppress` APIs^[9,10]^ +|`/v1/nodecves/unsuppress` APIs^[10,11]^ |DEP |DEP |DEP @@ -419,7 +419,7 @@ a|`roxctl` admission controller parameters: |DEP |REM -|Vulnerability Management (1.0) menu item^[11]^ +|Vulnerability Management (1.0) menu item^[12]^ |DEP |DEP |DEP @@ -453,6 +453,8 @@ For more information, see link:https://cloud.google.com/artifact-registry/docs/t . A feature flag controls this API object, and you can enable or disable this API object by using the `ROX_VULN_MGMT_LEGACY_SNOOZE` environment variable. +. Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies. + . The format for specifying duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has been changed to the ProtoJSON format. Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the `s` suffix is supported. +
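Review bot: In integration/integrate-with-image-vulnerability-scanners.adoc, the second added sub-bullet writes `StackRox scanner` with a lowercase "s", while every other mention in this patch uses `StackRox Scanner`; please capitalize it. The same bullet says "scanning by using secured clusters", where the sentence being removed called this "delegated scanning". Reusing the established term would keep the guidance consistent with the text it replaces.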
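Review bot: In modules/con-vuln-sources.adoc, the added `+` line is a list continuation, but the paragraph it follows ("Sources for vulnerabilities depend on the scanner ...") sits directly under the `= Vulnerability data sources` title and is not a list item, so the continuation has nothing to attach to and may render as a stray plus sign. Replace the `+` line with a blank line before `[NOTE]`.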
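Review bot: In modules/rhcos-enable-node-scan-scannerv4.adoc, the added sentence is the only place in this patch that says the StackRox Scanner is deprecated "as of release 4.9"; the other six insertions give no release. Either state the release everywhere or drop it here so the files agree. The two StackRox sentences are also appended to a NOTE that is about when the Scanner V4 node-scanning steps are required, so a separate NOTE block would keep each admonition on one subject.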
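Review bot: In operating/examine-images-for-vulnerabilities.adoc, the changed paragraph now reads "... is deprecated. Although the StackRox Scanner is deprecated, it still must be enabled ...", repeating the deprecation in back-to-back sentences. Fold the two into one sentence, for example by ending the existing sentence with "is deprecated but must still be enabled on the cluster where Central is installed due to software dependencies."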
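Review bot: In the release_notes/49-release-notes.adoc table hunk (@@ -389), the new cell `|StackRox Scanner^[9]` is missing the closing caret, so the superscript is never terminated; the renumbered rows in the same hunk all use the paired form, such as `^[10,11]^` and `^[12]^`. Change the cell to `|StackRox Scanner^[9]^`.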
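Review bot: In the release_notes/49-release-notes.adoc footnote hunk (@@ -453), the new item is inserted after the `ROX_VULN_MGMT_LEGACY_SNOOZE` feature-flag item and before the ProtoJSON duration item, which look like the two notes the suppress and unsuppress API rows cite. If so, the feature-flag item stays at 9 and the new StackRox Scanner item becomes 10, while the table now points the StackRox Scanner row at 9 and the API rows at 10 and 11. Please verify the rendered numbering and move the new item ahead of the feature-flag item if the references are meant to stand as written.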