Introducing Zora OSS v0.9.0 and Zora Dashboard Enhancements

We are thrilled to announce the release of Zora OSS v0.9.0 and new updates to Zora Dashboard. This version brings significant improvements and new features, making Zora even more robust and user-friendly. Here’s a quick overview of what’s new.

Zora Dashboard Enhancements

Zora Dashboard has been significantly enhanced to provide a more intuitive and efficient user experience. One of the major updates is the ability to view grouped package details directly in the dashboard, making it easier to navigate and manage vulnerabilities. This new feature allows users to see which packages within an image are affected by a specific vulnerability, providing a clearer and more organized view.

Here is a showcasing the grouped packages:



These details are available through the vulnerabilities, both on the cluster screen and the workspace-wide vulnerabilities screen.

Zora OSS v0.9.0

Package grouping is also introduced in Zora OSS v0.9.0 within the VulnerabilityReport. This feature is part of the v1alpha2 version of the CRD and enables users to see which packages within an image are affected by a specific vulnerability. This enhancement provides a clearer and more organized view of vulnerabilities, helping users quickly identify and address issues.

Here’s an example of the new VulnerabilityReport structure (with some fields omitted):


apiVersion: zora.undistro.io/v1alpha2
kind: VulnerabilityReport
metadata:
  name: vulnerabilityreport-v1alpha2-sample
spec:
  # Some fields have been omitted
  digest: myimage@sha256:eaa478cdd0b8e1be7a4813bc1b01948b838e2feaa6d999e60c
  image: myimage:1.22.0
  vulnerabilities:
    - description: The function PEM_read_bio_ex() reads a PEM file...
      id: CVE-2022-4450
      lastModifiedDate: "2023-07-19T00:57:00Z"
      packages:
        - fixVersion: 1.1.1t-r0
          package: libcrypto1.1
          status: fixed
          type: alpine
          version: 1.1.1s-r0
        - fixVersion: 1.1.1t-r0
          package: libssl1.1
          status: fixed
          type: alpine
          version: 1.1.1s-r0
      publishedDate: "2023-02-08T20:15:00Z"
      score: "7.5"
      severity: HIGH
      title: double free after calling PEM_read_bio_ex


This structured approach groups affected packages under their respective vulnerabilities, providing a comprehensive overview at a glance and significantly reducing the size of the reports. To see the YAML structure of a vulnerability report, you can use the following command:

kubectl get vulnerabilityreports vulnerabilityreport-v1alpha2-sample -n zora-system -o yaml

Note that the v1alpha1 version of the VulnerabilityReport is still compatible through the webhook conversion mechanism.
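
The following Python example is added here and is not Zora's own code: it reads a v1alpha2 VulnerabilityReport as JSON (for instance from the kubectl command above with -o json) and turns the grouped packages into a per-package upgrade list for patch triage. The sample report is constructed from the YAML shown above; the severity levels other than HIGH, the function name upgrade_plan and its min_severity parameter are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: the report from this article rendered as JSON,
# trimmed to the fields the example needs.
SAMPLE_REPORT = json.loads("""
{
  "apiVersion": "zora.undistro.io/v1alpha2",
  "kind": "VulnerabilityReport",
  "metadata": {"name": "vulnerabilityreport-v1alpha2-sample"},
  "spec": {
    "image": "myimage:1.22.0",
    "vulnerabilities": [
      {"id": "CVE-2022-4450", "severity": "HIGH", "score": "7.5",
       "packages": [
         {"package": "libcrypto1.1", "version": "1.1.1s-r0",
          "fixVersion": "1.1.1t-r0", "status": "fixed", "type": "alpine"},
         {"package": "libssl1.1", "version": "1.1.1s-r0",
          "fixVersion": "1.1.1t-r0", "status": "fixed", "type": "alpine"}
       ]}
    ]
  }
}
""")

# Assumed severity scale; only HIGH appears in the article's sample.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def upgrade_plan(report, min_severity="HIGH"):
    """Map (package, installed version) to the fix versions and CVE ids
    that apply to it, for vulnerabilities at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    plan = defaultdict(lambda: {"fix_versions": set(), "cves": []})
    for vuln in report.get("spec", {}).get("vulnerabilities", []):
        if SEVERITY_RANK.get(vuln.get("severity", "UNKNOWN"), 0) < threshold:
            continue
        for pkg in vuln.get("packages", []):
            if not pkg.get("fixVersion"):  # no fix listed, nothing to upgrade to
                continue
            entry = plan[(pkg["package"], pkg["version"])]
            entry["fix_versions"].add(pkg["fixVersion"])
            entry["cves"].append(vuln["id"])
    return dict(plan)

if __name__ == "__main__":
    for (name, installed), e in sorted(upgrade_plan(SAMPLE_REPORT).items()):
        fixes, cves = ", ".join(sorted(e["fix_versions"])), ", ".join(e["cves"])
        print(f"{name} {installed} -> {fixes} ({cves})")
```
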

Additional Improvements in Zora OSS v0.9.0

Alongside the major update of grouping packages, Zora OSS v0.9.0 also includes several other enhancements and fixes:


Conclusion

We are excited about the new features and improvements in Zora v0.9.0 and believe they will significantly enhance your experience. We encourage you to update to the latest version and explore the new functionalities.

Join our Office Hours and Slack for any questions, suggestions, or feedback.

Happy scanning! 🛡️

Social

Contact us

Almeda Campinas 802, CJ 12, Jardim Paulista,

São Paulo - SP, 01404-001

Join the team

Our content
