Several types of components are installed with activation of the Container Vulnerability Response application, including tables, user roles, and scheduled jobs.

Note: The Application Files table lists the components that are installed with this application. For instructions on how to access this table, see Find components installed with an application.

Demo data is available for this feature.

Starting with v2.11 of Container Vulnerability Response, the most frequently used system properties are now accessible within the Container Vulnerability Response application. To view these system properties, navigate to AllContainer Vulnerability ResponseProperties.

Roles installed with Container Vulnerability Response

Roles are added with activation of Container Vulnerability Response.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Note:

If you are an upgrade customer, access for the users and groups you assigned with the sn_vul.vulnerability_read and sn_vul.vulnerability_write permissions prior to v10.3 has not changed. Users and groups remain assigned with these roles until you change them. However, starting with v10.3, you may prefer assigning granular roles for more control over what users and groups can do and see in the Vulnerability Response application. For an overview and more information about managing these roles, see Vulnerability Response personas and granular roles and Manage persona and granular roles for Vulnerability Response.

Role title [name]Description
V2.10: sn_vul_container.delete Deletes source records. Contains the sn_vul_cmn.delete, and sn_vul_container.delete_vi roles.
sn_vul_container.ci_manager Manages reclassification of unmatched configuration items (CIs).
sn_vul_container.configure_integrations Configures container integrations.
sn_vul_container.configure_vi_granularity Configures container vulnerable item granularity.
sn_vul_container.create_vi Can create container vulnerable items manually.
sn_vul_container.delete_vi Can delete manually created container vulnerable items.
sn_vul_container.exception_approver Approves exceptions, deferrals, and closures of container vulnerable items.

Contains sn_vul.view_manager_workspace role.

Starting with v2.3, the granular role, sn_vul_container.read_all, has been removed for this role so that you can access the container vulnerable items and remediation tasks assigned to you and your group instead of all the container vulnerable items and remediation tasks.
sn_vul_container.false_positive_approver Approves or rejects closing container vulnerable items as a false positive.

Contains the sn_vul.view_manager_workspace role.
sn_vul_container.manage_assignment_rules Defines and updates container vulnerable items assignment rules.
sn_vul_container.manage_auto_close_stale_vi Configure the auto-close stale container vulnerable items
sn_vul_container.manage_auto_exception_rule Manage (create/read/update/delete) exception rules
sn_vul_container.manage_normalized_severity Can update the mapping to normalize the severity.
sn_vul_container.manage_permissions Can assign container vulnerability response roles to users.
sn_vul_container.manage_remediation_targ… Defines and updates container remediation target rules.
sn_vul_container.manage_risk_score_confi... Defines and updates risk score Calculators, risk rules, and vulnerability Rollup Calculators for Container Vulnerable Items.
sn_vul_container.read_all Can view all container vulnerable items and related information.

Contains the sn_vul.view_manager_workspace role
sn_vul_container.read_assigned Can view container vulnerable items assigned to you or your groups either in the Classic UI or IT Remediation Workspace.

Contains the sn_vul.view_rem_workspace role.

Important: Starting with v24.0 of Vulnerability Response, the sn_vul_container.read_assigned role has the privilege to access the IT Remediation Workspace.
sn_vul_container.read_assignment_rules Can view container vulnerable items Assignment Rules.
sn_vul_container.read_auto_exception_rule Read Exception rules
sn_vul_container.read_discovered_image Can view discovered items.
sn_vul_container.read_integrations Can view results from integration runs.
sn_vul_container.read_normalized_severity Can view the normalized severity mapping.
sn_vul_container.read_remediation_target... Can view Remediation Target Rules.
sn_vul_container.read_risk_score_configu... Can view risk score calculators, risk rules, and vulnerability rollup calculators for Container Vulnerable Items.
sn_vul_container.remediation_owner Reads and writes container vulnerable items assigned to them. Vulnerability records are also readable by a user with this role.
sn_vul_container.update_assigned_to

Can update assignment of container vulnerable items.

Requires sn_vul_container.write_all or sn_vul_container.write_assigned.
sn_vul_container.update_assignment_group

Can update assignment group for container vulnerable items.

Requires sn_vul_container.write_all or sn_vul_container.write_assigned.
sn_vul_container.update_state

Can update states of vulnerable items.

Requires sn_vul_container.write_all or sn_vul_container.write_assigned.
sn_vul_container.vulnerability_admin Configures all rules, integrations, and so on for the Container Vulnerability Response product.
sn_vul_container.vulnerability_analyst Monitors remediation of all container vulnerable items.
sn_vul_container.write_all Can update all container vulnerable items and remediation tasks.
sn_vul_container.write_assigned Can update container vulnerable items or remediation tasks assigned to me or my groups.
sn_vul_container.read_watch_topic Can read Watch Topics for container vulnerabilities.
sn_vul_container.create_watch_topic Can create Watch Topics for container vulnerabilities.
sn_vul_container.edit_watch_topic Can edit Watch Topics for container vulnerabilities.
sn_vul_container.manage_exception_configuration Can manage exception management configurations.

Tables installed with Container Vulnerability Response

Tables are added with activation of Container Vulnerability Response (CVR).

TableDescription
Container image finding

sn_vul_container_image_findings

 Stores information on the associated vulnerabilities, image layer, docker image,image repository, and discovered image.

Starting with v2.11.3 of Container Vulnerability Response, you can also view the path where the finding is shown.
Container Image Layer

sn_vul_container_image_layer

 Contains the information of each image layer. An image is a static file with executable code that can create a container on a computing system.
Container Image Package

sn_vul_container_image_package

 Provides information about the packages where the vulnerabilities exist. The Binary package details are also provided as a comma-separated value.

Starting with v2.11.3 of Container Vulnerability Response, you can also view the package URL (PURL).
Container vulnerable item

sn_vul_container_image_vulnerable_item

 Contains details of each finding and the corresponding vulnerability.

Starting with v2.11.3 of Container Vulnerability Response, you can also view information on the last scan date of an image running as a container.
Vulnerability Entry (v2.11.3)

sn_vul_entry

 Provides information on the severity of a CVE and any additional information sent by Prisma.
Discovered container image

sn_vul_container_image

 Provides information on the image ID, Docker image, and the image repository. It also stores the layer information and associates it with the discovered image.

Starting with v2.11.3 of Container Vulnerability Response, it also provides information on Image digest of a docker image and last scan date of an image running as a container and a registry.
Finding Mappings

sn_vul_container_finding_m2m_vul_item

 M2M relationship of the container image findings and the container vulnerable items (CVITs).
Auto-close Vulnerable Items

sn_vul_container_image_auto_close_config

 Contains the information on how to close the stale container image findings and roll up the state to the CVITs.
Container Image Vulnerability Keys

sn_vul_container_image_vulnerability_keys

 Contains the granularity configuration for creation of CVITs from the container image findings.
Docker Related Services

sn_vul_container_m2m_ci_services

 Contains all the business services related with a container image.
VR Container Counts

sn_vul_container_vr_container_counts

 Contains the rolling average of container instances spun off from a container image over the last 90 days.
Container Remediation Task Item

sn_vul_container_m2m_vul_group_item

 M2M table between CVIT and container remediation tasks.
Container Remediation Task

sn_vul_container_vulnerability

 Contains container remediation tasks.
Container Remediation Task Manifest

sn_vul_container_rt_manifest

 Any updates on remediation task will be done by using this manifest table by scheduled jobs.

Scheduled jobs installed with Container Vulnerability Response

Scheduled jobs are added with activation of Container Vulnerability Response.

Note: The Application Files table lists the components that are installed with this application. For instructions on how to access this table, see Find components installed with an application.

Demo data is available for this feature.

Scheduled jobDescription
Associate existing Container VIs with Auto Exception Rule Automatically associates the Auto Exception Rule with existing container vulnerable items (CVITs).
Check Container Vulnerable Item Deferment Expiration Sends notifications if container vulnerable items or container vulnerabilities have expired (and if they expire in one week).
Vulnerability Response Container Count (Application - Vulnerability Response and Configuration Compliance for Containers) Runs daily to populate the sn_vul_container_vr_container_counts table that calculates the 90-day rolling average for containers.
Auto-Close CVITs Automatically closes container vulnerability items that match the condition defined in the auto-close configuration. Their status is changed to 'fixed'.
Calculate Business Criticality for CVIT Processes all active CVITs and updates the Business Criticality field, based on the affected services of the docker image of the CVIT.
Close cancel CVITs that do not have a Docker Image associated Automatically expires CVITs that don’t have a CI associated with. Their state is set to Closed, and substate to Canceled.
Calculate Related VI Counts for Container Remediation Task Calculates the counts on Container Remediation Task records.
Rollup container vulnerable item values to vulnerability and group Calculates vulnerabilities and group roll ups for container vulnerable items.
Note: Starting with v2.10 of Container Vulnerability Response, the scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task.