Private Locations image scan requirements

1 Introduction

This document is targeted at those responsible for security auditing on Customer sites.

BlazeMeter scans all images and components with each release and addresses identified vulnerabilities based on published Service Level Agreements (SLAs) and our internal Secure Software Development Lifecycle (SSDLC) Policy. Internal security auditors or Customer site personnel may conduct additional vulnerability scans and submit their findings to BlazeMeter. To facilitate the review and response to external scan results, specific submission requirements must be met. These requirements are detailed in this document.

To ensure that BlazeMeter engineering can review and address submitted scan results, adhere to the requirements outlined below.

2 Images

BlazeMeter accepts external scans only for the images of agents that are installed on your Private Location. Enable only the capabilities that you will actually use in the Private Locations settings.

Install the latest versions of the images before scanning the Private Locations.

To stay up to date on the latest released versions of images, subscribe to the RSS feed specified in the Enable RSS Subscription for Image Updates article.

You can check the version of the installed images on a Private Location agent by executing the following command from a command prompt on the Private Location agent host:

> sudo docker images

You can also use the BlazeMeter Private Location Image Versions API to obtain the list of images installed on a specific Private Location agent together with their exact version numbers.

Enable Auto Update to keep the agents of a Private Location on the latest Docker images. To check whether auto updates are enabled for a Private Location, call the following API (the closing quote after the URL was missing in the original command, and double quotes are required so that the shell expands the placeholders):

curl "https://a.blazemeter.com/api/v4/private-locations/${harborId}" --user "${api_key}:${api_secret}" | jq '.result.ships[].isAutoUpadate'

Scan reports must contain explicit version numbers; do not use labels such as "latest".
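The following script is an added example and is not BlazeMeter's own tooling. It parses the output of `sudo docker images --format '{{.Repository}} {{.Tag}} {{.Digest}}'` and separates images that are pinned to an explicit version from those that only carry a floating tag such as "latest" or "<none>", which cannot be named in a scan report. The repository prefix `blazemeter/` and the sample listing are assumptions made for the example; adjust the prefix to the registry namespace your agents actually pull from.

```python
"""Inventory the BlazeMeter images on a Private Location host.

Added example (not BlazeMeter's own tooling). It parses the output of
`sudo docker images --format '{{.Repository}} {{.Tag}} {{.Digest}}'` and
separates images pinned to an explicit version from those that only carry
a floating tag such as "latest", which cannot be named in a scan report.
"""
import subprocess
from typing import Dict, List, Tuple

# Assumption for this example: agent images live under this repository
# namespace. Adjust it to the registry/namespace your agents pull from.
IMAGE_PREFIX = "blazemeter/"

# Tags that do not identify a release and must not appear in a report.
FLOATING_TAGS = {"latest", "<none>"}

DOCKER_FORMAT = "{{.Repository}} {{.Tag}} {{.Digest}}"


def parse_listing(listing: str) -> List[Tuple[str, str, str]]:
    """Turn `docker images` output lines into (repository, tag, digest)."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank line or something other than a --format row
        repo, tag, digest = parts
        if repo.startswith(IMAGE_PREFIX):
            rows.append((repo, tag, digest))
    return rows


def classify(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Split rows into reportable (pinned) and unreportable (floating) refs.

    Each ref is rendered as repository:tag@digest so a ticket can quote
    both the human-readable version and the immutable content digest.
    """
    report: Dict[str, List[str]] = {"pinned": [], "floating": []}
    for repo, tag, digest in rows:
        bucket = "floating" if tag in FLOATING_TAGS else "pinned"
        report[bucket].append(f"{repo}:{tag}@{digest}")
    return report


def live_listing() -> str:
    """Run docker on the agent host; needs root or docker group membership."""
    result = subprocess.run(
        ["sudo", "docker", "images", "--format", DOCKER_FORMAT],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample output (digests shortened); not captured from a real host.
SAMPLE_LISTING = """\
blazemeter/crane 2.6.42 sha256:1111
blazemeter/taurus-cloud latest sha256:2222
ubuntu 22.04 sha256:3333
blazemeter/proxy-recorder <none> <none>
"""


if __name__ == "__main__":
    # Replace SAMPLE_LISTING with live_listing() on the agent host.
    report = classify(parse_listing(SAMPLE_LISTING))
    for ref in report["pinned"]:
        print("OK    ", ref)
    for ref in report["floating"]:
        print("REPIN ", ref)
```

Run it on the agent host with `live_listing()` in place of the constructed sample; any image that lands in the "floating" bucket should be re-pulled with an explicit tag before you scan, otherwise the resulting report cannot be matched to a release.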

3 Image version support and backwards compatibility

Image components are supported for the latest dot (patch) version, the two previous dot versions, and any dot version released within the past two months. BlazeMeter also maintains backward compatibility for these versions.

For example, if the current version is 2.6.42, then versions 2.6.42, 2.6.41, and 2.6.40 are supported. If version 2.6.39 was released within the last two months, it is also supported. The same rule applies across a minor-version update: if 2.7.1 follows 2.6.42, then versions 2.7.1, 2.6.42, and 2.6.41 are supported, plus any older version released within the last two months.
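The support rule above, encoded as an added example (not BlazeMeter's own code) so that you can check whether an installed image version is still inside the support window before submitting a scan. The release history and dates are constructed for illustration and are not BlazeMeter's release schedule; "two months" is interpreted as the same day of the month two months earlier, which is an assumption.

```python
"""Compute which image versions are inside the support window.

Added example; not BlazeMeter's own code. Rule: the latest dot version,
the two previous dot versions, and any dot version released within the
past two months are supported.
"""
import calendar
from datetime import date
from typing import List, Tuple

PREVIOUS_VERSIONS_KEPT = 2


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key so that 2.6.42 sorts after 2.6.9 and 2.7.1 after both."""
    return tuple(int(part) for part in version.split("."))


def two_months_before(day: date) -> date:
    """Same day of the month two months earlier, clamped to the month length.

    Assumption: this is how "two months" is counted; the page does not say.
    """
    month, year = day.month - 2, day.year
    if month < 1:
        month, year = month + 12, year - 1
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last))


def supported_versions(releases: List[Tuple[str, date]], today: date) -> List[str]:
    """Return the supported versions, newest first.

    releases: (version, release_date) pairs for every published version.
    """
    ordered = sorted(releases, key=lambda r: version_key(r[0]), reverse=True)
    # The latest version plus the two previous ones are always supported.
    supported = [v for v, _ in ordered[: PREVIOUS_VERSIONS_KEPT + 1]]
    # Anything older stays supported only while it is under two months old.
    cutoff = two_months_before(today)
    supported += [
        v for v, released in ordered[PREVIOUS_VERSIONS_KEPT + 1:]
        if released >= cutoff
    ]
    return supported


def is_supported(version: str, releases: List[Tuple[str, date]], today: date) -> bool:
    return version in supported_versions(releases, today)


# Constructed release history; dates are illustrative, not BlazeMeter's.
RELEASES = [
    ("2.6.39", date(2024, 3, 1)),
    ("2.6.40", date(2024, 3, 20)),
    ("2.6.41", date(2024, 4, 5)),
    ("2.6.42", date(2024, 4, 20)),
]

if __name__ == "__main__":
    # 2.6.39 is still inside the two-month window on 2024-04-25.
    print(supported_versions(RELEASES, date(2024, 4, 25)))
    # After a minor-version bump only 2.7.1, 2.6.42 and 2.6.41 remain.
    print(supported_versions(RELEASES + [("2.7.1", date(2024, 5, 10))], date(2024, 6, 1)))
```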

4 BlazeMeter Docker image content

BlazeMeter's Docker images are based on the Ubuntu and Alpine Linux distributions. Configure Palo Alto Prisma Cloud (or whichever scanner you use) for the base distribution of each image; a scanner that matches packages against the wrong distribution's advisory feed produces misleading findings.

The components and their base Linux distributions are:

Component                              Base distribution
Crane                                  Alpine
charmander                             Ubuntu
taurus-cloud (v4)                      Ubuntu
proxy-recorder                         Alpine
apm-image (apm)                        Alpine
service-mock (Service Virtualization)  Alpine

5 Submitting scan results to BlazeMeter engineering

You can use your own scanning solution to evaluate the images you consume and report the CVEs it finds. To report CVEs, open a support ticket with BlazeMeter support. The report must contain the following:

  • Explicit version numbers for every image scanned; do not use labels such as "latest".

  • A table of the identified CVEs that require remediation, sorted by severity. At minimum it must contain the image name and version, the affected component, the CVE number, and a description of the CVE. Most scanning software can export this table directly.

To submit reports on multiple images, you must open one ticket per image. If you submit one ticket for multiple images the ticket will be returned.
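The ticket format described above, as an added example that is not BlazeMeter's or Perforce's tooling. It takes scanner findings already mapped onto five fields (image, component, CVE, severity, description), rejects any image reference that is not pinned to an explicit tag, groups the findings so that each image yields one ticket body, and sorts each table by severity. The findings, CVE numbers, component names and the taurus-cloud tag are constructed placeholders, not real vulnerabilities in these images, and the example does not parse any particular scanner's native export format.

```python
"""Prepare per-image CVE tables for a BlazeMeter support ticket.

Added example; not BlazeMeter's or Perforce's tooling. Scanner output is
modelled as a flat list of findings with five fields. Map your scanner's
export (Prisma Cloud, Trivy, Grype, ...) onto those fields first.
"""
from collections import defaultdict
from typing import Dict, List

# Lower rank sorts first, so Critical findings head each table.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed placeholder findings: the CVE numbers, components and the
# taurus-cloud tag are invented for illustration; they are not real
# vulnerabilities in these images.
FINDINGS = [
    {"image": "blazemeter/crane:2.6.42", "component": "libexample 1.0.1-r0",
     "cve": "CVE-0000-0002", "severity": "High", "description": "placeholder"},
    {"image": "blazemeter/crane:2.6.42", "component": "libsample 3.2.0-r1",
     "cve": "CVE-0000-0001", "severity": "Critical", "description": "placeholder"},
    {"image": "blazemeter/taurus-cloud:4.0.1", "component": "pkg-placeholder 0.9",
     "cve": "CVE-0000-0003", "severity": "Medium", "description": "placeholder"},
    {"image": "blazemeter/crane:2.6.42", "component": "libexample 1.0.1-r0",
     "cve": "CVE-0000-0004", "severity": "Low", "description": "placeholder"},
]


def explicit_tag(image_ref: str) -> str:
    """Return the version tag of image_ref; reject refs without an explicit one."""
    _, sep, tag = image_ref.rpartition(":")
    # No ':' at all, or the only ':' belongs to a registry port (tag has a '/').
    if not sep or "/" in tag or tag in ("", "latest"):
        raise ValueError(f"{image_ref!r} is not pinned to an explicit version")
    return tag


def group_by_image(findings: List[dict]) -> Dict[str, List[dict]]:
    """One entry per image (one ticket each); rows sorted by severity, then CVE."""
    tickets: Dict[str, List[dict]] = defaultdict(list)
    for f in findings:
        explicit_tag(f["image"])  # fail early on "latest" or untagged refs
        if f["severity"].lower() not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} for {f['cve']}")
        tickets[f["image"]].append(f)
    for rows in tickets.values():
        rows.sort(key=lambda f: (SEVERITY_RANK[f["severity"].lower()], f["cve"]))
    return dict(tickets)


def render_ticket(image: str, rows: List[dict]) -> str:
    """Plain-text table for one ticket body."""
    lines = [f"Image: {image} (version {explicit_tag(image)})", "",
             "Severity | Component | CVE | Description"]
    lines += [
        f"{r['severity'].capitalize()} | {r['component']} | {r['cve']} | {r['description']}"
        for r in rows
    ]
    return "\n".join(lines) + "\n"


def build_tickets(findings: List[dict]) -> Dict[str, str]:
    """Map each image to the text you paste into its own support ticket."""
    return {image: render_ticket(image, rows)
            for image, rows in group_by_image(findings).items()}


if __name__ == "__main__":
    for body in build_tickets(FINDINGS).values():
        print(body)
```

Because `build_tickets` returns one body per image, submitting one ticket per key keeps you within the one-ticket-per-image rule; a finding against an unpinned reference raises before anything is rendered, which is the point at which to re-pull the image with an explicit tag and rescan.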

6 Vulnerability remediation

Perforce uses Prisma to scan images and assesses the results to verify the severity of any detected vulnerabilities. Severity ratings may differ across scanning tools: another scanner might report a different severity level than the one published by Perforce. These discrepancies are expected because vulnerability databases and scoring methodologies vary between tools.

BlazeMeter uses Prisma as its primary scanning tool and its scoring methodology is based on that tool, so its assessment of a finding may differ from that of a customer using a different tool.

Critical and High severity CVEs are given the highest priority; Medium and Low severity CVEs are reviewed and prioritized according to business requirements.

Fix timelines for vulnerabilities in third-party components are determined by the respective third-party providers. While we do not control when fixes are made available, once a resolution is published, we will assess and prioritize the vulnerability for remediation based on its severity and impact.