Update Vulnerability Advisor to version 4 by 19 June 2023
The Vulnerability Advisor component of IBM Cloud® Container Registry is being updated. From 19 June 2023, Vulnerability Advisor version 3 will be replaced as the default by Vulnerability Advisor version 4.
Vulnerability Advisor version 3 is being deprecated as the default on 19 June 2023. From 19 June 2023, the default will be Vulnerability Advisor version 4. If you have version 3 set as the default, you can continue to use version 3 until the end of support date. An end of support date is not available yet.
What you need to know about this change
If you use the IBM Cloud console to access Vulnerability Advisor, no action is required. The IBM Cloud console is automatically updated to Vulnerability Advisor version 4.
If you use the IBM Cloud CLI and you want to use version 4 as the default, you must update the Container Registry CLI plug-in to version 1.0.0, or later, by 19 June 2023. Updating the Container Registry CLI plug-in to 1.0.0, or later, enables
the ibmcloud cr va
command and the --va
option on the ibmcloud cr images
and ibmcloud cr digests
commands to work with Vulnerability Advisor version 4.
On 19 June 2023, when the default changes to Vulnerability Advisor version 4, the Container Registry CLI automatically starts to use this version unless the ibmcloud cr va-version-set v3
command was run, in which case Vulnerability
Advisor version 3 continues to be used. You can use the ibmcloud cr va-version
command to determine which Vulnerability Advisor version is in use and the ibmcloud cr va-version-set v4
command to switch to Vulnerability
Advisor version 4. When Vulnerability Advisor version 3 reaches its end of support date, any Container Registry CLI commands that access Vulnerability Advisor version 3 cease to work. An end of support date is not available yet.
If you use the Vulnerability Advisor REST API to access Vulnerability Advisor, you must update your client call from /va/api/v3
APIs to /va/api/v4
APIs.
If you use one of the Vulnerability Advisor version 3 SDKs to access Vulnerability Advisor, you must update to the Vulnerability Advisor version 4 SDK.
Any exemptions that you previously defined continue to work. However, the security notice value that comes back in Vulnerability Advisor version 4 might not be the same as for Vulnerability Advisor version 3 because different sources of data are used. Therefore, if the returned value isn't the same as for Vulnerability Advisor version 3, you might have to update any existing exemptions that specify a security notice. Red Hat® security notices are unaffected. Exemptions that are defined by CVE value are also unaffected.
Differences in Vulnerability Advisor version 4 behavior are documented in About Vulnerability Advisor.
What actions you must take by 19 June 2023
You can choose whether to update to use version 4, the default, or to continue to use version 3, which is deprecated.
-
If you want to use Vulnerability Advisor version 4 as the default, update the following items as described in What you need to know about this change:
-
The Container Registry CLI plug-in and, if you have explicitly run the
ibmcloud cr va-version-set v3
command previously, run the following command.ibmcloud cr va-version-set v4
-
Any code that calls Vulnerability Advisor version 3 either through the API or through the SDK.
-
You might have to update any existing exemptions that specify a security notice.
-
-
If you want to continue to use Vulnerability Advisor version 3, run the following command:
ibmcloud cr va-version-set v3
Original announcement
The original announcement was published on 19 May 2023.