Add release notes for 11.36

After a few weeks off this is the next release

Signed-off-by: Tim Smith <[email protected]>

docs/cnspec/cli/cnspec.md

@@ -29,6 +29,7 @@ cnspec is a cloud-native security testing tool for your entire infrastructure
 - [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
 - [cnspec providers](cnspec_providers.md) - Providers add connectivity to all assets
 - [cnspec run](cnspec_run.md) - Run an MQL query
+- [cnspec scan](cnspec_scan.md) - Scan assets with one or more policies
 - [cnspec serve](cnspec_serve.md) - Start cnspec in background mode
 - [cnspec status](cnspec_status.md) - Verify access to Mondoo Platform
 - [cnspec vault](cnspec_vault.md) - Manage vault environments

docs/cnspec/cli/cnspec_scan.md

@@ -180,26 +180,23 @@ cnspec scan --inventory-file FILENAME
 ### Options
 
 ```
-      --annotation stringToString   Add an annotation to the asset. (default [])
-      --asset-name string           User-override for the asset name
-      --detect-cicd                 Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
-      --discover strings            Enable the discovery of nested assets. Supports: all,auto,container,container-images
-  -h, --help                        help for scan
-      --incognito                   Run in incognito mode. Do not report scan results to  Mondoo Platform.
-      --inventory-format-ansible    Set the inventory format to Ansible.
-      --inventory-format-domainlist Set the inventory format to domain list.
-      --inventory-file string       Set the path to the inventory file.
-  -j, --json                        Run the query and return the object in a JSON structure.
-  -o, --output string               Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
-      --output-target string        Set output target to which the asset report will be sent. Currently only supports AWS SQS topic URLs and local files
-      --platform-id string          Select a specific target asset by providing its platform ID.
-      --policy strings              Lists policies to execute. This requires --policy-bundle. You can pass multiple policies using --policy POLICY.
-  -f, --policy-bundle strings       Path to local policy file
-      --props stringToString        Custom values for properties (default [])
-      --record string               Record all resource calls and use resources in the recording
-      --score-threshold int         If any score falls below the threshold, exit 1.
-      --sudo                        Elevate privileges with sudo.
-      --use-recording string        Use a recording to inject resource data (read-only)
+      --annotation stringToString     Add an annotation to the asset. (default [])
+      --asset-name string             User-override for the asset name
+      --detect-cicd                   Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
+  -h, --help                          help for scan
+      --incognito                     Run in incognito mode. Do not report scan results to  Mondoo Platform.
+      --inventory-file string         Set the path to the inventory file.
+      --inventory-format-ansible      Set the inventory format to Ansible.
+      --inventory-format-domainlist   Set the inventory format to domain list.
+  -j, --json                          Run the query and return the object in a JSON structure.
+  -o, --output string                 Set output format: compact, csv, full, json, json-v1, json-v2, junit, report, summary, yaml, yaml-v1, yaml-v2 (default "compact")
+      --output-target string          Set output target to which the asset report will be sent. Currently only supports AWS SQS topic URLs and local files
+      --platform-id string            Select a specific target asset by providing its platform ID.
+      --policy strings                Lists policies to execute. This requires --policy-bundle. You can pass multiple policies using --policy POLICY.
+  -f, --policy-bundle strings         Path to local policy file
+      --props stringToString          Custom values for properties (default [])
+      --score-threshold int           If any score falls below the threshold, exit 1.
+      --trace-id string               Trace identifier
 ```
 
 ### Options inherited from parent commands

package.json

@@ -63,7 +63,7 @@
     "@types/react-helmet": "^6.1.11",
     "@types/react-router-dom": "^5.3.3",
     "prettier": "3.4.2",
-    "typescript": "^5.7.2"
+    "typescript": "^5.7.3"
   },
   "engines": {
     "node": ">=20.0"

releases/2025-01-07-mondoo-11.36-is-out.md

@@ -0,0 +1,98 @@
+---
+slug: mondoo-11.36-is-out/
+title: Mondoo 11.36 is out!
+description: Announcing the 11.36 release of Mondoo with Workspaces for adhoc asset organization, BAR, BAZ, and more!
+authors: [tim, chip]
+image: DEETS
+tags: [release, mondoo]
+---
+
+## 🥳 Mondoo 11.36 is out! This release includes FOO, BAR, BAZ, and more!
+
+Get this release: [Installation Docs](https://mondoo.com/docs/cnspec/) | [Package Downloads](https://releases.mondoo.com/cnspec/) | [Docker Container](https://hub.docker.com/r/mondoo/cnspec)
+
+---
+
+## 🎉 NEW FEATURES
+
+### Ad hoc asset organization with workspaces
+
+DEETS
+
+### Quick access to reports
+
+Quickly access compliance reports from the Reporting page in the navigation menu. Looking for more reports? Stay tuned for more updates in upcoming releases and if you're looking for something in particular let us know at [[email protected]](mailto:[email protected])!
+
+![Quick access to reports](/img/releases/2025-01-07-mondoo-11.36-is-out/reporting.png)
+
+## 🧹 IMPROVEMENTS
+
+### Optionally follow HTTP -> HTTPS redirects
+
+You now have additional control over how HTTP hosts are scanned in the `host` provider. By default cnquery/cnspec will no longer follow redirects from HTTP to HTTPS endpoints so you can inspect your HTTP configurations when specified. If you'd prefer to follow any redirects use the new `--follow-redirects` flag:
+
+DEETS from https://github.com/mondoohq/cnquery/pull/5011
+
+### Resource updates
+
+#### azure.subscriptions.defenderForContainers
+
+- Expose `Extensions` values
+
+#### azure.subscription.policy.assignment
+
+- New `parameters` field
+
+#### fstab
+
+- Update `options` field to be an array of options instead of a single string
+
+#### k8s.node
+
+- New `kubeletPort` field
+- New `nodeInfo` field
+- New `created` field
+
+#### microsoft.applications
+
+- Fetch all applications in large installations.
+
+### Improved CIS Benchmarks
+
+Sometimes the best changes are behind the scenes. This week we shipped reworked internal tooling we use to generate CIS benchmark policies. Not only will these changes allow us to bring you the latest and greatest policies more quickly in the future, they also allowed us to make a huge number of small improvements to existing policies:
+
+- New checks that were previously marked as requiring manual user validation
+- More clear and concise descriptions for each policy
+- Expanded check descriptions including rational behind the security concerns
+- New audit and remediation steps in many Linux distribution policies
+- Simplified MQL queries to improve readability
+- Additional platform version tags to improve searching for policies
+- Improve policy search results when searching for platform versions
+
+### Quickly find integrations
+
+Find the right integration with less scrolling. The add integration page now supports search based on integration categories in addition to integration names.
+
+![Integration filtering with a category](/img/releases/2025-01-07-mondoo-11.36-is-out/integration_filtering.png)
+
+## 🐛 BUG FIXES AND UPDATES
+
+- Display CVEs for Fedora 41 assets.
+- Fix a failure querying Microsoft 365 applications.
+- Correct the remediation steps in the BSI 'Ensure SSH Idle Timeout Interval is configured' check.
+- Add EOL dates for FreeBSD 14.2 and Alpine Linux 3.21.
+- Correct the EOL date for FreeBSD 14.1.
+- Update the Amazon Linux 2 EOL date, which has been extended to
+- Support EBS volume scanning of instances with LVM partitions.
+- Improve remediation step formatting in Mondoo VMware policies.
+- Open check remediation links in a new window or tab.
+- Fix display of score boxes on CVE and Advisory pages. https://github.com/mondoohq/console/pull/5336
+- Fix an `unknown-score-type` error when comparing semver data in checks.
+- Fix display of GitHub provider help.
+- Show the link to discovered assets on each integration page.
+- Add detection of the upcoming M4 MacBook Air/Pro models to asset overview information.
+- Add form validation to the MS Defender integration to ensure UIDs are correctly formatted.
+- Display platform icon for Nmap assets in affected asset tables.
+- Update Windows checks for the `RestrictSendingNTLMTraffic` registry entry to accept both Audit All and Deny All configurations.
+- Add a missing permission to the automated CLI Azure setup.
+- Show the platform in all cnspec scan results. Thanks for suggesting this [@DrackThor](https://github.com/DrackThor)

yarn.lock

@@ -3033,9 +3033,9 @@ braces@^3.0.3, braces@~3.0.2:
     fill-range "^7.1.1"
 
 browserslist@^4.0.0, browserslist@^4.18.1, browserslist@^4.23.0, browserslist@^4.23.1, browserslist@^4.23.3, browserslist@^4.24.0, browserslist@^4.24.3:
-  version "4.24.3"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.24.3.tgz#5fc2725ca8fb3c1432e13dac278c7cc103e026d2"
-  integrity sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==
+  version "4.24.4"
+  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.24.4.tgz#c6b2865a3f08bcb860a0e827389003b9fe686e4b"
+  integrity sha512-KDi1Ny1gSePi1vm0q4oxSF8b4DR44GF4BbmS2YdhPLOEqd8pDviZOGH/GsmRwoWJ2+5Lr085X7naowMwKHDG1A==
   dependencies:
     caniuse-lite "^1.0.30001688"
     electron-to-chromium "^1.5.73"
@@ -6803,7 +6803,7 @@ path-type@^4.0.0:
   resolved "https://registry.yarnpkg.com/path-type/-/path-type-4.0.0.tgz#84ed01c0a7ba380afe09d90a8c180dcd9d03043b"
   integrity sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==
 
-picocolors@^1.0.0, picocolors@^1.0.1, picocolors@^1.1.0, picocolors@^1.1.1:
+picocolors@^1.0.0, picocolors@^1.0.1, picocolors@^1.1.1:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.1.1.tgz#3d321af3eab939b083c8f929a1d12cda81c26b6b"
   integrity sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==
@@ -8666,10 +8666,10 @@ typedarray-to-buffer@^3.1.5:
   dependencies:
     is-typedarray "^1.0.0"
 
-typescript@^5.7.2:
-  version "5.7.2"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.7.2.tgz#3169cf8c4c8a828cde53ba9ecb3d2b1d5dd67be6"
-  integrity sha512-i5t66RHxDvVN40HfDd1PsEThGNnlMCMT3jMUuoh9/0TaqWevNontacunWyN02LA9/fIbEWlcHZcgTKb9QoaLfg==
+typescript@^5.7.3:
+  version "5.7.3"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.7.3.tgz#919b44a7dbb8583a9b856d162be24a54bf80073e"
+  integrity sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==
 
 undici-types@~6.20.0:
   version "6.20.0"
@@ -8780,12 +8780,12 @@ [email protected], unpipe@~1.0.0:
   integrity sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==
 
 update-browserslist-db@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.1.1.tgz#80846fba1d79e82547fb661f8d141e0945755fe5"
-  integrity sha512-R8UzCaa9Az+38REPiJ1tXlImTJXlVfgHZsglwBD/k6nj76ctsH1E3q4doGrukiLQd3sGQYu56r5+lo5r94l29A==
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.1.2.tgz#97e9c96ab0ae7bcac08e9ae5151d26e6bc6b5580"
+  integrity sha512-PPypAm5qvlD7XMZC3BujecnaOxwhrtoFR+Dqkk5Aa/6DssiH0ibKoketaj9w8LP7Bont1rYeoV5plxD7RTEPRg==
   dependencies:
     escalade "^3.2.0"
-    picocolors "^1.1.0"
+    picocolors "^1.1.1"
 
 update-notifier@^6.0.2:
   version "6.0.2"