IBM BigFix Inventory: Content Release: Application Update 9.2.12 published 2018-06-26

IBM BigFix Inventory application update 9.2.12

This update contains features that extend software discovery and enhance license reporting. The key features include:

Reporting detailed hardware information
BigFix Inventory introduces a detailed hardware scan that allows you to retrieve detailed hardware information related to memory, operating systems, storage, processors, partitions, network adapters, SMBIOS data, IP addresses and logical processor capacity data.
Benefits: You can use the collected information to report and monitor hardware in your infrastructure. The new scan gives you a clear overview of your physical assets.

Preventing security threats with information about Common Vulnerabilities and Exposures (CVE) added to the software catalog
Common Vulnerabilities and Exposures (CVE) is a list of known security threats that are assigned identification numbers. BigFix Inventory uses CVE that is provided by the National Vulnerability Database to help you identify potential threats in your environment. In this release, BigFix Inventory presents initial integration with National Vulnerability Database as a preview feature.
Benefits: Thanks to the visibility of potentially vulnerable software, it is possible to identify and prevent potential threats.

Retrieving information about the discovered software component as specified in the Common Platform Enumeration (CPE) dictionary
Common Platform Enumeration is a standardized naming scheme for software. This information is available in REST API for integration scenarios. BigFix Inventory uses the CPE dictionary to match CVEs and indicate known vulnerabilities in software products.
Benefits: You can analyze and compare the CPEs based on the data feeds provided by BigFix Inventory with other sources, such as CVEs that are available in the National Vulnerability Database.

Enhancements to reporting end of support dates for selected software products
The end of support dates for selected IBM software products and components for which the information has been announced are now available on the Software Classification panel. Additionally, a new Predefined End of Support column indicates whether the end of support date was provided by IBM or was specified manually by a user.
Benefits: You can use information about end of support to easily define license demand for the future. You can also use it for security purposes, for example, to determine whether software installed on a computer that is under investigation is still supported or could be exposed to security vulnerabilities.

Using Review Lite script for extended discovery of Oracle databases
Review Lite is a standard script used by the Oracle auditors to control the number of Oracle licenses within a company. BigFix Inventory allows you to automatically run this script on all computers in your environment. The results are interpreted by BigFix Inventory which provides you with an overview of the report that you are required to deliver to the auditors.
Benefits: You can use BigFix Inventory to prepare for the Oracle audit and better understand the results of the Review Lite script.

Automatic scanning of remote shared disks
Until now, remote shared disks could only be scanned with a manual procedure. With the newest release of BigFix Inventory, you can optimize this process and set up automatic scans. As a result, a single computer is designated to scan a specific shared disk and discover the installed software. The data is then automatically populated to all computers on which the same shared disk is mounted.
Benefits: The process of scanning remote shared disks is simplified. You can easily set up and maintain scans and monitor license usage on your shared disks.

Security enhancements

  • Java upgrade which addresses the following CVEs: CVE-2018-2633, CVE-2018-2618, CVE-2018-2603, CVE-2018-2602, CVE-2018-2579, CVE-2018-1417.
  • Update of the Xerces library to version 3.2.1 on Linux to keep the scanner secure and reliable.

Support for new virtualization technologies

  • Power VM on Power9 on AIX, IBM i and Linux.
  • KVM on IBM Power8.
  • Management of Citrix Xen through VM manager.

Action to take:
To learn how to get the application update and deploy it as well as to view the full list of new features and APARs that were fixed in this application update, see:
During the upgrade, new versions of the software catalog and PVU table are uploaded. The versions that are uploaded are the newest ones that were available during the release of the application update to which you are upgrading.

BigFix Inventory Team
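
The announcement above says CPE names are used to match CVEs against discovered software. As an added illustration (not BigFix Inventory code and not part of the original post), this sketch parses CPE 2.3 formatted strings and matches inventoried components against a vulnerability feed. The matching is simplified to `*` wildcards and exact values, and every vendor, product and ID in it is a constructed placeholder.

```python
# Added example: simplified CPE 2.3 matching; all sample data is constructed.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(name):
    """Split a CPE 2.3 formatted string; a backslash escapes the next character."""
    fields, cur, i = [], "", 0
    while i < len(name):
        step = 2 if name[i] == "\\" and i + 1 < len(name) else 1
        if step == 1 and name[i] == ":":
            fields.append(cur)  # unescaped colon ends the current attribute
            cur = ""
        else:
            cur += name[i:i + step]
        i += step
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    return dict(zip(CPE_ATTRS, (f.lower() for f in fields[2:])))


def cpe_matches(pattern, target):
    """True if every attribute of `pattern` is '*' (ANY) or equals the target's."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[a] == "*" or p[a] == t[a] for a in CPE_ATTRS)


def vulnerable_components(inventory, feed):
    """Map each inventoried CPE to the sorted IDs of feed entries that match it."""
    hits = {}
    for cpe in inventory:
        ids = sorted(cve for cve, patterns in feed.items()
                     if any(cpe_matches(p, cpe) for p in patterns))
        if ids:
            hits[cpe] = ids
    return hits


# Constructed inventory and vulnerability feed (placeholder IDs, not real CVEs).
INVENTORY = [
    "cpe:2.3:a:examplecorp:widget_server:4.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widget_server:4.1.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:report\\:tool:1.0:*:*:*:*:linux:*:*",
]
FEED = {
    "CVE-EXAMPLE-0001": ["cpe:2.3:a:examplecorp:widget_server:4.1.0:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0002": ["cpe:2.3:a:examplecorp:report\\:tool:*:*:*:*:*:*:*:*"],
}
```

Calling `vulnerable_components(INVENTORY, FEED)` flags the 4.1.0 install and the escaped-colon product, and leaves the 4.1.1 install unflagged because the feed entry pins an exact version.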

Question in reference to the fixlets SQL 2016 notice:

Lack of support for MS SQL 2016 or higher!
IBM BigFix Inventory supports MS SQL up to version 2014. Using MS SQL 2016 or higher can cause serious loss of data that can significantly impact license auditing capabilities of BigFix Inventory.

We’ve been running our BFI on SQL 2016 since we first installed 9.2.9 in October 2017, and are now at 9.2.11.

We do not use the license auditing capabilities, so could one surmise that we are at less risk? Is there any benefit to reducing our SQL compatibility on the database from 2016 to 2014 until such time as SQL 2016 is supported?

That’s a problem for me too, I’ve been running BFI on SQL 2016 up to now.

I have no interest in standing up a downlevel SQL server (along with licensing it) to support BFI; my shared SQL infrastructure is at SQL 2016.

Is there an estimate on when BFI will support SQL 2016? Any specific limitations and workarounds to keep in mind if we stay on SQL 2016 with BFI?

Looks like we are on our own. I guess I’ll continue to upgrade as I have been and hope I don’t run into an issue…and wait for the update which includes SQL 2016 support.

UPDATE: PMR TS001121127
Q: We just want to understand the risk of upgrading to 9.2.12 if we do not use the license auditing capabilities feature.
A: Please do NOT upgrade. If you upgrade to 9.2.12 the application will no longer be operational (to prevent further data loss).

Q: We would like an estimated time when SQL 2016 will be supported.
A: We are planning to support SQL 2016 this year (current plan - Q3, however it may change).

Yikes. I’m in the middle of trying to convince my management to use more BFI instead of deploying a competing product. This doesn’t help my case.

I can say it works fine with 9.2.11. Should not be too bad to use that and hope 9.2.13 will be out in Q3 and support SQL 2016. I gather you could also drop down to SQL 2014 compatibility mode…

I’m standing fast… and will wait for the SQL 2016 support.

I am also staying below 9.2.12 for now - but the auto management of remote filesystem scans in 9.2.12 makes me wish I could upgrade.

In 9.2.12, I can see the “Vulnerability Risk (Preview)” column that lists CVE information: https:/url/sam/catalog/software_components

Will it no longer be a Preview in the next release, allowing us to sort and filter by CVE / Have a Report that starts from the CVE perspective?

I agree. Having the ability to filter/sort in the application interface is pretty useful.

Currently, the CVE data is only visible in the Software Components reports. So, as another improvement, I’d like to see the CVE data presented in Software Installations reports as well. This should be possible since Signatures are connected to the Component and the Computer.

FYI - IBM has version 9.2.13 in the Beta BFI environment right now, and the Vulnerability Risk is still in Preview.

Can anybody give more details about this improvement?
I am testing out the new version and I am not able to see the new data when I run a hardware report in BFI.

@fermt - this data is only available through the API.

Detailed hardware scan collects additional information about your hardware. The scan uses the same scanner technology as capacity scan. However, detailed hardware scan has a much broader spectrum and retrieves more hardware attributes. These details are not required to report license metrics. They can be used to monitor your hardware inventory or manage your assets. You can only retrieve the results of the detailed hardware scan through API.

See REST API for retrieving detailed hardware information (v2)

Procedure: Collecting detailed hardware scan information