A scanner in an unhealthy state disables "prevent vulnerable images from running" #22143
Description
Description
-
Problem : scanned vulnerabilities are ignored when pulling if the scanner is unhealthy
-
Desired behaviour :
- high priority : pulling should use the cached scan report to prevent vulnerable images from running, even if the scanner is currently unhealthy.
- medium priority : the cached vulnerability report should still display even if the scanner is unhealthy
- Rationale for the change : allowing vulnerable images to be pulled by servers just because the scanner is unhealthy is a security risk
Steps to reproduce
- install harbor (tested with 2.12.1 offline installer)
- configure an external scanner
- push an image with a known vulnerabilty >= Low
- scan the image, vulnerabilities are shown in the report
- set option "prevent vulnerable images from running" to "Low or above"
- try to pull the image = pull fails due to security option
- stop the external scanner (poweroff, disconnect, etc..)
- wait for the scanner to become unhealthy
- repo image does not show vulnerability report --> see desired behaviour 2)
- try to pull the image = pull succeeds --> see desired behaviour 1)