Scanning prevents previously-safe versions images from being pulled while in a "pending" state

[funkypenguin]

Expected behavior and actual behavior:

An image in my registry, with no vulnerabilities, cannot be pulled from the registry while being (re)scanned.

We pull images from our registry often. We also run frequent scans of the registry. We've found that when an image (which has previously been scanned and found to have no vulnerabilities) is being scanned, it cannot be pulled from the registry due to its "pending" state

Before a scan is triggered:

root@cowboy:~# docker pull registry.myord.org/retort/tooling:latest
latest: Pulling from retort/tooling
Digest: sha256:96c722f565f65135b48908e8154737799b02324f3e964b06f4a7b1dbe2b22384
Status: Image is up to date for registry.myorg.org/retort/tooling:latest
registry.g3rg.org/retort/tooling:latest

During a scan:

root@cowboy:~# docker pull registry.myorg.org/retort/tooling:latest
Error response from daemon: unknown: current image with "Pending" status of vulnerability scanning cannot be pulled due to configured policy in 'Prevent images with vulnerability severity of "High" or higher from running.' To continue with pull, please contact your project administrator for help.
You have new mail in /var/mail/root
root@cowboy:~#

What I'd expect would be that an image's status would change only after being scanned, so that there would be no status transition on a previously-safe image, unless new vulnerabilities are detected as a result of the scan.

Steps to reproduce the problem:

1. Configure a project to prevent vulnerable images from running
2. Push an image into the project with no vulnerabilites
3. Allow the image to be scanned once to confirm no vulnerabilities
4. Pull the image from the registry to confirm
5. Trigger a scan of the image
6. While the scan is running, attempt to pull the image again and observe the failure due to the "Pending" state

Versions:
Please specify the versions of following systems.

• harbor version: 2.3.1

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[funkypenguin]

Not stale, still an issue

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[funkypenguin]

Still not stale, still a problem :)

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[funkypenguin]

Still a problem, still not stale..

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

[funkypenguin]

This is still a problem on the latest (v2.9.0), I now have a daily period of 20-30 min during which images can't be pulled because their scan state is "PENDING"