Images can't be pulled while scan is "PENDING", including during daily scan #19486

funkypenguin · 2023-10-26T00:55:01Z

I previously reported this behavior in #15406, but the issue was close for being stale.

I'm sorry to say that the issue is still present under v2.9.0 (below)

If you are reporting a problem, please make sure the following information are provided:

Expected behavior and actual behavior:

When Harbor is configured to Prevent vulnerable images from running, images can' be pulled while a scan is pending.
When the daily vulnerability scan runs on a large collection of images (we have 200+, total 45GB), this results in a situation where images can't be pulled for 20-30 min while the daily scan runs, even though no new CVEs are necessarily detected.

Steps to reproduce the problem:

Configure Harbor registry with to Prevent vulnerable images from running.
Initiate global vulnerabliity scan
Observe that all images / digest status are now set to "Scanning..."
Try to pull an image in the "Pending" state
Receive an error like this:

Error response from daemon: unknown: current image with "Pending" status of vulnerability scanning cannot be pulled due to configured policy in 'Prevent images with vulnerability severity of "High" or higher from running.' To continue with pull, please contact your project administrator for help.

Versions:
Please specify the versions of following systems.

harbor version: 2.9.0
docker engine version: Kubernetes
docker-compose version: Kubernetes

Additional context:

Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
Log files: You can get them by package the /var/log/harbor/ .

The text was updated successfully, but these errors were encountered:

chlins · 2023-10-30T02:24:46Z

It may duplicate with #19385.

chlins · 2023-10-30T08:46:31Z

From a functional design perspective, the current behavior is as expected. However, I understand your scenario. When there is a daily scan and a large number of images exist, the scanning task often has a relatively high latency. This may result in a number of images that cannot be successfully pulled during this period. However, from a security perspective, Harbor cannot know if the image has vulnerabilities that do not meet expectations until the scanning is complete. Therefore, it cannot make a judgment on whether it can be pulled. However, from the principle of minimum security, the current behavior may be the safest, but it may not be user-friendly. Do you have any suggestions?

funkypenguin · 2023-10-30T09:27:40Z

How about another status for previously-scanned images, which doesn't block pulls? Pending could then indicate an image which has never been scanned, while (for example) Refreshing would indicate that a rescan was scheduled.

Another idea (IDK how functionally feasible this is) might be to avoid changing the vulnerability status of an image to Pending until its scan job actually starts, so it's only in an unknown state for as long as the scanner takes to actually perform the vulnerability scan...

abenabid · 2023-11-09T14:47:11Z

Hello,
I've noticed that when the scan task is added to the queue, the previous scan report is removed from the database.
IMO, the previous scan report is still legitimate, so it should bet kept in the database until the scanner finishes the scan successfully.
Can this solve the image pull issue ?

github-actions · 2024-01-09T09:03:33Z