Skip to content

Files

Latest commit

 

History

History
58 lines (48 loc) · 2.66 KB

java-image-scan-not-working.adoc

File metadata and controls

58 lines (48 loc) · 2.66 KB

Java image scanning not work with disconnected Clair

In {productname} 3.8, Java image scanning does not work in a disconnected Clair environment. It requires an active connection to the internet.

To resolve this issue, you must disable Java scanning from Clair, or connect to the internet.

Use the following procedure to disable Java scanning from Clair.

Procedure
  1. Check which SHA ID errors out by reaching out to the Maven indexer, for example:

    {"level":"warn","file":"spring-web/lib/jcip-annotations-1.0.jar","layer":"sha256:7072d1ca8cd39f2ae4fd36d5a5272e4564a06c92441bdf29185c312ff87432ee","component":"java/Scanner.Scan","version":"3","scanner":"java","manifest":"sha256:d2eed634032c3827bd36f8aae86ef6113d9f4763fbeb6ad041b1f2a3962b6b24","state":"ScanLayers","kind":"package","error":"Get \"https://search.maven.org/solrsearch/select?q=1%3A%22afba4942caaeaf46aab0b976afd57cc7c181467e%22&wt=json\": dial tcp 52.1.120.204:443: i/o timeout","time":"2023-02-08T10:46:59Z","message":"error making request"}
  2. Run the following command to reveal which image this SHA ID belongs to:

    quay=# SELECT t1.username AS namespace, t2.name AS repo_name, t4.content_checksum AS sha_digest FROM "user" AS t1 INNER JOIN repository AS t2 ON t1.id = t2.namespace_user_id INNER JOIN manifestblob AS t3 on t2.id = t3.repository_id INNER JOIN imagestorage AS t4 ON t3.blob_id = t4.id WHERE t4.content_checksum = 'sha256:0cea90e4778f9241c20421d8c97a8d182fd0fa51e6c84210dc4b57522fc901b8';
    Example output
    namespace | repo_name |                               sha_digest
    -----------+-----------+-------------------------------------------------------------------------
    redhat    | quay      | sha256:0cea90e4778f9241c20421d8c97a8d182fd0fa51e6c84210dc4b57522fc901b8
  3. Run the following command to find the base operating system of the image, assuming it is Java-based:

    $ podman run image:tag  /bin/bash -c "cat /etc/*release"
  4. There are no documented steps to stop the Maven indexer. Run the following command in a development or test cluster first, setting the API request to a page that returns a 404 so that it fails quickly:

    scanner:
      package:
        java:
          api: https://quay.github.io/clair404

    Replace the API with a known page that returns error 404. This should fail the Maven indexer and turn it off for that image.

Additional resources

For more information, see In disconnected Clair, java image scanning is not working.