CVEs remain in Triage in Air-Gapped Tanzu Hub Environments
Article ID: 434606

Products

VMware Tanzu Platform Core

Issue/Introduction

In air-gapped or restricted network environments, the Tanzu Hub portal may display a large number of critical Common Vulnerabilities and Exposures (CVEs) stuck in the "in_triage" state.

Even when users apply filters for "Not Affected" or "False Positive," these critical CVEs persist in the Triage view and do not transition to a final state.

Environment

VMware Tanzu Platform - Hub 10.x

Cause

Tanzu Hub's vulnerability scanner defaults all newly identified components to the "in_triage" state in Tanzu Vulnerability Response.

To transition these CVEs to "Resolved" or "Not Affected," the scanner requires the latest vulnerability definition files (metadata) to match against the environment's Software Bill of Materials (SBOM).

In an air-gapped environment, the system cannot reach the Broadcom/Tanzu update servers to download these definition updates.

Without the latest definitions, the scanner cannot verify whether a released fix has been applied, so the vulnerabilities remain in the investigative "Triage" state.

Resolution

To resolve this, you must manually provide the latest vulnerability definitions to the air-gapped environment:

  1. Download Definitions: From a machine with internet access, log in to the Broadcom Support Portal and download the latest Tanzu Vulnerability Definition files.
  2. Transfer Files: Securely transfer the downloaded metadata files to your air-gapped Tanzu Hub control plane.
  3. Import Definitions: Follow the standard offline update procedure for your specific Tanzu Hub version to import the new definitions into the local vulnerability database.
  4. Trigger Scan: Once the definitions are updated, initiate a manual scan of the affected tiles (e.g., Extended App Support).
  5. Verify: Confirm that the CVEs transition from "in_triage" to their correct state (Resolved, Not Affected, or False Positive) based on the updated metadata.
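The following Python model illustrates the mechanism described under Cause and the check in step 5. It is an added example written for this article, not Tanzu Hub's code: the scanner logic, the state names as returned here, the component and definition records, the CVE identifiers (placeholders) and the 30-day staleness threshold are all assumptions. It shows why every finding stays in "in_triage" while the local definition database is empty, how findings settle into a final state once definitions that match the SBOM are present, and a simple age check a practitioner can run before a scan to confirm the imported definitions are current.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One entry from the environment's SBOM (constructed example data)."""
    name: str
    version: Tuple[int, ...]


@dataclass(frozen=True)
class Definition:
    """One vulnerability definition record (assumed shape, not Tanzu's format)."""
    cve: str
    component: str
    fixed_in: Optional[Tuple[int, ...]]  # None: no fixed release published yet
    published: date


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def triage_state(cve: str, component_name: str,
                 sbom: Dict[str, Component],
                 definitions: Dict[str, Definition]) -> str:
    """Decide the state of one scanner finding.

    Without a definition for the CVE there is nothing to match the SBOM
    against, so the finding has to stay in triage. This is the air-gapped
    situation the article describes.
    """
    definition = definitions.get(cve)
    if definition is None:
        return "in_triage"
    if definition.component != component_name:
        # Definition says a different component is affected: scanner mismatch.
        return "false_positive"
    component = sbom.get(component_name)
    if component is None:
        return "in_triage"  # component not in SBOM; cannot assess
    if definition.fixed_in is not None and component.version >= definition.fixed_in:
        return "resolved"  # released fix is already applied
    return "affected"


def summarize(findings: List[Tuple[str, str]],
              sbom: Dict[str, Component],
              definitions: Dict[str, Definition]) -> Dict[str, int]:
    """Count findings per state; this is what step 5 (Verify) checks."""
    return dict(Counter(triage_state(cve, name, sbom, definitions)
                        for cve, name in findings))


def definitions_are_stale(definitions: Dict[str, Definition],
                          today: date, max_age_days: int = 30) -> bool:
    """True when no definitions are loaded or the newest is older than the threshold."""
    if not definitions:
        return True
    newest = max(d.published for d in definitions.values())
    return (today - newest).days > max_age_days


# Constructed sample data: a two-component SBOM and four scanner findings.
SBOM = {c.name: c for c in [
    Component("openssl", parse_version("3.0.13")),
    Component("libxml2", parse_version("2.9.14")),
]}
FINDINGS = [
    ("CVE-PLACEHOLDER-1", "openssl"),
    ("CVE-PLACEHOLDER-2", "libxml2"),
    ("CVE-PLACEHOLDER-3", "openssl"),   # no definition available for this one
    ("CVE-PLACEHOLDER-4", "openssl"),   # definition names a different component
]
# Definitions as they would look after a successful offline import.
IMPORTED_DEFINITIONS = {d.cve: d for d in [
    Definition("CVE-PLACEHOLDER-1", "openssl", parse_version("3.0.12"), date(2024, 5, 20)),
    Definition("CVE-PLACEHOLDER-2", "libxml2", parse_version("2.10.0"), date(2024, 5, 18)),
    Definition("CVE-PLACEHOLDER-4", "zlib", parse_version("1.3.1"), date(2024, 5, 20)),
]}

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("before import, stale:", definitions_are_stale({}, today), summarize(FINDINGS, SBOM, {}))
    print("after import,  stale:", definitions_are_stale(IMPORTED_DEFINITIONS, today),
          summarize(FINDINGS, SBOM, IMPORTED_DEFINITIONS))
```

Before the import every finding reports "in_triage"; after it, only the finding with no definition remains there, which is the expected residue rather than a sign the import failed. Running the staleness check against the real import date before triggering the manual scan avoids re-running a scan against definitions that are already out of date.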


Additional Information

https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-hub/10-3/tnz-hub/vulnerabilities-airgap.html

https://knowledge.broadcom.com/external/article?articleNumber=429853