Trivy container scans fail because of trying to download java-db in air gapped site

Article ID: 391881

Updated On: 03-25-2025

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

The Trivy container scanner relies on two databases: trivy-db and trivy-java-db.

For security reasons these files cannot be downloaded directly from the internet, so they were downloaded and applied manually.

In the opsman Harbor tile the option [x] Skip to update trivy CVE database was enabled.

This works for scans that only require trivy-db and not trivy-java-db. The problem occurs when images with Java content need to be scanned.

Trivy then tries to download the Java DB and ignores the local DB placed in "/var/vcap/store/harbor/trivy-adapter/trivy/java-db".

Looking at the Trivy settings inside Harbor, the following is present:

env.SCANNER_TRIVY_OFFLINE_SCAN: true
env.SCANNER_TRIVY_SKIP_UPDATE: true
env.SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE: false

These settings cannot be edited because they are set by the opsman deployment, and opsman appears to lack an option to skip the Java DB update.

From the release notes for Harbor 2.11.0:

---

Enhancements

The Harbor Registry Tile v2.11.0 release includes the following enhancements:

Enable configuration of skip_java_db_update

Environment

Harbor 2.11.0

Cause

The option is confirmed to be missing from the UI; a fix is pending in the next version of Harbor.

Resolution

Please note that the applied update is not persistent: applying changes on the Harbor tile will revert the workaround.

From Opsman/jumpbox:

Log in: bosh -d harbor-container-registry-ID ssh

sudo -i

Navigate to /var/vcap/packages/harbor-app/common/config:

cd /var/vcap/packages/harbor-app/common/config

Take a backup of the file and edit env:

vim env

The settings should look like below:

SCANNER_TRIVY_IGNORE_UNFIXED=False
SCANNER_TRIVY_SKIP_UPDATE=True
SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE=True
SCANNER_TRIVY_OFFLINE_SCAN=True

Once the change is applied, restart the Harbor service and verify that the setting took effect: in the Harbor UI navigate to Administration -> Interrogation Services -> Scanners -> trivy.

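The manual edit above can be scripted so it is repeatable after a tile apply reverts it. The following is an added example, not part of this article or of the Harbor tile: it backs up the env file, sets a key idempotently (replace or append), and checks that all three offline-scan settings hold. The file path, `demo_fix`, and the sample env content are assumptions for illustration.

```shell
#!/bin/sh
# Added example: idempotently set a KEY=VALUE line in Harbor's env file.
# Assumed path from the article: /var/vcap/packages/harbor-app/common/config/env

# set_env_kv FILE KEY VALUE
# Writes FILE.bak-<epoch> first, then replaces an existing "KEY=..." line
# or appends one. KEY/VALUE must not contain '|' (sed delimiter).
set_env_kv() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak-$(date +%s)"
    if grep -q "^${key}=" "$file"; then
        # sed -i differs between GNU and BSD; use a temp file instead
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_env_kv FILE KEY: prints the value of the first matching line (empty if absent)
get_env_kv() {
    grep "^${2}=" "$1" | head -n 1 | cut -d= -f2-
}

# check_trivy_offline FILE: succeeds only when the three settings an
# air-gapped Harbor needs are all set to True, as the article expects.
check_trivy_offline() {
    [ "$(get_env_kv "$1" SCANNER_TRIVY_SKIP_UPDATE)" = "True" ] &&
    [ "$(get_env_kv "$1" SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE)" = "True" ] &&
    [ "$(get_env_kv "$1" SCANNER_TRIVY_OFFLINE_SCAN)" = "True" ]
}

# demo_fix: constructed env file reproducing the article's broken state
# (Java DB update not skipped), then the fix. Prints the file path used.
demo_fix() {
    f="$(mktemp)"
    printf 'SCANNER_TRIVY_IGNORE_UNFIXED=False\nSCANNER_TRIVY_SKIP_UPDATE=True\n' > "$f"
    printf 'SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE=False\nSCANNER_TRIVY_OFFLINE_SCAN=True\n' >> "$f"
    check_trivy_offline "$f" && return 1   # must fail before the fix
    set_env_kv "$f" SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE True
    check_trivy_offline "$f" || return 1   # must pass after the fix
    echo "$f"
}
```

On the Harbor VM, `set_env_kv env SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE True` followed by `check_trivy_offline env` replaces the vim step; the service restart and UI check still apply.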

Additional Information