Import Vulnerability Data to an Offline Harbor instance
Clair has been removed as the default vulnerability scanner in Harbor v2.2. It’s highly recommended that you configure Trivy as your default scanner instead. If you want to continue using Clair in v2.2 and later, you must configure it as an external scanner.
If Harbor is installed in an environment without an internet connection, Clair cannot fetch data from the public vulnerability database. In this case, the Harbor administrator must update the Clair database manually.
You have an instance of Clair that has an internet connection. If you have another instance of Harbor that has internet access, this also works.
Check whether your Clair instance has already updated its vulnerability database to the latest version.
Use docker ps to find out the container ID of the Clair service.
Run docker logs <container_id> to check the log of the Clair container. If you are using Harbor, you can find the latest Clair logs under /var/log/harbor/2017-xx-xx/clair.log.
The phrase finished fetching indicates that Clair has finished a round of vulnerability updates from an endpoint. Make sure all of the rhel, alpine, oracle, debian, and ubuntu endpoints are updated correctly. If they have not, wait for Clair to get the data.
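The check described above can be scripted. The following is an added example, not part of the Harbor documentation: it reads Clair log text on stdin and lists the endpoints that have not yet logged finished fetching. It assumes Clair writes JSON log lines that carry an "updater name" field; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which Clair updaters have not yet logged
# "finished fetching".
# Usage: docker logs <container_id> 2>&1 | missing_updaters
# Assumption: each Clair log line is JSON with an "updater name" field.

REQUIRED="rhel alpine oracle debian ubuntu"   # endpoints named on this page

# Reads log text on stdin and prints the updaters that are still missing,
# space separated. Prints nothing when every endpoint has finished.
missing_updaters() {
    log=$(cat)
    missing=""
    for name in $REQUIRED; do
        # A line counts only if it is a "finished fetching" event for this
        # updater; error events for the same updater do not count.
        if ! printf '%s\n' "$log" | grep -F '"finished fetching"' \
             | grep -Fq "\"updater name\":\"$name\""; then
            missing="${missing:+$missing }$name"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample log (not real output): four updaters finished and
# the ubuntu updater reported an error instead.
sample_log() {
cat <<'EOF'
{"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:45.890364","updater name":"rhel"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:46.112233","updater name":"alpine"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:220","Time":"2017-07-04 03:40:47.000001","updater name":"ubuntu"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:52.445566","updater name":"oracle"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:41:30.778899","updater name":"debian"}
EOF
}

# Demo on the constructed log; prints "still waiting on: ubuntu".
echo "still waiting on: $(sample_log | missing_updaters)"
```

An empty result means all five endpoints have finished and the database is ready to dump.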
Dump Vulnerability Data
Log in to the internet-connected host on which the Postgres database for Clair is running.
Dump Clair’s vulnerability database by running the following commands.
The container name clair-db is a placeholder for the database container used by the internet-connected instance of Clair.