Expected behavior and actual behavior:
It is not really clear what the exact purpose of CVE allowlists is, but I would expect that if I have "Prevent vulnerable images from running" enabled and I add all CVEs affecting the restriction to the allowlists, I could pull images from Harbor; however, this is not the case.
What the client sees on pull is this message:
error from registry: current image without vulnerability scanning cannot be pulled due to configured policy in 'Prevent images with vulnerability severity of "Critical" or higher from running.' To continue with pull, please contact your project administrator for help.
Steps to reproduce the problem:
Tested on a hub proxy to https://hub.docker.com
- Configure: Deployment security / Prevent vulnerable images from running: Critical
- Try to pull an image which has critical vulnerabilities present -> it cannot be pulled (expected)
- Add all Critical CVEs detected on the image to the allowlists (either project or system, no difference)
- Repeat the vulnerability scan (or do not repeat it, it makes no difference)
- Try to pull the image which has critical vulnerabilities present -> it cannot be pulled (not expected now)
- If you disable "Prevent vulnerable images from running", the user can pull the image
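To make the expected semantics of the steps above concrete, here is a small policy model written for this issue (an added example, not Harbor's code): the gate drops CVEs that are on an active project or system allowlist and only then compares the remaining findings against the configured severity threshold. The severity ranking, the merge of project and system allowlists, the allowlist expiry handling and the placeholder CVE ids are all assumptions or constructed data.

```python
"""Toy model of a "Prevent vulnerable images from running" gate.

Added example, not Harbor's code. It models the semantics the report
expects: CVEs on an active project or system allowlist are ignored before
the severity threshold is applied. Severity names, the merge of the two
allowlists and the sample CVE ids are assumptions / constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set

# Severity ranking; "Critical or higher" means rank >= rank("Critical").
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    severity: str


@dataclass
class Allowlist:
    cve_ids: Set[str]
    expires_at: Optional[datetime] = None  # None: never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class PullDecision:
    allowed: bool
    reason: str
    blocking: List[str]  # CVE ids that caused the block, if any


def effective_allowlist(project: Optional[Allowlist], system: Optional[Allowlist],
                        now: datetime) -> Set[str]:
    """Union of all allowlists that are still active (assumption: both apply)."""
    ids: Set[str] = set()
    for al in (project, system):
        if al is not None and al.is_active(now):
            ids |= al.cve_ids
    return ids


def evaluate_pull(report: Optional[Iterable[Vulnerability]], threshold: str,
                  project_allowlist: Optional[Allowlist] = None,
                  system_allowlist: Optional[Allowlist] = None,
                  now: Optional[datetime] = None) -> PullDecision:
    """Decide whether a pull may proceed.

    The allowlist is applied at pull time against the stored report, so a
    re-scan is not needed for a new allowlist entry to take effect.
    """
    now = now or datetime.now(timezone.utc)
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    if report is None:
        # A missing report blocks the pull, as the quoted error message indicates.
        return PullDecision(False, "no vulnerability scan report", [])
    cut = SEVERITY_ORDER.index(threshold)
    allowed_ids = effective_allowlist(project_allowlist, system_allowlist, now)
    blocking = sorted(
        v.cve_id for v in report
        if v.cve_id not in allowed_ids and SEVERITY_ORDER.index(v.severity) >= cut
    )
    if blocking:
        return PullDecision(False, f"{len(blocking)} CVE(s) at {threshold} or higher not allowlisted", blocking)
    return PullDecision(True, "every CVE at or above the threshold is allowlisted", [])


# Constructed sample scan report (placeholder CVE ids, not real findings).
SAMPLE_REPORT = [
    Vulnerability("CVE-0000-0001", "Critical"),
    Vulnerability("CVE-0000-0002", "Critical"),
    Vulnerability("CVE-0000-0003", "High"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def reproduce_steps() -> List[PullDecision]:
    """Walk the issue's steps with the outcome expected at each stage."""
    partial = Allowlist({"CVE-0000-0001"})
    full = Allowlist({"CVE-0000-0001", "CVE-0000-0002"})
    expired = Allowlist(set(full.cve_ids), expires_at=datetime(2024, 1, 1, tzinfo=timezone.utc))
    return [
        evaluate_pull(SAMPLE_REPORT, "Critical", now=NOW),                             # blocked
        evaluate_pull(SAMPLE_REPORT, "Critical", project_allowlist=partial, now=NOW),  # still blocked
        evaluate_pull(SAMPLE_REPORT, "Critical", system_allowlist=full, now=NOW),      # allowed
        evaluate_pull(SAMPLE_REPORT, "High", system_allowlist=full, now=NOW),          # blocked by the High CVE
        evaluate_pull(SAMPLE_REPORT, "Critical", project_allowlist=expired, now=NOW),  # expired list: blocked
        evaluate_pull(None, "Critical", system_allowlist=full, now=NOW),               # unscanned: blocked
    ]


if __name__ == "__main__":
    for d in reproduce_steps():
        print("ALLOW" if d.allowed else "BLOCK", d.reason, d.blocking)
```

The model separates the scan report (what the scanner found) from the allowlist (what the administrator accepts), which is why step "repeat the vulnerability scan" should not change the outcome: the exclusion happens when the pull is evaluated, not when the report is produced. It also shows the two cases that legitimately keep a pull blocked even with a complete allowlist: an expired allowlist and an artifact with no scan report at all.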
Versions:
Please specify the versions of the following systems.
- harbor version: [v2.14.4]
- docker engine version: [29.1.3]
- docker-compose version: [2.40.3]