goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

image last pull time updated by image scan though global option set not to do so #20084

Open alexanderdalloz opened 6 months ago

alexanderdalloz commented 6 months ago

If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior: In Harbor v2.9.1-5cbb1b01 under "Configuration" the option "Retain Image "last pull time" is checked. Thus if a scan is executed the pull time info of an image should not be updated. But it is.

Steps to reproduce the problem: Activate the configuration option, trigger an image scan and check the pull time info in the UI.

Versions: Harbor v2.9.1-5cbb1b01

Additional context: The scanner configured and used is the Palo Alto Prisma Cloud (twistlock).

Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:387]: {
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "uuid": "909daa99-6be3-11ed-9503-0242ac120006",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "name": "SYS02",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "description": "Prisma Cloud Console",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "url": "https://prisma-sys02.example.org/api/v1/harbor/secretcode",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "disabled": false,
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "is_default": true,
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "health": "healthy",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "auth": "",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "access_credential": "[HIDDEN]",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "skip_certVerify": false,
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "use_internal_addr": false,
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "adapter": "PCC Vulnerability Scanner",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "vendor": "Palo Alto Networks",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "version": "31.01.123",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "create_time": "2022-11-24T10:34:24.636047Z",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "update_time": "2022-11-24T10:34:24.636048Z"
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: }
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:387]: {
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "registry": {
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "url": "https://registry-sys02.example.org",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "authorization": "[HIDDEN]"
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   },
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   "artifact": {
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "namespace_id": 497,
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "repository": "processmining/imagename",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "tag": "0.0.30",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "digest": "sha256:b72e4c64d6f631e2e04b57ddc5d14c964a44f3bfc1f6ab1aee6d417f074ee05d",
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "mime_type": "application/vnd.docker.distribution.manifest.v2+json"
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:   }
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: }
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:167]: Report mime types: [application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0 application/vnd.security.vulnerability.report; version=1.1]
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:224]: Get report for mime type: application/vnd.security.vulnerability.report; version=1.1
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:224]: Get report for mime type: application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0
Mar  4 11:58:11 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:11Z [INFO] [/pkg/scan/postprocessors/report_converters.go:153]: 1 vulnerabilities' severity changed
Mar  4 11:58:11 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:11Z [INFO] [/pkg/scan/postprocessors/report_converters.go:196][report="3a431dee-eebf-4a48-978a-a99cc0efeb6b" scanner="909daa99-6be3-11ed-9503-0242ac120006" vulnerabilityRecords="883"]: Converted vulnerability records to the new schema
Mar  4 11:58:12 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:12Z [INFO] [/pkg/scan/postprocessors/report_converters.go:196][report="3dbea834-6863-401f-ba58-48e50ef0f4e1" scanner="909daa99-6be3-11ed-9503-0242ac120006" vulnerabilityRecords="883"]: Converted vulnerability records to the new schema
Mar  4 11:58:12 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:12Z [INFO] [/jobservice/runner/redis.go:152]: Job 'IMAGE_SCAN:7d9fd3d11debf22075ab1fa4' exit with success

harbor_sys02=> select * from properties where k = 'scanner_skip_update_pulltime';
 id |              k               |  v
----+------------------------------+------
 39 | scanner_skip_update_pulltime | true
(1 row)

harbor_sys02=> select pull_time from artifact where repository_name = 'processmining/imagename';
         pull_time
----------------------------
 2024-03-04 10:58:09.189116
(1 row)

alexanderdalloz commented 6 months ago

In the core.log I see

Mar  4 11:58:14 172.18.0.1 core[342063]: 2024-03-04T10:58:14Z [INFO] [/pkg/task/dao/execution.go:471]: scanned out 1 executions with outdate status, refresh status to db
Mar  4 11:58:14 172.18.0.1 core[342063]: 2024-03-04T10:58:14Z [INFO] [/pkg/task/dao/execution.go:512]: refresh outdate execution status done, 1 succeed, 0 failed

but no log line with [INFO] [/lib/config/userconfig.go:255]: skip_update_pull_time:true by that time. Though core.log contains lots of these messages (as addressed in https://github.com/goharbor/harbor/issues/19795).
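
An operator-side way to confirm the behaviour reported above, as an added example that is not part of the original thread or of Harbor's code: it derives each scan job's time window from jobservice log lines and reports whether `artifact.pull_time` falls inside one while `scanner_skip_update_pulltime` is `true`. The sample log is shortened from the report; the function names are hypothetical, and it assumes scan jobs are not interleaved in the log and that `pull_time` is stored in UTC.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three jobservice lines shortened from the report in this thread.
# Assumption: the log holds one scan job at a time (no interleaved workers).
SAMPLE_LOG = """\
Mar  4 11:58:08 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:08Z [INFO] [/pkg/scan/job.go:387]: {
Mar  4 11:58:08 172.18.0.1 jobservice[342063]:     "repository": "processmining/imagename",
Mar  4 11:58:12 172.18.0.1 jobservice[342063]: 2024-03-04T10:58:12Z [INFO] [/jobservice/runner/redis.go:152]: Job 'IMAGE_SCAN:7d9fd3d11debf22075ab1fa4' exit with success
"""

TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \[INFO\]")
REPO = re.compile(r'"repository":\s*"([^"]+)"')
DONE = re.compile(r"Job 'IMAGE_SCAN:[0-9a-f]+' exit with success")

def scan_windows(log_text):
    """Return [(repository, start, end)] for each completed IMAGE_SCAN job."""
    windows, start, repo = [], None, None
    for line in log_text.splitlines():
        m = TS.search(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None
        if ts and "/pkg/scan/job.go" in line and start is None:
            start = ts                      # first scan-job line opens the window
        r = REPO.search(line)
        if r:
            repo = r.group(1)               # repository named in the scan request
        if ts and DONE.search(line) and start and repo:
            windows.append((repo, start, ts))
            start, repo = None, None
    return windows

def retain_setting_violated(setting_v, pull_time, log_text, repo,
                            slack=timedelta(seconds=1)):
    """True if the retain option is on but pull_time lies inside a scan window."""
    if setting_v.strip().lower() != "true":
        return False                        # option off: scanner pulls may update it
    pt = datetime.fromisoformat(pull_time.strip())   # value as printed by psql
    return any(r == repo and s - slack <= pt <= e + slack
               for r, s, e in scan_windows(log_text))

if __name__ == "__main__":
    print(retain_setting_violated("true", "2024-03-04 10:58:09.189116",
                                  SAMPLE_LOG, "processmining/imagename"))
```
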

MinerYang commented 6 months ago

You could set Retain Image last pull time On Scanning on system configuration since 2.8

stonezdj commented 6 months ago

see https://github.com/goharbor/harbor/pull/17807

alexanderdalloz commented 6 months ago

Sorry, have you read through my report? I have clearly set the system configuration to retain the last image pull time on scanning. You need a screenshot?

harbor_sys02=> select * from properties where k = 'scanner_skip_update_pulltime';
 id |              k               |  v
----+------------------------------+------
 39 | scanner_skip_update_pulltime | true
(1 row)

Thought that would be enough to prove I have set it. I even stated that I see [INFO] [/lib/config/userconfig.go:255]: skip_update_pull_time:true messages in the core.log, just not for the case where I have explicitly noted that the pull time got modified by a scanner pull.

alexanderdalloz commented 6 months ago

@MinerYang or @stonezdj please reopen this issue or at least please explain to me what I am seeing different than you.

Vad1mo commented 5 months ago

Reopening the issue as @alexanderdalloz mentioned he has enabled the option Retain Image last pull time On Scanning, yet in some cases the pull time is updated.

ricardojdsilva87 commented 5 months ago

Hello, we also see that. We currently have the PrismaCloud scanner configured, which scans and pulls all images once a day for CVE scanning. Is there any extra configuration that might be added so that the pull can be ignored? Like it's mentioned on the settings for Trivy, some other configuration, like the account that is pulling, or even other settings. This would also help a lot in the definition of the cleanup policies for pull time, for example to delete images that are not pulled for x days.

Thanks!

github-actions[bot] commented 3 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] commented 2 months ago

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.