clair: unable to run updaters

[hbandi]

we are observing frequent errors on Clair logs and also Clair is not detecting any vulns its always showing 0 for all images.

{"level":"error","component":"libvuln/New","component":"libvuln/Libvuln/loopUpdaters","error":"updating errors:\n\talpine-main-v3.9-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.9/main.json\": http: serve
r gave HTTP response to HTTPS client\n\talpine-community-v3.7-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.7/community.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.8-updater:
 alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.8/main.json\": http: server gave HTTP response to HTTPS client\n\talpine-community-v3.4-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.
4/community.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.6-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.6/main.json\": http: server gave HTTP response to HTTPS client\n\talpi
ne-community-v3.11-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.11/community.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.3-updater: alpine: error making request: Get \"https
://secdb.alpinelinux.org/v3.3/main.json\": http: server gave HTTP response to HTTPS client\n\talpine-community-v3.10-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.10/community.json\": http: server gave HT
TP response to HTTPS client\n\talpine-community-v3.6-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.6/community.json\": http: server gave HTTP response to HTTPS client\n\tdebian-buster-updater: failed to r
etrieve OVAL database: Get \"https://www.debian.org/security/oval/oval-definitions-buster.xml\": http: server gave HTTP response to HTTPS client\n\tsuse-updater-suse.linux.enterprise.server.11: Get \"https://support.novell.com/security/
oval/suse.linux.enterprise.server.11.xml\": http: server gave HTTP response to HTTPS client\n\tsuse-updater-opensuse.leap.15.0: Get \"https://support.novell.com/security/oval/opensuse.leap.15.0.xml\": http: server gave HTTP response to
HTTPS client\n\talpine-main-v3.4-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.4/main.json\": http: server gave HTTP response to HTTPS client\n\tdebian-wheezy-updater: failed to retrieve OVAL database: Ge
t \"https://www.debian.org/security/oval/oval-definitions-wheezy.xml\": http: server gave HTTP response to HTTPS client\n\tdebian-stretch-updater: failed to retrieve OVAL database: Get \"https://www.debian.org/security/oval/oval-definit
ions-stretch.xml\": http: server gave HTTP response to HTTPS client\n\tsuse-updater-opensuse.leap.15.1: Get \"https://support.novell.com/security/oval/opensuse.leap.15.1.xml\": http: server gave HTTP response to HTTPS client\n\talpine-c
ommunity-v3.9-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.9/community.json\": http: server gave HTTP response to HTTPS client\n\tsuse-updater-suse.linux.enterprise.server.12: Get \"https://support.novel
l.com/security/oval/suse.linux.enterprise.server.12.xml\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.10-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.10/main.json\": http: server g
ave HTTP response to HTTPS client\n\taws-linux2-updater: failed to create client: failed to make request for linux2 mirrors: Get \"https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list\": http: server gave HTTP response to HTTPS
client\n\tdebian-jessie-updater: failed to retrieve OVAL database: Get \"https://www.debian.org/security/oval/oval-definitions-jessie.xml\": http: server gave HTTP response to HTTPS client\n\tphoton-updater-photon3: Get \"https://packag
es.vmware.com/photon/photon_oval_definitions/com.vmware.phsa-photon3.xml\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.7-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.7/main.json\":
 http: server gave HTTP response to HTTPS client\n\talpine-community-v3.3-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.3/community.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-v
3.12-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.12/main.json\": http: server gave HTTP response to HTTPS client\n\talpine-community-v3.5-updater: alpine: error making request: Get \"https://secdb.alpin
elinux.org/v3.5/community.json\": http: server gave HTTP response to HTTPS client\n\tphoton-updater-photon1: Get \"https://packages.vmware.com/photon/photon_oval_definitions/com.vmware.phsa-photon1.xml\": http: server gave HTTP response
 to HTTPS client\n\tphoton-updater-photon2: Get \"https://packages.vmware.com/photon/photon_oval_definitions/com.vmware.phsa-photon2.xml\": http: server gave HTTP response to HTTPS client\n\talpine-community-v3.8-updater: alpine: error
making request: Get \"https://secdb.alpinelinux.org/v3.8/community.json\": http: server gave HTTP response to HTTPS client\n\talpine-community-v3.12-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.12/commun
ity.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-v3.5-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.5/main.json\": http: server gave HTTP response to HTTPS client\n\talpine-main-
v3.11-updater: alpine: error making request: Get \"https://secdb.alpinelinux.org/v3.11/main.json\": http: server gave HTTP response to HTTPS client\n\tsuse-updater-suse.linux.enterprise.server.15: Get \"https://support.novell.com/securi
ty/oval/suse.linux.enterprise.server.15.xml\": http: server gave HTTP response to HTTPS client\n","time":"2021-01-07T14:44:39Z","time":"2021-01-07T14:44:39Z","message":"unable to run updaters"}

• Clair version/image: clairV4.0.0
• Clair client name/version: clairctl
• Host OS: centos
• Kernel (e.g. uname -a):
• Kubernetes version (use kubectl version):
• Network/Firewall setup:

[hdonnay]

It looks like none of the updaters were able to run, as signified by

http: server gave HTTP response to HTTPS client

and

"message":"unable to run updaters"

Sounds like some sort of proxy to me. The standard http_proxy environment variable should be supported, but it's possible an unconfigured client is in use somewhere.

[hbandi]

Thanks, @hdonnay
It's a proxy issue, we need to white list all the updater URLs at our end.
From logs, we found these 3 URLs.
www.debian.org
secdb.alpinelinux.org
support.novell.com
packages.vmware.com

where can we find the list of all updater URLs?

[hbandi]

From the code we found this super set
secdb.alpinelinux.org
www.debian.org
linux.oracle.com
packages.vmware.com
people.canonical.com
www.redhat.com
please let us know anything we missed.

[thomasmckay]

https://issues.redhat.com/browse/PROJQUAY-1444

[hbandi]

@hdonnay @thomasmckay
Thanks for your help

After adding the above URLs to proxy config,looks like it worked .
But now we are 403 error, please help us on this.

{"level":"error","component":"libvuln/New","component":"libvuln/Libvuln/loopUpdaters","error":"updating errors:\n\tRHEL8-openstack-16.0: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6.3: o
valutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (
403 Forbidden)\n\tRHEL7-rhel-7.2-e4s: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openshift-service-mesh-1.0: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-
6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openshift-4.1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-proxy-5.8: ovalutil: fetcher got unexpected HTTP res
ponse: 403 (403 Forbidden)\n\talpine-main-v3.5-updater: alpine: error making request: Get "https://secdb.alpinelinux.org/v3.5/main.json\": http: server gave HTTP response to HTTPS client\n\tRHEL7-rhel-7.3-tus: ovalutil: fetcher got une
xpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.4-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-6.7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\ta
lpine-community-v3.5-updater: alpine: error making request: Get "https://secdb.alpinelinux.org/v3.5/community.json\": http: server gave HTTP response to HTTPS client\n\tRHEL6-rhvh-4-including-unpatched: ovalutil: fetcher got unexpected
HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-cs-including-unpatched: ovalutil: fetcher got unexpected HTTP r

[xoleja01]

@hdonnay

HI, Im getting same issue with 4.0.2 image, but proxy is set and working...
403 means that server actively reject request. Is there any way to set CVE sources?

Have the issue with RH moved anywhere ?

No vulnerabilities are detected, but I guess it is because of no CVEs are imported from those dbs.

I tried it also from different IP in case of some blacklisting as mentioned somewhere here, but with no luck.

4:54PM ERR unable to run updaters error="updating errors:\n\tRHEL6-amq-clients-2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-12-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhoar-nodejs-12: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-service-mesh-1.1-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.2-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6-supplementary: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-ansible-2.6: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tdebian-stretch-updater: failed to read http body: read tcp 172.18.0.15:49136->10.226.56.41:3128: read: connection reset by peer\n\talpine-main-v3.6-updater: failed to parse the fetched vulnerability database: json: cannot unmarshal object into Go struct field Details.packages.pkg.secfixes of type []string\n\tRHEL7-fast-datapath: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.5-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7-extras: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhoar-nodejs-10-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.4-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.6-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-tools-6.5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.4-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-storage-ceph-3-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-cfme-5.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-storage-ceph-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-storage-ceph-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-storage-gluster-3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.1-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-2.2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.7-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.2-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhscl: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhoar-nodejs-10-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-cfme-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.2-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-storage-ceph-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhvh-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-15.0: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-jboss-eap-7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-ansible-2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-7-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6.5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-3.1-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhsso: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-tools-6.2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-amq-clients-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-amq-clients-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.4-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-amq-clients-2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhvh-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.1-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-cfme-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.0: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-6.6: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-ws-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-fast-datapath-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-16.0-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openshift-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhoar-nodejs-8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhvh-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-3.1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhvh-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.5-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-storage-gluster-3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.3-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.7-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-cs-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.2-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-cfme-5.9: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-ansible-2.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.10: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-16.1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.3-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-amq-clients-1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-eap-6: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-12: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.3-e4s: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-5.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-amq-clients-2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhoar-nodejs-10: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhoar-nodejs-12-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-15.0-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-6.7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhscl-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-tools-6.9: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-10-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-fast-datapath: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.0-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.1-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-storage-ceph-5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhvm-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openshift-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-2.1-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-storage-ceph-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhvm-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhacm-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-3.0-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-ansible-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7-supplementary: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-8-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-storage-gluster-3-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.6-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-ansible-2.9: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhacm-1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-storage-ceph-4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-tools-6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-advanced-virtualization-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.7-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhsso: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhoar-nodejs-10: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.4-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.6: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.4-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-service-mesh-2.0-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-jboss-ws-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-mrg-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhsso-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.1-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-16-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openstack-9: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-dotnet-2.2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.6-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-openstack-16.0: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.7-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-storage-gluster-3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.4: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-ws-5-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.10-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-ansible-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.6-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-amq-clients-1: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.3-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.11-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-devtools: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-ansible-2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.11: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhsso-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.2-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-proxy-5.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-ws-4-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6.3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-jboss-cs: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6.7: ov� 4alutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-ws-3-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhscl: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-rhel-6.5-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\talpine-community-v3.3-updater: failed to parse the fetched vulnerability database: json: cannot unmarshal object into Go struct field SecurityDB.packages of type []alpine.Package\n\tRHEL7-openshift-3.2-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-tools-6.8: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-satellite-6.3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.4-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.3-aus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-ws-3: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-amq-clients-1-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.0-e4s: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-rhel-7.3-tus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-openshift-3.8-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-ansible-2.5: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-jboss-ws-3-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL6-satellite-tools-6-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-advanced-virtualization: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-satellite-tools-6.9: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-amq-clients-2: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-rhel-8.2-eus: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n" component=libvuln/Libvuln/loopUpdaters

[hdonnay]

The 403 returns are out of our hands, as are the alpine errors.

A rate limiter would be helpful, but it's annoying because of wrong error code.

[hdonnay]

That's an issue with the server hosting the file, not Clair. We're trying to hunt it down, but it's an intermittent issue with another Red Hat team's server.

[hbandi]

Thank you very much for your response.
But we are also observing Clair is not able to detect vulnerabilities for any image, getting always empty vulns.
Can you help us to debug this issue?
Thanks

[hdonnay]

I'll take a look if you provide any details to reproduce with. To start, what's the image?

[ldelossa]

@hbandi is this still an issue?

[hbandi]

Thanks for asking @ldelossa
have not tried again, will try this week and update you guys.
Thanks,
Hanumanth

[brtkwr]

Yes I think it is, my Debian based image was only showing 23 unknown CVEs which on Quay.io was reporting 200+ of different kinds. I waiting a few days for this to change but no change. Not sure what I need to do to get the updater to run.

[hdonnay]

Are you seeing a similar log message, or just unexpected results? If the latter, that's a separate issue.

[felixkrohn]

Is there a way to extract all URLs from the DB or clair itself in order to test which one is causing problems?
I see 403 errors (109 of them in one line...) on RHEL reponames in my clair logs, but it's not visible which URL is used. It might indeed be a proxy issue, but I need to get the precise URL in order to test and get it fixed.

[...]ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-jboss-eap-7: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL8-jboss-cs-including-unpatched: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)\n\tRHEL7-cfme-5.10: ovalutil: fetcher got unexpected HTTP response: 403 (403 Forbidden)[...]

I also see the following one, but again I would need the URL to test if it's related:

[...]alpine-community-v3.3-updater: failed to parse the fetched vulnerability database: json: cannot unmarshal object into Go struct field SecurityDB.packages of type []alpine.Package[...]

[hdonnay]

There should be logs before this point that have the URL used, but I would be doubtful that this is a proxy issue as the upstream server returns 403 for a rate limit.

The alpine issue is due to the upstream data being malformed.

[felixkrohn]

Thanks for the alpine pointer!
And you're right, I can see in the logs that earlier attempts to download the data have been successful, indeed ruling out a proxy issue in this case (I've seen "403 URLBlocked" before on this network :-/). Grepping for the "run_id" helped finding the corresponding messages.

If you assume a rate limiting - would it be a possibility to direct Clair to a local RH Satellite nearby? (assuming the oval content is part of the mirrored data)

[hdonnay]

I think that would work, as the updater consumes a pulp manifest to discover all the individual oval manifests.

A stanza like the following should work, unless we messed up wiring the configurable bits around.
If it worked, there should be a log line with the message "configured manifest URL".

updaters:
  config:
    rhel:
      url: 'http://host/path/PULP_MANIFEST'