Description of Problem / Feature Request
A potentially incorrect Clair vulnerability report is returned when the digest's index report has not completed successfully (i.e. the index report is not in state="IndexFinished").
The vulnerability report returned is potentially incorrect as it's based on incomplete information, but the recipient can't tell that from the fields included. Clients can attempt to guess that empty distributions or packages may still have indexing in progress, but that's not definitive and could also be seen for e.g. scratch images with indexing complete.
Expected Outcome
When state is IndexError
Perhaps HTTP500 with a body error structure suggesting it's a permanent error affecting this digest? Perhaps HTTP404?
When state is any other non-final
Suggest: HTTP404 similar to the result for not-present
curl -v -s localhost:6060/matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | jq .
* Trying [::1]:6060...
* Connected to localhost (::1) port 6060
> GET /matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff HTTP/1.1
> Host: localhost:6060
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: application/json
< Trailer: Clair-Error
< X-Content-Type-Options: nosniff
< Date: Mon, 29 Jan 2024 15:05:19 GMT
< Transfer-Encoding: chunked
<
{ [155 bytes data]
* Connection #0 to host localhost left intact
{
"code": "not-found",
"message": "index report for manifest \"sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" not found"
}
Actual Outcome
state=IndexError example:
when the DB column indexreport.scan_result contains:
{
"err": "failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:a2e84cb56b2b64f359029d7a59023b4ef96578ff90566e256a019e0173a633cb: tarfs: error finding segments: bad block at 0: got magic \" ]\\n }\"",
"state": "IndexError",
"success": false,
"packages": {},
"repository": {},
"environments": {},
"distributions": {},
"manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690"
}
A vuln report request completes successfully, and appears to be completely clean:
state in progress example:
This is harder to catch in progress, but as the indexing state machine updates the DB each step, I believe there'll be a row present in table indexreport after the first step, but the package list won't be complete until every scanner has run on every layer.
While the indexing is in progress, a vuln report will be partly complete, giving varying info depending on what's been found so far.
Environment
Clair version/image: we're running v4.7.2; from code inspection it'd still be true on the current main
Clair client name/version: curl
Host OS: Linux
Kernel (e.g. uname -a):
Kubernetes version (use kubectl version): n/a
Network/Firewall setup: n/a
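As an added example (not part of the issue and not Clair's own code), here is a client-side guard that checks the digest's index report state before trusting a vulnerability report, so that IndexError and in-progress reports are not mistaken for a clean result. The indexer's /indexer/api/v1/index_report path is Clair's API; the base URL, helper names, and the sample in-progress state name are assumptions, and the sample bodies are constructed (the first mirrors the IndexError scan_result quoted above).

```python
import json
import urllib.error
import urllib.request

INDEX_FINISHED = "IndexFinished"  # only state in which the vuln report is complete
INDEX_ERROR = "IndexError"        # terminal failure state shown in the issue


def classify_index_report(status_code: int, body: str) -> str:
    """Map an index_report response to one of:
    "missing"     - HTTP 404, Clair has not indexed this digest
    "failed"      - terminal IndexError; empty packages mean failure, not clean
    "in_progress" - any other non-final state; package list may be partial
    "finished"    - IndexFinished with success=true; vuln report can be used
    """
    if status_code == 404:
        return "missing"
    if status_code != 200:
        raise RuntimeError(f"unexpected HTTP {status_code} from indexer")
    report = json.loads(body)
    state = report.get("state")
    if state == INDEX_FINISHED and report.get("success") is True:
        return "finished"
    if state == INDEX_ERROR or report.get("err"):
        return "failed"
    return "in_progress"


def vuln_report_is_trustworthy(status_code: int, body: str) -> bool:
    """Act on a vulnerability report only when indexing reached IndexFinished."""
    return classify_index_report(status_code, body) == "finished"


def fetch_index_report(base_url: str, digest: str) -> tuple:
    """Fetch (status, body) for a digest; base_url is assumed, e.g. http://localhost:6060."""
    url = f"{base_url}/indexer/api/v1/index_report/{digest}"
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample bodies (not captured from a live Clair).
SAMPLE_INDEX_ERROR = json.dumps({
    "err": "failed to fetch layers: tarfs: error finding segments: bad block at 0",
    "state": "IndexError", "success": False, "packages": {}, "distributions": {},
    "manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690",
})
# "ScanLayers" is an illustrative non-final state; any state other than the two above is treated the same.
SAMPLE_IN_PROGRESS = json.dumps({"state": "ScanLayers", "success": False, "packages": {}, "manifest_hash": "sha256:<placeholder>"})
SAMPLE_FINISHED = json.dumps({"state": "IndexFinished", "success": True, "packages": {}, "manifest_hash": "sha256:<placeholder>"})
```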