Artifactory Binary Repository: RTFACT-26140

Docker Remotes and Virtuals do not give the proper Xray Blocked message


    Details

    • Type: Bug
    • Status: Open
    • Priority: 4 - Normal
    • Resolution: Unresolved
    • Affects Version/s: 7.21.3
    • Fix Version/s: None
    • Component/s: Artifactory, Docker
    • Labels:
      None
    • Environment:
      Reproduced on the latest version; the environment does not affect the behaviour (HA vs standalone, external DB type, etc.).

    • Location:
      External

      Description

      Problem description:

      When Xray is configured to block downloads of unscanned/vulnerable artifacts, Docker remote and virtual repositories return a vague error instead of the "Blocked by Xray" message, causing confusion and inconsistent behaviour between repository types.

      Expected behavior:

      The following message should appear: 

      Error response from daemon: unauthorized: The client does not have permission for manifest: Unauthorized: Artifact download request rejected: alpine/latest/manifest.json was not downloaded due to the download blocking policy configured in Xray for docker-local

      but currently, this only happens for local repositories.


      Steps to reproduce:

      1. Set up a Docker local, remote, and virtual repository.

      2. Set up Xray to block unscanned/vulnerable images.

      3. Add a vulnerable image to docker-local and run docker pull url/docker-local/image:tag; observe that it returns the verbose Xray Download Blocking Policy response.

      4. Pull the same image from docker-remote and docker-virtual; observe that the message is only the vague

       unknown: Forbidden

       with no further information.

      5. To test further, run something like

      curl "http://<ARTIFACTORY_URL>:8082/artifactory/docker-remote-cache/library/postgres/sha256__90b8a9f0cc7aad1bd17e49c5b753cde29615229acbc6a350390ca1a788458a19/manifest.json?trace"

       and the trace shows the message

      Download denied (Artifact download request rejected: library/postgres/sha256__90b8a9f0cc7aad1bd17e49c5b753cde29615229acbc6a350390ca1a788458a19/manifest.json was not downloaded due to the download blocking policy configured in Xray for docker-remote-cache.) - returning blocked resource

      but when running docker pull or requesting through artifactory/api/docker/docker-repo it only returns "unknown: Forbidden".


              People

              Assignee:
              Unassigned
              Reporter:
              Nir Ovadia (niro)