Artifactory Binary Repository / RTFACT-26140

Docker Remotes and Virtuals do not give the proper Xray Blocked message


Details

• Type: Bug
• Status: Done
• Resolution: Done
• Affects Version/s: 7.21.3
• Fix Version/s: 7.29.8
• Component/s: Artifactory, Docker
• Labels: None
• Environment: Reproduced on latest version; environment doesn't affect behaviour (HA vs standalone, external DB type, etc.).
• Location: External

Description

Problem description:

When configuring Xray to block downloads of unscanned/vulnerable artifacts, Docker remotes and virtuals return a vague error instead of the "Blocked by Xray" message, causing confusion and inconsistencies.

Expected behavior:

The following message should appear:

Error response from daemon: unauthorized: The client does not have permission for manifest: Unauthorized: Artifact download request rejected: alpine/latest/manifest.json was not downloaded due to the download blocking policy configured in Xray for docker-local

Currently, this only happens for local repositories.

Steps to reproduce:

1. Set up a Docker local, remote, and virtual repository.

2. Set up Xray to block unscanned/vulnerable images.

3. Add a vulnerable image to the Docker local repository and run docker pull url/docker-local/image:tag; it returns the verbose Xray Download Blocking Policy response.

4. Pull the same image from docker-remote and docker-virtual; the message is only the simple and vague

unknown: Forbidden

with no further information.

5. To test further, run something like

curl "http://<ARTIFACTORY_URL>:8082/artifactory/docker-remote-cache/library/postgres/sha256__90b8a9f0cc7aad1bd17e49c5b753cde29615229acbc6a350390ca1a788458a19/manifest.json?trace"

The trace shows the message

Download denied (Artifact download request rejected: library/postgres/sha256__90b8a9f0cc7aad1bd17e49c5b753cde29615229acbc6a350390ca1a788458a19/manifest.json was not downloaded due to the download blocking policy configured in Xray for docker-remote-cache.) - returning blocked resource

but when running docker pull, or going through artifactory/api/docker/docker-repo, only "unknown: Forbidden" is returned.
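Added example, not part of the ticket: a small POSIX sh check that runs the reproduction steps above against the three repository types and classifies each failed docker pull as either the verbose Xray block or the vague "unknown: Forbidden", then confirms via the ?trace endpoint whether the Xray policy decision was recorded. ARTIFACTORY_HOST, the repository keys, the image and the manifest path are placeholders; the ?trace check takes a full manifest path because remote caches store manifests under a sha256 folder, as in the ticket.

```shell
# Added example: check whether an Xray download block is surfaced with the same
# message for docker-local, docker-remote and docker-virtual (the ticket's
# expectation). Host, repo keys and image below are placeholders.

# Classify the stderr of a failed "docker pull" into one of three outcomes.
classify_pull_error() {
  case "$1" in
    *"download blocking policy configured in Xray"*) echo "xray-blocked" ;;
    *"unknown: Forbidden"*)                          echo "vague-forbidden" ;;
    *)                                               echo "other" ;;
  esac
}

# Succeed when a ?trace response records that the Xray policy denied the download.
trace_shows_xray_block() {
  case "$1" in
    *"Download denied"*"download blocking policy configured in Xray"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull $3 (image:tag) from repo $2 on host $1 and print the classification.
check_repo() {
  if err=$(docker pull "$1/$2/$3" 2>&1 >/dev/null); then
    echo "$2: pull succeeded (Xray did not block)"
  else
    echo "$2: $(classify_pull_error "$err")"
  fi
}

# Fetch the trace for manifest path $3 in repo $2 on host $1 (port 8082, as in
# the ticket) and report whether the Xray block decision is present.
check_trace() {
  trace=$(curl -s "http://$1:8082/artifactory/$2/$3?trace")
  if trace_shows_xray_block "$trace"; then
    echo "$2: trace records the Xray block"
  else
    echo "$2: trace has no Xray block decision"
  fi
}

# Live run only when explicitly requested, so the functions can be sourced safely.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
  host=${ARTIFACTORY_HOST:-artifactory.example.com}
  for repo in docker-local docker-remote docker-virtual; do
    check_repo "$host" "$repo" "alpine:latest"
    check_trace "$host" "$repo" "alpine/latest/manifest.json"
  done
fi
```

Once the fix in 7.29.8 is in place, all three repositories should report "xray-blocked"; before it, remote and virtual report "vague-forbidden" while their trace still records the block.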

People

Assignee: Unassigned
Reporter: Nir Ovadia (niro)