
DTR warning 'Cannot perform security scans because no vulnerability database was found'

Issue

If Docker Trusted Registry displays a banner with the following message, the vulnerability database is empty, so DTR cannot scan your images for vulnerabilities:

    Cannot perform security scans because no vulnerability database was found.

Some systems generate this warning when Security Scanning is first enabled, or if it is enabled in Offline mode, but the vulnerability database has not yet been uploaded. The warning is expected to go away once the database is first loaded into DTR.

Resolution

Possible resolutions include:

Make sure your node can reach https://dss-cve-updates.docker.com/.

If you see this warning during normal operations and DTR has successfully scanned images in the past, troubleshoot further by collecting a set of timestamped logs from the container that performs the scanning. This takes a combination of UI actions and a fairly simple command run on one of the nodes.

  1. Go to UCP -> Resources -> Containers.

  2. In the search box in the upper right-hand corner, enter dtr-scanning. This should isolate the dtr-scanningstore container.

  3. Note the node where the container is running (under the Node column).

  4. Log into that node using an account that can run the docker CLI.

  5. Run the following command:

    docker ps | grep scanning
    

    This should provide a container ID and confirm the container is actually running on that node.

  6. Run the following command:

    docker logs -t [container_id] > /var/tmp/scanning.log.txt
    

    replacing [container_id] with the ID you found. A sample command would look like this:

    docker logs -t 3f53fb440398 > /var/tmp/scanning.log.txt
    

    The resulting log file will help determine if there's anything unexpected going on with the scanning database.
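Steps 5 and 6 can be combined into one script, shown here as an added example that is not part of the original article or Docker's own tooling. The function names and the script name in the usage comment are assumptions. It stops if zero or several containers match, captures stderr as well as stdout (a plain `>` redirect misses what the container wrote to stderr), and creates the log file readable only by its owner.

```sh
#!/bin/sh
# Added example: automates steps 5 and 6 on the node that runs the scanning
# store. The container name comes from the article; function names are
# this example's own (hypothetical).

NAME_FILTER="dtr-scanningstore"

# Print the ID of the single running container whose name matches NAME_FILTER.
# Returns 1 if none is running on this node, 2 if more than one matches,
# 3 if the docker CLI call itself fails (e.g. no permission on the socket).
find_scanning_container() {
    ids=$(docker ps --filter "name=$NAME_FILTER" --format '{{.ID}}') || return 3
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    case "$count" in
        0) echo "no $NAME_FILTER container running on this node" >&2
           return 1 ;;
        1) printf '%s\n' "$ids" ;;
        *) echo "multiple matches, pick one manually:" >&2
           printf '%s\n' "$ids" >&2
           return 2 ;;
    esac
}

# Write timestamped logs for the scanning container to the path in $1.
collect_scanning_logs() {
    out=$1
    cid=$(find_scanning_container) || return $?
    # docker logs replays the container's stderr on stderr, so capture both
    # streams. umask 077 keeps the file private: /var/tmp is world-readable
    # and the logs may expose internal hostnames or errors.
    ( umask 077; docker logs -t "$cid" > "$out" 2>&1 ) || return 4
    echo "wrote $(wc -l < "$out") lines from $cid to $out" >&2
}

# Runs only when an output path is given, for example:
#   sh collect-scanning-logs.sh /var/tmp/scanning.log.txt
if [ "$#" -gt 0 ]; then
    collect_scanning_logs "$1"
fi
```
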