Update the CVE scanning database
MSR security scanning indexes the components in your MSR images and compares them against a CVE database. This database is routinely updated with new vulnerability signatures, and thus MSR must be regularly updated with the latest version to properly scan for all possible vulnerabilities. After updating the database, MSR matches the components in the new CVE reports to the indexed components in your images, and generates an updated report.
Note
MSR users with administrator access can learn when the CVE database was last updated by accessing the Security tab in the MSR System page.
Update CVE database in online mode
In online mode, MSR security scanning monitors for updates to the vulnerability database, and downloads them when available.
To ensure that MSR can access the database updates, verify that the host can access both https://license.mirantis.com and https://dss-cve-updates.mirantis.com/ on port 443 using HTTPS.
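The reachability check described above can be scripted on the MSR host. This is an added example, not Mirantis tooling: the function names, the `TIMEOUT` and `RUN_CHECK` variables and the script file name are assumptions, and it relies only on documented `curl` exit codes to report which layer (DNS, TCP, TLS, certificate trust) blocked the connection.

```bash
#!/usr/bin/env bash
# Added example, not Mirantis tooling: checks that this host can reach the two
# update endpoints named above over HTTPS on port 443.
ENDPOINTS="https://license.mirantis.com https://dss-cve-updates.mirantis.com/"

# Map a curl exit code to the layer that failed.
diagnose() {
  case "$1" in
    0)  echo "ok" ;;
    5)  echo "proxy name did not resolve" ;;
    6)  echo "DNS lookup failed" ;;
    7)  echo "TCP connection to port 443 failed" ;;
    28) echo "timed out" ;;
    35) echo "TLS handshake failed" ;;
    60) echo "certificate not trusted (TLS-inspecting proxy or missing CA)" ;;
    *)  echo "curl error $1" ;;
  esac
}

# Check one URL. Certificate validation stays on (no -k/--insecure), so an
# intercepting proxy is reported as a failure rather than silently accepted.
# Assumption: any HTTP status counts as reachable, because the page does not
# say what each endpoint answers at its root path.
check_endpoint() {
  local url="$1" status rc=0
  status=$(curl --silent --output /dev/null --proto '=https' \
                --max-time "${TIMEOUT:-10}" --write-out '%{http_code}' \
                "$url" 2>/dev/null) || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "PASS $url (HTTP $status)"
  else
    echo "FAIL $url: $(diagnose "$rc")"
  fi
  return "$rc"
}

# Check every endpoint; the return value is the number that failed.
check_all() {
  local failed=0 url
  for url in $ENDPOINTS; do
    check_endpoint "$url" || failed=$((failed + 1))
  done
  return "$failed"
}

# Performs the real network check only when asked:
#   RUN_CHECK=1 bash check-msr-updates.sh   (file name is hypothetical)
if [ "${RUN_CHECK:-0}" = 1 ]; then check_all || exit 1; fi
```

A `FAIL` line with "certificate not trusted" usually means a TLS-inspecting proxy sits between the host and the update servers, so port 443 is open but the connection is still not usable as-is.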
MSR checks for new CVE database updates every day at 3:00 AM UTC. If an update is available, it is automatically downloaded and applied, without interrupting any scans in progress. Once the update is completed, the security scanning system checks the indexed components for new vulnerabilities.
To set the update mode to online:
Log in to the MSR web UI as an administrator.
In the left-side navigation panel, click System and navigate to the Security tab.
Click Online.
Your choice is saved automatically.
Note
To check immediately for a CVE database update, click Sync Database now.
Update CVE database in offline mode
When a connection to the update server is not possible, you can update the CVE database for your MSR instance using a .tar file that contains the database updates.
To set the update mode to offline:
Log in to the MSR web UI as an administrator.
In the left-side navigation panel, click System and navigate to the Security tab.
Select Offline.
Click Select Database and open the downloaded CVE database file.
MSR installs the new CVE database and begins checking the images that are already indexed for components that match new or updated vulnerabilities.