Update the CVE scanning database

MSR security scanning indexes the components in your MSR images and compares them against a CVE database. This database is routinely updated with new vulnerability signatures, so MSR must regularly receive the latest version of the database to scan properly for all possible vulnerabilities. After updating the database, MSR matches the components in the new CVE reports to the indexed components in your images, and generates an updated report.

Note

MSR users with administrator access can learn when the CVE database was last updated by accessing the Security tab in the MSR System page.

Update CVE database in online mode

In online mode, MSR security scanning monitors for updates to the vulnerability database, and downloads them when available.

To ensure that MSR can access the database updates, verify that the host can access both https://license.mirantis.com and https://dss-cve-updates.mirantis.com/ on port 443 using HTTPS.
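One way to run this check from a shell on the MSR host, as an added example that is not part of the MSR documentation. It assumes curl is installed; the function names and the `--run` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the MSR docs): host-side reachability check for the
# two update endpoints named above. Needs curl; honours https_proxy if set.
ENDPOINTS="https://license.mirantis.com https://dss-cve-updates.mirantis.com/"

# Make one HTTPS request with certificate validation left on. No --fail flag:
# any HTTP status proves that DNS, TCP 443 and TLS all worked.
probe() {
    curl --silent --output /dev/null --connect-timeout 10 --max-time 20 "$1"
}

# Map curl's exit code to the layer that failed.
classify() {
    case "$1" in
        0)  echo "reachable" ;;
        5)  echo "proxy name did not resolve" ;;
        6)  echo "DNS lookup failed" ;;
        7)  echo "TCP connect to port 443 failed (firewall or routing)" ;;
        28) echo "timed out" ;;
        35) echo "TLS handshake failed" ;;
        60) echo "certificate not trusted (TLS-inspecting proxy?)" ;;
        *)  echo "curl exit code $1" ;;
    esac
}

# Probe every endpoint, print one line each, return the number of failures.
check_endpoints() {
    failures=0
    for url in $ENDPOINTS; do
        rc=0
        probe "$url" || rc=$?
        [ "$rc" -eq 0 ] || failures=$((failures + 1))
        printf '%-45s %s\n' "$url" "$(classify "$rc")"
    done
    return "$failures"
}

# Run the check only when invoked with the --run argument.
if [ "${1:-}" = "--run" ]; then
    check_endpoints
fi
```

A "certificate not trusted" result usually means the request reached a proxy that re-signs TLS traffic rather than the update server itself.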

MSR checks for new CVE database updates every day at 3:00 AM UTC. If an update is available, it is automatically downloaded and applied, without interrupting any scans in progress. Once the update is completed, the security scanning system checks the indexed components for new vulnerabilities.

To set the update mode to online:

  1. Log in to the MSR web UI as an administrator.

  2. In the left-side navigation panel, click System and navigate to the Security tab.

  3. Click Online.

Your choice is saved automatically.

Note

To check immediately for a CVE database update, click Sync Database now.

Update CVE database in offline mode

When a connection to the update server is not possible, you can update the CVE database for your MSR instance using a .tar file that contains the database updates.

To set the update mode to offline:

  1. Log in to the MSR web UI as an administrator.

  2. In the left-side navigation panel, click System and navigate to the Security tab.

  3. Select Offline.

  4. Click Select Database and open the downloaded CVE database file.

MSR installs the new CVE database and begins checking the images that are already indexed for components that match new or updated vulnerabilities.