Enable MSR security scanning

  1. Log in to the MSR web UI as an administrator.

  2. In the left-side navigation panel, click System and navigate to the Security tab.

  3. Slide the Enable Scanning toggle to the right.

  4. Set the security scanning mode by selecting either Online or Offline.

    • Online mode:

      Online mode downloads the latest vulnerability database from a Docker server and installs it.

      1. Select whether to include jobrunner and postgresDB logs

      2. Click Sync Database now.

    • Offline mode:

      Offline mode requires that you manually perform the following steps.

      1. Download the most recent CVE database.

        Be aware that the example command specifies default values. It instructs the container to output the database file to the ~/Downloads directory and configures the volume to map from the local machine into the container. If the destination for the database is in a separate directory, you must define an additional volume. For more information, refer to the table that follows this procedure.

        docker run -it --rm \
        -v ${HOME}/Downloads:/data \
        -e CVE_DB_URL_ONLY=false \
        -e CLOBBER_FILE=false \
        -e DATABASE_OUTPUT="/data" \
        -e DATABASE_SCHEMA=3 \
        -e DEBUG=false \
        -e VERSION_ONLY=false \
        mirantis/get-dtr-cve-db:latest
        
      2. Click Select Database and open the downloaded CVE database file.

Runtime environment variable override

Variable

Default

Override detail

CLOBBER_FILE

false

Set to true to overwrite an existing file with the same database name.

CVE_DB_URL_ONLY

false

Set to true to output the CVE database URL; does not download the CVE database.

DATABASE_OUTPUT

/data

Indicates the database download directory inside the container.

DATABASE_SCHEMA

3

Valid values:

  • 1 (DTR 2.2.5 or lower)

  • 2 (DTR 2.3.x; 2.4.x; 2.5.15 or lower; 2.6.11 or lower; 2.7.4 or lower)

  • 3 (DTR 2.5.16 or higher; 2.6.12 or higher; 2.7.5 or higher)

DEBUG

false

Set to true to execute the script with set -x.

VERSION_ONLY

false

Set to true to produce a dry run that outputs the CVE database version number, but does not download the CVE database.