A scanner in an unhealthy state disables "prevent vulnerable images from running"

[nipil]

Description

• Problem : scanned vulnerabilities are ignored when pulling if the scanner is unhealthy

• Desired behaviour :

1. high priority : pulling should use the cached scan report to prevent vulnerable images from running, even if the scanner is currently unhealthy.
2. medium priority : the cached vulnerability report should still display even if the scanner is unhealthy

• Rationale for the change : allowing vulnerable images to be pulled by servers just because the scanner is unhealthy is a security risk

Steps to reproduce

1. install harbor (tested with 2.12.1 offline installer)
2. configure an external scanner
3. push an image with a known vulnerabilty >= Low
4. scan the image, vulnerabilities are shown in the report
5. set option "prevent vulnerable images from running" to "Low or above"
6. try to pull the image = pull fails due to security option
7. stop the external scanner (poweroff, disconnect, etc..)
8. wait for the scanner to become unhealthy
9. repo image does not show vulnerability report --> see desired behaviour 2)
10. try to pull the image = pull succeeds --> see desired behaviour 1)

[wy65701436]

Currently, this is the intended behavior — Harbor marks all artifacts as unsupported and ignoes their scan reports when the scanner is unhealthy.

I'll revisit this scenario and follow up on the issue. Thanks for reporting it!

[reasonerjt]

When the scanner is not accessible, the artifact will be considered "not scannable".
IMO, we should not skip the vuln check if the artifact has a scan report, even when it is not scannable in the middleware.

I'll write a PR to make the update.