This repository has been archived by the owner on Sep 20, 2024. It is now read-only.

Trivy scan results are not up to date #411

Open
lixdavid94 opened this issue Dec 7, 2023 · 1 comment

lixdavid94 commented Dec 7, 2023

What steps did you take and what happened:

Trivy scan reports are not updating with the latest CVE vulnerabilities after the first scan. The reports are only updating after purging the reports from postgres. An example:

  • 12/01/2023 - Image-X is scanned for the first time and reports that CVE-XXXXX is a vulnerability that does not have a fix
  • 12/05/2023 - CVE-XXXXX is released with a fix
  • 12/10/2023 - Image-X is re-scanned and still reports that CVE-XXXXX is a vulnerability that does not have a fix, despite the trivy-db being updated to the latest version

What did you expect to happen:

Trivy scan reports should be updated with the latest CVE vulnerability data after triggering a scan to run instead of using what I believe is cached data.

Anything else you would like to add:

I need to purge the reports from the postgres instance and re-trigger scans to get reports with the most up-to-date vulnerabilities. I run the following on the postgres instance and then use Harbor's API to trigger/create new scans.

DELETE FROM vulnerability_record;
DELETE FROM report_vulnerability_record;
DELETE FROM scan_report;

Environment:

  • Harbor version: v2.9.1
  • Harbor Scanner Adapter for Trivy version: v0.30.18
  • Harbor installation process (Installer script, Helm chart, etc.): helm

lixdavid94 (Author) commented

I opened this issue before in the goharbor/harbor repository but it was closed without any resolution.
