Updating the Software Composition Analysis (SCA) vulnerability database

The Software Composition Analysis (SCA) vulnerability database includes the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers. AppScan 360° users can enable automatic updating of the SCA vulnerability database at installation or configure manual updating.

Regular updates of the vulnerability database ensure that AppScan 360° deployments always have the latest vulnerability information for Software Composition Analysis (SCA) scanning while minimizing downtime.

Updating can be set up for both online and offline deployments of AppScan 360°:
  • Online/automatic

    When you installed AppScan 360°, you provided information about the Software Composition Analysis (SCA) database (as part of configuration questions in Custom installation of AppScan 360° on a single virtual machine or when setting up the configuration file for distributed installation of AppScan 360°). This information allowed the install process to configure automatic updating of the database. No further action is required.

    As long as the AppScan 360° deployment maintains access to HCL Harbor with a valid HCL ID, AppScan 360° periodically checks the HCL Harbor registry for updates, and automatically pulls and applies those updates. The update process does not interrupt scanning or cause downtime.

  • Offline/manual

    Regularly loading the latest Software Composition Analysis (SCA) vulnerability database image into the local registry keeps your scanning results as current as the latest update, even in restricted or air-gapped environments.

    Manual updating requires a third-party, Internet-connected system on which to download the images from HCL Harbor (with a valid HCL ID), and a secure method to transfer those images to the AppScan 360° deployment system.

    The third-party system must have access to:
    • hclcr.io/appscan360/as360-k8s-docker-images/librarysearchapi
    • hclcr.io/appscan360/as360-k8s-docker-images/cvesearchapi

    Note: If the Docker private registry uses self-signed certificates, those certificates must be trusted by the Docker engine so that registry operations do not fail with a TLS validation error.

Manually update the Software Composition Analysis (SCA) vulnerability database

The process for updating the vulnerability database is:
  1. Download the cvesearchapi and librarysearchapi images from HCL Harbor to a third-party Internet-connected system.
  2. Download the ArgoApplication helm chart to the third-party Internet-connected system.
  3. Transfer the images and the chart to the AppScan 360° deployment system.
  4. Load the transferred images and chart into your custom registry on the AppScan 360° deployment system.
  5. Verify the downloads on the AppScan 360° deployment system.
  6. Configure the ArgoCD image updater on the AppScan 360° deployment system.
  7. Restart the ArgoCD image updater pod on the AppScan 360° deployment system.

To download the cvesearchapi and librarysearchapi images to a third-party Internet-connected system, run the following commands:

  1. docker login hclcr.io -u <harbor username> -p <harbor password>
  2. docker pull hclcr.io/appscan360/as360-k8s-docker-images/librarysearchapi:newest-build
  3. docker image save hclcr.io/appscan360/as360-k8s-docker-images/librarysearchapi:newest-build > librarysearchapi_newest-build.tar
  4. docker pull hclcr.io/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build
  5. docker image save hclcr.io/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build > cvesearchapi_newest-build.tar

To download the ArgoApplication helm chart to the third-party Internet-connected system, run the following commands:
  1. helm registry login hclcr.io --username "<harbor username>" --password "<harbor password>"
  2. helm pull oci://hclcr.io/appscan360/as360-k8s-helm-packages/scaargoapplication --version 0.1.1 --untar
  3. helm package scaargoapplication/
    Note: Verify that the package scaargoapplication-0.1.1.tgz has been created.

To transfer the files from the third-party Internet-connected system to the AppScan 360° deployment system, use the file transfer method approved by your organization to transfer the following files:
  • scaargoapplication-0.1.1.tgz
  • cvesearchapi_newest-build.tar
  • librarysearchapi_newest-build.tar

To load the images and the chart into your <custom registry url> on the AppScan 360° deployment system, run the following commands:
  1. docker load -i librarysearchapi_newest-build.tar
  2. docker tag hclcr.io/appscan360/as360-k8s-docker-images/librarysearchapi:newest-build <custom registry url>/appscan360/as360-k8s-docker-images/librarysearchapi:newest-build
  3. docker push <custom registry url>/appscan360/as360-k8s-docker-images/librarysearchapi:newest-build
  4. docker load -i cvesearchapi_newest-build.tar
  5. docker tag hclcr.io/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build <custom registry url>/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build
  6. docker push <custom registry url>/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build
  7. helm registry login <custom registry url> --username "<custom registry username>" --password "<custom registry password>" --insecure
  8. helm push scaargoapplication-0.1.1.tgz oci://<custom registry url>/appscan360-staging/as360-k8s-helm-packages/

To verify the downloads, run the following commands:
  1. docker pull <custom registry url>/appscan360/as360-k8s-docker-images/cvesearchapi:newest-build
  2. helm pull oci://<custom registry url>/appscan360-staging/as360-k8s-helm-packages/scaargoapplication:0.1.1

To configure the ArgoCD image updater, run the following command:
  • kubectl patch configmap argocd-image-updater-config \
        -n hcl-appscan-sca \
        --type merge \
        -p '{"data":{"registries.conf":"registries:\n  - name: sca180acr\n    defaultns: hcl-appscan-sca\n    default: true\n    api_url: https://<custom registry url>\n    prefix: <custom registry url>\n    insecure: true\n    credentials: pullsecret:hcl-appscan-sca/sca-harbor-registry-secret"}}'

To restart the ArgoCD image updater pod, run the following command:
  • kubectl delete pod -l app.kubernetes.io/name=argocd-image-updater -n hcl-appscan-sca