Goal: Make Clair more independent from online services like Maven Central and enable the same quality of Java vulnerability reporting in disconnected environments.

Background: As observed in CLAIRDEV-93, relying online services for indexing Java content can be tricky. In the specific example occasional rate-limiting led to an unidentified Java library, which was associated with critical CVEs. Because the lookup of the JAR in question only succeeded in some cases, some container images produced an incomplete vulnerability report, missing CVEs with the JAR in question, whereas other images had a complete report.

Requirements:

• Clair ships an index from Maven which contains all required information to lookup Java libraries (Artifact ID, group ID, version) by their SHA1 checksum
• this Maven offline index should be leveraged by the indexer API described in CLAIRDEV-99 to perform reverse lookups to identify old Java libraries that ship insufficient metadata about their identity
• the index should be kept up to date at appropriate intervals
• the index should be made part of the offline bundle experience described in OCPSTRAT-1407 and require no specific steps to obtain and be made available to a disconnected Clair deployment outside of the regular offline bundle import workflow{}