
Document Java scanning in Quay 3.6.3 as Tech Preview


The Java scanning feature that shipped with Quay 3.6 depends on an external service (CRDA) for vulnerability data. This service may rate limit Clair if too many requests are made in a short period of time. Because Clair does not report that CRDA rate limited it, the effect is that Clair appears to miss certain vulnerabilities (e.g. log4j): the scan returns no finding rather than an error.

We should update our documentation to indicate that:

• The Java scanning feature in Clair with Quay 3.6 should be considered a Technical Preview.
• The scanning feature may occasionally not detect certain vulnerabilities if its dependent service is unavailable or is rate limiting Clair.
• Clair uses a shared, default token to access the CRDA service, which makes rate limiting more likely. Customers can obtain and use their own CRDA token, which reduces the chance of rate limiting <you can get details from Clair Eng team>.
• The Java scanning feature will be further enhanced in future Quay versions.
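The failure mode described above is a fail-open one: a rate-limited upstream looks identical to "no vulnerabilities found". The following Go program is an added illustration written for this issue, not Clair's or Quay's code; it models a hypothetical Java-package enricher (the endpoint, query format and JSON shape are invented) and shows the report shape that distinguishes an empty, complete result from an incomplete one, surfacing HTTP 429 as an error instead of a clean result. The in-process test server and the placeholder vulnerability id are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrRateLimited marks a lookup that must not be read as "no vulnerabilities".
var ErrRateLimited = errors.New("vulnerability data source rate limited the request")

// Report is what a caller receives. Complete is false whenever the upstream
// could not be consulted, so an empty Vulns list is never silently trusted.
type Report struct {
	Package  string
	Vulns    []string
	Complete bool
}

// classify turns an upstream HTTP response into a Report. A 429 (or any other
// non-200 status) is surfaced as an error rather than as an empty result.
func classify(pkg string, status int, body []byte) (Report, error) {
	switch status {
	case http.StatusOK:
		// Hypothetical response shape: {"vulns": ["id", ...]}
		var parsed struct {
			Vulns []string `json:"vulns"`
		}
		if err := json.Unmarshal(body, &parsed); err != nil {
			return Report{Package: pkg}, fmt.Errorf("decode upstream response: %w", err)
		}
		return Report{Package: pkg, Vulns: parsed.Vulns, Complete: true}, nil
	case http.StatusTooManyRequests:
		return Report{Package: pkg}, ErrRateLimited
	default:
		return Report{Package: pkg}, fmt.Errorf("upstream returned HTTP %d", status)
	}
}

// lookup queries the hypothetical upstream for one package coordinate.
func lookup(client *http.Client, baseURL, pkg string) (Report, error) {
	resp, err := client.Get(baseURL + "?pkg=" + pkg)
	if err != nil {
		return Report{Package: pkg}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Report{Package: pkg}, err
	}
	return classify(pkg, resp.StatusCode, body)
}

func main() {
	// Constructed stand-in for the upstream: answers the first request, then rate limits.
	calls := 0
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		calls++
		if calls > 1 {
			w.Header().Set("Retry-After", "60")
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		fmt.Fprint(w, `{"vulns":["CVE-PLACEHOLDER-0001"]}`) // placeholder id, not a real advisory
	}))
	defer srv.Close()

	client := &http.Client{Timeout: 5 * time.Second}
	for _, pkg := range []string{"org.example:lib-a", "org.example:lib-b"} {
		rep, err := lookup(client, srv.URL, pkg)
		switch {
		case errors.Is(err, ErrRateLimited):
			fmt.Printf("%s: INCOMPLETE (rate limited); do not treat as clean\n", pkg)
		case err != nil:
			fmt.Printf("%s: INCOMPLETE (%v)\n", pkg, err)
		default:
			fmt.Printf("%s: complete=%v vulns=%v\n", pkg, rep.Complete, rep.Vulns)
		}
	}
}
```

Running it prints one complete report for the first package and an explicit "INCOMPLETE (rate limited)" line for the second; a consumer that keys on `Complete` (or on the error) can flag the scan as partial instead of recording a false negative.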

rhn-support-stevsmit Steven Smith
bdettelb@redhat.com Bill Dettelback