In Quay 3.6, Clair's scan results implicitly include CRDA (CodeReady Dependency Analytics) data for Java packages. These results are unreliable because the CRDA endpoint may rate-limit Clair's requests for vulnerability data, so Java findings for the same image can appear on one scan and disappear on the next.
The proper long-term fix is the Clair plug-in system, which is still in development; it is not clear that it will be delivered in time for Quay 3.7.
For Quay 3.7, the use of CRDA in Clair should be made explicit and opt-in. We should no longer ship with a default shared key; customers must consciously enable CRDA in Clair's configuration, using a key they obtain from CRDA themselves.
Our documentation should be clear on how to enable this and on how it differs from 3.6. This does not change the designation of our Java scan results as Tech Preview; we should consider them GA once the proper plug-in mechanism is in place.
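The explicit opt-in described above, as an added illustration rather than text from this issue or from the Clair project: a Clair config.yaml fragment that enables the CRDA matcher with a customer-owned key. The field names (matchers.config.crda with url, key and source) follow the Clair 4.4 matcher configuration layout as I recall it from the Red Hat Quay 3.7 documentation; they are an assumption here and should be checked against the shipped docs. Without this block, the matcher is expected to make no CRDA requests and no shared key is used.

```yaml
# Added example: Clair config.yaml fragment enabling CRDA explicitly.
# Field names follow the Clair 4.4 matcher config layout (assumption;
# verify against the Quay 3.7 docs). With no `crda` entry under
# matchers.config, Clair is expected to make no CRDA calls and to use
# no shared key, which is the intended 3.7 default.
matchers:
  config:
    crda:
      # CRDA API gateway (assumed documented default for Quay 3.7).
      url: https://gw.api.openshift.io/api/v2/
      # Customer-owned key obtained from CRDA, never the shared default
      # that shipped with 3.6. Keep it out of version control and inject
      # it from a secret at deploy time.
      key: <CRDA_API_KEY>
      # Identifies this deployment to CRDA (assumption). Rate limiting is
      # still possible even with a dedicated key, so a Java result that is
      # absent on one scan may be a throttled request rather than a clean
      # image; do not treat "no Java findings" as a negative result.
      source: <QUAY_SERVER_HOSTNAME>
```

The caveat in the last comment is the practical consequence of the 3.6 behaviour this issue describes: opting in with your own key makes the CRDA dependency visible and attributable, but it does not by itself make the Java results deterministic, which is why they stay Tech Preview until the plug-in mechanism lands.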
- is related to
  - CLAIRDEV-56 Clair should be runtime extensible (Refinement)
  - PROJQUAY-3115 Document Java scanning in Quay 3.6.3 as Tech Preview (Closed)
  - PROJQUAY-3200 Change CRDA defaults (Closed)
  - PROJQUAY-3201 Document how to enable CRDA in Red Hat Quay (Closed)
- relates to
  - PROJQUAY-3350 Quay 3.7.0 to include Clair 4.4.z (Closed)