When updating, Clair tries to contact Red Hat's OVAL page but fails to download data:
The OVAL in question does not exist in the database. According to Clair's code (Github), the first file that Clair should download is:
Both of these files exist in the OVAL database. After failing to download the mentioned file, the updater stops and the database remains empty so all results are returned as positives. Clair has been deployed in OpenShift in a disconnected environment so access to other data sources is not possible, but curling the RHEL database endpoint from inside the pod is possible and working.
Do you have any explanation why Clair would want to download a CVE that doesn't exist?