Problem
After upgrading to Nexus Repository Manager (NXRM) 3.83.0+ and Nexus IQ Server 194+, Docker pull requests may fail if both of the following conditions are met:
- Firewall for Docker is enabled on a Docker proxy repository.
- The NXRM instance is configured to use an HTTP proxy.
You may see the following error on the client side when pulling an image:
"Can't obtain the quarantine status due to the error: Error performing the container image evaluation: null. See nexus.log for more details or contact your Nexus Repository Manager
The nexus.log file will show connection-related errors, indicating that the scanner cannot reach external resources. These errors can include:
Error 1: DNS Failure
com.sonatype.insight.scan.container.image.Standalone - Error scanning container image
com.sonatype.insight.scan.container.image.ContainerImageScanException: java.net.UnknownHostException: xxxxxx: Name or service not known
Error 2: Connection Timeout
com.sonatype.insight.scan.container.image.Standalone - Error scanning container image
com.sonatype.insight.scan.container.image.ContainerImageScanException: org.apache.http.conn.ConnectTimeoutException: Connect to ...
com.sonatype.nexus.clm.internal.datastore.FirewallContributedHandler - Could not get latest quarantine status for asset xxxxxx: Error performing the container image evaluation: null
Error 3: Network Unreachable
com.sonatype.insight.scan.container.image.Standalone - Error scanning container image
com.sonatype.insight.scan.container.image.ContainerImageScanException: java.net.SocketException: Network is unreachable
    at com.sonatype.insight.scan.container.image.cvetools.CveSearch.<init>(CveSearch.java:106)
    at com.sonatype.insight.scan.container.image.Standalone.getCveSearch(Standalone.java:79)
    at com.sonatype.insight.scan.container.image.Standalone.scanOnDemand(Standalone.java:48)
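A triage helper for the three nexus.log signatures above, as an added example that is not Sonatype's code: it counts container image scan failures by root-cause exception so you can confirm the log matches this issue. The sample log is constructed, and the host and asset names in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample log; host and asset names are placeholders.
SAMPLE_LOG = "\n".join([
    "com.sonatype.insight.scan.container.image.Standalone - Error scanning container image",
    "com.sonatype.insight.scan.container.image.ContainerImageScanException: "
    "java.net.UnknownHostException: registry.example.invalid: Name or service not known",
    "com.sonatype.insight.scan.container.image.ContainerImageScanException: "
    "org.apache.http.conn.ConnectTimeoutException: Connect to registry.example.invalid:443 failed",
    "com.sonatype.nexus.clm.internal.datastore.FirewallContributedHandler - Could not get "
    "latest quarantine status for asset sample/image: "
    "Error performing the container image evaluation: null",
    "com.sonatype.insight.scan.container.image.ContainerImageScanException: "
    "java.net.SocketException: Network is unreachable",
    "    at com.sonatype.insight.scan.container.image.cvetools.CveSearch.<init>(CveSearch.java:106)",
    "INFO unrelated housekeeping line",
])

SCAN_EXC = "com.sonatype.insight.scan.container.image.ContainerImageScanException"
QUARANTINE = "Could not get latest quarantine status for asset"
# Root-cause exceptions listed in the article, in the order it presents them.
CAUSES = [
    ("dns_failure", re.compile(r"java\.net\.UnknownHostException")),
    ("connect_timeout", re.compile(r"org\.apache\.http\.conn\.ConnectTimeoutException")),
    ("network_unreachable", re.compile(r"java\.net\.SocketException: Network is unreachable")),
]

def classify(log_text):
    """Count scan failures per root cause, plus quarantine-status failures."""
    counts = Counter()
    for line in log_text.splitlines():
        if SCAN_EXC in line:
            label = next((name for name, rx in CAUSES if rx.search(line)),
                         "other_scan_error")
            counts[label] += 1
        elif QUARANTINE in line:
            counts["quarantine_status_failed"] += 1
    return counts

def has_connectivity_signature(counts):
    """True if any of the three connection-related causes was seen."""
    return any(counts[name] for name, _ in CAUSES)

if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for name, n in sorted(result.items()):
        print(f"{name}: {n}")
    print("matches connectivity signature:", has_connectivity_signature(result))
```

To run it against a real instance, read your nexus.log into a string and pass it to classify().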
Possible causes
Firewall for Docker ignores the HTTP proxy configured in Nexus Repository.
This is a known issue (internal JIRA ID NEXUS-47655) and has been fixed in 3.86.0.
Solution
As a temporary workaround until a permanent fix is available, you need to disable the Firewall Audit and Quarantine Capability for the affected Docker repositories.
If you have any further concerns, please open a support ticket.