"/accessories"-API should return actual OCI 1.1 artifactType of the artifact #21344

Open
ChristianCiach opened this issue Dec 20, 2024 · 1 comment
Assignees
Labels
Won't Fix The cost of fixing this is not justified.

Comments

@ChristianCiach

Is your feature request related to a problem? Please describe.

When listing the accessories of an artifact by using the /accessories endpoint of the API, the results currently do not contain the actual artifactType of the artifact as specified by the OCI 1.1 image spec. The Accessory model used by Harbor has a type attribute, but the value can only be one of a few predefined constants, severely limiting its usefulness.

Describe the solution you'd like
Instead of the fallback subject.accessory type, I would like to see the actual artifactType as returned by the Referrers-API as the accessory type. Since this would be a (slightly) breaking change, as an alternative we could add a new artifact_type attribute to the Accessory model.

Also, it should be possible to query only the artifacts of a specific artifactType. Since Harbor v2.12 there is a new endpoint to query all artifacts of a project that have a given artifact_type, but this only works for the whole project, not when listing the accessories of a given repository. For this, I currently have to query the Referrer-API directly:

curl 'https://localhost/v2/{project}/{repo}/referrers/{digest}?artifactType=example/artifact-type'

In summary:

  • The /accessories endpoint should return the actual artifactType of the OCI 1.1 artifact.
  • The /accessories endpoint should support querying by a specific artifactType.

@wy65701436
Contributor

wy65701436 commented Dec 23, 2024

Hi @ChristianCiach, thanks for reporting this issue.

Let me clarify: the OCI distribution specification is defined for all v2 APIs, while the /accessories endpoint is specific to the Harbor API and is defined solely for use with the Harbor UI/CLI.

If you call the referrers API, which is defined in the Distribution 1.1 specification, you will receive a response that includes the artifact_type, like this:

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:a012de24c611dc8f4e752dd7993cfcda4c7e5844fa3c8e31e297b28dbbddb54a",
            "size": 766,
            "annotations": {
                "created": "2024-12-23T04:49:15Z",
                "created-by": "Harbor",
                "org.opencontainers.artifact.created": "2024-12-23T04:49:15Z",
                "org.opencontainers.artifact.description": "SPDX JSON SBOM"
            },
            "artifactType": "application/vnd.goharbor.harbor.sbom.v1"
        }
    ]
}

@wy65701436 wy65701436 self-assigned this Dec 23, 2024
@wy65701436 wy65701436 added the Won't Fix The cost of fixing this is not justified. label Dec 23, 2024
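
An added example, not part of the issue or of Harbor's code: a client for the referrers query discussed above that percent-encodes the artifactType filter and still filters the returned index locally, since per the Distribution 1.1 specification a registry signals that it applied the filter through the OCI-Filters-Applied response header. The function names, the second descriptor in the sample and the restriction to sha256 digests are assumptions made for illustration.

```python
import json
import re
from urllib.parse import quote, urlencode

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # assumption: sha256 digests only
INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"
SBOM_TYPE = "application/vnd.goharbor.harbor.sbom.v1"

# Constructed sample: the descriptor from the comment above plus a made-up
# second referrer, as returned when the registry did not filter.
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:a012de24c611dc8f4e752dd7993cfcda4c7e5844fa3c8e31e297b28dbbddb54a",
         "size": 766, "artifactType": SBOM_TYPE},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64,
         "size": 512, "artifactType": "application/vnd.example.signature.v1+json"},
    ],
})


def referrers_url(base, repository, digest, artifact_type):
    """Build the referrers URL, percent-encoding the artifactType filter."""
    if not DIGEST_RE.match(digest):
        raise ValueError("subject digest must be sha256:<64 hex chars>")
    # '+' and '/' are common in media types; an unencoded '+' decodes as a space.
    query = urlencode({"artifactType": artifact_type})
    return f"{base}/v2/{quote(repository, safe='/')}/referrers/{digest}?{query}"


def select_referrers(body, artifact_type, filters_applied=""):
    """Return (matching descriptors, whether the registry reported filtering).

    filters_applied is the OCI-Filters-Applied response header ("" if absent).
    """
    index = json.loads(body)
    if index.get("mediaType") != INDEX_MEDIA_TYPE:
        raise ValueError("referrers response is not an OCI image index")
    server_filtered = "artifactType" in [f.strip() for f in filters_applied.split(",")]
    # Filter locally in every case: a registry may ignore the query parameter.
    matches = [m for m in index.get("manifests") or []
               if m.get("artifactType") == artifact_type
               and DIGEST_RE.match(m.get("digest", ""))]
    return matches, server_filtered
```

The returned digests are what a consumer would then pull and verify, so descriptors with a malformed digest are dropped rather than passed on.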