Is your feature request related to a problem? Please describe.
We are using true OCI artifacts to attach SBOMs and vulnerability scan results to our images by using the Referrers-API as specified by the OCI Distribution spec 1.1. In the OCI Image spec 1.1, the artifactType is a new top-level attribute of the artifact manifest.
Unfortunately, Harbor doesn't show the artifact-type of an artifact when using the UI. Example screenshot:
As you can see, the type of the attachments is always showing as subject.accessory, which isn't very helpful. The true types of the shown artifacts are trivy-sbom/cyclonedx and trivy-vuln/results. The actual types are shown neither in the listing of the accessories, nor when showing the artifact details of an accessory!
Describe the solution you'd like
I think the fallback type subject.accessory used by Harbor is mostly useless. It should instead show the actual artifactType of the artifact, if available. Alternatively we could introduce a new column named Artifact type, but this could be problematic since there is not a lot of horizontal space available.
The artifact type should also be displayed when viewing the details of the artifact by clicking on a specific accessory.
This proposal probably depends on an addition to the accessories-API as described here: #21344
The artifactType is an attribute defined in the OCI specification, specifically for the referrers API. Are you asking if you'd like to see the artifactType of the pushed accessory displayed in the Harbor UI? And can you show us the use case?
By the way, the type of accessory is defined within Harbor itself. By default, it is set to subject.accessory. However, when Harbor recognizes the pushed accessory — such as a signature generated by Notary or Cosign — it will be displayed as subject.signature, subject.sbom, and so on.
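The display rule requested in the issue, sketched as an added example (not Harbor's code and not part of the original thread): read the artifactType from each descriptor in an OCI referrers response and fall back to subject.accessory only when it is absent. The names `Descriptor` and `DisplayTypes`, the sample response and its placeholder digests are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor holds the fields of an OCI referrer descriptor used here.
type Descriptor struct {
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType,omitempty"`
}

// Generic type Harbor shows today when it does not recognize an accessory.
const harborFallbackType = "subject.accessory"

// Constructed sample referrers response; digests are placeholders.
const sampleReferrers = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaaa", "artifactType": "trivy-sbom/cyclonedx"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbbb", "artifactType": "trivy-vuln/results"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:cccc"}
  ]
}`

// DisplayTypes (hypothetical helper) maps each referrer digest to the type a
// UI could show: the descriptor's artifactType, else the generic fallback.
func DisplayTypes(body []byte) (map[string]string, error) {
	var idx struct {
		Manifests []Descriptor `json:"manifests"`
	}
	if err := json.Unmarshal(body, &idx); err != nil {
		return nil, fmt.Errorf("decode referrers index: %w", err)
	}
	out := make(map[string]string, len(idx.Manifests))
	for _, d := range idx.Manifests {
		out[d.Digest] = harborFallbackType
		if d.ArtifactType != "" {
			out[d.Digest] = d.ArtifactType
		}
	}
	return out, nil
}

func main() {
	types, err := DisplayTypes([]byte(sampleReferrers))
	fmt.Println(types, err)
}
```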