Harbor-UI should display the actual OCI 1.1 artifactType for artifact accessories #21345

Open
ChristianCiach opened this issue Dec 20, 2024 · 1 comment
ChristianCiach commented Dec 20, 2024

Is your feature request related to a problem? Please describe.

We are using true OCI artifacts to attach SBOMs and vulnerability scan results to our images by using the Referrers-API as specified by the OCI Distribution spec 1.1. In the OCI Image spec 1.1, the artifactType is a new top-level attribute of the artifact manifest.

Unfortunately, Harbor doesn't show the artifact-type of an artifact when using the UI. Example screenshot:

[Screenshot]

As you can see, the type of the attachments is always showing as subject.accessory, which isn't very helpful. The true types of the shown artifacts are trivy-sbom/cyclonedx and trivy-vuln/results. The actual types are shown neither in the listing of the accessories, nor when showing the artifact details of an accessory!

Describe the solution you'd like

I think the fallback type subject.accessory used by Harbor is mostly useless. It should instead show the actual artifactType of the artifact, if available. Alternatively we could introduce a new column named Artifact type, but this could be problematic since there is not a lot of horizontal space available.

The artifact type should also be displayed when viewing the details of the artifact by clicking on a specific accessory.

This proposal probably depends on an addition to the accessories-API as described here:

Contributor

wy65701436 commented Dec 23, 2024

The artifactType is an attribute defined in the OCI specification, specifically for the referrers API. Are you asking if you'd like to see the artifactType of the pushed accessory displayed in the Harbor UI? And can you show us the use case?

By the way, the type of accessory is defined within Harbor itself. By default, it is set to subject.accessory. However, when Harbor recognizes the pushed accessory — such as a signature generated by Notary or Cosign — it will be displayed as subject.signature, subject.sbom, and so on.

@wy65701436 wy65701436 self-assigned this Dec 23, 2024
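
An added example, not part of the issue thread and not Harbor's code: a sketch of the label resolution the issue asks for, preferring the manifest's top-level `artifactType`, then the config `mediaType` (the value the OCI 1.1 referrers API reports when `artifactType` is unset), and only then the generic `subject.accessory`. The function name `DisplayType`, the fallback order, and the sample manifests are assumptions made for illustration; the digests are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// harborFallback is the generic label the issue reports seeing in the UI.
const harborFallback = "subject.accessory"

// Constructed sample manifests (trimmed to the relevant fields; placeholder digests).
const (
	sampleSBOM   = `{"artifactType":"trivy-sbom/cyclonedx","subject":{"digest":"sha256:<placeholder>"}}`
	sampleLegacy = `{"config":{"mediaType":"application/vnd.example+json"},"subject":{"digest":"sha256:<placeholder>"}}`
	sampleBare   = `{"schemaVersion":2,"subject":{"digest":"sha256:<placeholder>"}}`
)

// manifest keeps only the image-manifest fields this example needs.
type manifest struct {
	ArtifactType string `json:"artifactType"`
	Config       struct{ MediaType string `json:"mediaType"` } `json:"config"`
	Subject      struct{ Digest string `json:"digest"` } `json:"subject"`
}

// DisplayType returns the label to show and whether the manifest names a subject.
func DisplayType(raw []byte) (label string, isReferrer bool, err error) {
	var m manifest
	if err = json.Unmarshal(raw, &m); err != nil {
		return "", false, fmt.Errorf("parse manifest: %w", err)
	}
	isReferrer = m.Subject.Digest != ""
	switch {
	case m.ArtifactType != "":
		label = m.ArtifactType // OCI 1.1 top-level attribute
	case m.Config.MediaType != "":
		label = m.Config.MediaType // referrers API value when artifactType is unset
	default:
		label = harborFallback // nothing more specific is available
	}
	return label, isReferrer, nil
}

func main() {
	for _, s := range []string{sampleSBOM, sampleLegacy, sampleBare} {
		fmt.Println(DisplayType([]byte(s)))
	}
}
```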