
[Feature Request] Provide a UI to visualize container vulnerabilities #10496

Closed
cdchris12 opened this issue Jan 15, 2020 · 13 comments
@cdchris12

When trying to identify which containers within our registry contain vulnerabilities, it is frustrating to have to check every individual tag, within every individual registry, within every individual project. It's entirely infeasible to check every single container vulnerability report using the current UI framework for doing so.

Ideally, we would like to see a UI which would show the status of all container scans, scoped according to a user's permissions to view specific projects. This UI would allow users concerned with maintaining container security to get a high level view of the actual contents of these scans across all the projects they have access to. This data lends itself well to helping users determine which CVEs are worth allocating time to resolving due to their widespread occurrence across all their stored container images

@xaleeks xaleeks added kind/requirement New feature or idea on top of harbor area/vulnerability-scan labels Jan 19, 2020
@xaleeks
Contributor

xaleeks commented Jan 19, 2020

I think maybe one view in each project is more reasonable. We will think about this. But this should be easily retrievable via the API as a workaround for now; let me know if you need help with that.

@gunboe

gunboe commented Jun 4, 2020

This new feature sounds good to me too. A consolidated report and a critical CVE list of the images found would be nice for rectifying or expunging the image.

@maxmiles39

A consolidated report with filters is crucial for operations. An all-in-one online downloadable report showing all the vulnerabilities and the whitelisting (scope, expiration) along with the artifact would be very helpful.
As a side note, it would be nice to have the CVE whitelist at image level for better control.

@brondum

brondum commented Jul 17, 2020

+1 from here

@ghost

ghost commented Jun 14, 2021

> I think maybe one view in each project is more reasonable. We will think about this. But this should be easily retrievable via the API as a workaround for now; let me know if you need help with that.

@xaleeks I am interested to know which API to use in your solution. Thanks

@ikarlashov

Any update on this? It feels like the whole scanning mechanism is useless without this feature. Indeed, it's not possible to check all images that are pushed by our developers, so we have zero observability of the vulnerabilities in our images.

@kirkanos

Any updates on this? I really need this; a workaround via the API doesn't really work for us.

@Mabchour

Any updates on this?

@dale-c-anderson

Figured out how to at least retrieve one repository's vulnerabilities from the API.

I assume one would need to loop over all the repos of all the projects, and also apply sorting to find only the latest vulnerability scan of a given repo.

To get a list of vulnerability scan result paths for a given repo,

curl -Ss --header "authorization: Basic $AUTH" -X GET "$HARBOR_SERVER/api/v2.0/projects/$PROJECT_NAME/repositories/$REPO_NAME/artifacts" | jq -r '.[].addition_links.vulnerabilities.href'
  • REPO_NAME needs to have its slashes escaped if it contains any: foo-bar/ding would be foo-bar%2Fding.

To just arbitrarily accept the first result from the list,

ARTIFACT_PATH=$(curl -Ss --header "authorization: Basic $AUTH" -X GET "${HARBOR_SERVER}/api/v2.0/projects/${PROJECT_NAME}/repositories/${REPO_NAME}/artifacts" | jq -r '.[0].addition_links.vulnerabilities.href')

To retrieve one scan of one repo of one project,

SCAN_RESULTS=$(curl -Ss --header "authorization: Basic $AUTH" -X GET "${HARBOR_SERVER}${ARTIFACT_PATH}")
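The comment above stops at one scan of one repository; the loop it describes (every project, every repository, every artifact's `addition_links.vulnerabilities.href`) and the cross-image CVE ranking the issue asks for are shown below as an added example. It is not code from the issue or from Harbor. It assumes the Harbor v2.0 paths used in the comment, that the repository listing returns names prefixed with the project (`library/nginx`), and that the vulnerability addition is a JSON object keyed by report MIME type whose body has a `vulnerabilities` list with `id`, `package` and `severity` fields; the server responses, digests and CVE ids are constructed sample data so the script runs offline.

```python
"""Aggregate Harbor vulnerability reports across projects and repositories.

Added example, not part of the issue or of Harbor. Follows the procedure in the
comment above: list repositories, list artifacts, follow each artifact's
addition_links.vulnerabilities.href, then count how many images each CVE hits.
"""
import base64
import json
import os
import urllib.request
from urllib.parse import quote


def encode_repo_name(repo: str) -> str:
    """Percent-encode a repository name for use as one path segment (foo-bar/ding -> foo-bar%2Fding)."""
    return quote(repo, safe="")


def http_fetch(path: str):
    """Real fetcher: GET $HARBOR_SERVER<path> with Basic auth built from HARBOR_USER/HARBOR_PASS.

    Assumed environment variable names; not used by the offline run. Harbor list
    endpoints paginate (page / page_size), which this minimal fetcher does not handle.
    """
    server = os.environ["HARBOR_SERVER"]
    creds = f"{os.environ['HARBOR_USER']}:{os.environ['HARBOR_PASS']}".encode()
    req = urllib.request.Request(server + path,
                                 headers={"authorization": "Basic " + base64.b64encode(creds).decode()})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def artifact_report_paths(fetch, project: str, repo: str):
    """Yield (digest, href) for every artifact of a repository that has a vulnerability addition."""
    path = f"/api/v2.0/projects/{project}/repositories/{encode_repo_name(repo)}/artifacts"
    for art in fetch(path):
        href = art.get("addition_links", {}).get("vulnerabilities", {}).get("href")
        if href:  # artifacts that were never scanned carry no report link
            yield art["digest"], href


def parse_report(report: dict):
    """Return the vulnerability list from a report keyed by MIME type (assumed shape)."""
    for body in report.values():
        if isinstance(body, dict) and "vulnerabilities" in body:
            return body["vulnerabilities"]
    return []


def aggregate_cves(fetch, projects):
    """Map CVE id -> {'severity': str, 'images': ['project/repo@digest', ...]} across all projects."""
    summary = {}
    for project in projects:
        for repo_entry in fetch(f"/api/v2.0/projects/{project}/repositories"):
            repo = repo_entry["name"].split("/", 1)[1]  # strip the "<project>/" prefix (assumed format)
            for digest, href in artifact_report_paths(fetch, project, repo):
                for vuln in parse_report(fetch(href)):
                    entry = summary.setdefault(vuln["id"],
                                               {"severity": vuln.get("severity", "Unknown"), "images": []})
                    entry["images"].append(f"{project}/{repo}@{digest}")
    for entry in summary.values():
        entry["images"] = sorted(set(entry["images"]))
    return summary


def most_widespread(summary, limit=10):
    """Rank CVEs by number of distinct affected images: the prioritisation the issue asks for."""
    rows = ((cve, len(e["images"]), e["severity"]) for cve, e in summary.items())
    return sorted(rows, key=lambda t: (-t[1], t[0]))[:limit]


# Constructed sample responses standing in for a Harbor server (digests and CVE ids are placeholders).
_MIME = "application/vnd.security.vulnerability.report; version=1.1"
_NGINX_HREF = "/api/v2.0/projects/library/repositories/nginx/artifacts/sha256:aaa/additions/vulnerabilities"
_DING_HREF = "/api/v2.0/projects/library/repositories/foo-bar%2Fding/artifacts/sha256:bbb/additions/vulnerabilities"
SAMPLE_RESPONSES = {
    "/api/v2.0/projects/library/repositories": [{"name": "library/nginx"}, {"name": "library/foo-bar/ding"}],
    "/api/v2.0/projects/library/repositories/nginx/artifacts": [
        {"digest": "sha256:aaa", "addition_links": {"vulnerabilities": {"href": _NGINX_HREF}}}],
    "/api/v2.0/projects/library/repositories/foo-bar%2Fding/artifacts": [
        {"digest": "sha256:bbb", "addition_links": {"vulnerabilities": {"href": _DING_HREF}}},
        {"digest": "sha256:ccc", "addition_links": {}}],
    _NGINX_HREF: {_MIME: {"vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "severity": "Critical"},
        {"id": "CVE-0000-0002", "package": "zlib", "severity": "Medium"}]}},
    _DING_HREF: {_MIME: {"vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "severity": "Critical"}]}},
}


def sample_fetch(path: str):
    """Offline fetcher that serves the constructed responses above."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    for cve, count, severity in most_widespread(aggregate_cves(sample_fetch, ["library"])):
        print(f"{cve}\t{severity}\t{count} image(s)")
```

Swap `sample_fetch` for `http_fetch` to run it against a real registry; the `fetch` callable is the only seam. Two things the offline run glosses over: the project list itself comes from `/api/v2.0/projects` (scoped to what the credentials can see), and every list endpoint is paginated, so a real fetcher must walk `page` until a short page comes back or it will silently miss repositories and artifacts.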

@benediktberger

We would love to integrate the scanning results in an external security overview. Therefore I would need a link to display this information. As far as I could see from the rendered HTML there is no such possibility, because the tooltip is rendered statically in the Harbor UI.
I was referring to an info badge like Dependency-Track or GitLab provide; see https://docs.dependencytrack.org/integrations/badges/ or https://docs.gitlab.com/ee/user/project/badges.html for example.

@wy65701436
Contributor

We would like to make some improvements to the scan report view and @AllForNothing will gather requirements and investigate this part.

@matthiasbaldi

@wy65701436, would there be a possibility to export the vulnerabilities as an SBOM to Dependency-Track?
So Harbor would scan (e.g. with Trivy) and then have an API to export the detected findings as a valid SBOM to Dependency-Track to visualize everything?

@stonezdj stonezdj self-assigned this Apr 24, 2023
@stonezdj stonezdj added the Epic label Apr 24, 2023
@AllForNothing
Contributor

Fixed by #18942, closing it.
