goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Add a Security Dashboard #16121

Closed Krumbelfix closed 1 year ago

Krumbelfix commented 2 years ago

Describe the solution you'd like
It would be great to have a dashboard where all vulnerabilities are shown, so it's possible to filter (for example by a specific CVE) or by project. I was searching for all images with the "log4j" vulnerability. Additionally, it could show additional information, like statistics on all known CVEs in the trivy database.

YAMLcase commented 2 years ago

Agreed. At the very least have a way to search for a particular CVE through the API

flbla commented 2 years ago

If you have access to the database, you can do it in SQL:

-- repository/tag pairs whose scan report contains the given CVE
SELECT artifact.repository_name, tag.name
FROM vulnerability_record
JOIN report_vulnerability_record ON vuln_record_id = vulnerability_record.id
JOIN scan_report ON uuid = report_uuid
JOIN artifact ON artifact.digest = scan_report.digest
JOIN tag ON tag.repository_id = artifact.repository_id AND tag.artifact_id = artifact.id
WHERE cve_id LIKE 'CVE-2021-44228';

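
The same lookup done through the Harbor v2.0 REST API instead of the database, added here as an example (not code from the project or from anyone in this thread): it walks projects, repositories and artifacts, reads each scanned artifact's vulnerability addition and collects the artifacts that list the CVE. It assumes a caller-supplied fetch(path) that performs an authenticated GET against the Harbor base URL and returns decoded JSON; sample_fetch, its project/repository names and its digests are constructed so the script runs offline.

```python
"""Added example (not Harbor's own code): list every artifact in a Harbor registry whose
scan report contains a given CVE, via the v2.0 REST API instead of direct SQL access."""
from urllib.parse import quote

VULN_MIME = "application/vnd.security.vulnerability.report; version=1.1"  # report key in API responses

def paged(fetch, path):
    """Iterate a Harbor list endpoint with page/page_size until an empty page comes back."""
    sep, page = ("&" if "?" in path else "?"), 1
    while items := fetch(f"{path}{sep}page={page}&page_size=100"):
        yield from items
        page += 1

def artifacts_with_cve(fetch, cve_id):
    """Walk projects -> repositories -> artifacts; one record per artifact listing cve_id.
    Artifacts that were never scanned (no scan_overview) are skipped, not reported."""
    hits = []
    for project in paged(fetch, "/api/v2.0/projects"):
        proj = quote(project["name"], safe="")
        for repo in paged(fetch, f"/api/v2.0/projects/{proj}/repositories"):
            # repo["name"] is "<project>/<path>"; Harbor wants the path URL-encoded twice
            # when it contains slashes (a/b -> a%2Fb -> a%252Fb)
            rname = quote(quote(repo["name"].split("/", 1)[1], safe=""), safe="")
            base = f"/api/v2.0/projects/{proj}/repositories/{rname}/artifacts"
            for art in paged(fetch, base + "?with_tag=true&with_scan_overview=true"):
                if not art.get("scan_overview"):
                    continue  # never scanned: there is no report to read
                rep = fetch(f"{base}/{art['digest']}/additions/vulnerabilities")
                for v in rep.get(VULN_MIME, {}).get("vulnerabilities", []):
                    if v.get("id") == cve_id:
                        hits.append({"repository": repo["name"], "digest": art["digest"],
                                     "tags": [t["name"] for t in art.get("tags") or []],
                                     "package": v.get("package"), "fix_version": v.get("fix_version")})
    return hits

def sample_fetch(path):
    """Constructed offline stand-in for fetch(): one project, one repo, one scanned and one unscanned artifact."""
    if "page=2" in path:
        return []
    if path.startswith("/api/v2.0/projects?"):
        return [{"name": "library"}]
    if "/repositories?" in path:
        return [{"name": "library/app"}]
    if path.endswith("/additions/vulnerabilities"):
        return {VULN_MIME: {"vulnerabilities": [{"id": "CVE-2021-44228", "package": "log4j-core",
                                                  "version": "2.14.1", "fix_version": "2.17.1"}]}}
    return [{"digest": "sha256:aaaa", "scan_overview": {VULN_MIME: {}}, "tags": [{"name": "1.0"}]},
            {"digest": "sha256:bbbb", "scan_overview": None, "tags": []}]
```

Each scanned artifact costs one extra request, so on a large registry this is a batch job rather than an interactive query.
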
AlenversFr commented 2 years ago

What we need is:

@Sncf (France) we use Harbor in production with 560 distinct private projects, around 2000 distinct repos and around 22 000 distinct tags.

The above queries could take a while to respond with an API call for us; it may be useful to use an extra component dedicated to dashboarding CVE results, like Redash.

QiuToo commented 2 years ago

I've been looking forward to the graphical interface

toastbrotch commented 2 years ago

+1

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

toastbrotch commented 2 years ago

Security does not seem to be of any focus for Harbor, so don't use it for that... (see #16218)

stefanlasiewski commented 1 year ago

I agree that this is an important, but missing feature in Harbor. Cluster administrators and security groups need the ability to look at an entire Harbor registry to see what vulnerabilities are present in the images used by users. This, combined with pull-through caching would be very helpful to detect vulnerable software in a cluster.

When I speak to others about Harbor, many are surprised that Harbor doesn't provide an administrative dashboard to show a vulnerability view of all images in the registry.

Harbor 2.6 does include a way to export a list of CVEs to a CSV file; however, this is hard to use unless your site builds its own dashboard to read the CSV. Since there is little documentation about this feature, writing a custom app is difficult.

chlins commented 1 year ago

Closed, as Security Hub was introduced in v2.9; see https://goharbor.io/blog/harbor-2.9/.