Open vndroid opened 4 months ago
I can reproduce that in our demo environment.
It looks like it is a signature; see:
```
docker pull demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b
demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b: Pulling from dockerhub/postgres
unsupported media type application/vnd.in-toto+json
```
I think on the Harbor side we should address this particular problem and future problems that we are going to see in the future. The goal is to display such information accordingly.
Harbor treats an SBOM as an accessory only when it follows the distribution-spec 1.1 standard, in which the image manifest contains the `Subject` field that indicates whose SBOM it is. Otherwise, an image manifest without the `Subject` field is treated as a normal image with no association to any other image, and the arch is read from the config layer directly.

However, Docker currently uses `application/vnd.in-toto+json` for the layer content and asserts the subject digest in it, as below. It also has this in `index.manifests[0].annotations` to track the associations (https://docs.docker.com/build/attestations/attestation-storage/#attestation-manifest), which is not consistent with Harbor.
```
cat 13/13865d4d6102dfb8b46055c1f5ab41b000f00e2695ae5512f6ebb56b1fb8fffb/data | jq '.manifests[1]'
{
  "annotations": {
    "vnd.docker.reference.digest": "sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de",
    "vnd.docker.reference.type": "attestation-manifest"
  },
  "digest": "sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b",
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "platform": {
    "architecture": "unknown",
    "os": "unknown"
  },
  "size": 840
}
```
```
cat 61/61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b/data
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368",
    "size": 241
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
      "size": 806188,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831",
      "size": 36913,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
      }
    }
  ]
}
```
```
cat 7f/7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368/data | jq
{
  "architecture": "unknown",
  "os": "unknown",
  "config": {},
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
      "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831"
    ]
  }
}
```
```
cat 72/72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5/data | jq '.subject[0]'
{
  "name": "pkg:docker/postgres@14.10-alpine3.18?platform=linux%2Famd64",
  "digest": {
    "sha256": "d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de"
  }
}
```
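The two association conventions contrasted in the comment above, as an added Go example (not Harbor's or Docker's own code): it checks for the distribution-spec 1.1 `subject` field first, then falls back to the `vnd.docker.reference.*` annotations on the index entry. `Classify`, `descriptor` and the sample constants are names assumed for this example; the digests and media types are trimmed from the dump above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// Constructed sample: the index entry and attestation manifest from the dump above, trimmed.
const attDigest = "sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b"
const sampleIndex = `{"manifests":[{"digest":"sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b","annotations":{"vnd.docker.reference.digest":"sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de","vnd.docker.reference.type":"attestation-manifest"}}]}`
const sampleManifest = `{"layers":[{"mediaType":"application/vnd.in-toto+json"},{"mediaType":"application/vnd.in-toto+json"}]}`

// Classify returns the kind ("oci-referrer", "docker-attestation" or "image")
// and the digest of the artifact the manifest is attached to, if any.
func Classify(indexJSON, manifestJSON []byte, dgst string) (kind, subject string, err error) {
	var idx struct{ Manifests []descriptor }
	var m struct {
		Subject *descriptor
		Layers  []descriptor
	}
	if err = json.Unmarshal(indexJSON, &idx); err != nil {
		return "", "", err
	}
	if err = json.Unmarshal(manifestJSON, &m); err != nil {
		return "", "", err
	}
	if m.Subject != nil && m.Subject.Digest != "" { // distribution-spec 1.1 referrer
		return "oci-referrer", m.Subject.Digest, nil
	}
	for _, d := range idx.Manifests { // Docker convention: the link lives in the index entry
		if d.Digest != dgst || d.Annotations["vnd.docker.reference.type"] != "attestation-manifest" {
			continue
		}
		for _, l := range m.Layers { // every layer must be an in-toto statement
			if l.MediaType != "application/vnd.in-toto+json" {
				return "image", "", nil
			}
		}
		return "docker-attestation", d.Annotations["vnd.docker.reference.digest"], nil
	}
	return "image", "", nil
}

func main() { fmt.Println(Classify([]byte(sampleIndex), []byte(sampleManifest), attDigest)) }
```

The index annotation is only a claim made by whoever pushed the index; the in-toto statement's own `subject[0].digest` is what a verifier should compare against the image digest before trusting the attestation.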
Expected behavior and actual behavior: In the new v2.10 version, the replication function has a bug now. It replicates some erroneous unknown images.
Result:![CleanShot 2024-03-05 at 09 45 16@2x](https://github.com/goharbor/harbor/assets/15273693/9a27bd39-58ba-491f-841e-5fc8bbb17341)
Why?
Steps to reproduce the problem:
Config:![CleanShot 2024-03-05 at 09 42 48@2x](https://github.com/goharbor/harbor/assets/15273693/cdc99d49-3efb-4df6-a94a-afe7b4854019)