goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

replications function sync some error image #20088

Open vndroid opened 4 months ago

vndroid commented 4 months ago

Expected behavior and actual behavior: In the new v2.10 version, the replications function has a bug now. It replicates some error unknown image.

Result: [screenshot: CleanShot 2024-03-05 at 09 45 16@2x]

Why?

Steps to reproduce the problem:

Config: [screenshot: CleanShot 2024-03-05 at 09 42 48@2x]

Versions: Please specify the versions of the following systems.

Additional context:

Vad1mo commented 4 months ago

I can reproduce that in our demo environment.

It looks to be a signature, see:

    docker pull demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b
    demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b: Pulling from dockerhub/postgres
    unsupported media type application/vnd.in-toto+json


Vad1mo commented 4 months ago

I think on the Harbor side we should address this particular problem and future problems that we are going to see in the future. The goal is to display such information accordingly.

MinerYang commented 3 months ago

Harbor treats an SBOM as an accessory only when it follows the distribution-spec 1.1 standard, in which the image manifest contains the Subject field indicating whose SBOM it is. Otherwise, an image manifest without a Subject field will be treated as a normal image without association to any other image, and the arch is read from the config layer directly.

However, Docker currently uses application/vnd.in-toto+json for the layer content and asserts the subject digest in it as below, and also has this in index.manifests[0].annotations to track the associations (https://docs.docker.com/build/attestations/attestation-storage/#attestation-manifest), which is not consistent with Harbor.

  1. image index
    cat 13/13865d4d6102dfb8b46055c1f5ab41b000f00e2695ae5512f6ebb56b1fb8fffb/data | jq '.manifests[1]'
    {
      "annotations": {
        "vnd.docker.reference.digest": "sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "digest": "sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      },
      "size": 840
    }
  2. attestation manifest
    cat 61/61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b/data
    {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368",
        "size": 241
      },
      "layers": [
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
          "size": 806188,
          "annotations": {
            "in-toto.io/predicate-type": "https://spdx.dev/Document"
          }
        },
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831",
          "size": 36913,
          "annotations": {
            "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
          }
        }
      ]
    }
  3. image config
    cat 7f/7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368/data | jq
    {
      "architecture": "unknown",
      "os": "unknown",
      "config": {},
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
          "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831"
        ]
      }
    }
  4. layer content
    cat 72/72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5/data  | jq '.subject[0]'
    {
      "name": "pkg:docker/postgres@14.10-alpine3.18?platform=linux%2Famd64",
      "digest": {
        "sha256": "d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de"
      }
    }
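
Added example, not part of the thread and not Harbor's own code: a Go sketch that tells apart the two association styles discussed above, a distribution-spec 1.1 manifest with a `subject` and a Docker attestation manifest identified by the `vnd.docker.reference.*` index annotations with only `application/vnd.in-toto+json` layers. `Classify`, `desc` and the sample constants are hypothetical names; the sample JSON is trimmed from the listings in the comment above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type desc struct { // subset of an OCI descriptor (hypothetical helper type)
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// Classify returns "oci-referrer" (manifest carries a subject), "docker-attestation"
// (Docker reference annotations plus only in-toto layers) or "image", and the digest referred to.
func Classify(entryJSON, manifestJSON string) (kind, target string, err error) {
	var entry desc
	var m struct {
		Subject *desc  `json:"subject"`
		Layers  []desc `json:"layers"`
	}
	if err = json.Unmarshal([]byte(entryJSON), &entry); err != nil {
		return "", "", err
	}
	if err = json.Unmarshal([]byte(manifestJSON), &m); err != nil {
		return "", "", err
	}
	if m.Subject != nil && m.Subject.Digest != "" {
		return "oci-referrer", m.Subject.Digest, nil
	}
	if entry.Annotations["vnd.docker.reference.type"] != "attestation-manifest" || len(m.Layers) == 0 {
		return "image", "", nil
	}
	for _, l := range m.Layers {
		if l.MediaType != "application/vnd.in-toto+json" {
			return "image", "", nil // a non-attestation layer: treat as an ordinary image
		}
	}
	return "docker-attestation", entry.Annotations["vnd.docker.reference.digest"], nil
}

// Constructed samples: index entry and attestation manifest trimmed from the listings in the thread.
const sampleEntry = `{"annotations": {"vnd.docker.reference.type": "attestation-manifest",
  "vnd.docker.reference.digest": "sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de"}}`
const sampleManifest = `{"layers": [{"mediaType": "application/vnd.in-toto+json"},
  {"mediaType": "application/vnd.in-toto+json"}]}`

func main() {
	fmt.Println(Classify(sampleEntry, sampleManifest))
}
```

The returned digest is only the annotation's claim; checking it against `subject[0].digest` inside the in-toto layer, as in listing 4, needs the layer blob as well.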