Export CVE data is inaccurate

[YangJiao0817]

Expected behavior and actual behavior:
Expected:The exported CVE data is consistent with the UI page
Actual:The exported CVE data is inconsistent with the UI page.Package column displayed incorrectly.Missing CVE data

Steps to reproduce the problem:

1. Create a project as test02
2. Push images to this project
   docker push domain/test02/goharbor/harbor-portal:v2.5.3
   docker push domain/test02/goharbor/notary-server-photon:v2.5.3
3. Scan
4. Export CVE And download

5. Compare CVE data
   UI page Projects<test02<goharbor/notary-server-photon

Package column is not consistent with UI page, there are curl and curl-libs in UI page, only curl-libs in CSV file.
UI page has 8 records in curl + curl-libs and 7 records in CSV file.

Versions:

• harbor version: v2.6.0-f3edb03b

[AllForNothing]

@prahaladdarkin Please have a look at this

[prahaladdarkin]

@YangJiao0817 I tried to reproduce the above issue with the following images:
mongo:latest , ubuntu:latest, goharbor/prepare:v2.5.3. In all cases my count matched.

Could this be an issue with the goharbor/notary-server-photon?

cc @wy65701436 @AllForNothing

[YangJiao0817]

@prahaladdarkin
goharbor/harbor-portal:v2.5.3:

goharbor/notary-server-photon:v2.5.3:

goharbor/harbor-portal:v2.5.3 and goharbor/notary-server-photon:v2.5.3 have some of the same CVEs, maybe this is the reason

[prahaladdarkin]

@YangJiao0817 referring to the attached CSV file image for image harbor-portal - the CVE data matches the UI.

For the notary-server-photon image though there is one row less. This is due to presence of a particular CVE (in this case CVE-2022-27191) present in two version of the same Go package as shown in below screenshot (the package versions are highlighted).

As a part of the fix for issue #17188, package versions are now being included within the CSV report and this inclusion should help resolve the observation mentioned in the current issue

[prahaladdarkin]

Fixed within #17232 (under review).