goharbor · heww · Mar 12, 2021 · Mar 9, 2021
diff --git a/api/v2.0/swagger.yaml b/api/v2.0/swagger.yaml
@@ -2739,6 +2739,44 @@ paths:
           $ref: '#/responses/403'
         '500':
           $ref: '#/responses/500'
+  /system/CVEAllowlist:
+    get:
+      summary: Get the system level allowlist of CVE.
+      description: Get the system level allowlist of CVE.  This API can be called by all authenticated users.
+      operationId: getSystemCVEAllowlist
+      tags:
+        - SystemCVEAllowlist
+      responses:
+        '200':
+          description: Successfully retrieved the CVE allowlist.
+          schema:
+            $ref: "#/definitions/CVEAllowlist"
+        '401':
+          $ref: '#/responses/401'
+        '500':
+          $ref: '#/responses/500'
+    put:
+      summary: Update the system level allowlist of CVE.
+      description: This API overwrites the system level allowlist of CVE with the list in request body.  Only system Admin
+        has permission to call this API.
+      operationId: putSystemCVEAllowlist
+      tags:
+        - SystemCVEAllowlist
+      parameters:
+        - in: body
+          name: allowlist
+          description: The allowlist with new content
+          schema:
+            $ref: "#/definitions/CVEAllowlist"
+      responses:
+        '200':
+          description: Successfully updated the CVE allowlist.
+        '401':
+          $ref: '#/responses/401'
+        '403':
+          $ref: '#/responses/403'
+        '500':
+          $ref: '#/responses/500'
   /system/scanAll/schedule:
     get:
       summary: Get scan all's schedule.

diff --git a/src/common/dao/cve_allowlist.go b/src/common/dao/cve_allowlist.go
diff --git a/src/common/dao/cve_allowlist_test.go b/src/common/dao/cve_allowlist_test.go
diff --git a/src/common/models/base.go b/src/common/models/base.go
@@ -35,6 +35,5 @@ func init() {
 		new(NotificationJob),
 		new(ProjectBlob),
 		new(ArtifactAndBlob),
-		new(CVEAllowlist),
 	)
 }
diff --git a/src/common/models/project.go b/src/common/models/project.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/astaxie/beego/orm"
+	"github.com/goharbor/harbor/src/pkg/allowlist/models"
 	"github.com/lib/pq"
 )
 
@@ -36,20 +37,20 @@ const (
 
 // Project holds the details of a project.
 type Project struct {
-	ProjectID    int64             `orm:"pk;auto;column(project_id)" json:"project_id"`
-	OwnerID      int               `orm:"column(owner_id)" json:"owner_id"`
-	Name         string            `orm:"column(name)" json:"name" sort:"default"`
-	CreationTime time.Time         `orm:"column(creation_time);auto_now_add" json:"creation_time"`
-	UpdateTime   time.Time         `orm:"column(update_time);auto_now" json:"update_time"`
-	Deleted      bool              `orm:"column(deleted)" json:"deleted"`
-	OwnerName    string            `orm:"-" json:"owner_name"`
-	Role         int               `orm:"-" json:"current_user_role_id"`
-	RoleList     []int             `orm:"-" json:"current_user_role_ids"`
-	RepoCount    int64             `orm:"-" json:"repo_count"`
-	ChartCount   uint64            `orm:"-" json:"chart_count"`
-	Metadata     map[string]string `orm:"-" json:"metadata"`
-	CVEAllowlist CVEAllowlist      `orm:"-" json:"cve_allowlist"`
-	RegistryID   int64             `orm:"column(registry_id)" json:"registry_id"`
+	ProjectID    int64               `orm:"pk;auto;column(project_id)" json:"project_id"`
+	OwnerID      int                 `orm:"column(owner_id)" json:"owner_id"`
+	Name         string              `orm:"column(name)" json:"name" sort:"default"`
+	CreationTime time.Time           `orm:"column(creation_time);auto_now_add" json:"creation_time"`
+	UpdateTime   time.Time           `orm:"column(update_time);auto_now" json:"update_time"`
+	Deleted      bool                `orm:"column(deleted)" json:"deleted"`
+	OwnerName    string              `orm:"-" json:"owner_name"`
+	Role         int                 `orm:"-" json:"current_user_role_id"`
+	RoleList     []int               `orm:"-" json:"current_user_role_ids"`
+	RepoCount    int64               `orm:"-" json:"repo_count"`
+	ChartCount   uint64              `orm:"-" json:"chart_count"`
+	Metadata     map[string]string   `orm:"-" json:"metadata"`
+	CVEAllowlist models.CVEAllowlist `orm:"-" json:"cve_allowlist"`
+	RegistryID   int64               `orm:"column(registry_id)" json:"registry_id"`
 }
 
 // GetMetadata ...
@@ -242,10 +243,10 @@ type BaseProjectCollection struct {
 
 // ProjectRequest holds informations that need for creating project API
 type ProjectRequest struct {
-	Name         string            `json:"project_name"`
-	Public       *int              `json:"public"` // deprecated, reserved for project creation in replication
-	Metadata     map[string]string `json:"metadata"`
-	CVEAllowlist CVEAllowlist      `json:"cve_allowlist"`
+	Name         string              `json:"project_name"`
+	Public       *int                `json:"public"` // deprecated, reserved for project creation in replication
+	Metadata     map[string]string   `json:"metadata"`
+	CVEAllowlist models.CVEAllowlist `json:"cve_allowlist"`
 
 	StorageLimit *int64 `json:"storage_limit,omitempty"`
 	RegistryID   int64  `json:"registry_id"`

diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
@@ -74,4 +74,5 @@ const (
 	ResourceScanAll            = Resource("scan-all")
 	ResourceSystemVolumes      = Resource("system-volumes")
 	ResourceOIDCEndpoint       = Resource("oidc-endpoint")
+	ResourceSystemCVEAllowList = Resource("system-cve-allowlist")
 )
diff --git a/src/common/rbac/system/policies.go b/src/common/rbac/system/policies.go
@@ -65,5 +65,7 @@ var (
 		{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionRead},
 		{Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate},
 		{Resource: rbac.ResourceLdapUser, Action: rbac.ActionList},
+		{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionRead},
+		{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionUpdate},
 	}
 )
diff --git a/src/controller/p2p/preheat/enforcer_test.go b/src/controller/p2p/preheat/enforcer_test.go
@@ -26,6 +26,7 @@ import (
 	car "github.com/goharbor/harbor/src/controller/artifact"
 	"github.com/goharbor/harbor/src/controller/tag"
 	"github.com/goharbor/harbor/src/lib/selector"
+	models2 "github.com/goharbor/harbor/src/pkg/allowlist/models"
 	ar "github.com/goharbor/harbor/src/pkg/artifact"
 	po "github.com/goharbor/harbor/src/pkg/p2p/preheat/models/policy"
 	pr "github.com/goharbor/harbor/src/pkg/p2p/preheat/models/provider"
@@ -119,7 +120,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
 	).Return(&models.Project{
 		ProjectID:    1,
 		Name:         "library",
-		CVEAllowlist: models.CVEAllowlist{},
+		CVEAllowlist: models2.CVEAllowlist{},
 		Metadata: map[string]string{
 			proMetaKeyContentTrust:  "true",
 			proMetaKeyVulnerability: "true",

diff --git a/src/controller/project/controller.go b/src/controller/project/controller.go
@@ -23,11 +23,11 @@ import (
 	"github.com/goharbor/harbor/src/lib/log"
 	"github.com/goharbor/harbor/src/lib/orm"
 	"github.com/goharbor/harbor/src/lib/q"
+	"github.com/goharbor/harbor/src/pkg/allowlist"
 	"github.com/goharbor/harbor/src/pkg/notification"
 	"github.com/goharbor/harbor/src/pkg/project"
 	"github.com/goharbor/harbor/src/pkg/project/metadata"
 	"github.com/goharbor/harbor/src/pkg/project/models"
-	"github.com/goharbor/harbor/src/pkg/scan/allowlist"
 	"github.com/goharbor/harbor/src/pkg/user"
 )
 
@@ -89,7 +89,7 @@ func (c *controller) Create(ctx context.Context, project *models.Project) (int64
 			return err
 		}
 
-		if err := c.allowlistMgr.CreateEmpty(projectID); err != nil {
+		if err := c.allowlistMgr.CreateEmpty(ctx, projectID); err != nil {
 			log.Errorf("failed to create CVE allowlist for project %s: %v", project.Name, err)
 			return err
 		}
@@ -233,7 +233,7 @@ func (c *controller) Update(ctx context.Context, p *models.Project) error {
 	}
 
 	if p.CVEAllowlist.ProjectID == p.ProjectID {
-		if err := c.allowlistMgr.Set(p.ProjectID, p.CVEAllowlist); err != nil {
+		if err := c.allowlistMgr.Set(ctx, p.ProjectID, p.CVEAllowlist); err != nil {
 			return err
 		}
 	}
@@ -285,7 +285,7 @@ func (c *controller) loadCVEAllowlists(ctx context.Context, projects models.Proj
 	}
 
 	for _, p := range projects {
-		wl, err := c.allowlistMgr.Get(p.ProjectID)
+		wl, err := c.allowlistMgr.Get(ctx, p.ProjectID)
 		if err != nil {
 			return err
 		}
@@ -303,7 +303,7 @@ func (c *controller) loadEffectCVEAllowlists(ctx context.Context, projects model
 
 	for _, p := range projects {
 		if p.ReuseSysCVEAllowlist() {
-			wl, err := c.allowlistMgr.GetSys()
+			wl, err := c.allowlistMgr.GetSys(ctx)
 			if err != nil {
 				log.Errorf("get system CVE allowlist failed, error: %v", err)
 				return err
@@ -312,7 +312,7 @@ func (c *controller) loadEffectCVEAllowlists(ctx context.Context, projects model
 			wl.ProjectID = p.ProjectID
 			p.CVEAllowlist = *wl
 		} else {
-			wl, err := c.allowlistMgr.Get(p.ProjectID)
+			wl, err := c.allowlistMgr.Get(ctx, p.ProjectID)
 			if err != nil {
 				return err
 			}

diff --git a/src/controller/project/controller_test.go b/src/controller/project/controller_test.go
@@ -19,17 +19,17 @@ import (
 	"fmt"
 	"testing"
 
-	commonmodels "github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/lib/errors"
 	"github.com/goharbor/harbor/src/lib/orm"
 	"github.com/goharbor/harbor/src/lib/q"
+	models2 "github.com/goharbor/harbor/src/pkg/allowlist/models"
 	"github.com/goharbor/harbor/src/pkg/project/models"
 	usermodels "github.com/goharbor/harbor/src/pkg/user/models"
 	ormtesting "github.com/goharbor/harbor/src/testing/lib/orm"
 	"github.com/goharbor/harbor/src/testing/mock"
+	allowlisttesting "github.com/goharbor/harbor/src/testing/pkg/allowlist"
 	"github.com/goharbor/harbor/src/testing/pkg/project"
 	"github.com/goharbor/harbor/src/testing/pkg/project/metadata"
-	"github.com/goharbor/harbor/src/testing/pkg/scan/allowlist"
 	"github.com/goharbor/harbor/src/testing/pkg/user"
 	"github.com/stretchr/testify/suite"
 )
@@ -42,8 +42,8 @@ func (suite *ControllerTestSuite) TestCreate() {
 	ctx := orm.NewContext(context.TODO(), &ormtesting.FakeOrmer{})
 	mgr := &project.Manager{}
 
-	allowlistMgr := &allowlist.Manager{}
-	allowlistMgr.On("CreateEmpty", mock.Anything).Return(nil)
+	allowlistMgr := &allowlisttesting.Manager{}
+	allowlistMgr.On("CreateEmpty", mock.Anything, mock.Anything).Return(nil)
 
 	metadataMgr := &metadata.Manager{}
 
@@ -74,7 +74,7 @@ func (suite *ControllerTestSuite) TestGetByName() {
 	mgr.On("Get", ctx, "test").Return(nil, errors.NotFoundError(nil))
 	mgr.On("Get", ctx, "oops").Return(nil, fmt.Errorf("oops"))
 
-	allowlistMgr := &allowlist.Manager{}
+	allowlistMgr := &allowlisttesting.Manager{}
 
 	metadataMgr := &metadata.Manager{}
 	metadataMgr.On("Get", ctx, mock.Anything).Return(map[string]string{"public": "true"}, nil)
@@ -103,7 +103,7 @@ func (suite *ControllerTestSuite) TestGetByName() {
 	}
 
 	{
-		allowlistMgr.On("Get", mock.Anything).Return(&commonmodels.CVEAllowlist{ProjectID: 1}, nil)
+		allowlistMgr.On("Get", mock.Anything, mock.Anything).Return(&models2.CVEAllowlist{ProjectID: 1}, nil)
 		p, err := c.GetByName(ctx, "library", WithCVEAllowlist())
 		suite.Nil(err)
 		suite.Equal("library", p.Name)

diff --git a/src/core/api/harborapi_test.go b/src/core/api/harborapi_test.go
@@ -117,7 +117,6 @@ func init() {
 	beego.Router("/api/email/ping", &EmailAPI{}, "post:Ping")
 	beego.Router("/api/labels", &LabelAPI{}, "post:Post;get:List")
 	beego.Router("/api/labels/:id([0-9]+", &LabelAPI{}, "get:Get;put:Put;delete:Delete")
-	beego.Router("/api/system/CVEAllowlist", &SysCVEAllowlistAPI{}, "get:Get;put:Put")
 
 	beego.Router("/api/replication/adapters", &ReplicationAdapterAPI{}, "get:List")