Pluggable Scanner API schema changes to support enhanced reporting schema #4
Conversation
Hey @prahaladdarkin ! Good job. I left a few comments from my side.
Can you fix the DCO issue? Check https://github.com/goharbor/pluggable-scanner-spec/pull/4/checks?check_run_id=1314353432
Incorporated review comments
Incorporated review comment and introduced an array to hold CWE IDs
Hey @prahaladdarkin I just left a few suggestions to keep the spec consistent
Signed-off-by: Prahalad Deshpande <prahaladd@vmware.com> Adding signature to commit
Force-pushed from 37dc3c7 to a9a2280
Signed-off-by: Prahalad Deshpande <prahaladd@vmware.com> Signing unsigned commits
…or CWE_ID. Also renamed CVSS attribute names Signed-off-by: Prahalad Deshpande <prahaladd@vmware.com>
Force-pushed from a9a2280 to 8f4fcb2
The CVSS structure looks good to me. I only left the comment that we should deprecate application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0 instead of removing it. Otherwise it's not a backward compatible change.
….vuln.report.harbor+json; version=1.` instead of removing it Signed-off-by: Prahalad Deshpande <prahaladd@vmware.com>
Incorporated review comments.
lgtm
Accepting suggestion related to deprecation of Mime Types for Harbor vulnerability report Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com> Signed-off-by: Prahalad Deshpande <prahaladd@vmware.com>
Force-pushed from 472c11a to efbb376
Description
An enhanced common vulnerability reporting schema for container images in a registry has been proposed as per pull request here
The new schema proposes to add the following new fields to the vulnerability data information
Scanner implementations can opt to send information corresponding to the above attributes for vulnerability items depending on whether they support collecting/deriving data for these attributes.
The pluggable scanner schema is also hence required to be modified in order to support sending these optional fields. The following changes are proposed in this Pull Request:
- application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.1 for the enhanced version of the VulnerabilityItem schema
- schema 1.1 (api/1_1)
- VulnerabilityItem schema is now updated to expose these additional attributes
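The review point above, that version=1.0 of the report media type should be deprecated rather than removed, illustrated as an added example that is not part of this PR or of the spec: a small Go helper a scanner adapter could use to negotiate the report schema version. It assumes Harbor names the report format it wants in the Accept header and the adapter answers with a matching Content-Type; negotiateReport, versionRank and the Negotiated type are hypothetical names chosen here.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Report media type from this PR; the "version" parameter selects the schema.
const harborReportMIME = "application/vnd.scanner.adapter.vuln.report.harbor+json"

// Versions the adapter can produce, ranked so the newest wins. 1.0 stays
// servable for Harbor instances that still ask for it, but is flagged as
// deprecated rather than removed (the backward-compatibility point in review).
var versionRank = map[string]int{"1.0": 0, "1.1": 1}
var deprecatedVersions = map[string]bool{"1.0": true}

// Negotiated is a hypothetical result type, not part of the spec.
type Negotiated struct {
	ContentType string // value to echo back in the Content-Type header
	Version     string
	Deprecated  bool // true when the client asked for a deprecated schema
}

// negotiateReport picks the newest supported schema version among the
// comma-separated entries of an Accept header. Each entry goes through
// mime.ParseMediaType, so case, spacing and parameter order do not matter;
// an entry without a version parameter is treated as 1.0, the pre-PR schema.
func negotiateReport(accept string) (Negotiated, error) {
	best, bestRank := "", -1
	for _, entry := range strings.Split(accept, ",") {
		mt, params, err := mime.ParseMediaType(strings.TrimSpace(entry))
		if err != nil || mt != harborReportMIME {
			continue // unrelated or malformed entry: skip it, do not fail
		}
		v, ok := params["version"]
		if !ok {
			v = "1.0"
		}
		if rank, known := versionRank[v]; known && rank > bestRank {
			best, bestRank = v, rank
		}
	}
	if best == "" {
		return Negotiated{}, fmt.Errorf("no supported report media type in Accept %q", accept)
	}
	ct := mime.FormatMediaType(harborReportMIME, map[string]string{"version": best})
	return Negotiated{ContentType: ct, Version: best, Deprecated: deprecatedVersions[best]}, nil
}
```

An adapter can log or meter the Deprecated flag to see which Harbor instances still depend on 1.0 before a later spec revision drops it.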