v2.11.0
Known issue
- known issue #20412 When an artifact signed with legacy cosign is replicated to a destination Harbor, only one signature per artifact is replicated. To replicate multiple signatures for a subject image, sign in OCI 1.1 mode (cosign v2.2.1+).
- known issue #20565 Issue with SBOM generation in Harbor v2.11.0 when using external Reverse Proxy (HTTP 404)
- known issue #20691 LDAP handshake fails against LDAP servers that only offer the old TLS_RSA_* cipher suites (this release is built with Go 1.22, which no longer offers RSA key exchange by default). Workaround: add the environment variable GODEBUG="tlsrsakex=1" to the common/config/core/env file and restart Harbor. Note that this re-enables TLS 1.2 key exchange without forward secrecy; prefer enabling ECDHE cipher suites on the LDAP server where possible.
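The following script is an added example, not part of the Harbor release notes or the Harbor project's own tooling. It applies the #20691 workaround idempotently: GODEBUG is a comma-separated list, so a blunt `echo GODEBUG=tlsrsakex=1 >> env` would either duplicate the line or clobber a setting already present (for instance an existing `x509sha1=1`). The script merges the option into the existing value instead. The env file path is the one the release notes give; `HARBOR_DIR` is an assumed variable defaulting to the current directory, and the scratch file it demonstrates on is constructed here.

```shell
#!/bin/sh
# Added example: merge GODEBUG=tlsrsakex=1 into Harbor's core env file.
# Not Harbor project code. HARBOR_DIR (default ".") is an assumption; the
# relative path common/config/core/env is the one named in known issue #20691.
set -eu

# merge_godebug CURRENT OPTION -> prints CURRENT with OPTION (key=value) added,
# or with the existing entry for the same key replaced. Other GODEBUG settings
# already present are preserved; the result never contains duplicate keys.
merge_godebug() {
  current=$1; option=$2; key=${option%%=*}
  out=""; found=0
  old_ifs=$IFS; IFS=,            # split the comma-separated list
  for item in $current; do
    [ -n "$item" ] || continue
    if [ "${item%%=*}" = "$key" ]; then
      item=$option; found=1      # update the key in place
    fi
    out="${out:+$out,}$item"
  done
  IFS=$old_ifs
  [ "$found" -eq 1 ] || out="${out:+$out,}$option"
  printf '%s' "$out"
}

# set_godebug FILE OPTION -> rewrites (or appends) the GODEBUG= line in FILE
# and prints the merged value. Safe to run repeatedly.
set_godebug() {
  file=$1; option=$2
  current=$(sed -n 's|^GODEBUG=||p' "$file" 2>/dev/null | tail -n 1)
  merged=$(merge_godebug "$current" "$option")
  if grep -q '^GODEBUG=' "$file" 2>/dev/null; then
    tmp=$(mktemp)
    sed "s|^GODEBUG=.*|GODEBUG=$merged|" "$file" > "$tmp"
    cat "$tmp" > "$file"         # write through, keeping FILE's permissions
    rm -f "$tmp"
  else
    printf 'GODEBUG=%s\n' "$merged" >> "$file"
  fi
  printf '%s' "$merged"
}

# Demonstration on a constructed scratch env file (sample content, not a
# real Harbor config): an existing GODEBUG entry must survive the merge.
demo=$(mktemp)
printf 'PORT=8080\nGODEBUG=x509sha1=1\n' > "$demo"
echo "merged GODEBUG: $(set_godebug "$demo" tlsrsakex=1)"
echo "second run:     $(set_godebug "$demo" tlsrsakex=1)"   # unchanged
rm -f "$demo"

# Apply to the real Harbor install only if its core env file is present.
HARBOR_DIR=${HARBOR_DIR:-.}
CORE_ENV="$HARBOR_DIR/common/config/core/env"
if [ -f "$CORE_ENV" ]; then
  echo "updated $CORE_ENV: GODEBUG=$(set_godebug "$CORE_ENV" tlsrsakex=1)"
  echo "restart Harbor (e.g. docker compose down && docker compose up -d) to apply"
fi
```

Run it from the Harbor installer directory (or with `HARBOR_DIR` pointing at it) and then restart Harbor; because Harbor regenerates `common/config` from `harbor.yml` when `prepare` is re-run, expect to reapply the workaround after upgrades or reconfiguration.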
Tips
- Best practice for image signing with Notation v1.2.0 in Harbor
What's Changed
Exciting New Features 🎉
SBOM Generation and Management
Harbor now provides robust support for generating Software Bill of Materials (SBOM) either manually or automatically. Users can conveniently view, download, and replicate SBOMs across different instances of Harbor.
When "Automatically generate SBOM on push" is enabled and a project receives a large number of concurrent pushes, users may need to enable asynchronous project quota updates by setting core.quotaUpdateProvider: redis (values.yaml for harbor-helm) or core.quota_update_provider: redis (harbor.yml for installation via docker-compose). This reduces overall resource consumption, such as database connections, CPU and memory usage.
Supporting OCI Distribution Spec v1.1.0 🎉
Harbor now fully supports the OCI Distribution Spec v1.1.0.
Integration with VolcEngine Registry
Users can now seamlessly replicate images to and from the VolcEngine registry, enhancing interoperability and flexibility within the Harbor ecosystem.
Korean UI Translation
The user interface of Harbor has been enriched with the addition of Korean language support, ensuring a more inclusive and accessible experience for Korean-speaking users.
Enhancement 🚀
- skip transaction for POST /service/token by @liubin in #19339
- Updated internationalisation : fr-fr by @tostt in #19915
Component updates ⬆️
- Bump github.com/go-openapi/errors from 0.19.6 to 0.20.4 in /src by @dependabot in #19697
- bump golang 1.21.5 & fix golangci-lint error by @MinerYang in #19722
- Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /src by @dependabot in #19729
- Bump github.com/coreos/go-oidc/v3 from 3.7.0 to 3.9.0 in /src by @dependabot in #19701
- Bump github.com/prometheus/client_golang from 1.14.0 to 1.17.0 in /src by @dependabot in #19699
- Bump github.com/bmatcuk/doublestar from 1.1.1 to 1.3.4 in /src by @dependabot in #19698
- Fix project metadata validate bug by @YangJiao0817 in #19746
- Bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux from 0.45.0 to 0.46.1 in /src by @dependabot in #19727
- add description in scanner page by @ShengqiWang in #19733
- Fix OpenAPI Specification structural error by @blueswen in #19782
- update project-SelectScanner modal Default field css by @ShengqiWang in #19753
- Bump up PostgreSQL from 14 to 15 by @YangJiao0817 in #19789
- fix invalid links in harbor.yml.tmpl by @microyahoo in #19786
- Bump golang.org/x/time from 0.4.0 to 0.5.0 in /src by @dependabot in #19767
- Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.0 in /src by @dependabot in #19766
- Bump github.com/cloudevents/sdk-go/v2 from 2.13.0 to 2.14.0 in /src by @dependabot in #19764
- Add quota permissions to robot account by @YangJiao0817 in #19799
- Bump gopkg.in/h2non/gock.v1 from 1.0.16 to 1.1.2 in /src by @dependabot in #19765
- Bump github.com/go-openapi/runtime from 0.19.20 to 0.26.2 in /src by @dependabot in #19763
- add repository read permission to limitedGuest by @tpoxa in #19757
- registryctl/api/registry/blob: fix dropped test error by @alrs in #19721
- Remove robot account update quota permission by @YangJiao0817 in #19819
- Cache image list with digest key by @stonezdj in #19801
- Add verification that robot account duration is not 0 by @YangJiao0817 in #19829
- fix artifact page bug by @ShengqiWang in #19807
- Log ensureArtifact ConflictErr by @LiuShuaiyi in #19294
- Fixing typo for About UI by @hasonhai in #19840
- Update isValidDuration function by @YangJiao0817 in #19843
- fix label select bugs by @ShengqiWang in #19850
- Bump k8s.io/client-go from 0.26.2 to 0.29.0 in /src by @dependabot in #19813
- Bump github.com/vmihailenco/msgpack/v5 from 5.0.0-rc.2 to 5.4.1 in /src by @dependabot in #19810
- Bump github.com/go-openapi/swag from 0.22.4 to 0.22.7 in /src by @dependabot in #19809
- feat: add auto_sbom_generation for SBOM auto generation on pushing a … by @zyyw in #19869
- add v6 port for nginx and portal config by @MinerYang in #19868
- add ip_family config in harbor.yml by @MinerYang in #19934
- Bump github.com/aws/aws-sdk-go from 1.34.28 to 1.50.5 in /src by @dependabot in #19920
- Bump github.com/go-openapi/errors from 0.20.4 to 0.21.0 in /src by @dependabot in #19890
- Bump github.com/go-ldap/ldap/v3 from 3.2.4 to 3.4.6 in /src by @dependabot in #19889
- Bump vite and @angular-devkit/build-angular in /src/portal by @dependabot in #19945
- remove ipfamily config migrate jinja in 2.9 and 2.10 by @MinerYang in #19949
- feat: enable configuration of skip_java_db_update by @zyyw in #19996
- [Token/JWT] Update to golang-jwt v5.2.0 by @an-toine in #19802
- Remove redundant file package-lock.json under src folder by @AllForNothing in #20007
- Limit url to local site by @stonezdj in #20013
- Bump go.opentelemetry.io/otel from 1.21.0 to 1.23.1 in /src by @dependabot in #19972
- Bump github.com/go-openapi/strfmt from 0.21.8 to 0.22.0 in /src by @dependabot in #19955
- Bump github.com/google/uuid from 1.3.1 to 1.6.0 in /src by @dependabot in #19954
- Limit url to local path by @stonezdj in #20025
- Bump helm.sh/helm/v3 from 3.11.3 to 3.14.2 in /src by @dependabot in #20017
- Bump github.com/aws/aws-sdk-go from 1.50.5 to 1.50.24 in /src by @dependabot in #20018
- Move strong_ssl_ciphers to top level in harbor.yml by @stonezdj in #19914
- Check if the internal_tls_config is not null when get strong_ssl_ciph… by @stonezdj in #20032
- add sbom settings for project by @wy65701436 in #20069
- update referrers api by @wy65701436 in #20068
- fix: typos by @testwill in #20106
- Update swagger.yaml bad request permission: helm-chart:read by @jm-nab in #20094
- Update support for artifactType for both manifest and index by @MinerYang in #20030
- Update deletion for index type of accessory by @MinerYang in #20073
- add type for scanner metadata by @wy65701436 in #20108
- panic due to mark retention task error by @stonezdj in #20161
- chore: fix function names by @majorteach in #20159
- ScanAll should only log an error when an error occurs by @twhiteman in #20087
- Bump github.com/tencentcloud/tencentcloud-sdk-go from 1.0.62 to 3.0.233+incompatible in /src by @dependabot in #20035
- Bump golang.org/x/sync from 0.3.0 to 0.6.0 in /src by @dependabot in #20036
- Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 in /src by @dependabot in #20104
- Bump github.com/cloudevents/sdk-go/v2 from 2.14.0 to 2.15.2 in /src by @dependabot in #20099
- Bump golang.org/x/net from 0.17.0 to 0.22.0 in /src by @dependabot in #20113
- Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3 in /src by @dependabot in #20139
- Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 in /src by @dependabot in #20124
- Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible in /src by @dependabot in #20147
- Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.21.0 to 1.24.0 in /src by @dependabot in #20037
- fix image name extraction by @tkatkov in #18992
- fix: typo by @testwill in #20190
- bump golang 1.21.8 on main by @MinerYang in #20197
- fix: close file by @testwill in #20189
- Update GenAccessoryArt API to generate valid accessory for SBOM by @stonezdj in #20214
- fix: test robot account permission by @zyyw in #20240
- update artifact_type column alteration by @MinerYang in #20239
- Allow empty path in redirect_url by @stonezdj in #20238
- fix: close blob io ReadCloser by @testwill in #20225
- add stop sbom scanning API by @wy65701436 in #20200
- update referrer manifest descriptor size by @MinerYang in #20207
- adopt cosign with oci-spec 1.1 by @MinerYang in #20245
- Updated internationalisation : fr-fr by @tostt in #20179
- feat: expose trivy.timeout to configure the duration to wait for scan completion by @zyyw in #20257
- bump golang to 1.22.2 by @MinerYang in #20256
- Bump k8s.io/api from 0.29.0 to 0.29.3 in /src by @dependabot in #20205
- Bump github.com/coreos/go-oidc/v3 from 3.9.0 to 3.10.0 in /src by @dependabot in #20202
- Bump golang.org/x/oauth2 from 0.15.0 to 0.19.0 in /src by @dependabot in #20247
- Sending signals by closing the channel by @Iceber in #17917
- Bump go.uber.org/ratelimit from 0.2.0 to 0.3.1 in /src by @dependabot in #20204
- fix: update the image reference format for audit log when pulling image by @zyyw in #20278
- fix issue 20269 by @wy65701436 in #20274
- fix: update TRIVYVERSION=v0.50.1 && TRIVYADAPTERVERSION=v0.31.0 by @zyyw in #20285
- Rename scan request type by @stonezdj in #20288
- skip to log scan sbom accessory for sbom accessory by @stonezdj in #20290
- refactor: update controller.go by @eltociear in #20297
- SBOM UI feature implementation by @xuelichao in #19946
- Allow generate sbom in proxy cache project by @stonezdj in #20298
- Add enableCapabilities to extraAttrs for stop by @stonezdj in #20299
- Set default capability for old scanners by @stonezdj in #20306
- Wrong values shown for the columns of support_sbom and support_vulnerability in scanner list by @xuelichao in #20308
- add prepare migration script for 2.11.0 by @MinerYang in #20315
- Log and skip adapter ping error when retrieve adapter capability by @stonezdj in #20314
- Add 422 in the swagger.yaml by @stonezdj in #20344
- fix: update image reference to @\ in audit log when pushing & deleting images by @zyyw in #20348
- Add scanner info and report_id to sbom_overview on listing artifact by @stonezdj in #20358
- Fix UI bugs by @xuelichao in #20364
- Delete scan_report when accessory is removed by @stonezdj in #20365
- Bump golang.org/x/net from 0.22.0 to 0.24.0 in /src by @dependabot in #20318
- Bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.1 in /src by @dependabot in #20317
- Bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.26.0 in /src by @dependabot in #20370
- Bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0 in /src by @dependabot in #20316
- Add scan type in webhook event by @stonezdj in #20363
- do not delete accessory relationship while still referenced by @MinerYang in #20360
- Rename harbor.sbom to sbom.harbor by @stonezdj in #20359
- Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.24.0 to 1.26.0 in /src by @dependabot in #20374
- Bump k8s.io/api from 0.29.3 to 0.30.0 in /src by @dependabot in #20375
- Bump github.com/gorilla/csrf from 1.6.2 to 1.7.2 in /src by @dependabot in #20376
- Bump github.com/go-asn1-ber/asn1-ber from 1.5.5 to 1.5.6 in /src by @dependabot in #20372
- Bump helm.sh/helm/v3 from 3.14.2 to 3.14.4 in /src by @dependabot in #20373
- fix update TRIVYVERSION=v0.50.4 & TRIVYADAPTERVERSION=v0.31.1 by @zyyw in #20390
- fix: enable stop_scan for ci by @zyyw in #20378
- Update scan job request log for enabled_capabilities by @MinerYang in #20414
- fix issue 20407 by @wy65701436 in #20416
- Skip scan in-toto sbom artifact by @stonezdj in #20415
- fix issue 19928 by @wy65701436 in #20409
- chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.0 to 5.2.1 in /src by @dependabot in #20397
- chore(deps): bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux from 0.46.1 to 0.51.0 in /src by @dependabot in #20394
- chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 in /src by @dependabot in #20396
- add membership=true back for gitlab replication adapter by @zyyw in #20400
- Display status in sbom_overview for image index by @stonezdj in #20425
- Add additional link for sboms by @stonezdj in #20423
- bump golang 1.22.3 by @MinerYang in #20433
- Initialize execution Manager in Report Assembler by @stonezdj in #20437
- Fix-20459 Wrong sbom status displayed in UI by @xuelichao in #20464
- bump up trivy and trivy-adapter version by @zyyw in #20468
- [cherry-pick] Add sbom_report table to store sbom related information by @stonezdj in #20482
- [cherry-pick] Separate the execution vendor type sbom from image_scan by @stonezdj in #20508
- [cherry-pick] Fix tooltip issue related to SBOM.Details by @stonezdj in #20511
- [cherry-pick] fix 20496 by @wy65701436 in #20509
- tls support for pushing sbom by @wy65701436 in #20515
- [cherry-pick] fix 20518 by @wy65701436 in #20522
- [cherry-pick] fix http client to push sbom accessory by @wy65701436 in #20528
- [cherry-pick] Response an error message when there is incomplete sbom generate job by @stonezdj in #20527
- [cherry-pick] No sbom_overview when sbom is deleted by @stonezdj in #20534
- Fixes-20537 SBOM tab should not exist when the artifact is helm package by @xuelichao in #20539
- [cherry-pick] Adjust the query by UUID sql so that it can use the idx_task_extra_at… by @stonezdj in #20546
Docs update 🗄️
- Fix docker version to 20.10.10 by @YangJiao0817 in #19751
- revise the tags of Interrogation Services by @xuelichao in #20049
- Add two columns to display capability type for scanner by @xuelichao in #20111
Other Changes
- Bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in #19689
- Update Robot Account Test Case by @YangJiao0817 in #19710
- Bump github/codeql-action from 2 to 3 by @dependabot in #19714
- Bump google-github-actions/setup-gcloud from 1 to 2 by @dependabot in #19696
- Add notation replication test case by @YangJiao0817 in #19738
- Add multi-tier accessory replication test cases by @YangJiao0817 in #19730
- Add quota permissions testcase by @YangJiao0817 in #19822
- deprecate gosec in makefile by @wy65701436 in #19828
- Bump kentaro-m/auto-assign-action from 1.2.5 to 1.2.6 by @dependabot in #19824
- Update replication rule filter label xpath by @YangJiao0817 in #19895
- fix: cve export label filter xpath by @zyyw in #19931
- add UI test for project quota sorting by @zyyw in #19935
- Bump codecov/codecov-action from 3 to 4 by @dependabot in #19936
- Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 by @dependabot in #19929
- update retry of get_scan_data_export_execution from 5 to 15 by @zyyw in #19959
- fix: scanner tab change by @zyyw in #20128
- Bump softprops/action-gh-release from 1 to 2 by @dependabot in #20115
- delete membership=0 in getProjectsByName by @prima101112 in #20153
- feat: add api test case for quota sorting by @zyyw in #20209
- fix: update e2e test engine images by @zyyw in #20223
- feat: add test case for customizing OIDC provider name by @zyyw in #20287
- feat: add tc for limited guest of a project to get repository by @zyyw in #20311
- fix: fresh scanner list when updating scanner by @zyyw in #20366
- fix: update nightly test case for verifying audit log of image digest by @zyyw in #20354
- fix: update to