Harbor-UI should display the actual OCI 1.1 artifactType for artifact accessories #21345

Open
ChristianCiach opened this issue Dec 20, 2024 · 3 comments

ChristianCiach commented Dec 20, 2024

Is your feature request related to a problem? Please describe.

We are using true OCI artifacts to attach SBOMs and vulnerability scan results to our images by using the Referrers-API as specified by the OCI Distribution spec 1.1. In the OCI Image spec 1.1, the artifactType is a new top-level attribute of the artifact manifest.

Unfortunately, Harbor doesn't show the artifact-type of an artifact when using the UI. Example screenshot:

[screenshot]

As you can see, the type of the attachments is always showing as subject.accessory, which isn't very helpful. The true types of the shown artifacts are trivy-sbom/cyclonedx and trivy-vuln/results. The actual types are shown neither in the listing of the accessories, nor when showing the artifact details of an accessory!

Describe the solution you'd like

I think the fallback type subject.accessory used by Harbor is mostly useless. It should instead show the actual artifactType of the artifact, if available. Alternatively we could introduce a new column named Artifact type, but this could be problematic since there is not a lot of horizontal space available.

The artifact type should also be displayed when viewing the details of the artifact by clicking on a specific accessory.

This proposal probably depends on an addition to the accessories-API as described here:

Contributor

wy65701436 commented Dec 23, 2024

The artifactType is an attribute defined in the OCI specification, specifically for the referrers API. Are you asking if you'd like to see the artifactType of the pushed accessory displayed in the Harbor UI? And can you show us the use case?

By the way, the type of accessory is defined within Harbor itself. By default, it is set to subject.accessory. However, when Harbor recognizes the pushed accessory — such as a signature generated by Notary or Cosign — it will be displayed as subject.signature, subject.sbom, and so on.

Author

ChristianCiach commented Jan 2, 2025

> Are you asking if you'd like to see the artifactType of the pushed accessory displayed in the Harbor UI? And can you show us the use case?

Yes, that is exactly what I am asking for :) For the use-case: As shown in the screenshot above, there is currently no way to see in the UI what the type of an accessory is. For example, if a project maintainer wants to delete the attached trivy vulnerability results (e.g. to let an external process re-generate the trivy results), how can the maintainer possibly know which artifact to delete? Is it sha256:aaae98e5? Or is it sha256:ea79518e? There is no way to know without using external tools like oras or regctl.

> However, when Harbor recognizes the pushed accessory — such as a signature generated by Notary or Cosign — it will be displayed as subject.signature, subject.sbom, and so on.

Yes, but this is limited to the few types that Harbor natively recognizes. As a true OCI 1.1 compatible registry, the artifactType should be a first-class attribute, not only some implementation detail that Harbor maps to a limited set of predefined types.
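
Added illustration (not part of the thread and not Harbor's code): the Referrers API response defined by the OCI Distribution spec 1.1 is an image index whose descriptors carry each referrer's artifactType, so a client can map types to digests before deleting anything. The response body and digests are constructed, and `referrers_by_type` is a hypothetical helper name.

```python
import json
import re

INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"
MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"
DIGEST_RE = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[A-Za-z0-9=_-]+$")

# Constructed digests (placeholders, not the ones from the screenshot).
D_SBOM, D_VULN, D_OTHER = ("sha256:" + c * 64 for c in "abc")

# Constructed body of GET /v2/<name>/referrers/<subject-digest>: an image index
# whose descriptors carry the artifactType of each referring manifest.
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [
        {"mediaType": MANIFEST_MEDIA_TYPE, "size": 741, "digest": D_SBOM,
         "artifactType": "trivy-sbom/cyclonedx"},
        {"mediaType": MANIFEST_MEDIA_TYPE, "size": 739, "digest": D_VULN,
         "artifactType": "trivy-vuln/results"},
        {"mediaType": MANIFEST_MEDIA_TYPE, "size": 512, "digest": D_OTHER},
    ],
})

def referrers_by_type(body, headers=None, wanted=None):
    """Map artifactType -> [digest] for one referrers response.

    wanted: optional artifactType to keep. The filter is applied here unless the
    registry reports, via OCI-Filters-Applied, that it already applied it.
    """
    index = json.loads(body)
    if index.get("mediaType") != INDEX_MEDIA_TYPE:
        raise ValueError("referrers response is not an OCI image index")
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    applied = [f.strip() for f in lowered.get("oci-filters-applied", "").split(",")]
    must_filter = wanted is not None and "artifactType" not in applied
    grouped = {}
    for desc in index.get("manifests") or []:
        digest = str(desc.get("digest", ""))
        if not DIGEST_RE.match(digest):
            continue  # never hand a malformed digest to a delete call
        kind = desc.get("artifactType") or "(no artifactType)"
        if must_filter and kind != wanted:
            continue
        grouped.setdefault(kind, []).append(digest)
    return grouped

if __name__ == "__main__":
    for kind, digests in referrers_by_type(SAMPLE_BODY).items():
        print(kind, digests)
```

Descriptors without an artifactType are grouped under a label chosen for this example rather than dropped, so an untyped accessory stays visible.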

@ChristianCiach
Author

For comparison, the Zot registry has a tab called "Referred by" which shows the artifact-type as the "Type" attribute:

[screenshot]
