diff --git a/api/v2.0/legacy_swagger.yaml b/api/v2.0/legacy_swagger.yaml index 3f9867bd6..d0799a916 100644 --- a/api/v2.0/legacy_swagger.yaml +++ b/api/v2.0/legacy_swagger.yaml @@ -2533,38 +2533,38 @@ paths: description: User need to log in first. '403': description: User does not have permission to call this API - '/system/CVEWhitelist': + '/system/CVEAllowlist': get: - summary: Get the system level whitelist of CVE. - description: Get the system level whitelist of CVE. This API can be called by all authenticated users. + summary: Get the system level allowlist of CVE. + description: Get the system level allowlist of CVE. This API can be called by all authenticated users. tags: - Products - System responses: '200': - description: Successfully retrieved the CVE whitelist. + description: Successfully retrieved the CVE allowlist. schema: - $ref: "#/definitions/CVEWhitelist" + $ref: "#/definitions/CVEAllowlist" '401': description: User is not authenticated. '500': description: Unexpected internal errors. put: - summary: Update the system level whitelist of CVE. - description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin + summary: Update the system level allowlist of CVE. + description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin has permission to call this API. tags: - Products - System parameters: - in: body - name: whitelist - description: The whitelist with new content + name: allowlist + description: The allowlist with new content schema: - $ref: "#/definitions/CVEWhitelist" + $ref: "#/definitions/CVEAllowlist" responses: '200': - description: Successfully updated the CVE whitelist. + description: Successfully updated the CVE allowlist. '401': description: User is not authenticated. '403': 
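Review bot: The route `/system/CVEWhitelist` is replaced by `/system/CVEAllowlist` with no alias, redirect or deprecation marker for the old path, so every client and automation script that calls the old route fails on upgrade. Since this spec is the legacy API surface, the old path could stay documented next to the new one with `deprecated: true` until callers have moved, or the break should be called out as a breaking change in the release notes. The same path rename is repeated in `docs/build-customize-contribute/swagger.yaml` further down this diff, and the `Project` definition hunks rename the response field `cve_whitelist` to `cve_allowlist`, which changes the wire format in the same unannounced way.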
@@ -3755,9 +3755,9 @@ definitions: metadata: description: The metadata of the project. $ref: '#/definitions/ProjectMetadata' - cve_whitelist: - description: The CVE whitelist of the project. - $ref: '#/definitions/CVEWhitelist' + cve_allowlist: + description: The CVE allowlist of the project. + $ref: '#/definitions/CVEAllowlist' count_limit: type: integer format: int64 @@ -3821,9 +3821,9 @@ definitions: metadata: description: The metadata of the project. $ref: '#/definitions/ProjectMetadata' - cve_whitelist: - description: The CVE whitelist of this project. - $ref: '#/definitions/CVEWhitelist' + cve_allowlist: + description: The CVE allowlist of this project. + $ref: '#/definitions/CVEAllowlist' ProjectMetadata: type: object properties: @@ -3842,10 +3842,10 @@ definitions: auto_scan: type: string description: 'Whether scan images automatically when pushing. The valid values are "true", "false".' - reuse_sys_cve_whitelist: + reuse_sys_cve_allowlist: type: string - description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false". - If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.' + description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false". + If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.' ProjectSummary: type: object properties: 
@@ -5056,26 +5056,26 @@ definitions: metadata: type: object description: The metadata of namespace - CVEWhitelist: + CVEAllowlist: type: object - description: The CVE Whitelist for system or project + description: The CVE Allowlist for system or project properties: id: type: integer - description: ID of the whitelist + description: ID of the allowlist project_id: type: integer - description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero. + description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero. expires_at: type: integer - description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire. + description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire. items: type: array items: - $ref: "#/definitions/CVEWhitelistItem" - CVEWhitelistItem: + $ref: "#/definitions/CVEAllowlistItem" + CVEAllowlistItem: type: object - description: The item in CVE whitelist + description: The item in CVE allowlist properties: cve_id: type: string diff --git a/docs/README.md b/docs/README.md index b2de015bd..308d60084 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -45,7 +45,7 @@ This section describes how to use and maintain Harbor after deployment. These da - [Scan All Images](administration/vulnerability-scanning/scan-all-images.md) - [Schedule Scans](administration/vulnerability-scanning/schedule-scans.md) - [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability-scanning/import-vulnerability-data.md) - - [Configure System-Wide CVE Whitelists](administration/vulnerability-scanning/configure-system-whitelist.md) + - [Configure System-Wide CVE Allowlists](administration/vulnerability-scanning/configure-system-allowlist.md) - [Garbage Collection](administration/garbage-collection/_index.md) - [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade-migrate-data.md) - [Upgrading Harbor Deployed with Helm](administration/upgrade/helm-upgrade.md) @@ -63,7 +63,7 @@ This section describes how users with the developer, master, and project adminis - [Access and Search Project Logs](working-with-projects/access-project-logs.md) - [Create Robot Accounts](working-with-projects/create-robot-accounts.md) - [Configure Webhook Notifications](working-with-projects/configure-webhooks.md) - - [Configure a Per-Project CVE Whitelist](working-with-projects/configure-project-whitelist.md) + - [Configure a Per-Project CVE Allowlist](working-with-projects/configure-project-allowlist.md) - [Implementing Content Trust](working-with-projects/implementing-content-trust.md) - [Working with Images, Tags, and Helm Charts](working-with-projects/working-with-images.md) - [Pulling and Pushing Images](working-with-projects/pulling-pushing-images.md) 
@@ -87,4 +87,4 @@ This section describes how developers can build from Harbor source code, customi - [Registry Landscape](build-customize-contribute/registry-landscape.md) - [E2E Test Scripting Guide](build-customize-contribute/e2e_api_python_based_scripting_guide.md) -See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community). \ No newline at end of file +See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community). diff --git a/docs/administration/managing-users/user-permissions-by-role.md b/docs/administration/managing-users/user-permissions-by-role.md index 382734bab..0c1d37511 100644 --- a/docs/administration/managing-users/user-permissions-by-role.md +++ b/docs/administration/managing-users/user-permissions-by-role.md @@ -48,8 +48,8 @@ The following table depicts the various user permission levels in a project. | Add/Remove labels of helm chart version | | | ✓ | ✓ | ✓ | | See a list of project robots | | | | ✓ | ✓ | | Create/edit/delete project robots | | | | | ✓ | -| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create/edit/remove CVE whitelist | | | | | ✓ | +| See configured CVE allowlist | ✓ | ✓ | ✓ | ✓ | ✓ | +| Create/edit/remove CVE allowlist | | | | | ✓ | | Enable/disable webhooks | | | ✓ | ✓ | ✓ | | Create/delete tag retention rules | | | ✓ | ✓ | ✓ | | Enable/disable tag retention rules | | | ✓ | ✓ | ✓ | diff --git a/docs/administration/vulnerability-scanning/configure-system-whitelist.md b/docs/administration/vulnerability-scanning/configure-system-allowlist.md similarity index 55% rename from docs/administration/vulnerability-scanning/configure-system-whitelist.md rename to docs/administration/vulnerability-scanning/configure-system-allowlist.md index 9ba1c040c..03a97b26b 100644 --- a/docs/administration/vulnerability-scanning/configure-system-whitelist.md 
+++ b/docs/administration/vulnerability-scanning/configure-system-allowlist.md 
@@ -1,26 +1,26 @@ --- -title: Configure System-Wide CVE Whitelists +title: Configure System-Wide CVE Allowlists weight: 50 --- -When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create whitelists of CVEs to ignore during vulnerability scanning. +When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create allowlists of CVEs to ignore during vulnerability scanning. -You can set a system-wide CVE whitelist or you can set CVE whitelists on a per-project basis. For information about per-project CVE whitelists, see [Configure a Per-Project CVE Whitelist](../../working-with-projects/project-configuration/configure-project-whitelist.md). +You can set a system-wide CVE allowlist or you can set CVE allowlists on a per-project basis. For information about per-project CVE allowlists, see [Configure a Per-Project CVE Allowlist](../../working-with-projects/project-configuration/configure-project-allowlist.md). -System-wide CVE whitelists apply to all of the projects in a Harbor instance. +System-wide CVE allowlists apply to all of the projects in a Harbor instance. 1. Go to **Configuration** > **System Settings**. 1. Under **Deployment security**, click **Add**. - ![System-wide CVE whitelist](../../../img/cve-whitelist1.png) + ![System-wide CVE allowlist](../../../img/cve-allowlist1.png) 1. Enter the list of CVE IDs to ignore during vulnerability scanning. 
- ![Add system CVE whitelist](../../../img/cve-whitelist2.png) + ![Add system CVE allowlist](../../../img/cve-allowlist2.png) Either use a comma-separated list or newlines to add multiple CVE IDs to the list. 1. Click **Add** at the bottom of the window to add the list. -1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist. - ![Add system CVEs](../../../img/cve-whitelist3.png) +1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist. + ![Add system CVEs](../../../img/cve-allowlist3.png) 1. Click **Save** at the bottom of the page to save your settings. -After you have created a system whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system whitelist. +After you have created a system allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system allowlist. -![Add and remove system CVEs](../../../img/cve-whitelist4.png) +![Add and remove system CVEs](../../../img/cve-allowlist4.png) diff --git a/docs/build-customize-contribute/registry-landscape.md b/docs/build-customize-contribute/registry-landscape.md index e3e258156..7f7620483 100644 --- a/docs/build-customize-contribute/registry-landscape.md +++ b/docs/build-customize-contribute/registry-landscape.md @@ -31,5 +31,5 @@ Table updated on 10/21/2019 against Harbor 1.9. | Upstream Registry Proxy Cache | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | | Vulnerability Scanning & Monitoring | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | partial | | Vulnerability Scanning Plugin Framework | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Vulnerability Whitelisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| Vulnerability Allowlisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | | Webhooks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | 
diff --git a/docs/build-customize-contribute/swagger.yaml b/docs/build-customize-contribute/swagger.yaml index e2a83c8ab..54dd695dd 100644 --- a/docs/build-customize-contribute/swagger.yaml +++ b/docs/build-customize-contribute/swagger.yaml @@ -3577,38 +3577,38 @@ paths: description: User need to log in first. '403': description: User does not have permission to call this API - '/system/CVEWhitelist': + '/system/CVEAllowlist': get: - summary: Get the system level whitelist of CVE. - description: Get the system level whitelist of CVE. This API can be called by all authenticated users. + summary: Get the system level allowlist of CVE. + description: Get the system level allowlist of CVE. This API can be called by all authenticated users. tags: - Products - System responses: '200': - description: Successfully retrieved the CVE whitelist. + description: Successfully retrieved the CVE allowlist. schema: - $ref: "#/definitions/CVEWhitelist" + $ref: "#/definitions/CVEAllowlist" '401': description: User is not authenticated. '500': description: Unexpected internal errors. put: - summary: Update the system level whitelist of CVE. - description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin + summary: Update the system level allowlist of CVE. + description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin has permission to call this API. tags: - Products - System parameters: - in: body - name: whitelist - description: The whitelist with new content + name: allowlist + description: The allowlist with new content schema: - $ref: "#/definitions/CVEWhitelist" + $ref: "#/definitions/CVEAllowlist" responses: '200': - description: Successfully updated the CVE whitelist. + description: Successfully updated the CVE allowlist. '401': description: User is not authenticated. '403': 
@@ -4458,9 +4458,9 @@ definitions: metadata: description: The metadata of the project. $ref: '#/definitions/ProjectMetadata' - cve_whitelist: - description: The CVE whitelist of the project. - $ref: '#/definitions/CVEWhitelist' + cve_allowlist: + description: The CVE allowlist of the project. + $ref: '#/definitions/CVEAllowlist' count_limit: type: integer format: int64 @@ -4510,9 +4510,9 @@ definitions: metadata: description: The metadata of the project. $ref: '#/definitions/ProjectMetadata' - cve_whitelist: - description: The CVE whitelist of this project. - $ref: '#/definitions/CVEWhitelist' + cve_allowlist: + description: The CVE allowlist of this project. + $ref: '#/definitions/CVEAllowlist' ProjectMetadata: type: object properties: @@ -4531,10 +4531,10 @@ definitions: auto_scan: type: string description: 'Whether scan images automatically when pushing. The valid values are "true", "false".' - reuse_sys_cve_whitelist: + reuse_sys_cve_allowlist: type: string - description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false". - If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.' + description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false". + If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.' ProjectSummary: type: object properties: 
@@ -6036,26 +6036,26 @@ definitions: metadata: type: object description: The metadata of namespace - CVEWhitelist: + CVEAllowlist: type: object - description: The CVE Whitelist for system or project + description: The CVE Allowlist for system or project properties: id: type: integer - description: ID of the whitelist + description: ID of the allowlist project_id: type: integer - description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero. + description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero. expires_at: type: integer - description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire. + description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire. items: type: array items: - $ref: "#/definitions/CVEWhitelistItem" - CVEWhitelistItem: + $ref: "#/definitions/CVEAllowlistItem" + CVEAllowlistItem: type: object - description: The item in CVE whitelist + description: The item in CVE allowlist properties: cve_id: type: string diff --git a/docs/img/cve-whitelist1.png b/docs/img/cve-allowlist1.png similarity index 100% rename from docs/img/cve-whitelist1.png rename to docs/img/cve-allowlist1.png diff --git a/docs/img/cve-whitelist2.png b/docs/img/cve-allowlist2.png similarity index 100% rename from docs/img/cve-whitelist2.png rename to docs/img/cve-allowlist2.png diff --git a/docs/img/cve-whitelist3.png b/docs/img/cve-allowlist3.png similarity index 100% rename from docs/img/cve-whitelist3.png rename to docs/img/cve-allowlist3.png diff --git a/docs/img/cve-whitelist4.png b/docs/img/cve-allowlist4.png similarity index 100% rename from docs/img/cve-whitelist4.png rename to docs/img/cve-allowlist4.png 
diff --git a/docs/img/cve-whitelist5.png b/docs/img/cve-allowlist5.png similarity index 100% rename from docs/img/cve-whitelist5.png rename to docs/img/cve-allowlist5.png diff --git a/docs/img/cve-whitelist6.png b/docs/img/cve-allowlist6.png similarity index 100% rename from docs/img/cve-whitelist6.png rename to docs/img/cve-allowlist6.png diff --git a/docs/working-with-projects/project-configuration/configure-project-allowlist.md b/docs/working-with-projects/project-configuration/configure-project-allowlist.md new file mode 100644 index 000000000..a17c73863 --- /dev/null +++ b/docs/working-with-projects/project-configuration/configure-project-allowlist.md 
@@ -0,0 +1,32 @@ +--- +title: Configure a Per-Project CVE Allowlist +weight: 50 +--- + +When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create allowlists of CVEs to ignore during vulnerability scanning. + +Harbor administrators can set a system-wide CVE allowlist. For information about site-wide CVE allowlists, see [Configure System-Wide CVE Allowlists](../../administration/vulnerability-scanning/configure-system-allowlist.md). By default, the system allowlist is applied to all projects. You can configure different CVE allowlists for individual projects, that override the system allowlist. + +1. Go to **Projects**, select a project, and select **Configuration**. +1. Under **CVE allowlist**, select **Project allowlist**. + + ![Project CVE allowlist](../../../img/cve-allowlist5.png) + +1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE allowlist to this project allowlist. +1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project. + + ![Add project CVEs](../../../img/cve-allowlist6.png) + + Either use a comma-separated list or newlines to add multiple CVE IDs to the list. + +1. Click **Add** at the bottom of the window to add the CVEs to the project allowlist. +1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist. +1. Click **Save** at the bottom of the page to save your settings. + +After you have created a project allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project allowlist. 
+ +If CVEs are added to the system allowlist after you have created a project allowlist, click **Copy From System** to add the new entries from the system allowlist to the project allowlist. + +{{< note >}} +If CVEs are deleted from the system allowlist after you have created a project allowlist, and if you added the system allowlist to the project allowlist, you must manually remove the deleted CVEs from the project allowlist. If you click **Copy From System** after CVEs have been deleted from the system allowlist, the deleted CVEs are not automatically removed from the project allowlist. +{{< /note >}} diff --git a/docs/working-with-projects/project-configuration/configure-project-whitelist.md b/docs/working-with-projects/project-configuration/configure-project-whitelist.md deleted file mode 100644 index 9b53f11e9..000000000 --- a/docs/working-with-projects/project-configuration/configure-project-whitelist.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Configure a Per-Project CVE Whitelist -weight: 50 ---- - -When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create whitelists of CVEs to ignore during vulnerability scanning. - -Harbor administrators can set a system-wide CVE whitelist. For information about site-wide CVE whitelists, see [Configure System-Wide CVE Whitelists](../../administration/vulnerability-scanning/configure-system-whitelist.md). By default, the system whitelist is applied to all projects. You can configure different CVE whitelists for individual projects, that override the system whitelist. - -1. Go to **Projects**, select a project, and select **Configuration**. -1. Under **CVE whitelist**, select **Project whitelist**. - - ![Project CVE whitelist](../../../img/cve-whitelist5.png) - -1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE whitelist to this project whitelist. -1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project. - - ![Add project CVEs](../../../img/cve-whitelist6.png) - - Either use a comma-separated list or newlines to add multiple CVE IDs to the list. - -1. Click **Add** at the bottom of the window to add the CVEs to the project whitelist. -1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist. -1. Click **Save** at the bottom of the page to save your settings. - -After you have created a project whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project whitelist. 
- -If CVEs are added to the system whitelist after you have created a project whitelist, click **Copy From System** to add the new entries from the system whitelist to the project whitelist. - -{{< note >}} -If CVEs are deleted from the system whitelist after you have created a project whitelist, and if you added the system whitelist to the project whitelist, you must manually remove the deleted CVEs from the project whitelist. If you click **Copy From System** after CVEs have been deleted from the system whitelist, the deleted CVEs are not automatically removed from the project whitelist. -{{< /note >}} diff --git a/make/migrations/postgresql/0040_2.1.0_schema.up.sql b/make/migrations/postgresql/0040_2.1.0_schema.up.sql index dbe15d503..21703e6f8 100644 --- a/make/migrations/postgresql/0040_2.1.0_schema.up.sql +++ b/make/migrations/postgresql/0040_2.1.0_schema.up.sql @@ -1,4 +1,5 @@ ALTER TABLE project ADD COLUMN IF NOT EXISTS registry_id int; +ALTER TABLE IF EXISTS cve_whitelist RENAME TO cve_allowlist; CREATE TABLE IF NOT EXISTS execution ( id SERIAL NOT NULL, diff --git a/src/common/dao/cve_whitelist.go b/src/common/dao/cve_allowlist.go similarity index 70% rename from src/common/dao/cve_whitelist.go rename to src/common/dao/cve_allowlist.go index 7096f8673..68a6ee207 100644 --- a/src/common/dao/cve_whitelist.go +++ b/src/common/dao/cve_allowlist.go 
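Review bot: The table rename `ALTER TABLE IF EXISTS cve_whitelist RENAME TO cve_allowlist;` is added to an existing migration file (`0040_2.1.0_schema.up.sql` is modified, not created), so any database that has already recorded migration 0040 as applied will never execute it. On such a database the renamed model, whose `TableName()` now returns `cve_allowlist`, queries a table that does not exist and every allowlist read fails. If 0040 has been shipped in any release or pre-release build, the statement belongs in a new, later migration file; if the 2.1.0 migration is still unreleased, a comment saying so would help the next reviewer.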
@@ -21,16 +21,16 @@ import ( "github.com/goharbor/harbor/src/lib/log" ) -// CreateCVEWhitelist creates the CVE whitelist -func CreateCVEWhitelist(l models.CVEWhitelist) (int64, error) { +// CreateCVEAllowlist creates the CVE allowlist +func CreateCVEAllowlist(l models.CVEAllowlist) (int64, error) { o := GetOrmer() itemsBytes, _ := json.Marshal(l.Items) l.ItemsText = string(itemsBytes) return o.Insert(&l) } -// UpdateCVEWhitelist Updates the vulnerability white list to DB -func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) { +// UpdateCVEAllowlist Updates the vulnerability white list to DB +func UpdateCVEAllowlist(l models.CVEAllowlist) (int64, error) { o := GetOrmer() itemsBytes, _ := json.Marshal(l.Items) l.ItemsText = string(itemsBytes) 
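Review bot: The doc comment on the renamed function still reads `// UpdateCVEAllowlist Updates the vulnerability white list to DB`, so the rename left the old term in place right above the new name. Suggested wording: `// UpdateCVEAllowlist updates the vulnerability allowlist in the DB`. The body of UpdateCVEAllowlist continues past the end of this hunk.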
@@ -38,22 +38,22 @@ func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) { return id, err } -// GetCVEWhitelist Gets the CVE whitelist of the project based on the project ID in parameter -func GetCVEWhitelist(pid int64) (*models.CVEWhitelist, error) { +// GetCVEAllowlist Gets the CVE allowlist of the project based on the project ID in parameter +func GetCVEAllowlist(pid int64) (*models.CVEAllowlist, error) { o := GetOrmer() - qs := o.QueryTable(&models.CVEWhitelist{}) + qs := o.QueryTable(&models.CVEAllowlist{}) qs = qs.Filter("ProjectID", pid) - r := []*models.CVEWhitelist{} + r := []*models.CVEAllowlist{} _, err := qs.All(&r) if err != nil { - return nil, fmt.Errorf("failed to get CVE whitelist for project %d, error: %v", pid, err) + return nil, fmt.Errorf("failed to get CVE allowlist for project %d, error: %v", pid, err) } if len(r) == 0 { return nil, nil } else if len(r) > 1 { - log.Infof("Multiple CVE whitelists found for project %d, length: %d, returning first element.", pid, len(r)) + log.Infof("Multiple CVE allowlists found for project %d, length: %d, returning first element.", pid, len(r)) } - items := []models.CVEWhitelistItem{} + items := []models.CVEAllowlistItem{} err = json.Unmarshal([]byte(r[0].ItemsText), &items) if err != nil { log.Errorf("Failed to decode item list, err: %v, text: %s", err, r[0].ItemsText) diff --git a/src/common/dao/cve_whitelist_test.go b/src/common/dao/cve_allowlist_test.go similarity index 68% rename from src/common/dao/cve_whitelist_test.go rename to src/common/dao/cve_allowlist_test.go index 099409de5..8f1a17b2a 100644 --- a/src/common/dao/cve_whitelist_test.go +++ b/src/common/dao/cve_allowlist_test.go 
@@ -21,35 +21,35 @@ import ( "testing" ) -func TestUpdateAndGetCVEWhitelist(t *testing.T) { - require.Nil(t, ClearTable("cve_whitelist")) - l2, err := GetCVEWhitelist(5) +func TestUpdateAndGetCVEAllowlist(t *testing.T) { + require.Nil(t, ClearTable("cve_allowlist")) + l2, err := GetCVEAllowlist(5) assert.Nil(t, err) assert.Nil(t, l2) - longList := []models.CVEWhitelistItem{} + longList := []models.CVEAllowlistItem{} for i := 0; i < 50; i++ { - longList = append(longList, models.CVEWhitelistItem{CVEID: "CVE-1999-0067"}) + longList = append(longList, models.CVEAllowlistItem{CVEID: "CVE-1999-0067"}) } e := int64(1573254000) - in1 := models.CVEWhitelist{ProjectID: 3, Items: longList, ExpiresAt: &e} - _, err = UpdateCVEWhitelist(in1) + in1 := models.CVEAllowlist{ProjectID: 3, Items: longList, ExpiresAt: &e} + _, err = UpdateCVEAllowlist(in1) require.Nil(t, err) // assert.Equal(t, int64(1), n) - out1, err := GetCVEWhitelist(3) + out1, err := GetCVEAllowlist(3) require.Nil(t, err) assert.Equal(t, int64(3), out1.ProjectID) assert.Equal(t, longList, out1.Items) assert.Equal(t, e, *out1.ExpiresAt) - sysCVEs := []models.CVEWhitelistItem{ + sysCVEs := []models.CVEAllowlistItem{ {CVEID: "CVE-2019-10164"}, {CVEID: "CVE-2017-12345"}, } - in3 := models.CVEWhitelist{Items: sysCVEs} - _, err = UpdateCVEWhitelist(in3) + in3 := models.CVEAllowlist{Items: sysCVEs} + _, err = UpdateCVEAllowlist(in3) require.Nil(t, err) - require.Nil(t, ClearTable("cve_whitelist")) + require.Nil(t, ClearTable("cve_allowlist")) } diff --git a/src/common/models/base.go b/src/common/models/base.go index d60952d5c..cc919da1c 100644 --- a/src/common/models/base.go +++ b/src/common/models/base.go @@ -36,6 +36,6 @@ func init() { new(NotificationJob), new(ProjectBlob), new(ArtifactAndBlob), - new(CVEWhitelist), + new(CVEAllowlist), ) } 
diff --git a/src/common/models/cve_whitelist.go b/src/common/models/cve_allowlist.go similarity index 73% rename from src/common/models/cve_whitelist.go rename to src/common/models/cve_allowlist.go index 90badb372..9b1883324 100644 --- a/src/common/models/cve_whitelist.go +++ b/src/common/models/cve_allowlist.go @@ -16,29 +16,29 @@ package models import "time" -// CVEWhitelist defines the data model for a CVE whitelist -type CVEWhitelist struct { +// CVEAllowlist defines the data model for a CVE allowlist +type CVEAllowlist struct { ID int64 `orm:"pk;auto;column(id)" json:"id"` ProjectID int64 `orm:"column(project_id)" json:"project_id"` ExpiresAt *int64 `orm:"column(expires_at)" json:"expires_at,omitempty"` - Items []CVEWhitelistItem `orm:"-" json:"items"` + Items []CVEAllowlistItem `orm:"-" json:"items"` ItemsText string `orm:"column(items)" json:"-"` CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"` UpdateTime time.Time `orm:"column(update_time);auto_now" json:"update_time"` } -// CVEWhitelistItem defines one item in the CVE whitelist -type CVEWhitelistItem struct { +// CVEAllowlistItem defines one item in the CVE allowlist +type CVEAllowlistItem struct { CVEID string `json:"cve_id"` } // TableName ... -func (c *CVEWhitelist) TableName() string { - return "cve_whitelist" +func (c *CVEAllowlist) TableName() string { + return "cve_allowlist" } -// CVESet returns the set of CVE id of the items in the whitelist to help filter the vulnerability list -func (c *CVEWhitelist) CVESet() map[string]struct{} { +// CVESet returns the set of CVE id of the items in the allowlist to help filter the vulnerability list +func (c *CVEAllowlist) CVESet() map[string]struct{} { r := map[string]struct{}{} for _, it := range c.Items { r[it.CVEID] = struct{}{} 
@@ -46,8 +46,8 @@ func (c *CVEWhitelist) CVESet() map[string]struct{} { return r } -// IsExpired returns whether the whitelist is expired -func (c *CVEWhitelist) IsExpired() bool { +// IsExpired returns whether the allowlist is expired +func (c *CVEAllowlist) IsExpired() bool { if c.ExpiresAt == nil { return false } diff --git a/src/common/models/cve_whitelist_test.go b/src/common/models/cve_allowlist_test.go similarity index 85% rename from src/common/models/cve_whitelist_test.go rename to src/common/models/cve_allowlist_test.go index cb47e7021..9d5c87b71 100644 --- a/src/common/models/cve_whitelist_test.go +++ b/src/common/models/cve_allowlist_test.go @@ -21,38 +21,38 @@ import ( "time" ) -func TestCVEWhitelist_All(t *testing.T) { +func TestCVEAllowlist_All(t *testing.T) { future := int64(4411494000) now := time.Now().Unix() cases := []struct { - input CVEWhitelist + input CVEAllowlist cveset map[string]struct{} expired bool }{ { - input: CVEWhitelist{ + input: CVEAllowlist{ ID: 1, ProjectID: 0, - Items: []CVEWhitelistItem{}, + Items: []CVEAllowlistItem{}, }, cveset: map[string]struct{}{}, expired: false, }, { - input: CVEWhitelist{ + input: CVEAllowlist{ ID: 1, ProjectID: 0, - Items: []CVEWhitelistItem{}, + Items: []CVEAllowlistItem{}, ExpiresAt: &now, }, cveset: map[string]struct{}{}, expired: true, }, { - input: CVEWhitelist{ + input: CVEAllowlist{ ID: 2, ProjectID: 3, - Items: []CVEWhitelistItem{ + Items: []CVEAllowlistItem{ {CVEID: "CVE-1999-0067"}, {CVEID: "CVE-2016-7654321"}, }, diff --git a/src/common/models/pro_meta.go b/src/common/models/pro_meta.go index 9c8565747..af00df3cb 100644 --- a/src/common/models/pro_meta.go +++ b/src/common/models/pro_meta.go 
@@ -25,7 +25,7 @@ const (
 ProMetaPreventVul = "prevent_vul" // prevent vulnerable images from being pulled
 ProMetaSeverity = "severity"
 ProMetaAutoScan = "auto_scan"
- ProMetaReuseSysCVEWhitelist = "reuse_sys_cve_whitelist"
+ ProMetaReuseSysCVEAllowlist = "reuse_sys_cve_allowlist"
 )
 
 // ProjectMetadata holds the metadata of a project.
diff --git a/src/common/models/project.go b/src/common/models/project.go
index dbb6bcc41..21aa3c31d 100644
--- a/src/common/models/project.go
+++ b/src/common/models/project.go
@@ -44,7 +44,7 @@ type Project struct {
 RepoCount int64 `orm:"-" json:"repo_count"`
 ChartCount uint64 `orm:"-" json:"chart_count"`
 Metadata map[string]string `orm:"-" json:"metadata"`
- CVEWhitelist CVEWhitelist `orm:"-" json:"cve_whitelist"`
+ CVEAllowlist CVEAllowlist `orm:"-" json:"cve_allowlist"`
 RegistryID int64 `orm:"column(registry_id)" json:"registry_id"`
 }
 
@@ -93,9 +93,9 @@ func (p *Project) VulPrevented() bool {
 return isTrue(prevent)
 }
 
-// ReuseSysCVEWhitelist ...
-func (p *Project) ReuseSysCVEWhitelist() bool {
- r, ok := p.GetMetadata(ProMetaReuseSysCVEWhitelist)
+// ReuseSysCVEAllowlist ...
+func (p *Project) ReuseSysCVEAllowlist() bool {
+ r, ok := p.GetMetadata(ProMetaReuseSysCVEAllowlist)
 if !ok {
 return true
 }
@@ -177,7 +177,7 @@ type ProjectRequest struct {
 Name string `json:"project_name"`
 Public *int `json:"public"` // deprecated, reserved for project creation in replication
 Metadata map[string]string `json:"metadata"`
- CVEWhitelist CVEWhitelist `json:"cve_whitelist"`
+ CVEAllowlist CVEAllowlist `json:"cve_allowlist"`
 StorageLimit *int64 `json:"storage_limit,omitempty"`
 RegistryID int64 `json:"registry_id"`
 
diff --git a/src/controller/event/handler/webhook/chart/chart_test.go b/src/controller/event/handler/webhook/chart/chart_test.go
index b600926ba..545290fde 100644
--- a/src/controller/event/handler/webhook/chart/chart_test.go
+++ b/src/controller/event/handler/webhook/chart/chart_test.go
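Review bot: Renaming the stored metadata key `reuse_sys_cve_whitelist` to `reuse_sys_cve_allowlist` in pro_meta.go silently changes behaviour for existing projects, because `ReuseSysCVEAllowlist()` in the project.go hunk returns `true` when the key is absent: a project whose metadata row still holds the old key with value "false" will start inheriting the system allowlist — the more permissive direction — until a data migration rewrites the key. Unless that migration is elsewhere in the commit, either read the old key as a fallback when the new one is missing (`if !ok { r, ok = p.GetMetadata("reuse_sys_cve_whitelist") }`, preferably via a named deprecated constant) or ship the migration together with this change. The json tags `cve_whitelist` → `cve_allowlist` on Project and ProjectRequest are likewise a breaking change for API clients and should be called out in the release notes. ReuseSysCVEAllowlist's body continues outside the hunk.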
@@ -46,7 +46,7 @@ func TestChartPreprocessHandler_Handle(t *testing.T) { models.ProMetaEnableContentTrust: "true", models.ProMetaPreventVul: "true", models.ProMetaSeverity: "Low", - models.ProMetaReuseSysCVEWhitelist: "false", + models.ProMetaReuseSysCVEAllowlist: "false", }, }) defer func(id int64) { diff --git a/src/controller/project/controller.go b/src/controller/project/controller.go index cd9475cc1..bb63f4c84 100644 --- a/src/controller/project/controller.go +++ b/src/controller/project/controller.go @@ -22,7 +22,7 @@ import ( "github.com/goharbor/harbor/src/lib/errors" "github.com/goharbor/harbor/src/lib/log" "github.com/goharbor/harbor/src/pkg/project" - "github.com/goharbor/harbor/src/pkg/scan/whitelist" + "github.com/goharbor/harbor/src/pkg/scan/allowlist" ) var ( @@ -45,14 +45,14 @@ func NewController() Controller { return &controller{ projectMgr: project.Mgr, metaMgr: metamgr.NewDefaultProjectMetadataManager(), - whitelistMgr: whitelist.NewDefaultManager(), + allowlistMgr: allowlist.NewDefaultManager(), } } type controller struct { projectMgr project.Manager metaMgr metamgr.ProjectMetadataManager - whitelistMgr whitelist.Manager + allowlistMgr allowlist.Manager } func (c *controller) Get(ctx context.Context, projectID int64, options ...Option) (*models.Project, error) { 
@@ -114,23 +114,23 @@ func (c *controller) assembleProject(ctx context.Context, p *models.Project, opt } } - if opts.CVEWhitelist { - if p.ReuseSysCVEWhitelist() { - wl, err := c.whitelistMgr.GetSys() + if opts.CVEAllowlist { + if p.ReuseSysCVEAllowlist() { + wl, err := c.allowlistMgr.GetSys() if err != nil { - log.Errorf("get system CVE whitelist failed, error: %v", err) + log.Errorf("get system CVE allowlist failed, error: %v", err) return nil, err } wl.ProjectID = p.ProjectID - p.CVEWhitelist = *wl + p.CVEAllowlist = *wl } else { - wl, err := c.whitelistMgr.Get(p.ProjectID) + wl, err := c.allowlistMgr.Get(p.ProjectID) if err != nil { return nil, err } - p.CVEWhitelist = *wl + p.CVEAllowlist = *wl } } diff --git a/src/controller/project/options.go b/src/controller/project/options.go index 7e0fc4b5f..0dce02338 100644 --- a/src/controller/project/options.go +++ b/src/controller/project/options.go @@ -19,14 +19,14 @@ type Option func(*Options) // Options options used by `Get` method of `Controller` type Options struct { - CVEWhitelist bool // get project with cve whitelist + CVEAllowlist bool // get project with cve allowlist Metadata bool // get project with metadata } -// CVEWhitelist set CVEWhitelist for the Options -func CVEWhitelist(whitelist bool) Option { +// CVEAllowlist set CVEAllowlist for the Options +func CVEAllowlist(allowlist bool) Option { return func(opts *Options) { - opts.CVEWhitelist = whitelist + opts.CVEAllowlist = allowlist } } diff --git a/src/controller/scan/checker.go b/src/controller/scan/checker.go index 856e77431..584b5fe1f 100644 --- a/src/controller/scan/checker.go +++ b/src/controller/scan/checker.go 
@@ -87,10 +87,10 @@ func (c *checker) IsScannable(ctx context.Context, art *artifact.Artifact) (bool // hasCapability returns true when scanner has capability for the artifact // See https://github.com/goharbor/pluggable-scanner-spec/issues/2 to get more info func hasCapability(r *models.Registration, a *artifact.Artifact) bool { - // use whitelist here because currently only docker image is supported by the scanner + // use allowlist here because currently only docker image is supported by the scanner // https://github.com/goharbor/pluggable-scanner-spec/issues/2 - whitelist := []string{image.ArtifactTypeImage} - for _, t := range whitelist { + allowlist := []string{image.ArtifactTypeImage} + for _, t := range allowlist { if a.Type == t { return r.HasCapability(a.ManifestMediaType) } diff --git a/src/core/api/harborapi_test.go b/src/core/api/harborapi_test.go index df1f7b66b..9a26506f3 100644 --- a/src/core/api/harborapi_test.go +++ b/src/core/api/harborapi_test.go @@ -134,7 +134,7 @@ func init() { beego.Router("/api/system/gc/:id([0-9]+)/log", &GCAPI{}, "get:GetLog") beego.Router("/api/system/gc/schedule", &GCAPI{}, "get:Get;put:Put;post:Post") beego.Router("/api/system/scanAll/schedule", &ScanAllAPI{}, "get:Get;put:Put;post:Post") - beego.Router("/api/system/CVEWhitelist", &SysCVEWhitelistAPI{}, "get:Get;put:Put") + beego.Router("/api/system/CVEAllowlist", &SysCVEAllowlistAPI{}, "get:Get;put:Put") beego.Router("/api/system/oidc/ping", &OIDCAPI{}, "post:Ping") beego.Router("/api/projects/:pid([0-9]+)/robots/", &RobotAPI{}, "post:Post;get:List") diff --git a/src/core/api/project.go b/src/core/api/project.go index b1df3d2c3..8ce9556b2 100644 --- a/src/core/api/project.go +++ b/src/core/api/project.go 
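Review bot: The route registration in the harborapi_test.go hunk drops `/api/system/CVEWhitelist` entirely, so any client or script still calling the old path gets a 404 rather than a deprecation period; if the production router is changed the same way (it is not in this chunk), consider keeping the old path bound to the new handler for one release, `beego.Router("/api/system/CVEWhitelist", &SysCVEAllowlistAPI{}, "get:Get;put:Put")`, with a comment marking it deprecated. The `hasCapability` hunk is a local-variable rename only.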
@@ -513,7 +513,7 @@ func (p *ProjectAPI) Put() { if err := p.ProjectMgr.Update(p.project.ProjectID, &models.Project{ Metadata: req.Metadata, - CVEWhitelist: req.CVEWhitelist, + CVEAllowlist: req.CVEAllowlist, }); err != nil { p.ParseAndHandleError(fmt.Sprintf("failed to update project %d", p.project.ProjectID), err) diff --git a/src/core/api/sys_cve_whitelist.go b/src/core/api/sys_cve_allowlist.go similarity index 74% rename from src/core/api/sys_cve_whitelist.go rename to src/core/api/sys_cve_allowlist.go index 50882bb96..9c609006d 100644 --- a/src/core/api/sys_cve_whitelist.go +++ b/src/core/api/sys_cve_allowlist.go @@ -19,18 +19,18 @@ import ( "fmt" "github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/lib/log" - "github.com/goharbor/harbor/src/pkg/scan/whitelist" + "github.com/goharbor/harbor/src/pkg/scan/allowlist" "net/http" ) -// SysCVEWhitelistAPI Handles the requests to manage system level CVE whitelist -type SysCVEWhitelistAPI struct { +// SysCVEAllowlistAPI Handles the requests to manage system level CVE allowlist +type SysCVEAllowlistAPI struct { BaseController - manager whitelist.Manager + manager allowlist.Manager } // Prepare validates the request initially -func (sca *SysCVEWhitelistAPI) Prepare() { +func (sca *SysCVEAllowlistAPI) Prepare() { sca.BaseController.Prepare() if !sca.SecurityCtx.IsAuthenticated() { sca.SendUnAuthorizedError(errors.New("Unauthorized")) @@ -42,11 +42,11 @@ func (sca *SysCVEWhitelistAPI) Prepare() { sca.SendForbiddenError(errors.New(msg)) return } - sca.manager = whitelist.NewDefaultManager() + sca.manager = allowlist.NewDefaultManager() } -// Get handles the GET request to retrieve the system level CVE whitelist -func (sca *SysCVEWhitelistAPI) Get() { +// Get handles the GET request to retrieve the system level CVE allowlist +func (sca *SysCVEAllowlistAPI) Get() { l, err := sca.manager.GetSys() if err != nil { sca.SendInternalServerError(err) 
@@ -55,23 +55,23 @@ func (sca *SysCVEWhitelistAPI) Get() {
 sca.WriteJSONData(l)
 }
 
-// Put handles the PUT request to update the system level CVE whitelist
-func (sca *SysCVEWhitelistAPI) Put() {
- var l models.CVEWhitelist
+// Put handles the PUT request to update the system level CVE allowlist
+func (sca *SysCVEAllowlistAPI) Put() {
+ var l models.CVEAllowlist
 if err := sca.DecodeJSONReq(&l); err != nil {
 log.Errorf("Failed to decode JSON array from request")
 sca.SendBadRequestError(err)
 return
 }
 if l.ProjectID != 0 {
- msg := fmt.Sprintf("Non-zero project ID for system CVE whitelist: %d.", l.ProjectID)
+ msg := fmt.Sprintf("Non-zero project ID for system CVE allowlist: %d.", l.ProjectID)
 log.Error(msg)
 sca.SendBadRequestError(errors.New(msg))
 return
 }
 if err := sca.manager.SetSys(l); err != nil {
- if whitelist.IsInvalidErr(err) {
- log.Errorf("Invalid CVE whitelist: %v", err)
+ if allowlist.IsInvalidErr(err) {
+ log.Errorf("Invalid CVE allowlist: %v", err)
 sca.SendBadRequestError(err)
 return
 }
diff --git a/src/core/api/sys_cve_whitelist_test.go b/src/core/api/sys_cve_allowlist_test.go
similarity index 86%
rename from src/core/api/sys_cve_whitelist_test.go
rename to src/core/api/sys_cve_allowlist_test.go
index 6580721e1..c2aa4c12d 100644
--- a/src/core/api/sys_cve_whitelist_test.go
+++ b/src/core/api/sys_cve_allowlist_test.go
@@ -19,8 +19,8 @@ import (
 "testing"
 )
 
-func TestSysCVEWhitelistAPIGet(t *testing.T) {
- url := "/api/system/CVEWhitelist"
+func TestSysCVEAllowlistAPIGet(t *testing.T) {
+ url := "/api/system/CVEAllowlist"
 cases := []*codeCheckingCase{
 // 401
 {
@@ -43,8 +43,8 @@ func TestSysCVEWhitelistAPIGet(t *testing.T) {
 runCodeCheckingCases(t, cases...)
 }
 
-func TestSysCVEWhitelistAPIPut(t *testing.T) {
- url := "/api/system/CVEWhitelist"
+func TestSysCVEAllowlistAPIPut(t *testing.T) {
+ url := "/api/system/CVEAllowlist"
 s := int64(1573254000)
 cases := []*codeCheckingCase{
 // 401
@@ -79,9 +79,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) { request: &testingRequest{ method: http.MethodPut, url: url, - bodyJSON: models.CVEWhitelist{ + bodyJSON: models.CVEAllowlist{ ExpiresAt: &s, - Items: []models.CVEWhitelistItem{ + Items: []models.CVEAllowlistItem{ {CVEID: "CVE-2019-12310"}, }, ProjectID: 2, @@ -95,9 +95,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) { request: &testingRequest{ method: http.MethodPut, url: url, - bodyJSON: models.CVEWhitelist{ + bodyJSON: models.CVEAllowlist{ ExpiresAt: &s, - Items: []models.CVEWhitelistItem{ + Items: []models.CVEAllowlistItem{ {CVEID: "CVE-2019-12310"}, {CVEID: "CVE-2019-12310"}, }, @@ -111,9 +111,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) { request: &testingRequest{ method: http.MethodPut, url: url, - bodyJSON: models.CVEWhitelist{ + bodyJSON: models.CVEAllowlist{ ExpiresAt: &s, - Items: []models.CVEWhitelistItem{ + Items: []models.CVEAllowlistItem{ {CVEID: "CVE-2019-12310"}, {CVEID: "RHSA-2019:2237"}, }, diff --git a/src/core/promgr/promgr.go b/src/core/promgr/promgr.go index 08ae0dbc9..75ea4e041 100644 --- a/src/core/promgr/promgr.go +++ b/src/core/promgr/promgr.go @@ -16,7 +16,7 @@ package promgr import ( "fmt" - "github.com/goharbor/harbor/src/pkg/scan/whitelist" + "github.com/goharbor/harbor/src/pkg/scan/allowlist" "strconv" "github.com/goharbor/harbor/src/common/models" @@ -47,7 +47,7 @@ type defaultProjectManager struct { pmsDriver pmsdriver.PMSDriver metaMgrEnabled bool // if metaMgrEnabled is enabled, metaMgr will be used to CURD metadata metaMgr metamgr.ProjectMetadataManager - whitelistMgr whitelist.Manager + allowlistMgr allowlist.Manager } // NewDefaultProjectManager returns an instance of defaultProjectManager, 
@@ -60,7 +60,7 @@ func NewDefaultProjectManager(driver pmsdriver.PMSDriver, metaMgrEnabled bool) P } if metaMgrEnabled { mgr.metaMgr = metamgr.NewDefaultProjectMetadataManager() - mgr.whitelistMgr = whitelist.NewDefaultManager() + mgr.allowlistMgr = allowlist.NewDefaultManager() } return mgr } @@ -82,11 +82,11 @@ func (d *defaultProjectManager) Get(projectIDOrName interface{}) (*models.Projec for k, v := range meta { project.Metadata[k] = v } - wl, err := d.whitelistMgr.Get(project.ProjectID) + wl, err := d.allowlistMgr.Get(project.ProjectID) if err != nil { return nil, err } - project.CVEWhitelist = *wl + project.CVEAllowlist = *wl } return project, nil } @@ -96,7 +96,7 @@ func (d *defaultProjectManager) Create(project *models.Project) (int64, error) { return 0, err } if d.metaMgrEnabled { - d.whitelistMgr.CreateEmpty(id) + d.allowlistMgr.CreateEmpty(id) if len(project.Metadata) > 0 { if err = d.metaMgr.Add(id, project.Metadata); err != nil { log.Errorf("failed to add metadata for project %s: %v", project.Name, err) @@ -132,7 +132,7 @@ func (d *defaultProjectManager) Update(projectIDOrName interface{}, project *mod } // TODO transaction? if d.metaMgrEnabled { - if err := d.whitelistMgr.Set(pro.ProjectID, project.CVEWhitelist); err != nil { + if err := d.allowlistMgr.Set(pro.ProjectID, project.CVEAllowlist); err != nil { return err } if len(project.Metadata) > 0 { @@ -195,7 +195,7 @@ func (d *defaultProjectManager) List(query *models.ProjectQueryParam) (*models.P project.Metadata = meta } } - // the whitelist is not populated deliberately + // the allowlist is not populated deliberately return result, nil } diff --git a/src/pkg/scan/allowlist/manager.go b/src/pkg/scan/allowlist/manager.go new file mode 100644 index 000000000..c26a644e2 --- /dev/null +++ b/src/pkg/scan/allowlist/manager.go 
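Review bot: `d.allowlistMgr.CreateEmpty(id)` in the Create hunk still discards the returned error, so a failed insert is only logged inside the manager while project creation reports success. That is tolerable because the manager's `Get` synthesizes an empty allowlist when no row exists, but the intent should be stated at the call site, e.g. `// best effort: Get() returns an empty allowlist when no row exists, so a failed insert is not fatal`; if the row is expected to exist, return the error instead. Create's body continues outside the hunk.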
@@ -0,0 +1,92 @@ +// Copyright Project Harbor Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package allowlist + +import ( + "github.com/goharbor/harbor/src/common/dao" + "github.com/goharbor/harbor/src/common/models" + "github.com/goharbor/harbor/src/jobservice/logger" + "github.com/goharbor/harbor/src/lib/log" +) + +// Manager defines the interface of CVE allowlist manager, it support both system level and project level allowlists +type Manager interface { + // CreateEmpty creates empty allowlist for given project + CreateEmpty(projectID int64) error + // Set sets the allowlist for given project (create or update) + Set(projectID int64, list models.CVEAllowlist) error + // Get gets the allowlist for given project + Get(projectID int64) (*models.CVEAllowlist, error) + // SetSys sets system level allowlist + SetSys(list models.CVEAllowlist) error + // GetSys gets system level allowlist + GetSys() (*models.CVEAllowlist, error) +} + +type defaultManager struct{} + +// CreateEmpty creates empty allowlist for given project +func (d *defaultManager) CreateEmpty(projectID int64) error { + l := models.CVEAllowlist{ + ProjectID: projectID, + Items: []models.CVEAllowlistItem{}, + } + _, err := dao.CreateCVEAllowlist(l) + if err != nil { + logger.Errorf("Failed to create empty CVE allowlist for project: %d, error: %v", projectID, err) + } + return err +} + +// Set sets the allowlist for given project (create or update) +func (d *defaultManager) 
Set(projectID int64, list models.CVEAllowlist) error { + list.ProjectID = projectID + if err := Validate(list); err != nil { + return err + } + _, err := dao.UpdateCVEAllowlist(list) + return err +} + +// Get gets the allowlist for given project +func (d *defaultManager) Get(projectID int64) (*models.CVEAllowlist, error) { + wl, err := dao.GetCVEAllowlist(projectID) + if err != nil { + return nil, err + } + + if wl == nil { + log.Debugf("No CVE allowlist found for project %d, returning empty list.", projectID) + wl = &models.CVEAllowlist{ProjectID: projectID, Items: []models.CVEAllowlistItem{}} + } else if wl.Items == nil { + wl.Items = []models.CVEAllowlistItem{} + } + return wl, nil +} + +// SetSys sets the system level allowlist +func (d *defaultManager) SetSys(list models.CVEAllowlist) error { + return d.Set(0, list) +} + +// GetSys gets the system level allowlist +func (d *defaultManager) GetSys() (*models.CVEAllowlist, error) { + return d.Get(0) +} + +// NewDefaultManager return a new instance of defaultManager +func NewDefaultManager() Manager { + return &defaultManager{} +} diff --git a/src/pkg/scan/whitelist/manager_test.go b/src/pkg/scan/allowlist/manager_test.go similarity index 98% rename from src/pkg/scan/whitelist/manager_test.go rename to src/pkg/scan/allowlist/manager_test.go index 1071323b3..77dd63a9b 100644 --- a/src/pkg/scan/whitelist/manager_test.go +++ b/src/pkg/scan/allowlist/manager_test.go @@ -1,4 +1,4 @@ -package whitelist +package allowlist import ( "github.com/goharbor/harbor/src/common/dao" diff --git a/src/pkg/scan/whitelist/validator.go b/src/pkg/scan/allowlist/validator.go similarity index 88% rename from src/pkg/scan/whitelist/validator.go rename to src/pkg/scan/allowlist/validator.go index a736d3390..89416cc70 100644 --- a/src/pkg/scan/whitelist/validator.go +++ b/src/pkg/scan/allowlist/validator.go 
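Review bot: The new manager.go logs through two different packages — `logger.Errorf` from jobservice/logger in CreateEmpty and `log.Debugf` from lib/log in Get; since the file is being recreated anyway, use lib/log for both (`log.Errorf("Failed to create empty CVE allowlist for project: %d, error: %v", projectID, err)`) and drop the jobservice import. Git also records this file as a new file plus a deletion of src/pkg/scan/whitelist/manager.go rather than a rename like the sibling manager_test.go and validator.go, so blame history is lost; renaming the directory before editing would preserve it.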
@@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package whitelist +package allowlist import ( "fmt" @@ -42,8 +42,8 @@ func IsInvalidErr(err error) bool { const cveIDPattern = `^CVE-\d{4}-\d+$` -// Validate help validates the CVE whitelist, to ensure the CVE ID is valid and there's no duplication -func Validate(wl models.CVEWhitelist) error { +// Validate help validates the CVE allowlist, to ensure the CVE ID is valid and there's no duplication +func Validate(wl models.CVEAllowlist) error { m := map[string]struct{}{} // re := regexp.MustCompile(cveIDPattern) for _, it := range wl.Items { @@ -52,7 +52,7 @@ func Validate(wl models.CVEWhitelist) error { // return &invalidErr{fmt.Sprintf("invalid CVE ID: %s", it.CVEID)} // } if _, ok := m[it.CVEID]; ok { - return &invalidErr{fmt.Sprintf("duplicate CVE ID in whitelist: %s", it.CVEID)} + return &invalidErr{fmt.Sprintf("duplicate CVE ID in allowlist: %s", it.CVEID)} } m[it.CVEID] = struct{}{} } diff --git a/src/pkg/scan/whitelist/validator_test.go b/src/pkg/scan/allowlist/validator_test.go similarity index 84% rename from src/pkg/scan/whitelist/validator_test.go rename to src/pkg/scan/allowlist/validator_test.go index 1566ee0ce..687cb4c51 100644 --- a/src/pkg/scan/whitelist/validator_test.go +++ b/src/pkg/scan/allowlist/validator_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package whitelist +package allowlist import ( "fmt" 
@@ -48,24 +48,24 @@ func TestIsInvalidErr(t *testing.T) { func TestValidate(t *testing.T) { cases := []struct { - l models.CVEWhitelist + l models.CVEAllowlist noError bool }{ { - l: models.CVEWhitelist{ + l: models.CVEAllowlist{ Items: nil, }, noError: true, }, { - l: models.CVEWhitelist{ - Items: []models.CVEWhitelistItem{}, + l: models.CVEAllowlist{ + Items: []models.CVEAllowlistItem{}, }, noError: true, }, { - l: models.CVEWhitelist{ - Items: []models.CVEWhitelistItem{ + l: models.CVEAllowlist{ + Items: []models.CVEAllowlistItem{ {CVEID: "breakit"}, {CVEID: "breakit"}, }, @@ -73,8 +73,8 @@ func TestValidate(t *testing.T) { noError: false, }, { - l: models.CVEWhitelist{ - Items: []models.CVEWhitelistItem{ + l: models.CVEAllowlist{ + Items: []models.CVEAllowlistItem{ {CVEID: "CVE-2014-456132"}, {CVEID: "CVE-2014-7654321"}, }, @@ -82,8 +82,8 @@ func TestValidate(t *testing.T) { noError: true, }, { - l: models.CVEWhitelist{ - Items: []models.CVEWhitelistItem{ + l: models.CVEAllowlist{ + Items: []models.CVEAllowlistItem{ {CVEID: "CVE-2014-456132"}, {CVEID: "CVE-2014-456132"}, {CVEID: "CVE-2014-7654321"}, diff --git a/src/pkg/scan/report/summary.go b/src/pkg/scan/report/summary.go index ac1a984ae..9f54d3f39 100644 --- a/src/pkg/scan/report/summary.go +++ b/src/pkg/scan/report/summary.go @@ -24,7 +24,7 @@ import ( "github.com/goharbor/harbor/src/pkg/scan/vuln" ) -// CVESet defines the CVE whitelist with a hash set way for easy query. +// CVESet defines the CVE allowlist with a hash set way for easy query. type CVESet map[string]struct{} // Contains checks whether the specified CVE is in the set or not. 
@@ -39,16 +39,16 @@ type Options struct { // If it is set, the returned report will contains artifact digest for the vulnerabilities ArtifactDigest string // If it is set, the returned summary will not count the CVEs in the list in. - CVEWhitelist CVESet + CVEAllowlist CVESet } // Option for getting the report w/ summary with func template way. type Option func(options *Options) -// WithCVEWhitelist is an option of setting CVE whitelist. -func WithCVEWhitelist(set *CVESet) Option { +// WithCVEAllowlist is an option of setting CVE allowlist. +func WithCVEAllowlist(set *CVESet) Option { return func(options *Options) { - options.CVEWhitelist = *set + options.CVEAllowlist = *set } } @@ -127,7 +127,7 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro if sum.Duration < 0 { sum.Duration = 0 } - if len(ops.CVEWhitelist) > 0 { + if len(ops.CVEAllowlist) > 0 { sum.CVEBypassed = make([]string, 0) } @@ -170,11 +170,11 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro overallSev := vuln.None for _, v := range rp.Vulnerabilities { - if len(ops.CVEWhitelist) > 0 && ops.CVEWhitelist.Contains(v.ID) { - // If whitelist is set, then check if we need to bypass it + if len(ops.CVEAllowlist) > 0 && ops.CVEAllowlist.Contains(v.ID) { + // If allowlist is set, then check if we need to bypass it // Reduce the total vsum.Total-- - // Append the by passed CVEs specified in the whitelist + // Append the by passed CVEs specified in the allowlist sum.CVEBypassed = append(sum.CVEBypassed, v.ID) continue @@ -199,7 +199,7 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro sum.Summary = vsum // Override the overall severity of the filtered list if needed. - if len(ops.CVEWhitelist) > 0 { + if len(ops.CVEAllowlist) > 0 { sum.Severity = overallSev } diff --git a/src/pkg/scan/report/summary_test.go b/src/pkg/scan/report/summary_test.go index 70f4cc77c..dd40525a6 100644 
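Review bot: `WithCVEAllowlist` dereferences `set` unconditionally, so passing a nil `*CVESet` panics inside the option; CVESet is already a map, so the pointer buys nothing and a guard is cheap: `if set != nil { options.CVEAllowlist = *set }`. This behaviour is carried over by the rename rather than introduced here, so it can be a follow-up.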
--- a/src/pkg/scan/report/summary_test.go +++ b/src/pkg/scan/report/summary_test.go @@ -111,7 +111,7 @@ func (suite *SummaryTestSuite) TestSummaryGenerateSummaryWithOptions() { cveSet := make(CVESet) cveSet["2019-0980-0909"] = struct{}{} - summaries, err := GenerateSummary(suite.r, WithCVEWhitelist(&cveSet)) + summaries, err := GenerateSummary(suite.r, WithCVEAllowlist(&cveSet)) require.NoError(suite.T(), err) require.NotNil(suite.T(), summaries) diff --git a/src/pkg/scan/vuln/severity.go b/src/pkg/scan/vuln/severity.go index ebcbb524e..75c39bbdc 100644 --- a/src/pkg/scan/vuln/severity.go +++ b/src/pkg/scan/vuln/severity.go @@ -21,7 +21,7 @@ import ( const ( // None - only used to mark the overall severity of the scanned artifacts, // means no vulnerabilities attached with the artifacts, - // (might be bypassed by the CVE whitelist). + // (might be bypassed by the CVE allowlist). None Severity = "None" // Unknown - either a security problem that has not been assigned to a priority yet or // a priority that the scanner did not recognize. diff --git a/src/pkg/scan/whitelist/manager.go b/src/pkg/scan/whitelist/manager.go deleted file mode 100644 index 7778ba63f..000000000 --- a/src/pkg/scan/whitelist/manager.go +++ /dev/null 
@@ -1,92 +0,0 @@ -// Copyright Project Harbor Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package whitelist - -import ( - "github.com/goharbor/harbor/src/common/dao" - "github.com/goharbor/harbor/src/common/models" - "github.com/goharbor/harbor/src/jobservice/logger" - "github.com/goharbor/harbor/src/lib/log" -) - -// Manager defines the interface of CVE whitelist manager, it support both system level and project level whitelists -type Manager interface { - // CreateEmpty creates empty whitelist for given project - CreateEmpty(projectID int64) error - // Set sets the whitelist for given project (create or update) - Set(projectID int64, list models.CVEWhitelist) error - // Get gets the whitelist for given project - Get(projectID int64) (*models.CVEWhitelist, error) - // SetSys sets system level whitelist - SetSys(list models.CVEWhitelist) error - // GetSys gets system level whitelist - GetSys() (*models.CVEWhitelist, error) -} - -type defaultManager struct{} - -// CreateEmpty creates empty whitelist for given project -func (d *defaultManager) CreateEmpty(projectID int64) error { - l := models.CVEWhitelist{ - ProjectID: projectID, - Items: []models.CVEWhitelistItem{}, - } - _, err := dao.CreateCVEWhitelist(l) - if err != nil { - logger.Errorf("Failed to create empty CVE whitelist for project: %d, error: %v", projectID, err) - } - return err -} - -// Set sets the whitelist for given project (create or update) -func (d *defaultManager) 
Set(projectID int64, list models.CVEWhitelist) error { - list.ProjectID = projectID - if err := Validate(list); err != nil { - return err - } - _, err := dao.UpdateCVEWhitelist(list) - return err -} - -// Get gets the whitelist for given project -func (d *defaultManager) Get(projectID int64) (*models.CVEWhitelist, error) { - wl, err := dao.GetCVEWhitelist(projectID) - if err != nil { - return nil, err - } - - if wl == nil { - log.Debugf("No CVE whitelist found for project %d, returning empty list.", projectID) - wl = &models.CVEWhitelist{ProjectID: projectID, Items: []models.CVEWhitelistItem{}} - } else if wl.Items == nil { - wl.Items = []models.CVEWhitelistItem{} - } - return wl, nil -} - -// SetSys sets the system level whitelist -func (d *defaultManager) SetSys(list models.CVEWhitelist) error { - return d.Set(0, list) -} - -// GetSys gets the system level whitelist -func (d *defaultManager) GetSys() (*models.CVEWhitelist, error) { - return d.Get(0) -} - -// NewDefaultManager return a new instance of defaultManager -func NewDefaultManager() Manager { - return &defaultManager{} -} diff --git a/src/portal/src/i18n/lang/en-us-lang.json b/src/portal/src/i18n/lang/en-us-lang.json index 49eae0a18..d99663a19 100644 --- a/src/portal/src/i18n/lang/en-us-lang.json +++ b/src/portal/src/i18n/lang/en-us-lang.json 
@@ -1208,24 +1208,24 @@ "TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.", "TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)" }, - "CVE_WHITELIST": { + "CVE_ALLOWLIST": { "DEPLOYMENT_SECURITY": "Deployment security", - "CVE_WHITELIST": "CVE whitelist", - "SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.", - "ADD_SYS": "Add CVE IDs to the system whitelist", - "WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.", - "WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.", + "CVE_ALLOWLIST": "CVE allowlist", + "SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.", + "ADD_SYS": "Add CVE IDs to the system allowlist", + "WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.", + "WARNING_PRO": "The project CVE allowlist has expired. 
You can enable the allowlist by extending the expiration date.", "ADD": "ADD", "ENTER": "Enter CVE ID(s)", "HELP": "Separator: commas or newline characters", "NONE": "None", "EXPIRES_AT": "Expires at", "NEVER_EXPIRES": "Never expires", - "PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.", - "PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist", - "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.", - "SYS_WHITELIST": "System whitelist", - "PRO_WHITELIST": "Project whitelist", + "PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.", + "PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist", + "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.", + "SYS_ALLOWLIST": "System allowlist", + "PRO_ALLOWLIST": "Project allowlist", "ADD_SYSTEM": "COPY FROM SYSTEM" }, "TAG_RETENTION": { diff --git a/src/portal/src/i18n/lang/es-es-lang.json b/src/portal/src/i18n/lang/es-es-lang.json index 64e12dfdf..375008ec1 100644 --- a/src/portal/src/i18n/lang/es-es-lang.json +++ b/src/portal/src/i18n/lang/es-es-lang.json 
@@ -1206,24 +1206,24 @@
 "TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
 "TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
 },
- "CVE_WHITELIST": {
+ "CVE_ALLOWLIST": {
 "DEPLOYMENT_SECURITY": "Deployment security",
- "CVE_WHITELIST": "CVE whitelist",
- "SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
- "ADD_SYS": "Add CVE IDs to the system whitelist",
- "WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
- "WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
+ "CVE_ALLOWLIST": "CVE allowlist",
+ "SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
+ "ADD_SYS": "Add CVE IDs to the system allowlist",
+ "WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
+ "WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
 "ADD": "ADD",
 "ENTER": "Enter CVE ID(s)",
 "HELP": "Separator: commas or newline characters",
 "NONE": "None",
 "EXPIRES_AT": "Expires at",
 "NEVER_EXPIRES": "Never expires",
- "PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
- "PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
- "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
- "SYS_WHITELIST": "System whitelist",
- "PRO_WHITELIST": "Project whitelist",
+ "PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
+ "PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
+ "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
+ "SYS_ALLOWLIST": "System allowlist",
+ "PRO_ALLOWLIST": "Project allowlist",
 "ADD_SYSTEM": "COPY FROM SYSTEM"
 },
 "TAG_RETENTION": {
diff --git a/src/portal/src/i18n/lang/fr-fr-lang.json b/src/portal/src/i18n/lang/fr-fr-lang.json
index a2cb37123..f30003282 100644
--- a/src/portal/src/i18n/lang/fr-fr-lang.json
+++ b/src/portal/src/i18n/lang/fr-fr-lang.json
@@ -1176,24 +1176,24 @@
 "TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
 "TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
 },
- "CVE_WHITELIST": {
+ "CVE_ALLOWLIST": {
 "DEPLOYMENT_SECURITY": "Deployment security",
- "CVE_WHITELIST": "CVE whitelist",
- "SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
- "ADD_SYS": "Add CVE IDs to the system whitelist",
- "WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
- "WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
+ "CVE_ALLOWLIST": "CVE allowlist",
+ "SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
+ "ADD_SYS": "Add CVE IDs to the system allowlist",
+ "WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
+ "WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
 "ADD": "ADD",
 "ENTER": "Enter CVE ID(s)",
 "HELP": "Separator: commas or newline characters",
 "NONE": "None",
 "EXPIRES_AT": "Expires at",
 "NEVER_EXPIRES": "Never expires",
- "PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
- "PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
- "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
- "SYS_WHITELIST": "System whitelist",
- "PRO_WHITELIST": "Project whitelist",
+ "PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
+ "PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
+ "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
+ "SYS_ALLOWLIST": "System allowlist",
+ "PRO_ALLOWLIST": "Project allowlist",
 "ADD_SYSTEM": "COPY FROM SYSTEM"
 },
 "TAG_RETENTION": {
diff --git a/src/portal/src/i18n/lang/pt-br-lang.json b/src/portal/src/i18n/lang/pt-br-lang.json
index 03a51c2b8..ebc099a4c 100644
--- a/src/portal/src/i18n/lang/pt-br-lang.json
+++ b/src/portal/src/i18n/lang/pt-br-lang.json
@@ -1204,24 +1204,24 @@
 "TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
 "TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
 },
- "CVE_WHITELIST": {
+ "CVE_ALLOWLIST": {
 "DEPLOYMENT_SECURITY": "Deployment security",
- "CVE_WHITELIST": "CVE whitelist",
- "SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
- "ADD_SYS": "Add CVE IDs to the system whitelist",
- "WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
- "WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
+ "CVE_ALLOWLIST": "CVE allowlist",
+ "SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
+ "ADD_SYS": "Add CVE IDs to the system allowlist",
+ "WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
+ "WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
 "ADD": "ADD",
 "ENTER": "Enter CVE ID(s)",
 "HELP": "Separator: commas or newline characters",
 "NONE": "None",
 "EXPIRES_AT": "Expires at",
 "NEVER_EXPIRES": "Never expires",
- "PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
- "PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
- "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
- "SYS_WHITELIST": "System whitelist",
- "PRO_WHITELIST": "Project whitelist",
+ "PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
+ "PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
+ "MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
+ "SYS_ALLOWLIST": "System allowlist",
+ "PRO_ALLOWLIST": "Project allowlist",
 "ADD_SYSTEM": "COPY FROM SYSTEM"
 },
 "TAG_RETENTION": {
diff --git a/src/portal/src/i18n/lang/tr-tr-lang.json b/src/portal/src/i18n/lang/tr-tr-lang.json
index 1c9db368e..7112c4ee0 100644
--- a/src/portal/src/i18n/lang/tr-tr-lang.json
+++ b/src/portal/src/i18n/lang/tr-tr-lang.json
@@ -1208,10 +1208,10 @@
 "TIP_REPO": "Bir depo adı yol bileşenlerine bölünmüştür. Depo adının bir bileşeni, isteğe bağlı olarak nokta, kısa çizgi veya alt çizgi ile ayrılmış en az bir küçük harf, alfa sayısal karakterler olmalıdır. Daha kesin olarak, [a-z0-9] + (?: [._-] [a-z0-9] +) * normal ifadesiyle eşleşmelidir. Eğer bir depo adı iki veya daha fazla yol bileşenine sahipse, eğik çizgi ile ayrılmış ('/').Eğik çizgi içeren bir depo adının toplam uzunluğu, 256 karakterden az olmalıdır.",
 "TIP_TAG": "Etiket, bir depodaki Docker imajına uygulanan bir etikettir. Etiketler, bir depodaki çeşitli imajların birbirlerinden nasıl ayırt edildikleridir. Regex ile eşleşmesi gerekir: (`[\\ w] [\\ w .-] {0,127}`)"
 },
- "CVE_WHITELIST": {
+ "CVE_ALLOWLIST": {
 "DEPLOYMENT_SECURITY": "Dağıtım güvenliği",
- "CVE_WHITELIST": "CVE beyaz listesi",
- "SYS_WHITELIST_EXPLAIN": "Sistem beyaz listesi, bir görüntünün güvenlik açığını hesaplarken bu listedeki güvenlik açıklarının göz ardı edilmesine izin verir.",
+ "CVE_ALLOWLIST": "CVE beyaz listesi",
+ "SYS_ALLOWLIST_EXPLAIN": "Sistem beyaz listesi, bir görüntünün güvenlik açığını hesaplarken bu listedeki güvenlik açıklarının göz ardı edilmesine izin verir.",
 "ADD_SYS": "Sistemin beyaz listesine CVE kimlikleri ekle",
 "WARNING_SYS": "Sistem CVE beyaz listesinin süresi doldu. Beyaz listeyi son kullanma tarihini uzatarak etkinleştirebilirsiniz.",
 "WARNING_PRO": "Proje CVE beyaz listesinin süresi doldu. Beyaz listeyi son kullanma tarihini uzatarak etkinleştirebilirsiniz.",
@@ -1221,11 +1221,11 @@
 "NONE": "Hiç",
 "EXPIRES_AT": "Sonunda sona eriyor",
 "NEVER_EXPIRES": "Hiçbir zaman sona ermez",
- "PRO_WHITELIST_EXPLAIN": "Proje beyaz listesi, görüntüleri iterken ve çekerken bu listedeki güvenlik açıklarının bu projede göz ardı edilmesine izin verir.",
+ "PRO_ALLOWLIST_EXPLAIN": "Proje beyaz listesi, görüntüleri iterken ve çekerken bu listedeki güvenlik açıklarının bu projede göz ardı edilmesine izin verir.",
 "PRO_OR_SYS": "Sistemin beyaz listesini olduğu gibi kullanın veya yeni bir beyaz liste oluşturmak için “Proje beyaz listesini” seçin.",
 "MERGE_INTO": "Sistemin beyaz listesini bu projeye dahil edin, bireysel CVE ID'leri ekleyin.",
- "SYS_WHITELIST": "Sistem beyaz listesi",
- "PRO_WHITELIST": "Proje beyaz listesi",
+ "SYS_ALLOWLIST": "Sistem beyaz listesi",
+ "PRO_ALLOWLIST": "Proje beyaz listesi",
 "ADD_SYSTEM": "SİSTEM EKLE"
 },
 "TAG_RETENTION": {
diff --git a/src/portal/src/i18n/lang/zh-cn-lang.json b/src/portal/src/i18n/lang/zh-cn-lang.json
index 769304854..5e015fc9c 100644
--- a/src/portal/src/i18n/lang/zh-cn-lang.json
+++ b/src/portal/src/i18n/lang/zh-cn-lang.json
@@ -1205,25 +1205,25 @@
 "TIP_REPO": "镜像仓库名被分解为路径组件。仓库名必须至少有一个小写字母、字母数字字符,可选句点、破折号或下划线分隔。严格意义上说,它必须匹配正则表达式[a-z0-9]+(?[.-][a-z0-9]+)*.如果仓库名有两个或多个路径组件,则它们必须用正斜杠('/')分隔。包括斜杠在内的仓库名的总长度必须小于256个字符。",
 "TIP_TAG": "Tag 是应用于存储库中的 Docker 映像的一种标签,它用于区分多种镜像。它需要匹配 Regex:([\\w][\\w.-]{0,127})"
 },
- "CVE_WHITELIST": {
+ "CVE_ALLOWLIST": {
 "DEPLOYMENT_SECURITY": "部署安全性",
- "CVE_WHITELIST": "CVE白名单",
- "SYS_WHITELIST_EXPLAIN": "在计算镜像的的安全性漏洞时,在系统的CVE白名单中的漏洞将会被忽略。",
- "ADD_SYS": "可添加一条或多条CVE ID至系统的CVE白名单中",
- "WARNING_SYS": "系统的CVE白名单已过期. 请延长有效期以使白名单生效",
- "WARNING_PRO": "该项目的CVE白名单已过期. 请延长有效期以使白名单生效",
+ "CVE_ALLOWLIST": "CVE特赦名单",
+ "SYS_ALLOWLIST_EXPLAIN": "在计算镜像的的安全性漏洞时,在系统的CVE特赦名单中的漏洞将会被忽略。",
+ "ADD_SYS": "可添加一条或多条CVE ID至系统的CVE特赦名单中",
+ "WARNING_SYS": "系统的CVE特赦名单已过期. 请延长有效期以使特赦名单生效",
+ "WARNING_PRO": "该项目的CVE特赦名单已过期. 请延长有效期以使特赦名单生效",
 "ADD": "添加",
 "ENTER": "输入一条或多条CVE ID",
 "HELP": "CVE ID之间请用英文逗号隔开或者换行",
 "NONE": "无",
 "EXPIRES_AT": "有效期至",
 "NEVER_EXPIRES": "永不过期",
- "PRO_WHITELIST_EXPLAIN": "在推送和拉取镜像时,在项目的CVE白名单中的漏洞将会被忽略",
- "PRO_OR_SYS": "您可以选择使用系统的CVE白名单作为该项目的白名单,也可勾选“启用项目白名单”项来建立该项目自己的CVE白名单,",
- "MERGE_INTO": "您可以点击“复制系统白名单”项将系统白名单合并至该项目白名单中,并可为该项目白名单添加特有的CVE IDs",
- "SYS_WHITELIST": "启用系统白名单",
- "PRO_WHITELIST": "启用项目白名单",
- "ADD_SYSTEM": "复制系统白名单"
+ "PRO_ALLOWLIST_EXPLAIN": "在推送和拉取镜像时,在项目的CVE特赦名单中的漏洞将会被忽略",
+ "PRO_OR_SYS": "您可以选择使用系统的CVE特赦名单作为该项目的特赦名单,也可勾选“启用项目特赦名单”项来建立该项目自己的CVE特赦名单,",
+ "MERGE_INTO": "您可以点击“复制系统特赦名单”项将系统特赦名单合并至该项目特赦名单中,并可为该项目特赦名单添加特有的CVE IDs",
+ "SYS_ALLOWLIST": "启用系统特赦名单",
+ "PRO_ALLOWLIST": "启用项目特赦名单",
+ "ADD_SYSTEM": "复制系统特赦名单"
 },
 "TAG_RETENTION": {
 "TAG_RETENTION": "Tag保留",
diff --git a/src/portal/src/i18n/lang/zh-tw-lang.json b/src/portal/src/i18n/lang/zh-tw-lang.json
index 49ad0fa9d..20369fd98 100644
--- a/src/portal/src/i18n/lang/zh-tw-lang.json
+++ b/src/portal/src/i18n/lang/zh-tw-lang.json
@@ -1192,25 +1192,25 @@
 "TIP_REPO": "鏡像倉庫名被分解為路徑組件。倉庫名必須至少有一個小寫字母、字母數字字符,可選句點、破折號或下劃線分隔。嚴格意義上說,它必須匹配正規表達式[a- z0-9]+(?[.-][a-z0-9]+)*.如果倉庫名有兩個或多個路徑組件,則它們必須用正斜杠('/')分隔。包括斜槓在內的倉庫名的總長度必須小於256個字符。",
 "TIP_TAG": "Tag 是應用於存儲庫中的Docker 映像的一種標籤,它用於區分多種鏡像。它需要匹配Regex:([\\w][\\w.-]{0,127}) "
 },
- "CVE_WHITELIST":{
+ "CVE_ALLOWLIST":{
 "DEPLOYMENT_SECURITY": "部署安全性",
- "CVE_WHITELIST": "CVE白名單",
- "SYS_WHITELIST_EXPLAIN": "在計算鏡像的的安全性漏洞時,在系統的CVE白名單中的漏洞將會被忽略。",
- "ADD_SYS": "可添加一條或多條CVE ID至系統的CVE白名單中",
- "WARNING_SYS": "系統的CVE白名單已過期. 請延長有效期以使白名單生效",
- "WARNING_PRO": "該項目的CVE白名單已過期. 請延長有效期以使白名單生效",
+ "CVE_ALLOWLIST": "CVE特赦名單",
+ "SYS_ALLOWLIST_EXPLAIN": "在計算鏡像的的安全性漏洞時,在系統的CVE特赦名單中的漏洞將會被忽略。",
+ "ADD_SYS": "可添加一條或多條CVE ID至系統的CVE特赦名單中",
+ "WARNING_SYS": "系統的CVE特赦名單已過期. 請延長有效期以使特赦名單生效",
+ "WARNING_PRO": "該項目的CVE特赦名單已過期. 請延長有效期以使特赦名單生效",
 "ADD":"添加",
 "ENTER": "輸入一條或多條CVE ID",
 "HELP": "CVE ID之間請用英文逗號隔開或者換行",
 "NONE":"無",
 "EXPIRES_AT": "有效期至",
 "NEVER_EXPIRES": "永不過期",
- "PRO_WHITELIST_EXPLAIN": "在推送和拉取鏡像時,在項目的CVE白名單中的漏洞將會被忽略",
- "PRO_OR_SYS": "您可以選擇使用系統的CVE白名單作為該項目的白名單,也可勾選“啟用項目白名單”項來建立該項目自己的CVE白名單,",
- "MERGE_INTO": "您可以點擊“複製系統白名單”項將系統白名單合併至該項目白名單中,並可為該項目白名單添加特有的CVE IDs",
- "SYS_WHITELIST": "啟用系統白名單",
- "PRO_WHITELIST": "啟用項目白名單",
- "ADD_SYSTEM": "複製系統白名單"
+ "PRO_ALLOWLIST_EXPLAIN": "在推送和拉取鏡像時,在項目的CVE特赦名單中的漏洞將會被忽略",
+ "PRO_OR_SYS": "您可以選擇使用系統的CVE特赦名單作為該項目的特赦名單,也可勾選“啟用項目特赦名單”項來建立該項目自己的CVE特赦名單,",
+ "MERGE_INTO": "您可以點擊“複製系統特赦名單”項將系統特赦名單合併至該項目特赦名單中,並可為該項目特赦名單添加特有的CVE IDs",
+ "SYS_ALLOWLIST": "啟用系統特赦名單",
+ "PRO_ALLOWLIST": "啟用項目特赦名單",
+ "ADD_SYSTEM": "複製系統特赦名單"
 },
 "TAG_RETENTION":{
 "TAG_RETENTION":"標籤保留",
diff --git a/src/portal/src/lib/components/config/registry-config.component.spec.ts b/src/portal/src/lib/components/config/registry-config.component.spec.ts
index 488be554a..373d93b1a 100644
--- a/src/portal/src/lib/components/config/registry-config.component.spec.ts
+++ b/src/portal/src/lib/components/config/registry-config.component.spec.ts
@@ -19,7 +19,7 @@ import {
 ScanningResultDefaultService,
 SystemInfoService,
 SystemInfoDefaultService,
- SystemInfo, SystemCVEWhitelist
+ SystemInfo, SystemCVEAllowlist
 } from '../../services';
 import { Configuration } from './config';
 import { of } from 'rxjs';
@@ -57,7 +57,7 @@ describe('RegistryConfigComponent (inline template)', () => {
 "harbor_version": "v1.1.1-rc1-160-g565110d",
 "next_scan_all": 0
 };
- let mockSystemWhitelist: SystemCVEWhitelist = {
+ let mockSystemAllowlist: SystemCVEAllowlist = {
 "expires_at": 1561996800,
 "id": 1,
 "items": [],
@@ -96,7 +96,7 @@ describe('RegistryConfigComponent (inline template)', () => {
 systemInfoService = fixture.debugElement.injector.get(SystemInfoService);
 spy = spyOn(cfgService, 'getConfigurations').and.returnValue(of(mockConfig));
 spySystemInfo = spyOn(systemInfoService, 'getSystemInfo').and.returnValue(of(mockSystemInfo));
- spySystemInfo = spyOn(systemInfoService, 'getSystemWhitelist').and.returnValue(of(mockSystemWhitelist));
+ spySystemInfo = spyOn(systemInfoService, 'getSystemAllowlist').and.returnValue(of(mockSystemAllowlist));
 fixture.detectChanges();
 });
diff --git a/src/portal/src/lib/components/config/system/system-settings.component.html b/src/portal/src/lib/components/config/system/system-settings.component.html
index 9baa1ef8b..0bc96d757 100644
--- a/src/portal/src/lib/components/config/system/system-settings.component.html
+++ b/src/portal/src/lib/components/config/system/system-settings.component.html
@@ -74,49 +74,49 @@
- +
- {{'CVE_WHITELIST.CVE_WHITELIST'|translate}} + {{'CVE_ALLOWLIST.CVE_ALLOWLIST'|translate}}
- {{'CVE_WHITELIST.SYS_WHITELIST_EXPLAIN'|translate}} + {{'CVE_ALLOWLIST.SYS_ALLOWLIST_EXPLAIN'|translate}}
- {{'CVE_WHITELIST.ADD_SYS'|translate}} + {{'CVE_ALLOWLIST.ADD_SYS'|translate}}
- {{'CVE_WHITELIST.WARNING_SYS'|translate}} + {{'CVE_ALLOWLIST.WARNING_SYS'|translate}}
+ class="btn btn-link">{{'CVE_ALLOWLIST.ADD'|translate}}
- - - {{'CVE_WHITELIST.HELP'|translate}} + {{'CVE_ALLOWLIST.HELP'|translate}}
- +
-