Replace all whitelist with allowlist

Signed-off-by: AllForNothing <sshijun@vmware.com>
AllForNothing 2020-06-22 10:34:03 +08:00
parent 202916e396
commit fff6f7529a
78 changed files with 763 additions and 762 deletions


@ -2533,38 +2533,38 @@ paths:
description: User need to log in first.
'403':
description: User does not have permission to call this API
'/system/CVEWhitelist':
'/system/CVEAllowlist':
get:
summary: Get the system level whitelist of CVE.
description: Get the system level whitelist of CVE. This API can be called by all authenticated users.
summary: Get the system level allowlist of CVE.
description: Get the system level allowlist of CVE. This API can be called by all authenticated users.
tags:
- Products
- System
responses:
'200':
description: Successfully retrieved the CVE whitelist.
description: Successfully retrieved the CVE allowlist.
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
'401':
description: User is not authenticated.
'500':
description: Unexpected internal errors.
put:
summary: Update the system level whitelist of CVE.
description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin
summary: Update the system level allowlist of CVE.
description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin
has permission to call this API.
tags:
- Products
- System
parameters:
- in: body
name: whitelist
description: The whitelist with new content
name: allowlist
description: The allowlist with new content
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
responses:
'200':
description: Successfully updated the CVE whitelist.
description: Successfully updated the CVE allowlist.
'401':
description: User is not authenticated.
'403':
@ -3755,9 +3755,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of the project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of the project.
$ref: '#/definitions/CVEAllowlist'
count_limit:
type: integer
format: int64
@ -3821,9 +3821,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of this project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of this project.
$ref: '#/definitions/CVEAllowlist'
ProjectMetadata:
type: object
properties:
@ -3842,10 +3842,10 @@ definitions:
auto_scan:
type: string
description: 'Whether scan images automatically when pushing. The valid values are "true", "false".'
reuse_sys_cve_whitelist:
reuse_sys_cve_allowlist:
type: string
description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false".
If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.'
description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false".
If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.'
ProjectSummary:
type: object
properties:
@ -5056,26 +5056,26 @@ definitions:
metadata:
type: object
description: The metadata of namespace
CVEWhitelist:
CVEAllowlist:
type: object
description: The CVE Whitelist for system or project
description: The CVE Allowlist for system or project
properties:
id:
type: integer
description: ID of the whitelist
description: ID of the allowlist
project_id:
type: integer
description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero.
description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero.
expires_at:
type: integer
description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire.
description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire.
items:
type: array
items:
$ref: "#/definitions/CVEWhitelistItem"
CVEWhitelistItem:
$ref: "#/definitions/CVEAllowlistItem"
CVEAllowlistItem:
type: object
description: The item in CVE whitelist
description: The item in CVE allowlist
properties:
cve_id:
type: string
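Review bot: The path rename from `/system/CVEWhitelist` to `/system/CVEAllowlist` and the property rename `cve_whitelist` → `cve_allowlist` in the two project definitions are breaking changes for existing API clients, and nothing in this section keeps the old names reachable or marks them deprecated. A client still calling the old path gets a 404, and one still sending `cve_whitelist` in a project create/update body has that allowlist ignored by Go's default JSON decoding, so the list it meant to set never reaches the server. Consider keeping the old path for one release as an operation flagged `deprecated: true` that serves the same handler, and accepting the old property name on input until then. The same point applies to the second swagger section, the `/api/system/CVEAllowlist` route in the router hunk, and the `json:"cve_allowlist"` tags on Project and ProjectRequest.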


@ -45,7 +45,7 @@ This section describes how to use and maintain Harbor after deployment. These da
- [Scan All Images](administration/vulnerability-scanning/scan-all-images.md)
- [Schedule Scans](administration/vulnerability-scanning/schedule-scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability-scanning/import-vulnerability-data.md)
- [Configure System-Wide CVE Whitelists](administration/vulnerability-scanning/configure-system-whitelist.md)
- [Configure System-Wide CVE Allowlists](administration/vulnerability-scanning/configure-system-allowlist.md)
- [Garbage Collection](administration/garbage-collection/_index.md)
- [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade-migrate-data.md)
- [Upgrading Harbor Deployed with Helm](administration/upgrade/helm-upgrade.md)
@ -63,7 +63,7 @@ This section describes how users with the developer, master, and project adminis
- [Access and Search Project Logs](working-with-projects/access-project-logs.md)
- [Create Robot Accounts](working-with-projects/create-robot-accounts.md)
- [Configure Webhook Notifications](working-with-projects/configure-webhooks.md)
- [Configure a Per-Project CVE Whitelist](working-with-projects/configure-project-whitelist.md)
- [Configure a Per-Project CVE Allowlist](working-with-projects/configure-project-allowlist.md)
- [Implementing Content Trust](working-with-projects/implementing-content-trust.md)
- [Working with Images, Tags, and Helm Charts](working-with-projects/working-with-images.md)
- [Pulling and Pushing Images](working-with-projects/pulling-pushing-images.md)
@ -87,4 +87,4 @@ This section describes how developers can build from Harbor source code, customi
- [Registry Landscape](build-customize-contribute/registry-landscape.md)
- [E2E Test Scripting Guide](build-customize-contribute/e2e_api_python_based_scripting_guide.md)
See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community).
See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community).


@ -48,8 +48,8 @@ The following table depicts the various user permission levels in a project.
| Add/Remove labels of helm chart version | | | ✓ | ✓ | ✓ |
| See a list of project robots | | | | ✓ | ✓ |
| Create/edit/delete project robots | | | | | ✓ |
| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE whitelist | | | | | ✓ |
| See configured CVE allowlist | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE allowlist | | | | | ✓ |
| Enable/disable webhooks | | | ✓ | ✓ | ✓ |
| Create/delete tag retention rules | | | ✓ | ✓ | ✓ |
| Enable/disable tag retention rules | | | ✓ | ✓ | ✓ |


@ -1,26 +1,26 @@
---
title: Configure System-Wide CVE Whitelists
title: Configure System-Wide CVE Allowlists
weight: 50
---
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create whitelists of CVEs to ignore during vulnerability scanning.
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create allowlists of CVEs to ignore during vulnerability scanning.
You can set a system-wide CVE whitelist or you can set CVE whitelists on a per-project basis. For information about per-project CVE whitelists, see [Configure a Per-Project CVE Whitelist](../../working-with-projects/project-configuration/configure-project-whitelist.md).
You can set a system-wide CVE allowlist or you can set CVE allowlists on a per-project basis. For information about per-project CVE allowlists, see [Configure a Per-Project CVE Allowlist](../../working-with-projects/project-configuration/configure-project-allowlist.md).
System-wide CVE whitelists apply to all of the projects in a Harbor instance.
System-wide CVE allowlists apply to all of the projects in a Harbor instance.
1. Go to **Configuration** > **System Settings**.
1. Under **Deployment security**, click **Add**.
![System-wide CVE whitelist](../../../img/cve-whitelist1.png)
![System-wide CVE allowlist](../../../img/cve-allowlist1.png)
1. Enter the list of CVE IDs to ignore during vulnerability scanning.
![Add system CVE whitelist](../../../img/cve-whitelist2.png)
![Add system CVE allowlist](../../../img/cve-allowlist2.png)
Either use a comma-separated list or newlines to add multiple CVE IDs to the list.
1. Click **Add** at the bottom of the window to add the list.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist.
![Add system CVEs](../../../img/cve-whitelist3.png)
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist.
![Add system CVEs](../../../img/cve-allowlist3.png)
1. Click **Save** at the bottom of the page to save your settings.
After you have created a system whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system whitelist.
After you have created a system allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system allowlist.
![Add and remove system CVEs](../../../img/cve-whitelist4.png)
![Add and remove system CVEs](../../../img/cve-allowlist4.png)


@ -31,5 +31,5 @@ Table updated on 10/21/2019 against Harbor 1.9.
| Upstream Registry Proxy Cache | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
| Vulnerability Scanning & Monitoring | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | partial |
| Vulnerability Scanning Plugin Framework | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Vulnerability Whitelisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Vulnerability Allowlisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Webhooks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |


@ -3577,38 +3577,38 @@ paths:
description: User need to log in first.
'403':
description: User does not have permission to call this API
'/system/CVEWhitelist':
'/system/CVEAllowlist':
get:
summary: Get the system level whitelist of CVE.
description: Get the system level whitelist of CVE. This API can be called by all authenticated users.
summary: Get the system level allowlist of CVE.
description: Get the system level allowlist of CVE. This API can be called by all authenticated users.
tags:
- Products
- System
responses:
'200':
description: Successfully retrieved the CVE whitelist.
description: Successfully retrieved the CVE allowlist.
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
'401':
description: User is not authenticated.
'500':
description: Unexpected internal errors.
put:
summary: Update the system level whitelist of CVE.
description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin
summary: Update the system level allowlist of CVE.
description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin
has permission to call this API.
tags:
- Products
- System
parameters:
- in: body
name: whitelist
description: The whitelist with new content
name: allowlist
description: The allowlist with new content
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
responses:
'200':
description: Successfully updated the CVE whitelist.
description: Successfully updated the CVE allowlist.
'401':
description: User is not authenticated.
'403':
@ -4458,9 +4458,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of the project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of the project.
$ref: '#/definitions/CVEAllowlist'
count_limit:
type: integer
format: int64
@ -4510,9 +4510,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of this project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of this project.
$ref: '#/definitions/CVEAllowlist'
ProjectMetadata:
type: object
properties:
@ -4531,10 +4531,10 @@ definitions:
auto_scan:
type: string
description: 'Whether scan images automatically when pushing. The valid values are "true", "false".'
reuse_sys_cve_whitelist:
reuse_sys_cve_allowlist:
type: string
description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false".
If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.'
description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false".
If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.'
ProjectSummary:
type: object
properties:
@ -6036,26 +6036,26 @@ definitions:
metadata:
type: object
description: The metadata of namespace
CVEWhitelist:
CVEAllowlist:
type: object
description: The CVE Whitelist for system or project
description: The CVE Allowlist for system or project
properties:
id:
type: integer
description: ID of the whitelist
description: ID of the allowlist
project_id:
type: integer
description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero.
description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero.
expires_at:
type: integer
description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire.
description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire.
items:
type: array
items:
$ref: "#/definitions/CVEWhitelistItem"
CVEWhitelistItem:
$ref: "#/definitions/CVEAllowlistItem"
CVEAllowlistItem:
type: object
description: The item in CVE whitelist
description: The item in CVE allowlist
properties:
cve_id:
type: string


@ -0,0 +1,32 @@
---
title: Configure a Per-Project CVE Allowlist
weight: 50
---
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create allowlists of CVEs to ignore during vulnerability scanning.
Harbor administrators can set a system-wide CVE allowlist. For information about site-wide CVE allowlists, see [Configure System-Wide CVE Allowlists](../../administration/vulnerability-scanning/configure-system-allowlist.md). By default, the system allowlist is applied to all projects. You can configure different CVE allowlists for individual projects, that override the system allowlist.
1. Go to **Projects**, select a project, and select **Configuration**.
1. Under **CVE allowlist**, select **Project allowlist**.
![Project CVE allowlist](../../../img/cve-allowlist5.png)
1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE allowlist to this project allowlist.
1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project.
![Add project CVEs](../../../img/cve-allowlist6.png)
Either use a comma-separated list or newlines to add multiple CVE IDs to the list.
1. Click **Add** at the bottom of the window to add the CVEs to the project allowlist.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist.
1. Click **Save** at the bottom of the page to save your settings.
After you have created a project allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project allowlist.
If CVEs are added to the system allowlist after you have created a project allowlist, click **Copy From System** to add the new entries from the system allowlist to the project allowlist.
{{< note >}}
If CVEs are deleted from the system allowlist after you have created a project allowlist, and if you added the system allowlist to the project allowlist, you must manually remove the deleted CVEs from the project allowlist. If you click **Copy From System** after CVEs have been deleted from the system allowlist, the deleted CVEs are not automatically removed from the project allowlist.
{{< /note >}}


@ -1,32 +0,0 @@
---
title: Configure a Per-Project CVE Whitelist
weight: 50
---
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create whitelists of CVEs to ignore during vulnerability scanning.
Harbor administrators can set a system-wide CVE whitelist. For information about site-wide CVE whitelists, see [Configure System-Wide CVE Whitelists](../../administration/vulnerability-scanning/configure-system-whitelist.md). By default, the system whitelist is applied to all projects. You can configure different CVE whitelists for individual projects, that override the system whitelist.
1. Go to **Projects**, select a project, and select **Configuration**.
1. Under **CVE whitelist**, select **Project whitelist**.
![Project CVE whitelist](../../../img/cve-whitelist5.png)
1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE whitelist to this project whitelist.
1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project.
![Add project CVEs](../../../img/cve-whitelist6.png)
Either use a comma-separated list or newlines to add multiple CVE IDs to the list.
1. Click **Add** at the bottom of the window to add the CVEs to the project whitelist.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist.
1. Click **Save** at the bottom of the page to save your settings.
After you have created a project whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project whitelist.
If CVEs are added to the system whitelist after you have created a project whitelist, click **Copy From System** to add the new entries from the system whitelist to the project whitelist.
{{< note >}}
If CVEs are deleted from the system whitelist after you have created a project whitelist, and if you added the system whitelist to the project whitelist, you must manually remove the deleted CVEs from the project whitelist. If you click **Copy From System** after CVEs have been deleted from the system whitelist, the deleted CVEs are not automatically removed from the project whitelist.
{{< /note >}}


@ -1,4 +1,5 @@
ALTER TABLE project ADD COLUMN IF NOT EXISTS registry_id int;
ALTER TABLE IF EXISTS cve_whitelist RENAME TO cve_allowlist;
CREATE TABLE IF NOT EXISTS execution (
id SERIAL NOT NULL,
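Review bot: The migration renames the `cve_whitelist` table but not the stored project metadata rows, while the metadata key constant in the models hunk changes from `reuse_sys_cve_whitelist` to `reuse_sys_cve_allowlist`. After upgrade, `ReuseSysCVEAllowlist()` in the project.go hunk looks up the new key, finds nothing for pre-existing projects, and returns `true` on its `!ok` branch, so a project that had explicitly opted out of the system allowlist silently falls back to it — a weaker scan policy than the administrator configured. Unless another migration not shown here rewrites those rows, add the key rename beside the table rename, e.g. `UPDATE project_metadata SET name = 'reuse_sys_cve_allowlist' WHERE name = 'reuse_sys_cve_whitelist';` (table and column names assumed from the metadata model — confirm against the schema).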


@ -21,16 +21,16 @@ import (
"github.com/goharbor/harbor/src/lib/log"
)
// CreateCVEWhitelist creates the CVE whitelist
func CreateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
// CreateCVEAllowlist creates the CVE allowlist
func CreateCVEAllowlist(l models.CVEAllowlist) (int64, error) {
o := GetOrmer()
itemsBytes, _ := json.Marshal(l.Items)
l.ItemsText = string(itemsBytes)
return o.Insert(&l)
}
// UpdateCVEWhitelist Updates the vulnerability white list to DB
func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
// UpdateCVEAllowlist Updates the vulnerability white list to DB
func UpdateCVEAllowlist(l models.CVEAllowlist) (int64, error) {
o := GetOrmer()
itemsBytes, _ := json.Marshal(l.Items)
l.ItemsText = string(itemsBytes)
@ -38,22 +38,22 @@ func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
return id, err
}
// GetCVEWhitelist Gets the CVE whitelist of the project based on the project ID in parameter
func GetCVEWhitelist(pid int64) (*models.CVEWhitelist, error) {
// GetCVEAllowlist Gets the CVE allowlist of the project based on the project ID in parameter
func GetCVEAllowlist(pid int64) (*models.CVEAllowlist, error) {
o := GetOrmer()
qs := o.QueryTable(&models.CVEWhitelist{})
qs := o.QueryTable(&models.CVEAllowlist{})
qs = qs.Filter("ProjectID", pid)
r := []*models.CVEWhitelist{}
r := []*models.CVEAllowlist{}
_, err := qs.All(&r)
if err != nil {
return nil, fmt.Errorf("failed to get CVE whitelist for project %d, error: %v", pid, err)
return nil, fmt.Errorf("failed to get CVE allowlist for project %d, error: %v", pid, err)
}
if len(r) == 0 {
return nil, nil
} else if len(r) > 1 {
log.Infof("Multiple CVE whitelists found for project %d, length: %d, returning first element.", pid, len(r))
log.Infof("Multiple CVE allowlists found for project %d, length: %d, returning first element.", pid, len(r))
}
items := []models.CVEWhitelistItem{}
items := []models.CVEAllowlistItem{}
err = json.Unmarshal([]byte(r[0].ItemsText), &items)
if err != nil {
log.Errorf("Failed to decode item list, err: %v, text: %s", err, r[0].ItemsText)
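Review bot: The doc comment on `UpdateCVEAllowlist` still reads `Updates the vulnerability white list to DB`; the rename missed it, so the comment now disagrees with the function name it documents. Change it to `// UpdateCVEAllowlist updates the vulnerability allowlist in the DB`. The discarded `json.Marshal` error on the line below it, in both Create and Update, is pre-existing and cannot fail for a slice of `CVEAllowlistItem{CVEID string}`, but a short comment saying so would spare the next reader the question.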


@ -21,35 +21,35 @@ import (
"testing"
)
func TestUpdateAndGetCVEWhitelist(t *testing.T) {
require.Nil(t, ClearTable("cve_whitelist"))
l2, err := GetCVEWhitelist(5)
func TestUpdateAndGetCVEAllowlist(t *testing.T) {
require.Nil(t, ClearTable("cve_allowlist"))
l2, err := GetCVEAllowlist(5)
assert.Nil(t, err)
assert.Nil(t, l2)
longList := []models.CVEWhitelistItem{}
longList := []models.CVEAllowlistItem{}
for i := 0; i < 50; i++ {
longList = append(longList, models.CVEWhitelistItem{CVEID: "CVE-1999-0067"})
longList = append(longList, models.CVEAllowlistItem{CVEID: "CVE-1999-0067"})
}
e := int64(1573254000)
in1 := models.CVEWhitelist{ProjectID: 3, Items: longList, ExpiresAt: &e}
_, err = UpdateCVEWhitelist(in1)
in1 := models.CVEAllowlist{ProjectID: 3, Items: longList, ExpiresAt: &e}
_, err = UpdateCVEAllowlist(in1)
require.Nil(t, err)
// assert.Equal(t, int64(1), n)
out1, err := GetCVEWhitelist(3)
out1, err := GetCVEAllowlist(3)
require.Nil(t, err)
assert.Equal(t, int64(3), out1.ProjectID)
assert.Equal(t, longList, out1.Items)
assert.Equal(t, e, *out1.ExpiresAt)
sysCVEs := []models.CVEWhitelistItem{
sysCVEs := []models.CVEAllowlistItem{
{CVEID: "CVE-2019-10164"},
{CVEID: "CVE-2017-12345"},
}
in3 := models.CVEWhitelist{Items: sysCVEs}
_, err = UpdateCVEWhitelist(in3)
in3 := models.CVEAllowlist{Items: sysCVEs}
_, err = UpdateCVEAllowlist(in3)
require.Nil(t, err)
require.Nil(t, ClearTable("cve_whitelist"))
require.Nil(t, ClearTable("cve_allowlist"))
}


@ -36,6 +36,6 @@ func init() {
new(NotificationJob),
new(ProjectBlob),
new(ArtifactAndBlob),
new(CVEWhitelist),
new(CVEAllowlist),
)
}


@ -16,29 +16,29 @@ package models
import "time"
// CVEWhitelist defines the data model for a CVE whitelist
type CVEWhitelist struct {
// CVEAllowlist defines the data model for a CVE allowlist
type CVEAllowlist struct {
ID int64 `orm:"pk;auto;column(id)" json:"id"`
ProjectID int64 `orm:"column(project_id)" json:"project_id"`
ExpiresAt *int64 `orm:"column(expires_at)" json:"expires_at,omitempty"`
Items []CVEWhitelistItem `orm:"-" json:"items"`
Items []CVEAllowlistItem `orm:"-" json:"items"`
ItemsText string `orm:"column(items)" json:"-"`
CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
UpdateTime time.Time `orm:"column(update_time);auto_now" json:"update_time"`
}
// CVEWhitelistItem defines one item in the CVE whitelist
type CVEWhitelistItem struct {
// CVEAllowlistItem defines one item in the CVE allowlist
type CVEAllowlistItem struct {
CVEID string `json:"cve_id"`
}
// TableName ...
func (c *CVEWhitelist) TableName() string {
return "cve_whitelist"
func (c *CVEAllowlist) TableName() string {
return "cve_allowlist"
}
// CVESet returns the set of CVE id of the items in the whitelist to help filter the vulnerability list
func (c *CVEWhitelist) CVESet() map[string]struct{} {
// CVESet returns the set of CVE id of the items in the allowlist to help filter the vulnerability list
func (c *CVEAllowlist) CVESet() map[string]struct{} {
r := map[string]struct{}{}
for _, it := range c.Items {
r[it.CVEID] = struct{}{}
@ -46,8 +46,8 @@ func (c *CVEWhitelist) CVESet() map[string]struct{} {
return r
}
// IsExpired returns whether the whitelist is expired
func (c *CVEWhitelist) IsExpired() bool {
// IsExpired returns whether the allowlist is expired
func (c *CVEAllowlist) IsExpired() bool {
if c.ExpiresAt == nil {
return false
}


@ -21,38 +21,38 @@ import (
"time"
)
func TestCVEWhitelist_All(t *testing.T) {
func TestCVEAllowlist_All(t *testing.T) {
future := int64(4411494000)
now := time.Now().Unix()
cases := []struct {
input CVEWhitelist
input CVEAllowlist
cveset map[string]struct{}
expired bool
}{
{
input: CVEWhitelist{
input: CVEAllowlist{
ID: 1,
ProjectID: 0,
Items: []CVEWhitelistItem{},
Items: []CVEAllowlistItem{},
},
cveset: map[string]struct{}{},
expired: false,
},
{
input: CVEWhitelist{
input: CVEAllowlist{
ID: 1,
ProjectID: 0,
Items: []CVEWhitelistItem{},
Items: []CVEAllowlistItem{},
ExpiresAt: &now,
},
cveset: map[string]struct{}{},
expired: true,
},
{
input: CVEWhitelist{
input: CVEAllowlist{
ID: 2,
ProjectID: 3,
Items: []CVEWhitelistItem{
Items: []CVEAllowlistItem{
{CVEID: "CVE-1999-0067"},
{CVEID: "CVE-2016-7654321"},
},


@ -25,7 +25,7 @@ const (
ProMetaPreventVul = "prevent_vul" // prevent vulnerable images from being pulled
ProMetaSeverity = "severity"
ProMetaAutoScan = "auto_scan"
ProMetaReuseSysCVEWhitelist = "reuse_sys_cve_whitelist"
ProMetaReuseSysCVEAllowlist = "reuse_sys_cve_allowlist"
)
// ProjectMetadata holds the metadata of a project.


@ -44,7 +44,7 @@ type Project struct {
RepoCount int64 `orm:"-" json:"repo_count"`
ChartCount uint64 `orm:"-" json:"chart_count"`
Metadata map[string]string `orm:"-" json:"metadata"`
CVEWhitelist CVEWhitelist `orm:"-" json:"cve_whitelist"`
CVEAllowlist CVEAllowlist `orm:"-" json:"cve_allowlist"`
RegistryID int64 `orm:"column(registry_id)" json:"registry_id"`
}
@ -93,9 +93,9 @@ func (p *Project) VulPrevented() bool {
return isTrue(prevent)
}
// ReuseSysCVEWhitelist ...
func (p *Project) ReuseSysCVEWhitelist() bool {
r, ok := p.GetMetadata(ProMetaReuseSysCVEWhitelist)
// ReuseSysCVEAllowlist ...
func (p *Project) ReuseSysCVEAllowlist() bool {
r, ok := p.GetMetadata(ProMetaReuseSysCVEAllowlist)
if !ok {
return true
}
@ -177,7 +177,7 @@ type ProjectRequest struct {
Name string `json:"project_name"`
Public *int `json:"public"` // deprecated, reserved for project creation in replication
Metadata map[string]string `json:"metadata"`
CVEWhitelist CVEWhitelist `json:"cve_whitelist"`
CVEAllowlist CVEAllowlist `json:"cve_allowlist"`
StorageLimit *int64 `json:"storage_limit,omitempty"`
RegistryID int64 `json:"registry_id"`


@ -46,7 +46,7 @@ func TestChartPreprocessHandler_Handle(t *testing.T) {
models.ProMetaEnableContentTrust: "true",
models.ProMetaPreventVul: "true",
models.ProMetaSeverity: "Low",
models.ProMetaReuseSysCVEWhitelist: "false",
models.ProMetaReuseSysCVEAllowlist: "false",
},
})
defer func(id int64) {


@ -22,7 +22,7 @@ import (
"github.com/goharbor/harbor/src/lib/errors"
"github.com/goharbor/harbor/src/lib/log"
"github.com/goharbor/harbor/src/pkg/project"
"github.com/goharbor/harbor/src/pkg/scan/whitelist"
"github.com/goharbor/harbor/src/pkg/scan/allowlist"
)
var (
@ -45,14 +45,14 @@ func NewController() Controller {
return &controller{
projectMgr: project.Mgr,
metaMgr: metamgr.NewDefaultProjectMetadataManager(),
whitelistMgr: whitelist.NewDefaultManager(),
allowlistMgr: allowlist.NewDefaultManager(),
}
}
type controller struct {
projectMgr project.Manager
metaMgr metamgr.ProjectMetadataManager
whitelistMgr whitelist.Manager
allowlistMgr allowlist.Manager
}
func (c *controller) Get(ctx context.Context, projectID int64, options ...Option) (*models.Project, error) {
@ -114,23 +114,23 @@ func (c *controller) assembleProject(ctx context.Context, p *models.Project, opt
}
}
if opts.CVEWhitelist {
if p.ReuseSysCVEWhitelist() {
wl, err := c.whitelistMgr.GetSys()
if opts.CVEAllowlist {
if p.ReuseSysCVEAllowlist() {
wl, err := c.allowlistMgr.GetSys()
if err != nil {
log.Errorf("get system CVE whitelist failed, error: %v", err)
log.Errorf("get system CVE allowlist failed, error: %v", err)
return nil, err
}
wl.ProjectID = p.ProjectID
p.CVEWhitelist = *wl
p.CVEAllowlist = *wl
} else {
wl, err := c.whitelistMgr.Get(p.ProjectID)
wl, err := c.allowlistMgr.Get(p.ProjectID)
if err != nil {
return nil, err
}
p.CVEWhitelist = *wl
p.CVEAllowlist = *wl
}
}


@ -19,14 +19,14 @@ type Option func(*Options)
// Options options used by `Get` method of `Controller`
type Options struct {
CVEWhitelist bool // get project with cve whitelist
CVEAllowlist bool // get project with cve allowlist
Metadata bool // get project with metadata
}
// CVEWhitelist set CVEWhitelist for the Options
func CVEWhitelist(whitelist bool) Option {
// CVEAllowlist set CVEAllowlist for the Options
func CVEAllowlist(allowlist bool) Option {
return func(opts *Options) {
opts.CVEWhitelist = whitelist
opts.CVEAllowlist = allowlist
}
}


@ -87,10 +87,10 @@ func (c *checker) IsScannable(ctx context.Context, art *artifact.Artifact) (bool
// hasCapability returns true when scanner has capability for the artifact
// See https://github.com/goharbor/pluggable-scanner-spec/issues/2 to get more info
func hasCapability(r *models.Registration, a *artifact.Artifact) bool {
// use whitelist here because currently only docker image is supported by the scanner
// use allowlist here because currently only docker image is supported by the scanner
// https://github.com/goharbor/pluggable-scanner-spec/issues/2
whitelist := []string{image.ArtifactTypeImage}
for _, t := range whitelist {
allowlist := []string{image.ArtifactTypeImage}
for _, t := range allowlist {
if a.Type == t {
return r.HasCapability(a.ManifestMediaType)
}


@ -134,7 +134,7 @@ func init() {
beego.Router("/api/system/gc/:id([0-9]+)/log", &GCAPI{}, "get:GetLog")
beego.Router("/api/system/gc/schedule", &GCAPI{}, "get:Get;put:Put;post:Post")
beego.Router("/api/system/scanAll/schedule", &ScanAllAPI{}, "get:Get;put:Put;post:Post")
beego.Router("/api/system/CVEWhitelist", &SysCVEWhitelistAPI{}, "get:Get;put:Put")
beego.Router("/api/system/CVEAllowlist", &SysCVEAllowlistAPI{}, "get:Get;put:Put")
beego.Router("/api/system/oidc/ping", &OIDCAPI{}, "post:Ping")
beego.Router("/api/projects/:pid([0-9]+)/robots/", &RobotAPI{}, "post:Post;get:List")
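Review bot: The registration now serves only `/api/system/CVEAllowlist`, so any client still calling `/api/system/CVEWhitelist` gets whatever the router does for an unmatched path — the commit renames a public REST route without a compatibility alias, and the swagger path is renamed in the same way. If the old path must keep working for a deprecation window, register the same handler under it too, `beego.Router("/api/system/CVEWhitelist", &SysCVEAllowlistAPI{}, "get:Get;put:Put") // deprecated alias, remove after the next release`; otherwise the break should be called out in the release notes. The enclosing `init()` starts before this hunk.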


@ -513,7 +513,7 @@ func (p *ProjectAPI) Put() {
if err := p.ProjectMgr.Update(p.project.ProjectID,
&models.Project{
Metadata: req.Metadata,
CVEWhitelist: req.CVEWhitelist,
CVEAllowlist: req.CVEAllowlist,
}); err != nil {
p.ParseAndHandleError(fmt.Sprintf("failed to update project %d",
p.project.ProjectID), err)


@ -19,18 +19,18 @@ import (
"fmt"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/lib/log"
"github.com/goharbor/harbor/src/pkg/scan/whitelist"
"github.com/goharbor/harbor/src/pkg/scan/allowlist"
"net/http"
)
// SysCVEWhitelistAPI Handles the requests to manage system level CVE whitelist
type SysCVEWhitelistAPI struct {
// SysCVEAllowlistAPI Handles the requests to manage system level CVE allowlist
type SysCVEAllowlistAPI struct {
BaseController
manager whitelist.Manager
manager allowlist.Manager
}
// Prepare validates the request initially
func (sca *SysCVEWhitelistAPI) Prepare() {
func (sca *SysCVEAllowlistAPI) Prepare() {
sca.BaseController.Prepare()
if !sca.SecurityCtx.IsAuthenticated() {
sca.SendUnAuthorizedError(errors.New("Unauthorized"))
@ -42,11 +42,11 @@ func (sca *SysCVEWhitelistAPI) Prepare() {
sca.SendForbiddenError(errors.New(msg))
return
}
sca.manager = whitelist.NewDefaultManager()
sca.manager = allowlist.NewDefaultManager()
}
// Get handles the GET request to retrieve the system level CVE whitelist
func (sca *SysCVEWhitelistAPI) Get() {
// Get handles the GET request to retrieve the system level CVE allowlist
func (sca *SysCVEAllowlistAPI) Get() {
l, err := sca.manager.GetSys()
if err != nil {
sca.SendInternalServerError(err)
@ -55,23 +55,23 @@ func (sca *SysCVEWhitelistAPI) Get() {
sca.WriteJSONData(l)
}
// Put handles the PUT request to update the system level CVE whitelist
func (sca *SysCVEWhitelistAPI) Put() {
var l models.CVEWhitelist
// Put handles the PUT request to update the system level CVE allowlist
func (sca *SysCVEAllowlistAPI) Put() {
var l models.CVEAllowlist
if err := sca.DecodeJSONReq(&l); err != nil {
log.Errorf("Failed to decode JSON array from request")
sca.SendBadRequestError(err)
return
}
if l.ProjectID != 0 {
msg := fmt.Sprintf("Non-zero project ID for system CVE whitelist: %d.", l.ProjectID)
msg := fmt.Sprintf("Non-zero project ID for system CVE allowlist: %d.", l.ProjectID)
log.Error(msg)
sca.SendBadRequestError(errors.New(msg))
return
}
if err := sca.manager.SetSys(l); err != nil {
if whitelist.IsInvalidErr(err) {
log.Errorf("Invalid CVE whitelist: %v", err)
if allowlist.IsInvalidErr(err) {
log.Errorf("Invalid CVE allowlist: %v", err)
sca.SendBadRequestError(err)
return
}
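Review bot: The log line `log.Errorf("Failed to decode JSON array from request")` in Put still says "JSON array" although the body is decoded into a `models.CVEAllowlist` struct on the line above it, and the decode error itself is not included in the log. `log.Errorf("Failed to decode CVE allowlist from request: %v", err)` would be accurate and keep the cause in the server log while the client still receives the error through `SendBadRequestError`. Put's body continues past the end of this hunk.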


@ -19,8 +19,8 @@ import (
"testing"
)
func TestSysCVEWhitelistAPIGet(t *testing.T) {
url := "/api/system/CVEWhitelist"
func TestSysCVEAllowlistAPIGet(t *testing.T) {
url := "/api/system/CVEAllowlist"
cases := []*codeCheckingCase{
// 401
{
@ -43,8 +43,8 @@ func TestSysCVEWhitelistAPIGet(t *testing.T) {
runCodeCheckingCases(t, cases...)
}
func TestSysCVEWhitelistAPIPut(t *testing.T) {
url := "/api/system/CVEWhitelist"
func TestSysCVEAllowlistAPIPut(t *testing.T) {
url := "/api/system/CVEAllowlist"
s := int64(1573254000)
cases := []*codeCheckingCase{
// 401
@ -79,9 +79,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) {
request: &testingRequest{
method: http.MethodPut,
url: url,
bodyJSON: models.CVEWhitelist{
bodyJSON: models.CVEAllowlist{
ExpiresAt: &s,
Items: []models.CVEWhitelistItem{
Items: []models.CVEAllowlistItem{
{CVEID: "CVE-2019-12310"},
},
ProjectID: 2,
@ -95,9 +95,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) {
request: &testingRequest{
method: http.MethodPut,
url: url,
bodyJSON: models.CVEWhitelist{
bodyJSON: models.CVEAllowlist{
ExpiresAt: &s,
Items: []models.CVEWhitelistItem{
Items: []models.CVEAllowlistItem{
{CVEID: "CVE-2019-12310"},
{CVEID: "CVE-2019-12310"},
},
@ -111,9 +111,9 @@ func TestSysCVEWhitelistAPIPut(t *testing.T) {
request: &testingRequest{
method: http.MethodPut,
url: url,
bodyJSON: models.CVEWhitelist{
bodyJSON: models.CVEAllowlist{
ExpiresAt: &s,
Items: []models.CVEWhitelistItem{
Items: []models.CVEAllowlistItem{
{CVEID: "CVE-2019-12310"},
{CVEID: "RHSA-2019:2237"},
},


@ -16,7 +16,7 @@ package promgr
import (
"fmt"
"github.com/goharbor/harbor/src/pkg/scan/whitelist"
"github.com/goharbor/harbor/src/pkg/scan/allowlist"
"strconv"
"github.com/goharbor/harbor/src/common/models"
@ -47,7 +47,7 @@ type defaultProjectManager struct {
pmsDriver pmsdriver.PMSDriver
metaMgrEnabled bool // if metaMgrEnabled is enabled, metaMgr will be used to CURD metadata
metaMgr metamgr.ProjectMetadataManager
whitelistMgr whitelist.Manager
allowlistMgr allowlist.Manager
}
// NewDefaultProjectManager returns an instance of defaultProjectManager,
@ -60,7 +60,7 @@ func NewDefaultProjectManager(driver pmsdriver.PMSDriver, metaMgrEnabled bool) P
}
if metaMgrEnabled {
mgr.metaMgr = metamgr.NewDefaultProjectMetadataManager()
mgr.whitelistMgr = whitelist.NewDefaultManager()
mgr.allowlistMgr = allowlist.NewDefaultManager()
}
return mgr
}
@ -82,11 +82,11 @@ func (d *defaultProjectManager) Get(projectIDOrName interface{}) (*models.Projec
for k, v := range meta {
project.Metadata[k] = v
}
wl, err := d.whitelistMgr.Get(project.ProjectID)
wl, err := d.allowlistMgr.Get(project.ProjectID)
if err != nil {
return nil, err
}
project.CVEWhitelist = *wl
project.CVEAllowlist = *wl
}
return project, nil
}
@ -96,7 +96,7 @@ func (d *defaultProjectManager) Create(project *models.Project) (int64, error) {
return 0, err
}
if d.metaMgrEnabled {
d.whitelistMgr.CreateEmpty(id)
d.allowlistMgr.CreateEmpty(id)
if len(project.Metadata) > 0 {
if err = d.metaMgr.Add(id, project.Metadata); err != nil {
log.Errorf("failed to add metadata for project %s: %v", project.Name, err)
@ -132,7 +132,7 @@ func (d *defaultProjectManager) Update(projectIDOrName interface{}, project *mod
}
// TODO transaction?
if d.metaMgrEnabled {
if err := d.whitelistMgr.Set(pro.ProjectID, project.CVEWhitelist); err != nil {
if err := d.allowlistMgr.Set(pro.ProjectID, project.CVEAllowlist); err != nil {
return err
}
if len(project.Metadata) > 0 {
@ -195,7 +195,7 @@ func (d *defaultProjectManager) List(query *models.ProjectQueryParam) (*models.P
project.Metadata = meta
}
}
// the whitelist is not populated deliberately
// the allowlist is not populated deliberately
return result, nil
}
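Review bot: In Create, the error returned by `d.allowlistMgr.CreateEmpty(id)` is discarded, so a failed insert of the project's allowlist row is only visible through the manager's own log line and the project is still reported as created. The new allowlist manager's `Get` substitutes an empty list when no row exists, so this is probably survivable, but the intent should be explicit: `_ = d.allowlistMgr.CreateEmpty(id) // best effort: Get() falls back to an empty allowlist`, or propagate the error if a project must not exist without its row. Create's body starts before this hunk, and the `// TODO transaction?` in Update shows the same non-atomic pattern there.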


@ -0,0 +1,92 @@
// Copyright Project Harbor Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package allowlist
import (
"github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/jobservice/logger"
"github.com/goharbor/harbor/src/lib/log"
)
// Manager defines the interface of CVE allowlist manager, it support both system level and project level allowlists
type Manager interface {
// CreateEmpty creates empty allowlist for given project
CreateEmpty(projectID int64) error
// Set sets the allowlist for given project (create or update)
Set(projectID int64, list models.CVEAllowlist) error
// Get gets the allowlist for given project
Get(projectID int64) (*models.CVEAllowlist, error)
// SetSys sets system level allowlist
SetSys(list models.CVEAllowlist) error
// GetSys gets system level allowlist
GetSys() (*models.CVEAllowlist, error)
}
type defaultManager struct{}
// CreateEmpty creates empty allowlist for given project
func (d *defaultManager) CreateEmpty(projectID int64) error {
l := models.CVEAllowlist{
ProjectID: projectID,
Items: []models.CVEAllowlistItem{},
}
_, err := dao.CreateCVEAllowlist(l)
if err != nil {
logger.Errorf("Failed to create empty CVE allowlist for project: %d, error: %v", projectID, err)
}
return err
}
// Set sets the allowlist for given project (create or update)
func (d *defaultManager) Set(projectID int64, list models.CVEAllowlist) error {
list.ProjectID = projectID
if err := Validate(list); err != nil {
return err
}
_, err := dao.UpdateCVEAllowlist(list)
return err
}
// Get gets the allowlist for given project
func (d *defaultManager) Get(projectID int64) (*models.CVEAllowlist, error) {
wl, err := dao.GetCVEAllowlist(projectID)
if err != nil {
return nil, err
}
if wl == nil {
log.Debugf("No CVE allowlist found for project %d, returning empty list.", projectID)
wl = &models.CVEAllowlist{ProjectID: projectID, Items: []models.CVEAllowlistItem{}}
} else if wl.Items == nil {
wl.Items = []models.CVEAllowlistItem{}
}
return wl, nil
}
// SetSys sets the system level allowlist
func (d *defaultManager) SetSys(list models.CVEAllowlist) error {
return d.Set(0, list)
}
// GetSys gets the system level allowlist
func (d *defaultManager) GetSys() (*models.CVEAllowlist, error) {
return d.Get(0)
}
// NewDefaultManager return a new instance of defaultManager
func NewDefaultManager() Manager {
return &defaultManager{}
}
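Review bot: The new manager encodes the system level allowlist as project ID 0 (`d.Set(0, list)` and `d.Get(0)`) without saying so anywhere, while the API handler elsewhere in this commit relies on the same convention by rejecting a non-zero ProjectID; a comment on the Manager interface, `// Project ID 0 is reserved for the system level allowlist; SetSys/GetSys are wrappers over Set/Get with that ID.`, would tie the two together. The file also mixes two logging packages — `logger.Errorf` from jobservice in CreateEmpty and `log.Debugf` from lib/log in Get — which looks accidental and is worth unifying on `lib/log` since this is not jobservice code.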


@ -1,4 +1,4 @@
package whitelist
package allowlist
import (
"github.com/goharbor/harbor/src/common/dao"


@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package whitelist
package allowlist
import (
"fmt"
@ -42,8 +42,8 @@ func IsInvalidErr(err error) bool {
const cveIDPattern = `^CVE-\d{4}-\d+$`
// Validate help validates the CVE whitelist, to ensure the CVE ID is valid and there's no duplication
func Validate(wl models.CVEWhitelist) error {
// Validate help validates the CVE allowlist, to ensure the CVE ID is valid and there's no duplication
func Validate(wl models.CVEAllowlist) error {
m := map[string]struct{}{}
// re := regexp.MustCompile(cveIDPattern)
for _, it := range wl.Items {
@ -52,7 +52,7 @@ func Validate(wl models.CVEWhitelist) error {
// return &invalidErr{fmt.Sprintf("invalid CVE ID: %s", it.CVEID)}
// }
if _, ok := m[it.CVEID]; ok {
return &invalidErr{fmt.Sprintf("duplicate CVE ID in whitelist: %s", it.CVEID)}
return &invalidErr{fmt.Sprintf("duplicate CVE ID in allowlist: %s", it.CVEID)}
}
m[it.CVEID] = struct{}{}
}
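Review bot: The renamed doc comment `// Validate help validates the CVE allowlist, to ensure the CVE ID is valid and there's no duplication` promises an ID validity check that the body does not perform: the `regexp.MustCompile(cveIDPattern)` line and the pattern test below it are commented out, so only duplicates are rejected and `cveIDPattern` is dead code. The API test in this commit that submits `RHSA-2019:2237` suggests accepting non-CVE identifiers is deliberate, so the comment should describe the real contract, e.g. `// Validate rejects duplicate IDs in the allowlist; the CVE-YYYY-NNNN pattern check (cveIDPattern) is disabled, so IDs are not checked for form.`, and `cveIDPattern` should either be removed or used. Validate's body runs past the end of this hunk.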


@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package whitelist
package allowlist
import (
"fmt"
@ -48,24 +48,24 @@ func TestIsInvalidErr(t *testing.T) {
func TestValidate(t *testing.T) {
cases := []struct {
l models.CVEWhitelist
l models.CVEAllowlist
noError bool
}{
{
l: models.CVEWhitelist{
l: models.CVEAllowlist{
Items: nil,
},
noError: true,
},
{
l: models.CVEWhitelist{
Items: []models.CVEWhitelistItem{},
l: models.CVEAllowlist{
Items: []models.CVEAllowlistItem{},
},
noError: true,
},
{
l: models.CVEWhitelist{
Items: []models.CVEWhitelistItem{
l: models.CVEAllowlist{
Items: []models.CVEAllowlistItem{
{CVEID: "breakit"},
{CVEID: "breakit"},
},
@ -73,8 +73,8 @@ func TestValidate(t *testing.T) {
noError: false,
},
{
l: models.CVEWhitelist{
Items: []models.CVEWhitelistItem{
l: models.CVEAllowlist{
Items: []models.CVEAllowlistItem{
{CVEID: "CVE-2014-456132"},
{CVEID: "CVE-2014-7654321"},
},
@ -82,8 +82,8 @@ func TestValidate(t *testing.T) {
noError: true,
},
{
l: models.CVEWhitelist{
Items: []models.CVEWhitelistItem{
l: models.CVEAllowlist{
Items: []models.CVEAllowlistItem{
{CVEID: "CVE-2014-456132"},
{CVEID: "CVE-2014-456132"},
{CVEID: "CVE-2014-7654321"},


@ -24,7 +24,7 @@ import (
"github.com/goharbor/harbor/src/pkg/scan/vuln"
)
// CVESet defines the CVE whitelist with a hash set way for easy query.
// CVESet defines the CVE allowlist with a hash set way for easy query.
type CVESet map[string]struct{}
// Contains checks whether the specified CVE is in the set or not.
@ -39,16 +39,16 @@ type Options struct {
// If it is set, the returned report will contains artifact digest for the vulnerabilities
ArtifactDigest string
// If it is set, the returned summary will not count the CVEs in the list in.
CVEWhitelist CVESet
CVEAllowlist CVESet
}
// Option for getting the report w/ summary with func template way.
type Option func(options *Options)
// WithCVEWhitelist is an option of setting CVE whitelist.
func WithCVEWhitelist(set *CVESet) Option {
// WithCVEAllowlist is an option of setting CVE allowlist.
func WithCVEAllowlist(set *CVESet) Option {
return func(options *Options) {
options.CVEWhitelist = *set
options.CVEAllowlist = *set
}
}
@ -127,7 +127,7 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro
if sum.Duration < 0 {
sum.Duration = 0
}
if len(ops.CVEWhitelist) > 0 {
if len(ops.CVEAllowlist) > 0 {
sum.CVEBypassed = make([]string, 0)
}
@ -170,11 +170,11 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro
overallSev := vuln.None
for _, v := range rp.Vulnerabilities {
if len(ops.CVEWhitelist) > 0 && ops.CVEWhitelist.Contains(v.ID) {
// If whitelist is set, then check if we need to bypass it
if len(ops.CVEAllowlist) > 0 && ops.CVEAllowlist.Contains(v.ID) {
// If allowlist is set, then check if we need to bypass it
// Reduce the total
vsum.Total--
// Append the by passed CVEs specified in the whitelist
// Append the by passed CVEs specified in the allowlist
sum.CVEBypassed = append(sum.CVEBypassed, v.ID)
continue
@ -199,7 +199,7 @@ func GenerateNativeSummary(r *scan.Report, options ...Option) (interface{}, erro
sum.Summary = vsum
// Override the overall severity of the filtered list if needed.
if len(ops.CVEWhitelist) > 0 {
if len(ops.CVEAllowlist) > 0 {
sum.Severity = overallSev
}
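Review bot: `WithCVEAllowlist(set *CVESet)` takes a pointer to a map and immediately dereferences it (`options.CVEAllowlist = *set`); a map is already a reference type, so the pointer adds nothing except a panic if a caller passes nil. Since the signature is being touched anyway, `func WithCVEAllowlist(set CVESet) Option` with `options.CVEAllowlist = set` is the simpler form, with the test call in this commit becoming `WithCVEAllowlist(cveSet)`. Note also that the bypass and severity-override branches are gated on `len(ops.CVEAllowlist) > 0`, so an empty allowlist is indistinguishable from none; a one-line comment on the Options field saying so would help readers. GenerateNativeSummary starts before and ends after the hunks shown here.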


@ -111,7 +111,7 @@ func (suite *SummaryTestSuite) TestSummaryGenerateSummaryWithOptions() {
cveSet := make(CVESet)
cveSet["2019-0980-0909"] = struct{}{}
summaries, err := GenerateSummary(suite.r, WithCVEWhitelist(&cveSet))
summaries, err := GenerateSummary(suite.r, WithCVEAllowlist(&cveSet))
require.NoError(suite.T(), err)
require.NotNil(suite.T(), summaries)


@ -21,7 +21,7 @@ import (
const (
// None - only used to mark the overall severity of the scanned artifacts,
// means no vulnerabilities attached with the artifacts,
// (might be bypassed by the CVE whitelist).
// (might be bypassed by the CVE allowlist).
None Severity = "None"
// Unknown - either a security problem that has not been assigned to a priority yet or
// a priority that the scanner did not recognize.


@ -1,92 +0,0 @@
// Copyright Project Harbor Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package whitelist
import (
"github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/jobservice/logger"
"github.com/goharbor/harbor/src/lib/log"
)
// Manager defines the interface of CVE whitelist manager, it support both system level and project level whitelists
type Manager interface {
// CreateEmpty creates empty whitelist for given project
CreateEmpty(projectID int64) error
// Set sets the whitelist for given project (create or update)
Set(projectID int64, list models.CVEWhitelist) error
// Get gets the whitelist for given project
Get(projectID int64) (*models.CVEWhitelist, error)
// SetSys sets system level whitelist
SetSys(list models.CVEWhitelist) error
// GetSys gets system level whitelist
GetSys() (*models.CVEWhitelist, error)
}
type defaultManager struct{}
// CreateEmpty creates empty whitelist for given project
func (d *defaultManager) CreateEmpty(projectID int64) error {
l := models.CVEWhitelist{
ProjectID: projectID,
Items: []models.CVEWhitelistItem{},
}
_, err := dao.CreateCVEWhitelist(l)
if err != nil {
logger.Errorf("Failed to create empty CVE whitelist for project: %d, error: %v", projectID, err)
}
return err
}
// Set sets the whitelist for given project (create or update)
func (d *defaultManager) Set(projectID int64, list models.CVEWhitelist) error {
list.ProjectID = projectID
if err := Validate(list); err != nil {
return err
}
_, err := dao.UpdateCVEWhitelist(list)
return err
}
// Get gets the whitelist for given project
func (d *defaultManager) Get(projectID int64) (*models.CVEWhitelist, error) {
wl, err := dao.GetCVEWhitelist(projectID)
if err != nil {
return nil, err
}
if wl == nil {
log.Debugf("No CVE whitelist found for project %d, returning empty list.", projectID)
wl = &models.CVEWhitelist{ProjectID: projectID, Items: []models.CVEWhitelistItem{}}
} else if wl.Items == nil {
wl.Items = []models.CVEWhitelistItem{}
}
return wl, nil
}
// SetSys sets the system level whitelist
func (d *defaultManager) SetSys(list models.CVEWhitelist) error {
return d.Set(0, list)
}
// GetSys gets the system level whitelist
func (d *defaultManager) GetSys() (*models.CVEWhitelist, error) {
return d.Get(0)
}
// NewDefaultManager return a new instance of defaultManager
func NewDefaultManager() Manager {
return &defaultManager{}
}


@ -1208,24 +1208,24 @@
"TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
"TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "Deployment security",
"CVE_WHITELIST": "CVE whitelist",
"SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system whitelist",
"WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"CVE_ALLOWLIST": "CVE allowlist",
"SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system allowlist",
"WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"ADD": "ADD",
"ENTER": "Enter CVE ID(s)",
"HELP": "Separator: commas or newline characters",
"NONE": "None",
"EXPIRES_AT": "Expires at",
"NEVER_EXPIRES": "Never expires",
"PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
"SYS_WHITELIST": "System whitelist",
"PRO_WHITELIST": "Project whitelist",
"PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
"SYS_ALLOWLIST": "System allowlist",
"PRO_ALLOWLIST": "Project allowlist",
"ADD_SYSTEM": "COPY FROM SYSTEM"
},
"TAG_RETENTION": {


@ -1206,24 +1206,24 @@
"TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
"TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "Deployment security",
"CVE_WHITELIST": "CVE whitelist",
"SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system whitelist",
"WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"CVE_ALLOWLIST": "CVE allowlist",
"SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system allowlist",
"WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"ADD": "ADD",
"ENTER": "Enter CVE ID(s)",
"HELP": "Separator: commas or newline characters",
"NONE": "None",
"EXPIRES_AT": "Expires at",
"NEVER_EXPIRES": "Never expires",
"PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
"SYS_WHITELIST": "System whitelist",
"PRO_WHITELIST": "Project whitelist",
"PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
"SYS_ALLOWLIST": "System allowlist",
"PRO_ALLOWLIST": "Project allowlist",
"ADD_SYSTEM": "COPY FROM SYSTEM"
},
"TAG_RETENTION": {


@ -1176,24 +1176,24 @@
"TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
"TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "Deployment security",
"CVE_WHITELIST": "CVE whitelist",
"SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system whitelist",
"WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"CVE_ALLOWLIST": "CVE allowlist",
"SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system allowlist",
"WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"ADD": "ADD",
"ENTER": "Enter CVE ID(s)",
"HELP": "Separator: commas or newline characters",
"NONE": "None",
"EXPIRES_AT": "Expires at",
"NEVER_EXPIRES": "Never expires",
"PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
"SYS_WHITELIST": "System whitelist",
"PRO_WHITELIST": "Project whitelist",
"PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
"SYS_ALLOWLIST": "System allowlist",
"PRO_ALLOWLIST": "Project allowlist",
"ADD_SYSTEM": "COPY FROM SYSTEM"
},
"TAG_RETENTION": {


@ -1204,24 +1204,24 @@
"TIP_REPO": "A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.If a repository name has two or more path components, they must be separated by a forward slash ('/').The total length of a repository name, including slashes, must be less the 256 characters.",
"TIP_TAG": "A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.It need to match Regex: (`[\\w][\\w.-]{0,127}`)"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "Deployment security",
"CVE_WHITELIST": "CVE whitelist",
"SYS_WHITELIST_EXPLAIN": "System whitelist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system whitelist",
"WARNING_SYS": "The system CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"WARNING_PRO": "The project CVE whitelist has expired. You can enable the whitelist by extending the expiration date.",
"CVE_ALLOWLIST": "CVE allowlist",
"SYS_ALLOWLIST_EXPLAIN": "System allowlist allows vulnerabilities in this list to be ignored when calculating the vulnerability of an image.",
"ADD_SYS": "Add CVE IDs to the system allowlist",
"WARNING_SYS": "The system CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"WARNING_PRO": "The project CVE allowlist has expired. You can enable the allowlist by extending the expiration date.",
"ADD": "ADD",
"ENTER": "Enter CVE ID(s)",
"HELP": "Separator: commas or newline characters",
"NONE": "None",
"EXPIRES_AT": "Expires at",
"NEVER_EXPIRES": "Never expires",
"PRO_WHITELIST_EXPLAIN": "Project whitelist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default whitelist configured at the system level or click on 'Project whitelist' to create a new whitelist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system whitelist as well.",
"SYS_WHITELIST": "System whitelist",
"PRO_WHITELIST": "Project whitelist",
"PRO_ALLOWLIST_EXPLAIN": "Project allowlist allows vulnerabilities in this list to be ignored in this project when pushing and pulling images.",
"PRO_OR_SYS": "You can either use the default allowlist configured at the system level or click on 'Project allowlist' to create a new allowlist",
"MERGE_INTO": "Add individual CVE IDs before clicking 'COPY FROM SYSTEM' to add system allowlist as well.",
"SYS_ALLOWLIST": "System allowlist",
"PRO_ALLOWLIST": "Project allowlist",
"ADD_SYSTEM": "COPY FROM SYSTEM"
},
"TAG_RETENTION": {


@ -1208,10 +1208,10 @@
"TIP_REPO": "Bir depo adı yol bileşenlerine bölünmüştür. Depo adının bir bileşeni, isteğe bağlı olarak nokta, kısa çizgi veya alt çizgi ile ayrılmış en az bir küçük harf, alfa sayısal karakterler olmalıdır. Daha kesin olarak, [a-z0-9] + (?: [._-] [a-z0-9] +) * normal ifadesiyle eşleşmelidir. Eğer bir depo adı iki veya daha fazla yol bileşenine sahipse, eğik çizgi ile ayrılmış ('/').Eğik çizgi içeren bir depo adının toplam uzunluğu, 256 karakterden az olmalıdır.",
"TIP_TAG": "Etiket, bir depodaki Docker imajına uygulanan bir etikettir. Etiketler, bir depodaki çeşitli imajların birbirlerinden nasıl ayırt edildikleridir. Regex ile eşleşmesi gerekir: (`[\\ w] [\\ w .-] {0,127}`)"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "Dağıtım güvenliği",
"CVE_WHITELIST": "CVE beyaz listesi",
"SYS_WHITELIST_EXPLAIN": "Sistem beyaz listesi, bir görüntünün güvenlik açığını hesaplarken bu listedeki güvenlik açıklarının göz ardı edilmesine izin verir.",
"CVE_ALLOWLIST": "CVE beyaz listesi",
"SYS_ALLOWLIST_EXPLAIN": "Sistem beyaz listesi, bir görüntünün güvenlik açığını hesaplarken bu listedeki güvenlik açıklarının göz ardı edilmesine izin verir.",
"ADD_SYS": "Sistemin beyaz listesine CVE kimlikleri ekle",
"WARNING_SYS": "Sistem CVE beyaz listesinin süresi doldu. Beyaz listeyi son kullanma tarihini uzatarak etkinleştirebilirsiniz.",
"WARNING_PRO": "Proje CVE beyaz listesinin süresi doldu. Beyaz listeyi son kullanma tarihini uzatarak etkinleştirebilirsiniz.",
@ -1221,11 +1221,11 @@
"NONE": "Hiç",
"EXPIRES_AT": "Sonunda sona eriyor",
"NEVER_EXPIRES": "Hiçbir zaman sona ermez",
"PRO_WHITELIST_EXPLAIN": "Proje beyaz listesi, görüntüleri iterken ve çekerken bu listedeki güvenlik açıklarının bu projede göz ardı edilmesine izin verir.",
"PRO_ALLOWLIST_EXPLAIN": "Proje beyaz listesi, görüntüleri iterken ve çekerken bu listedeki güvenlik açıklarının bu projede göz ardı edilmesine izin verir.",
"PRO_OR_SYS": "Sistemin beyaz listesini olduğu gibi kullanın veya yeni bir beyaz liste oluşturmak için “Proje beyaz listesini” seçin.",
"MERGE_INTO": "Sistemin beyaz listesini bu projeye dahil edin, bireysel CVE ID'leri ekleyin.",
"SYS_WHITELIST": "Sistem beyaz listesi",
"PRO_WHITELIST": "Proje beyaz listesi",
"SYS_ALLOWLIST": "Sistem beyaz listesi",
"PRO_ALLOWLIST": "Proje beyaz listesi",
"ADD_SYSTEM": "SİSTEM EKLE"
},
"TAG_RETENTION": {


@ -1205,25 +1205,25 @@
"TIP_REPO": "镜像仓库名被分解为路径组件。仓库名必须至少有一个小写字母、字母数字字符,可选句点、破折号或下划线分隔。严格意义上说,它必须匹配正则表达式[a-z0-9]+(?[.-][a-z0-9]+)*.如果仓库名有两个或多个路径组件,则它们必须用正斜杠('/')分隔。包括斜杠在内的仓库名的总长度必须小于256个字符。",
"TIP_TAG": "Tag 是应用于存储库中的 Docker 映像的一种标签,它用于区分多种镜像。它需要匹配 Regex([\\w][\\w.-]{0,127})"
},
"CVE_WHITELIST": {
"CVE_ALLOWLIST": {
"DEPLOYMENT_SECURITY": "部署安全性",
"CVE_WHITELIST": "CVE白名单",
"SYS_WHITELIST_EXPLAIN": "在计算镜像的的安全性漏洞时在系统的CVE名单中的漏洞将会被忽略。",
"ADD_SYS": "可添加一条或多条CVE ID至系统的CVE名单中",
"WARNING_SYS": "系统的CVE白名单已过期. 请延长有效期以使白名单生效",
"WARNING_PRO": "该项目的CVE白名单已过期. 请延长有效期以使白名单生效",
"CVE_ALLOWLIST": "CVE特赦名单",
"SYS_ALLOWLIST_EXPLAIN": "在计算镜像的的安全性漏洞时在系统的CVE特赦名单中的漏洞将会被忽略。",
"ADD_SYS": "可添加一条或多条CVE ID至系统的CVE特赦名单中",
"WARNING_SYS": "系统的CVE特赦名单已过期. 请延长有效期以使特赦名单生效",
"WARNING_PRO": "该项目的CVE特赦名单已过期. 请延长有效期以使特赦名单生效",
"ADD": "添加",
"ENTER": "输入一条或多条CVE ID",
"HELP": "CVE ID之间请用英文逗号隔开或者换行",
"NONE": "无",
"EXPIRES_AT": "有效期至",
"NEVER_EXPIRES": "永不过期",
"PRO_WHITELIST_EXPLAIN": "在推送和拉取镜像时在项目的CVE名单中的漏洞将会被忽略",
"PRO_OR_SYS": "您可以选择使用系统的CVE白名单作为该项目的白名单也可勾选“启用项目白名单”项来建立该项目自己的CVE白名单,",
"MERGE_INTO": "您可以点击“复制系统白名单”项将系统白名单合并至该项目白名单中,并可为该项目白名单添加特有的CVE IDs",
"SYS_WHITELIST": "启用系统白名单",
"PRO_WHITELIST": "启用项目白名单",
"ADD_SYSTEM": "复制系统名单"
"PRO_ALLOWLIST_EXPLAIN": "在推送和拉取镜像时在项目的CVE特赦名单中的漏洞将会被忽略",
"PRO_OR_SYS": "您可以选择使用系统的CVE特赦名单作为该项目的特赦名单也可勾选“启用项目特赦名单”项来建立该项目自己的CVE特赦名单,",
"MERGE_INTO": "您可以点击“复制系统特赦名单”项将系统特赦名单合并至该项目特赦名单中,并可为该项目特赦名单添加特有的CVE IDs",
"SYS_ALLOWLIST": "启用系统特赦名单",
"PRO_ALLOWLIST": "启用项目特赦名单",
"ADD_SYSTEM": "复制系统特赦名单"
},
"TAG_RETENTION": {
"TAG_RETENTION": "Tag保留",


@ -1192,25 +1192,25 @@
"TIP_REPO": "鏡像倉庫名被分解為路徑組件。倉庫名必須至少有一個小寫字母、字母數字字符,可選句點、破折號或下劃線分隔。嚴格意義上說,它必須匹配正規表達式[a- z0-9]+(?[.-][a-z0-9]+)*.如果倉庫名有兩個或多個路徑組件,則它們必須用正斜杠('/')分隔。包括斜槓在內的倉庫名的總長度必須小於256個字符。",
"TIP_TAG": "Tag 是應用於存儲庫中的Docker 映像的一種標籤,它用於區分多種鏡像。它需要匹配Regex([\\w][\\w.-]{0,127}) "
},
"CVE_WHITELIST":{
"CVE_ALLOWLIST":{
"DEPLOYMENT_SECURITY": "部署安全性",
"CVE_WHITELIST": "CVE白名單",
"SYS_WHITELIST_EXPLAIN": "在計算鏡像的的安全性漏洞時,在系統的CVE名單中的漏洞將會被忽略。",
"ADD_SYS": "可添加一條或多條CVE ID至系統的CVE名單中",
"WARNING_SYS": "系統的CVE白名單已過期. 請延長有效期以使白名單生效",
"WARNING_PRO": "該項目的CVE白名單已過期. 請延長有效期以使白名單生效",
"CVE_ALLOWLIST": "CVE特赦名單",
"SYS_ALLOWLIST_EXPLAIN": "在計算鏡像的的安全性漏洞時,在系統的CVE特赦名單中的漏洞將會被忽略。",
"ADD_SYS": "可添加一條或多條CVE ID至系統的CVE特赦名單中",
"WARNING_SYS": "系統的CVE特赦名單已過期. 請延長有效期以使特赦名單生效",
"WARNING_PRO": "該項目的CVE特赦名單已過期. 請延長有效期以使特赦名單生效",
"ADD":"添加",
"ENTER": "輸入一條或多條CVE ID",
"HELP": "CVE ID之間請用英文逗號隔開或者換行",
"NONE":"無",
"EXPIRES_AT": "有效期至",
"NEVER_EXPIRES": "永不過期",
"PRO_WHITELIST_EXPLAIN": "在推送和拉取鏡像時,在項目的CVE名單中的漏洞將會被忽略",
"PRO_OR_SYS": "您可以選擇使用系統的CVE白名單作為該項目的白名單,也可勾選“啟用項目白名單”項來建立該項目自己的CVE白名單,",
"MERGE_INTO": "您可以點擊“複製系統白名單”項將系統白名單合併至該項目白名單中,並可為該項目白名單添加特有的CVE IDs",
"SYS_WHITELIST": "啟用系統白名單",
"PRO_WHITELIST": "啟用項目白名單",
"ADD_SYSTEM": "複製系統名單"
"PRO_ALLOWLIST_EXPLAIN": "在推送和拉取鏡像時,在項目的CVE特赦名單中的漏洞將會被忽略",
"PRO_OR_SYS": "您可以選擇使用系統的CVE特赦名單作為該項目的特赦名單,也可勾選“啟用項目特赦名單”項來建立該項目自己的CVE特赦名單,",
"MERGE_INTO": "您可以點擊“複製系統特赦名單”項將系統特赦名單合併至該項目特赦名單中,並可為該項目特赦名單添加特有的CVE IDs",
"SYS_ALLOWLIST": "啟用系統特赦名單",
"PRO_ALLOWLIST": "啟用項目特赦名單",
"ADD_SYSTEM": "複製系統特赦名單"
},
"TAG_RETENTION":{
"TAG_RETENTION":"標籤保留",


@ -19,7 +19,7 @@ import {
ScanningResultDefaultService,
SystemInfoService,
SystemInfoDefaultService,
SystemInfo, SystemCVEWhitelist
SystemInfo, SystemCVEAllowlist
} from '../../services';
import { Configuration } from './config';
import { of } from 'rxjs';
@ -57,7 +57,7 @@ describe('RegistryConfigComponent (inline template)', () => {
"harbor_version": "v1.1.1-rc1-160-g565110d",
"next_scan_all": 0
};
let mockSystemWhitelist: SystemCVEWhitelist = {
let mockSystemAllowlist: SystemCVEAllowlist = {
"expires_at": 1561996800,
"id": 1,
"items": [],
@ -96,7 +96,7 @@ describe('RegistryConfigComponent (inline template)', () => {
systemInfoService = fixture.debugElement.injector.get(SystemInfoService);
spy = spyOn(cfgService, 'getConfigurations').and.returnValue(of(mockConfig));
spySystemInfo = spyOn(systemInfoService, 'getSystemInfo').and.returnValue(of(mockSystemInfo));
spySystemInfo = spyOn(systemInfoService, 'getSystemWhitelist').and.returnValue(of(mockSystemWhitelist));
spySystemInfo = spyOn(systemInfoService, 'getSystemAllowlist').and.returnValue(of(mockSystemAllowlist));
fixture.detectChanges();
});


@ -74,49 +74,49 @@
<div class="clr-form-control d-f">
<label for="systemWhitelist"
class="clr-control-label">{{'CVE_WHITELIST.DEPLOYMENT_SECURITY'|translate}}</label>
<label for="systemAllowlist"
class="clr-control-label">{{'CVE_ALLOWLIST.DEPLOYMENT_SECURITY'|translate}}</label>
<div class="form-content">
<div class="font-size-13">
<div class="mt-05">
<span class="title font-size-13">{{'CVE_WHITELIST.CVE_WHITELIST'|translate}}</span>
<span class="title font-size-13">{{'CVE_ALLOWLIST.CVE_ALLOWLIST'|translate}}</span>
</div>
<div class="mt-05">
<span>{{'CVE_WHITELIST.SYS_WHITELIST_EXPLAIN'|translate}}</span>
<span>{{'CVE_ALLOWLIST.SYS_ALLOWLIST_EXPLAIN'|translate}}</span>
</div>
<div class="mt-05">
<span>{{'CVE_WHITELIST.ADD_SYS'|translate}}</span>
<span>{{'CVE_ALLOWLIST.ADD_SYS'|translate}}</span>
</div>
<div class="mt-05" *ngIf="hasExpired">
<span class="label label-warning">{{'CVE_WHITELIST.WARNING_SYS'|translate}}</span>
<span class="label label-warning">{{'CVE_ALLOWLIST.WARNING_SYS'|translate}}</span>
</div>
</div>
<div class="clr-row width-90per">
<div class="position-relative pl-05">
<div>
<button id="show-add-modal-button" (click)="showAddModal=!showAddModal"
class="btn btn-link">{{'CVE_WHITELIST.ADD'|translate}}</button>
class="btn btn-link">{{'CVE_ALLOWLIST.ADD'|translate}}</button>
</div>
<div class="add-modal add-modal-dark" *ngIf="showAddModal">
<clr-icon (click)="showAddModal=false" class="float-lg-right margin-top-4"
shape="window-close"></clr-icon>
<div>
<clr-textarea-container class="flex-direction-column">
<label>{{'CVE_WHITELIST.ENTER'|translate}}</label>
<textarea id="whitelist-textarea" class="w-100 font-italic" clrTextarea [(ngModel)]="cveIds"
<label>{{'CVE_ALLOWLIST.ENTER'|translate}}</label>
<textarea id="allowlist-textarea" class="w-100 font-italic" clrTextarea [(ngModel)]="cveIds"
name="cveIds"></textarea>
<clr-control-helper>{{'CVE_WHITELIST.HELP'|translate}}</clr-control-helper>
<clr-control-helper>{{'CVE_ALLOWLIST.HELP'|translate}}</clr-control-helper>
</clr-textarea-container>
</div>
<div>
<button id="add-to-system" [disabled]="isDisabled()" (click)="addToSystemWhitelist()"
class="btn btn-link">{{'CVE_WHITELIST.ADD'|translate}}</button>
<button id="add-to-system" [disabled]="isDisabled()" (click)="addToSystemAllowlist()"
class="btn btn-link">{{'CVE_ALLOWLIST.ADD'|translate}}</button>
</div>
</div>
<ul class="whitelist-window">
<li *ngIf="systemWhitelist?.items?.length<1" class="none">{{'CVE_WHITELIST.NONE'|translate}}
<ul class="allowlist-window">
<li *ngIf="systemAllowlist?.items?.length<1" class="none">{{'CVE_ALLOWLIST.NONE'|translate}}
</li>
<li *ngFor="let item of systemWhitelist?.items;let i = index;">
<li *ngFor="let item of systemAllowlist?.items;let i = index;">
<a href="javascript:void(0)" (click)="goToDetail(item.cve_id)">{{item.cve_id}}</a>
<a class="float-lg-right" href="javascript:void(0)" (click)="deleteItem(i)">
<clr-icon shape="times-circle"></clr-icon>
@ -127,9 +127,9 @@
<div class="clr-col padding-top-8">
<div class="clr-row expire-data">
<label class="bottom-line clr-col-4"
for="expires">{{'CVE_WHITELIST.EXPIRES_AT'|translate}}</label>
for="expires">{{'CVE_ALLOWLIST.EXPIRES_AT'|translate}}</label>
<div>
<input #dateInput placeholder="{{'CVE_WHITELIST.NEVER_EXPIRES'|translate}}" readonly
<input #dateInput placeholder="{{'CVE_ALLOWLIST.NEVER_EXPIRES'|translate}}" readonly
type="date" [(clrDate)]="expiresDate" newFormLayout="true">
</div>
</div>
@ -139,7 +139,7 @@
<input [checked]="neverExpires" [(ngModel)]="neverExpires" type="checkbox" clrCheckbox
name="neverExpires" id="neverExpires" />
<label>
{{'CVE_WHITELIST.NEVER_EXPIRES'|translate}}
{{'CVE_ALLOWLIST.NEVER_EXPIRES'|translate}}
</label>
</clr-checkbox-wrapper>
</div>
@ -167,10 +167,10 @@
</form>
<div>
<button type="button" id="config_system_save" class="btn btn-primary" (click)="save()"
[disabled]="(!isValid() || !hasChanges()) && (!hasWhitelistChanged) || inProgress">{{'BUTTON.SAVE'
[disabled]="(!isValid() || !hasChanges()) && (!hasAllowlistChanged) || inProgress">{{'BUTTON.SAVE'
| translate}}</button>
<button type="button" id="config_system_cancel" class="btn btn-outline" (click)="cancel()"
[disabled]="(!isValid() || !hasChanges()) && (!hasWhitelistChanged) || inProgress">{{'BUTTON.CANCEL'
[disabled]="(!isValid() || !hasChanges()) && (!hasAllowlistChanged) || inProgress">{{'BUTTON.CANCEL'
| translate}}</button>
</div>
<confirmation-dialog #cfgConfirmationDialog (confirmAction)="confirmCancel($event)"></confirmation-dialog>


@ -50,7 +50,7 @@
margin-top: 4px;
}
.whitelist-window {
.allowlist-window {
border: 1px solid #ccc;
border-radius: 3px;
padding: 12px;


@ -14,7 +14,7 @@ describe('SystemSettingsComponent', () => {
const config: IServiceConfig = {
baseEndpoint: CURRENT_BASE_HREF + "/testing"
};
const mockedWhitelist = {
const mockedAllowlist = {
id: 1,
project_id: 1,
expires_at: null,
@ -23,13 +23,13 @@ describe('SystemSettingsComponent', () => {
]
};
const fakedSystemInfoService = {
getSystemWhitelist() {
return of(mockedWhitelist);
getSystemAllowlist() {
return of(mockedAllowlist);
},
getSystemInfo() {
return of({});
},
updateSystemWhitelist() {
updateSystemAllowlist() {
return of(true);
}
};
@ -65,7 +65,7 @@ describe('SystemSettingsComponent', () => {
expect(component).toBeTruthy();
});
it('cancel button should works', () => {
component.systemWhitelist.items.push({cve_id: 'CVE-2019-456'});
component.systemAllowlist.items.push({cve_id: 'CVE-2019-456'});
const readOnly: HTMLElement = fixture.nativeElement.querySelector('#repoReadOnly');
readOnly.click();
fixture.detectChanges();
@ -75,13 +75,13 @@ describe('SystemSettingsComponent', () => {
expect(component.confirmationDlg.opened).toBeTruthy();
});
it('save button should works', () => {
component.systemWhitelist.items[0].cve_id = 'CVE-2019-789';
component.systemAllowlist.items[0].cve_id = 'CVE-2019-789';
const readOnly: HTMLElement = fixture.nativeElement.querySelector('#repoReadOnly');
readOnly.click();
fixture.detectChanges();
const save: HTMLButtonElement = fixture.nativeElement.querySelector('#config_system_save');
save.click();
fixture.detectChanges();
expect(component.systemWhitelistOrigin.items[0].cve_id).toEqual('CVE-2019-789');
expect(component.systemAllowlistOrigin.items[0].cve_id).toEqual('CVE-2019-789');
});
});


@ -20,7 +20,7 @@ import {ConfirmationDialogComponent} from '../../confirmation-dialog/confirmatio
import {ConfirmationState, ConfirmationTargets} from '../../../entities/shared.const';
import {ConfirmationAcknowledgement} from '../../confirmation-dialog/confirmation-state-message';
import {
ConfigurationService, SystemCVEWhitelist, SystemInfo, SystemInfoService, VulnerabilityItem
ConfigurationService, SystemCVEAllowlist, SystemInfo, SystemInfoService, VulnerabilityItem
} from '../../../services';
import {forkJoin} from "rxjs";
@ -42,8 +42,8 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
private originalConfig: Configuration;
downloadLink: string;
robotTokenExpiration: string;
systemWhitelist: SystemCVEWhitelist;
systemWhitelistOrigin: SystemCVEWhitelist;
systemAllowlist: SystemCVEAllowlist;
systemAllowlistOrigin: SystemCVEAllowlist;
cveIds: string;
showAddModal: boolean = false;
systemInfo: SystemInfo;
@ -139,14 +139,14 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
*/
public save(): void {
let changes = this.getChanges();
if (!isEmpty(changes) || !compareValue(this.systemWhitelistOrigin, this.systemWhitelist)) {
if (!isEmpty(changes) || !compareValue(this.systemAllowlistOrigin, this.systemAllowlist)) {
this.onGoing = true;
let observables = [];
if (!isEmpty(changes)) {
observables.push(this.configService.saveConfigurations(changes));
}
if (!compareValue(this.systemWhitelistOrigin, this.systemWhitelist)) {
observables.push(this.systemInfoService.updateSystemWhitelist(this.systemWhitelist));
if (!compareValue(this.systemAllowlistOrigin, this.systemAllowlist)) {
observables.push(this.systemInfoService.updateSystemAllowlist(this.systemAllowlist));
}
forkJoin(observables).subscribe(result => {
this.onGoing = false;
@ -163,8 +163,8 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
this.reloadSystemConfig.emit();
}
if (!compareValue(this.systemWhitelistOrigin, this.systemWhitelist)) {
this.systemWhitelistOrigin = clone(this.systemWhitelist);
if (!compareValue(this.systemAllowlistOrigin, this.systemAllowlist)) {
this.systemAllowlistOrigin = clone(this.systemAllowlist);
}
this.errorHandler.info('CONFIG.SAVE_SUCCESS');
}, error => {
@ -212,8 +212,8 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
let changes = this.getChanges();
this.reset(changes);
this.initRobotToken();
if (!compareValue(this.systemWhitelistOrigin, this.systemWhitelist)) {
this.systemWhitelist = clone(this.systemWhitelistOrigin);
if (!compareValue(this.systemAllowlistOrigin, this.systemAllowlist)) {
this.systemAllowlist = clone(this.systemAllowlistOrigin);
}
}
}
@ -231,7 +231,7 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
*/
public cancel(): void {
let changes = this.getChanges();
if (!isEmpty(changes) || !compareValue(this.systemWhitelistOrigin, this.systemWhitelist)) {
if (!isEmpty(changes) || !compareValue(this.systemAllowlistOrigin, this.systemAllowlist)) {
let msg = new ConfirmationMessage(
'CONFIG.CONFIRM_TITLE',
'CONFIG.CONFIRM_SUMMARY',
@ -257,7 +257,7 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
ngOnInit() {
this.initRobotToken();
this.getSystemWhitelist();
this.getSystemAllowlist();
this.getSystemInfo();
}
@ -266,22 +266,22 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
.subscribe(systemInfo => this.systemInfo = systemInfo
, error => this.errorHandler.error(error));
}
getSystemWhitelist() {
getSystemAllowlist() {
this.onGoing = true;
this.systemInfoService.getSystemWhitelist()
.subscribe((systemWhitelist) => {
this.systemInfoService.getSystemAllowlist()
.subscribe((systemAllowlist) => {
this.onGoing = false;
if (!systemWhitelist.items) {
systemWhitelist.items = [];
if (!systemAllowlist.items) {
systemAllowlist.items = [];
}
if (!systemWhitelist.expires_at) {
systemWhitelist.expires_at = null;
if (!systemAllowlist.expires_at) {
systemAllowlist.expires_at = null;
}
this.systemWhitelist = systemWhitelist;
this.systemWhitelistOrigin = clone(systemWhitelist);
this.systemAllowlist = systemAllowlist;
this.systemAllowlistOrigin = clone(systemAllowlist);
}, error => {
this.onGoing = false;
console.error('An error occurred during getting systemWhitelist');
console.error('An error occurred during getting systemAllowlist');
// this.errorHandler.error(error);
}
);
@ -307,13 +307,13 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
}
deleteItem(index: number) {
this.systemWhitelist.items.splice(index, 1);
this.systemAllowlist.items.splice(index, 1);
}
addToSystemWhitelist() {
// remove duplication and add to systemWhitelist
addToSystemAllowlist() {
// remove duplication and add to systemAllowlist
let map = {};
this.systemWhitelist.items.forEach(item => {
this.systemAllowlist.items.forEach(item => {
map[item.cve_id] = true;
});
this.cveIds.split(/[\n,]+/).forEach(id => {
@ -321,7 +321,7 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
cveObj.cve_id = id.trim();
if (!map[cveObj.cve_id]) {
map[cveObj.cve_id] = true;
this.systemWhitelist.items.push(cveObj);
this.systemAllowlist.items.push(cveObj);
}
});
// clear modal and close modal
@ -329,8 +329,8 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
this.showAddModal = false;
}
get hasWhitelistChanged(): boolean {
return !compareValue(this.systemWhitelistOrigin, this.systemWhitelist);
get hasAllowlistChanged(): boolean {
return !compareValue(this.systemAllowlistOrigin, this.systemAllowlist);
}
isDisabled(): boolean {
@ -339,34 +339,34 @@ export class SystemSettingsComponent implements OnChanges, OnInit {
}
get expiresDate() {
if (this.systemWhitelist && this.systemWhitelist.expires_at) {
return new Date(this.systemWhitelist.expires_at * ONE_THOUSAND);
if (this.systemAllowlist && this.systemAllowlist.expires_at) {
return new Date(this.systemAllowlist.expires_at * ONE_THOUSAND);
}
return null;
}
set expiresDate(date) {
if (this.systemWhitelist && date) {
this.systemWhitelist.expires_at = Math.floor(date.getTime() / ONE_THOUSAND);
if (this.systemAllowlist && date) {
this.systemAllowlist.expires_at = Math.floor(date.getTime() / ONE_THOUSAND);
}
}
get neverExpires(): boolean {
return !(this.systemWhitelist && this.systemWhitelist.expires_at);
return !(this.systemAllowlist && this.systemAllowlist.expires_at);
}
set neverExpires(flag) {
if (flag) {
this.systemWhitelist.expires_at = null;
this.systemAllowlist.expires_at = null;
this.systemInfoService.resetDateInput(this.dateInput);
} else {
this.systemWhitelist.expires_at = Math.floor(new Date().getTime() / ONE_THOUSAND);
this.systemAllowlist.expires_at = Math.floor(new Date().getTime() / ONE_THOUSAND);
}
}
get hasExpired(): boolean {
if (this.systemWhitelistOrigin && this.systemWhitelistOrigin.expires_at) {
return new Date().getTime() > this.systemWhitelistOrigin.expires_at * ONE_THOUSAND;
if (this.systemAllowlistOrigin && this.systemAllowlistOrigin.expires_at) {
return new Date().getTime() > this.systemAllowlistOrigin.expires_at * ONE_THOUSAND;
}
return false;
}


@ -57,77 +57,77 @@
</clr-control-helper>
</clr-checkbox-container>
<div *ngIf="systemInfo" class="clr-form-control" [class.clr-form-control-disabled]="!hasChangeConfigRole">
<label for="systemWhitelist" class="clr-control-label">{{'CVE_WHITELIST.CVE_WHITELIST'|translate}}</label>
<label for="systemAllowlist" class="clr-control-label">{{'CVE_ALLOWLIST.CVE_ALLOWLIST'|translate}}</label>
<div class="w-100 clr-control-container">
<div class="config-subtext">
<div>
<span>{{'CVE_WHITELIST.PRO_WHITELIST_EXPLAIN'|translate}}</span>
<span>{{'CVE_ALLOWLIST.PRO_ALLOWLIST_EXPLAIN'|translate}}</span>
</div>
<div>
<span>{{'CVE_WHITELIST.PRO_OR_SYS'|translate}}</span>
<span>{{'CVE_ALLOWLIST.PRO_OR_SYS'|translate}}</span>
</div>
<div>
<span>{{'CVE_WHITELIST.MERGE_INTO'|translate}}</span>
<span>{{'CVE_ALLOWLIST.MERGE_INTO'|translate}}</span>
</div>
<div *ngIf="hasExpired">
<span *ngIf="isUseSystemWhitelist()"
class="label label-warning">{{'CVE_WHITELIST.WARNING_SYS'|translate}}</span>
<span *ngIf="!isUseSystemWhitelist()"
class="label label-warning">{{'CVE_WHITELIST.WARNING_PRO'|translate}}</span>
<span *ngIf="isUseSystemAllowlist()"
class="label label-warning">{{'CVE_ALLOWLIST.WARNING_SYS'|translate}}</span>
<span *ngIf="!isUseSystemAllowlist()"
class="label label-warning">{{'CVE_ALLOWLIST.WARNING_PRO'|translate}}</span>
</div>
</div>
<clr-radio-container clrInline>
<clr-radio-wrapper>
<input id="use-system" [attr.disabled]="!hasChangeConfigRole?'disabled':null" type="radio" clrRadio
name="systemWhitelistOrProjectWhitelist" required value="true"
[(ngModel)]="systemWhitelistOrProjectWhitelist" />
<label>{{'CVE_WHITELIST.SYS_WHITELIST'|translate}}</label>
name="systemAllowlistOrProjectAllowlist" required value="true"
[(ngModel)]="systemAllowlistOrProjectAllowlist" />
<label>{{'CVE_ALLOWLIST.SYS_ALLOWLIST'|translate}}</label>
</clr-radio-wrapper>
<clr-radio-wrapper>
<input id="use-project" [attr.disabled]="!hasChangeConfigRole?'disabled':null" type="radio" clrRadio
name="systemWhitelistOrProjectWhitelist" required value="false"
[(ngModel)]="systemWhitelistOrProjectWhitelist" />
<label>{{'CVE_WHITELIST.PRO_WHITELIST'|translate}}</label>
name="systemAllowlistOrProjectAllowlist" required value="false"
[(ngModel)]="systemAllowlistOrProjectAllowlist" />
<label>{{'CVE_ALLOWLIST.PRO_ALLOWLIST'|translate}}</label>
</clr-radio-wrapper>
</clr-radio-container>
<div class="clr-row width-90per">
<div class="clr-col position-relative col-flex-grow-0 ">
<div>
<button id="show-add-modal" [disabled]="isUseSystemWhitelist() || !hasChangeConfigRole"
<button id="show-add-modal" [disabled]="isUseSystemAllowlist() || !hasChangeConfigRole"
(click)="showAddModal=!showAddModal"
class="btn btn-link">{{'CVE_WHITELIST.ADD'|translate}}</button>
<button id="add-system" [disabled]="isUseSystemWhitelist() || !hasChangeConfigRole"
class="btn btn-link">{{'CVE_ALLOWLIST.ADD'|translate}}</button>
<button id="add-system" [disabled]="isUseSystemAllowlist() || !hasChangeConfigRole"
(click)="addSystem()"
class="btn btn-link ml-1">{{'CVE_WHITELIST.ADD_SYSTEM'|translate}}</button>
class="btn btn-link ml-1">{{'CVE_ALLOWLIST.ADD_SYSTEM'|translate}}</button>
</div>
<div class="add-modal add-modal-dark" *ngIf="showAddModal && !isUseSystemWhitelist()">
<div class="add-modal add-modal-dark" *ngIf="showAddModal && !isUseSystemAllowlist()">
<clr-icon (click)="showAddModal=false" class="float-lg-right margin-top-4"
shape="window-close"></clr-icon>
<div>
<clr-textarea-container class="flex-direction-column">
<label>{{'CVE_WHITELIST.ENTER'|translate}}</label>
<textarea id="whitelist-textarea" class="w-100" clrTextarea [(ngModel)]="cveIds"
<label>{{'CVE_ALLOWLIST.ENTER'|translate}}</label>
<textarea id="allowlist-textarea" class="w-100" clrTextarea [(ngModel)]="cveIds"
name="cveIds"></textarea>
<clr-control-helper>{{'CVE_WHITELIST.HELP'|translate}}</clr-control-helper>
<clr-control-helper>{{'CVE_ALLOWLIST.HELP'|translate}}</clr-control-helper>
</clr-textarea-container>
</div>
<div>
<button id="add-to-whitelist" [disabled]="isDisabled()"
(click)="addToProjectWhitelist()"
class="btn btn-link">{{'CVE_WHITELIST.ADD'|translate}}</button>
<button id="add-to-allowlist" [disabled]="isDisabled()"
(click)="addToProjectAllowlist()"
class="btn btn-link">{{'CVE_ALLOWLIST.ADD'|translate}}</button>
</div>
</div>
<ul class="whitelist-window" *ngIf="isUseSystemWhitelist()">
<li *ngIf="systemWhitelist?.items?.length<1" class="none">{{'CVE_WHITELIST.NONE'|translate}}
<ul class="allowlist-window" *ngIf="isUseSystemAllowlist()">
<li *ngIf="systemAllowlist?.items?.length<1" class="none">{{'CVE_ALLOWLIST.NONE'|translate}}
</li>
<li *ngFor="let item of systemWhitelist?.items">
<li *ngFor="let item of systemAllowlist?.items">
<a href="javascript:void(0)" (click)="goToDetail(item.cve_id)">{{item.cve_id}}</a>
</li>
</ul>
<ul class="whitelist-window" *ngIf="!isUseSystemWhitelist()">
<li class="none" *ngIf="projectWhitelist?.items?.length<1">
{{'CVE_WHITELIST.NONE'|translate}}</li>
<li *ngFor="let item of projectWhitelist?.items;let i = index;">
<ul class="allowlist-window" *ngIf="!isUseSystemAllowlist()">
<li class="none" *ngIf="projectAllowlist?.items?.length<1">
{{'CVE_ALLOWLIST.NONE'|translate}}</li>
<li *ngFor="let item of projectAllowlist?.items;let i = index;">
<a href="javascript:void(0)" (click)="goToDetail(item.cve_id)">{{item.cve_id}}</a>
<a class="float-lg-right" href="javascript:void(0)" (click)="deleteItem(i)">
<clr-icon shape="times-circle"></clr-icon>
@ -138,25 +138,25 @@
<div class="clr-col padding-top-16 pl-2">
<div class="clr-row expire-data">
<label for="expires"
class="bottom-line bottom-line-project-config clr-col-3">{{'CVE_WHITELIST.EXPIRES_AT'|translate}}</label>
class="bottom-line bottom-line-project-config clr-col-3">{{'CVE_ALLOWLIST.EXPIRES_AT'|translate}}</label>
<div class="underline">
<input #dateSystemInput readonly type="date" [(clrDate)]="systemExpiresDate">
<input [disabled]="!hasChangeConfigRole" *ngIf="!isUseSystemWhitelist()" #dateInput
placeholder="{{'CVE_WHITELIST.NEVER_EXPIRES'|translate}}" readonly type="date"
<input [disabled]="!hasChangeConfigRole" *ngIf="!isUseSystemAllowlist()" #dateInput
placeholder="{{'CVE_ALLOWLIST.NEVER_EXPIRES'|translate}}" readonly type="date"
[(clrDate)]="expiresDate" newFormLayout="true">
<input clrInput [disabled]="!hasChangeConfigRole" *ngIf="isUseSystemWhitelist()"
placeholder="{{'CVE_WHITELIST.NEVER_EXPIRES'|translate}}" readonly type="text"
<input clrInput [disabled]="!hasChangeConfigRole" *ngIf="isUseSystemAllowlist()"
placeholder="{{'CVE_ALLOWLIST.NEVER_EXPIRES'|translate}}" readonly type="text"
value="{{systemExpiresDateString}}">
</div>
</div>
<div class="clr-row">
<label for="expires" class="clr-col-3"></label>
<clr-checkbox-wrapper>
<input [disabled]="isUseSystemWhitelist() || !hasChangeConfigRole"
<input [disabled]="isUseSystemAllowlist() || !hasChangeConfigRole"
[checked]="neverExpires" [(ngModel)]="neverExpires" type="checkbox" clrCheckbox
name="neverExpires" id="neverExpires" />
<label>
{{'CVE_WHITELIST.NEVER_EXPIRES'|translate}}
{{'CVE_ALLOWLIST.NEVER_EXPIRES'|translate}}
</label>
</clr-checkbox-wrapper>
</div>
@ -165,10 +165,10 @@
</div>
</div>
<button type="button" class="btn btn-primary" (click)="save()"
[disabled]="((!isValid() || !hasChanges()) && !hasWhitelistChanged) || !hasChangeConfigRole">{{'BUTTON.SAVE'
[disabled]="((!isValid() || !hasChanges()) && !hasAllowlistChanged) || !hasChangeConfigRole">{{'BUTTON.SAVE'
| translate}}</button>
<button type="button" class="btn btn-outline" (click)="cancel()"
[disabled]="((!isValid() || !hasChanges()) && !hasWhitelistChanged) || !hasChangeConfigRole">{{'BUTTON.CANCEL'
[disabled]="((!isValid() || !hasChanges()) && !hasAllowlistChanged) || !hasChangeConfigRole">{{'BUTTON.CANCEL'
| translate}}</button>
<confirmation-dialog #cfgConfirmationDialog (confirmAction)="confirmCancel($event)"></confirmation-dialog>
</section>


@ -10,7 +10,7 @@
margin-top: 4px;
}
.whitelist-window {
.allowlist-window {
border: 1px solid #ccc;
border-radius: 3px;
padding: 12px;


@ -6,7 +6,7 @@ import { ProjectPolicyConfigComponent } from './project-policy-config.component'
import { SharedModule } from '../../utils/shared/shared.module';
import { ProjectService } from '../../services/project.service';
import { SERVICE_CONFIG, IServiceConfig} from '../../entities/service.config';
import {SystemCVEWhitelist, SystemInfo} from '../../services/interface';
import {SystemCVEAllowlist, SystemInfo} from '../../services/interface';
import { Project } from './project';
import { UserPermissionService } from '../../services/permission.service';
import { of } from 'rxjs';
@ -74,7 +74,7 @@ const mockProjectPolicies: Project[] | any[] = [
}
}
];
const mockSystemWhitelist: SystemCVEWhitelist = {
const mockSystemAllowlist: SystemCVEAllowlist = {
"expires_at": 1561996800,
"id": 1,
"items": [],
@ -94,8 +94,8 @@ const systemInfoService = {
getSystemInfo() {
return of(mockSystemInfo[0]);
},
getSystemWhitelist() {
return of(mockSystemWhitelist);
getSystemAllowlist() {
return of(mockSystemAllowlist);
}
};


@ -3,7 +3,7 @@ import {Component, ElementRef, Input, OnInit, ViewChild} from '@angular/core';
import {compareValue, clone} from '../../utils/utils';
import {ProjectService} from '../../services/project.service';
import {ErrorHandler} from '../../utils/error-handler/error-handler';
import {State, SystemCVEWhitelist} from '../../services/interface';
import {State, SystemCVEAllowlist} from '../../services/interface';
import {ConfirmationState, ConfirmationTargets} from '../../entities/shared.const';
import {ConfirmationMessage} from '../confirmation-dialog/confirmation-message';
@ -76,17 +76,17 @@ export class ProjectPolicyConfigComponent implements OnInit {
{severity: 'low', severityLevel: 'VULNERABILITY.SEVERITY.LOW'},
{severity: 'none', severityLevel: 'VULNERABILITY.SEVERITY.NONE'},
];
userSystemWhitelist: boolean = true;
userSystemAllowlist: boolean = true;
showAddModal: boolean = false;
systemWhitelist: SystemCVEWhitelist;
systemAllowlist: SystemCVEAllowlist;
cveIds: string;
systemExpiresDate: Date;
systemExpiresDateString: string;
userProjectWhitelist = false;
systemWhitelistOrProjectWhitelist: string;
systemWhitelistOrProjectWhitelistOrigin: string;
projectWhitelist;
projectWhitelistOrigin;
userProjectAllowlist = false;
systemAllowlistOrProjectAllowlist: string;
systemAllowlistOrProjectAllowlistOrigin: string;
projectAllowlist;
projectAllowlistOrigin;
constructor(
private errorHandler: ErrorHandler,
@ -114,16 +114,16 @@ export class ProjectPolicyConfigComponent implements OnInit {
// retrive project level policy data
this.retrieve();
this.getPermission();
this.getSystemWhitelist();
this.getSystemAllowlist();
}
getSystemWhitelist() {
this.systemInfoService.getSystemWhitelist()
.subscribe((systemWhitelist) => {
if (systemWhitelist) {
this.systemWhitelist = systemWhitelist;
if (this.systemWhitelist.expires_at) {
this.systemExpiresDate = new Date(this.systemWhitelist.expires_at * ONE_THOUSAND);
getSystemAllowlist() {
this.systemInfoService.getSystemAllowlist()
.subscribe((systemAllowlist) => {
if (systemAllowlist) {
this.systemAllowlist = systemAllowlist;
if (this.systemAllowlist.expires_at) {
this.systemExpiresDate = new Date(this.systemAllowlist.expires_at * ONE_THOUSAND);
setTimeout( () => {
this.systemExpiresDateString = this.dateSystemInput.nativeElement.value;
}, 100);
@ -151,27 +151,27 @@ export class ProjectPolicyConfigComponent implements OnInit {
response => {
this.orgProjectPolicy.initByProject(response);
this.projectPolicy.initByProject(response);
// get projectWhitelist
if (!response.cve_whitelist) {
response.cve_whitelist = {
// get projectAllowlist
if (!response.cve_allowlist) {
response.cve_allowlist = {
items: [],
expires_at: null
};
}
if (!response.cve_whitelist['items']) {
response.cve_whitelist['items'] = [];
if (!response.cve_allowlist['items']) {
response.cve_allowlist['items'] = [];
}
if (!response.cve_whitelist['expires_at']) {
response.cve_whitelist['expires_at'] = null;
if (!response.cve_allowlist['expires_at']) {
response.cve_allowlist['expires_at'] = null;
}
if (!response.metadata.reuse_sys_cve_whitelist) {
response.metadata.reuse_sys_cve_whitelist = "true";
if (!response.metadata.reuse_sys_cve_allowlist) {
response.metadata.reuse_sys_cve_allowlist = "true";
}
if (response && response.cve_whitelist) {
this.projectWhitelist = clone(response.cve_whitelist);
this.projectWhitelistOrigin = clone(response.cve_whitelist);
this.systemWhitelistOrProjectWhitelist = response.metadata.reuse_sys_cve_whitelist;
this.systemWhitelistOrProjectWhitelistOrigin = response.metadata.reuse_sys_cve_whitelist;
if (response && response.cve_allowlist) {
this.projectAllowlist = clone(response.cve_allowlist);
this.projectAllowlistOrigin = clone(response.cve_allowlist);
this.systemAllowlistOrProjectAllowlist = response.metadata.reuse_sys_cve_allowlist;
this.systemAllowlistOrProjectAllowlistOrigin = response.metadata.reuse_sys_cve_allowlist;
}
}, error => this.errorHandler.error(error));
}
@ -193,15 +193,15 @@ export class ProjectPolicyConfigComponent implements OnInit {
}
save() {
if (!this.hasChanges() && !this.hasWhitelistChanged) {
if (!this.hasChanges() && !this.hasAllowlistChanged) {
return;
}
this.onGoing = true;
this.projectService.updateProjectPolicy(
this.projectId,
this.projectPolicy,
this.systemWhitelistOrProjectWhitelist,
this.projectWhitelist)
this.systemAllowlistOrProjectAllowlist,
this.projectAllowlist)
.subscribe(() => {
this.onGoing = false;
this.translate.get('CONFIG.SAVE_SUCCESS').subscribe((res: string) => {
@ -233,49 +233,49 @@ export class ProjectPolicyConfigComponent implements OnInit {
if (ack && ack.source === ConfirmationTargets.CONFIG &&
ack.state === ConfirmationState.CONFIRMED) {
this.reset();
if (this.hasWhitelistChanged) {
this.projectWhitelist = clone(this.projectWhitelistOrigin);
this.systemWhitelistOrProjectWhitelist = this.systemWhitelistOrProjectWhitelistOrigin;
if (this.hasAllowlistChanged) {
this.projectAllowlist = clone(this.projectAllowlistOrigin);
this.systemAllowlistOrProjectAllowlist = this.systemAllowlistOrProjectAllowlistOrigin;
}
}
}
isUseSystemWhitelist(): boolean {
return this.systemWhitelistOrProjectWhitelist === 'true';
isUseSystemAllowlist(): boolean {
return this.systemAllowlistOrProjectAllowlist === 'true';
}
deleteItem(index: number) {
this.projectWhitelist.items.splice(index, 1);
this.projectAllowlist.items.splice(index, 1);
}
addSystem() {
this.showAddModal = false;
if (!(this.systemWhitelist && this.systemWhitelist.items && this.systemWhitelist.items.length > 0)) {
if (!(this.systemAllowlist && this.systemAllowlist.items && this.systemAllowlist.items.length > 0)) {
return;
}
if (this.projectWhitelist && !this.projectWhitelist.items) {
this.projectWhitelist.items = [];
if (this.projectAllowlist && !this.projectAllowlist.items) {
this.projectAllowlist.items = [];
}
// remove duplication and add to projectWhitelist
// remove duplication and add to projectAllowlist
let map = {};
this.projectWhitelist.items.forEach(item => {
this.projectAllowlist.items.forEach(item => {
map[item.cve_id] = true;
});
this.systemWhitelist.items.forEach(item => {
this.systemAllowlist.items.forEach(item => {
if (!map[item.cve_id]) {
map[item.cve_id] = true;
this.projectWhitelist.items.push(item);
this.projectAllowlist.items.push(item);
}
});
}
addToProjectWhitelist() {
if (this.projectWhitelist && !this.projectWhitelist.items) {
this.projectWhitelist.items = [];
addToProjectAllowlist() {
if (this.projectAllowlist && !this.projectAllowlist.items) {
this.projectAllowlist.items = [];
}
// remove duplication and add to projectWhitelist
// remove duplication and add to projectAllowlist
let map = {};
this.projectWhitelist.items.forEach(item => {
this.projectAllowlist.items.forEach(item => {
map[item.cve_id] = true;
});
this.cveIds.split(/[\n,]+/).forEach(id => {
@ -283,7 +283,7 @@ export class ProjectPolicyConfigComponent implements OnInit {
cveObj.cve_id = id.trim();
if (!map[cveObj.cve_id]) {
map[cveObj.cve_id] = true;
this.projectWhitelist.items.push(cveObj);
this.projectAllowlist.items.push(cveObj);
}
});
// clear modal and close modal
@ -291,9 +291,9 @@ export class ProjectPolicyConfigComponent implements OnInit {
this.showAddModal = false;
}
get hasWhitelistChanged(): boolean {
return !(compareValue(this.projectWhitelist, this.projectWhitelistOrigin)
&& this.systemWhitelistOrProjectWhitelistOrigin === this.systemWhitelistOrProjectWhitelist);
get hasAllowlistChanged(): boolean {
return !(compareValue(this.projectAllowlist, this.projectAllowlistOrigin)
&& this.systemAllowlistOrProjectAllowlistOrigin === this.systemAllowlistOrProjectAllowlist);
}
isDisabled(): boolean {
@ -302,34 +302,34 @@ export class ProjectPolicyConfigComponent implements OnInit {
}
get expiresDate() {
if (this.systemWhitelistOrProjectWhitelist === 'true') {
if (this.systemWhitelist && this.systemWhitelist.expires_at) {
return new Date(this.systemWhitelist.expires_at * ONE_THOUSAND);
if (this.systemAllowlistOrProjectAllowlist === 'true') {
if (this.systemAllowlist && this.systemAllowlist.expires_at) {
return new Date(this.systemAllowlist.expires_at * ONE_THOUSAND);
}
} else {
if (this.projectWhitelist && this.projectWhitelist.expires_at) {
return new Date(this.projectWhitelist.expires_at * ONE_THOUSAND);
if (this.projectAllowlist && this.projectAllowlist.expires_at) {
return new Date(this.projectAllowlist.expires_at * ONE_THOUSAND);
}
}
return null;
}
set expiresDate(date) {
if (this.systemWhitelistOrProjectWhitelist === 'false') {
if (this.projectWhitelist && date) {
this.projectWhitelist.expires_at = Math.floor(date.getTime() / ONE_THOUSAND);
if (this.systemAllowlistOrProjectAllowlist === 'false') {
if (this.projectAllowlist && date) {
this.projectAllowlist.expires_at = Math.floor(date.getTime() / ONE_THOUSAND);
}
}
}
get neverExpires(): boolean {
if (this.systemWhitelistOrProjectWhitelist === 'true') {
if (this.systemWhitelist && this.systemWhitelist.expires_at) {
return !(this.systemWhitelist && this.systemWhitelist.expires_at);
if (this.systemAllowlistOrProjectAllowlist === 'true') {
if (this.systemAllowlist && this.systemAllowlist.expires_at) {
return !(this.systemAllowlist && this.systemAllowlist.expires_at);
}
} else {
if (this.projectWhitelist && this.projectWhitelist.expires_at) {
return !(this.projectWhitelist && this.projectWhitelist.expires_at);
if (this.projectAllowlist && this.projectAllowlist.expires_at) {
return !(this.projectAllowlist && this.projectAllowlist.expires_at);
}
}
return true;
@ -337,21 +337,21 @@ export class ProjectPolicyConfigComponent implements OnInit {
set neverExpires(flag) {
if (flag) {
this.projectWhitelist.expires_at = null;
this.projectAllowlist.expires_at = null;
this.systemInfoService.resetDateInput(this.dateInput);
} else {
this.projectWhitelist.expires_at = Math.floor(new Date().getTime() / ONE_THOUSAND);
this.projectAllowlist.expires_at = Math.floor(new Date().getTime() / ONE_THOUSAND);
}
}
get hasExpired(): boolean {
if (this.systemWhitelistOrProjectWhitelist === 'true') {
if (this.systemWhitelist && this.systemWhitelist.expires_at) {
return new Date().getTime() > this.systemWhitelist.expires_at * ONE_THOUSAND;
if (this.systemAllowlistOrProjectAllowlist === 'true') {
if (this.systemAllowlist && this.systemAllowlist.expires_at) {
return new Date().getTime() > this.systemAllowlist.expires_at * ONE_THOUSAND;
}
} else {
if (this.projectWhitelistOrigin && this.projectWhitelistOrigin.expires_at) {
return new Date().getTime() > this.projectWhitelistOrigin.expires_at * ONE_THOUSAND;
if (this.projectAllowlistOrigin && this.projectAllowlistOrigin.expires_at) {
return new Date().getTime() > this.projectAllowlistOrigin.expires_at * ONE_THOUSAND;
}
}
return false;


@ -18,9 +18,9 @@ export class Project {
prevent_vul: string | boolean;
severity: string;
auto_scan: string | boolean;
reuse_sys_cve_whitelist?: string;
reuse_sys_cve_allowlist?: string;
};
cve_whitelist?: object;
cve_allowlist?: object;
constructor () {
this.metadata.public = false;
this.metadata.enable_content_trust = false;
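Review bot: `reuse_sys_cve_allowlist` is a project metadata key that, judging by the test later in this commit (`p.metadata.reuse_sys_cve_allowlist`), is persisted per project and read back by name, so renaming it in this model without a data migration for rows stored under the old `reuse_sys_cve_whitelist` key would make those projects appear unset. The component that consumes this model defaults a missing value to `"true"` (use the system allowlist), so a project that had deliberately opted out of the system list would silently fall back to it, a policy change the project admin never made. I cannot see the server-side metadata handling or migrations from this view; if none exists, add a migration that renames the key (or have the reader accept both keys for one release) and call it out in the upgrade guide.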


@ -439,7 +439,7 @@ export interface ProjectRootInterface {
VALUE: number;
LABEL: string;
}
export interface SystemCVEWhitelist {
export interface SystemCVEAllowlist {
id: number;
project_id: number;
expires_at: number;


@ -47,8 +47,8 @@ export abstract class ProjectService {
abstract updateProjectPolicy(
projectId: number | string,
projectPolicy: ProjectPolicy,
reuseSysCVEVWhitelist: string,
projectWhitelist: object
reuseSysCVEVAllowlist: string,
projectAllowlist: object
): Observable<any>;
/**
@ -109,8 +109,8 @@ export class ProjectDefaultService extends ProjectService {
public updateProjectPolicy(
projectId: number | string,
projectPolicy: ProjectPolicy,
reuseSysCVEVWhitelist: string,
projectWhitelist: object
reuseSysCVEVAllowlist: string,
projectAllowlist: object
): any {
let baseUrl: string = this.config.projectBaseEndpoint
? this.config.projectBaseEndpoint
@ -125,9 +125,9 @@ export class ProjectDefaultService extends ProjectService {
prevent_vul: projectPolicy.PreventVulImg ? "true" : "false",
severity: projectPolicy.PreventVulImgSeverity,
auto_scan: projectPolicy.ScanImgOnPush ? "true" : "false",
reuse_sys_cve_whitelist: reuseSysCVEVWhitelist
reuse_sys_cve_allowlist: reuseSysCVEVAllowlist
},
cve_whitelist: projectWhitelist
cve_allowlist: projectAllowlist
},
HTTP_JSON_OPTIONS
)


@ -2,7 +2,7 @@ import {ElementRef, Inject, Injectable} from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { map, catchError } from "rxjs/operators";
import { Observable, throwError as observableThrowError } from "rxjs";
import {SystemCVEWhitelist, SystemInfo} from './interface';
import {SystemCVEAllowlist, SystemInfo} from './interface';
import { SERVICE_CONFIG, IServiceConfig } from '../entities/service.config';
import { CURRENT_BASE_HREF, HTTP_GET_OPTIONS, HTTP_JSON_OPTIONS } from "../utils/utils";
@ -19,14 +19,14 @@ export abstract class SystemInfoService {
*/
abstract getSystemInfo(): Observable<SystemInfo>;
/**
* get system CEVWhitelist
* get system CEVAllowlist
*/
abstract getSystemWhitelist(): Observable<SystemCVEWhitelist>;
abstract getSystemAllowlist(): Observable<SystemCVEAllowlist>;
/**
* update systemCVEWhitelist
* @param systemCVEWhitelist
* update systemCVEAllowlist
* @param systemCVEAllowlist
*/
abstract updateSystemWhitelist(systemCVEWhitelist: SystemCVEWhitelist): Observable<any>;
abstract updateSystemAllowlist(systemCVEAllowlist: SystemCVEAllowlist): Observable<any>;
/**
* set null to the date type input
* @param ref
@ -47,13 +47,13 @@ export class SystemInfoDefaultService extends SystemInfoService {
.pipe(map(systemInfo => systemInfo as SystemInfo)
, catchError(error => observableThrowError(error)));
}
public getSystemWhitelist(): Observable<SystemCVEWhitelist> {
return this.http.get(CURRENT_BASE_HREF + "/system/CVEWhitelist", HTTP_GET_OPTIONS)
.pipe(map(systemCVEWhitelist => systemCVEWhitelist as SystemCVEWhitelist)
public getSystemAllowlist(): Observable<SystemCVEAllowlist> {
return this.http.get(CURRENT_BASE_HREF + "/system/CVEAllowlist", HTTP_GET_OPTIONS)
.pipe(map(systemCVEAllowlist => systemCVEAllowlist as SystemCVEAllowlist)
, catchError(error => observableThrowError(error)));
}
public updateSystemWhitelist(systemCVEWhitelist: SystemCVEWhitelist): Observable<any> {
return this.http.put(CURRENT_BASE_HREF + "/system/CVEWhitelist", JSON.stringify(systemCVEWhitelist), HTTP_JSON_OPTIONS)
public updateSystemAllowlist(systemCVEAllowlist: SystemCVEAllowlist): Observable<any> {
return this.http.put(CURRENT_BASE_HREF + "/system/CVEAllowlist", JSON.stringify(systemCVEAllowlist), HTTP_JSON_OPTIONS)
.pipe(map(response => response)
, catchError(error => observableThrowError(error)));
}


@ -59,7 +59,7 @@ func Middleware() func(http.Handler) http.Handler {
return err
}
proj, err := projectController.Get(ctx, art.ProjectID, project.CVEWhitelist(true))
proj, err := projectController.Get(ctx, art.ProjectID, project.CVEAllowlist(true))
if err != nil {
logger.Errorf("get the project %d failed, error: %v", art.ProjectID, err)
return err
@ -91,8 +91,8 @@ func Middleware() func(http.Handler) http.Handler {
return nil
}
whitelist := report.CVESet(proj.CVEWhitelist.CVESet())
summaries, err := scanController.GetSummary(ctx, art, []string{v1.MimeTypeNativeReport}, report.WithCVEWhitelist(&whitelist))
allowlist := report.CVESet(proj.CVEAllowlist.CVESet())
summaries, err := scanController.GetSummary(ctx, art, []string{v1.MimeTypeNativeReport}, report.WithCVEAllowlist(&allowlist))
if err != nil {
logger.Errorf("get vulnerability summary of the artifact %s@%s failed, error: %v", art.RepositoryName, art.Digest, err)
return err
@ -114,11 +114,11 @@ func Middleware() func(http.Handler) http.Handler {
}
if art.IsImageIndex() {
// artifact is image index, skip the checking when it is in the whitelist
skippingWhitelist := []string{image.ArtifactTypeImage, cnab.ArtifactTypeCNAB}
for _, t := range skippingWhitelist {
// artifact is image index, skip the checking when it is in the allowlist
skippingAllowlist := []string{image.ArtifactTypeImage, cnab.ArtifactTypeCNAB}
for _, t := range skippingAllowlist {
if art.Type == t {
logger.Debugf("artifact %s@%s is image index and its type is %s in skipping whitelist, "+
logger.Debugf("artifact %s@%s is image index and its type is %s in skipping allowlist, "+
"skip the vulnerability prevention checking", art.RepositoryName, art.Digest, art.Type)
return nil
}
@ -145,7 +145,7 @@ func Middleware() func(http.Handler) http.Handler {
thing = "vulnerabilities"
}
msg := fmt.Sprintf(`current image with %d %s cannot be pulled due to configured policy in 'Prevent images with vulnerability severity of "%s" or higher from running.' `+
`To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE whitelist.`,
`To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE allowlist.`,
summary.Summary.Total, thing, projectSeverity)
return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage(msg)
}


@ -58,7 +58,7 @@ func registerLegacyRoutes() {
beego.Router("/api/"+version+"/system/gc/:id([0-9]+)/log", &api.GCAPI{}, "get:GetLog")
beego.Router("/api/"+version+"/system/gc/schedule", &api.GCAPI{}, "get:Get;put:Put;post:Post")
beego.Router("/api/"+version+"/system/scanAll/schedule", &api.ScanAllAPI{}, "get:Get;put:Put;post:Post")
beego.Router("/api/"+version+"/system/CVEWhitelist", &api.SysCVEWhitelistAPI{}, "get:Get;put:Put")
beego.Router("/api/"+version+"/system/CVEAllowlist", &api.SysCVEAllowlistAPI{}, "get:Get;put:Put")
beego.Router("/api/"+version+"/system/oidc/ping", &api.OIDCAPI{}, "post:Ping")
beego.Router("/api/"+version+"/replication/adapters", &api.ReplicationAdapterAPI{}, "get:List")
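Review bot: The route registration `beego.Router("/api/"+version+"/system/CVEAllowlist", &api.SysCVEAllowlistAPI{}, "get:Get;put:Put")` drops the old `/system/CVEWhitelist` path entirely, so any existing client or automation that manages the system-level CVE exemptions gets a 404 after upgrade, and the generated Swagger client methods are renamed with it (the Python test library now calls `system_cve_allowlist_put_with_http_info`). Because this endpoint decides which vulnerabilities are exempted from the pull-prevention policy, a silent break here deserves a deprecation period rather than a hard cut: keep the old path bound to the same handler for one release, e.g. `beego.Router("/api/"+version+"/system/CVEWhitelist", &api.SysCVEAllowlistAPI{}, "get:Get;put:Put") // deprecated alias, remove next release`, and note the rename in the API changelog. The same compatibility question applies to the `cve_allowlist` and `reuse_sys_cve_allowlist` request fields on the project PUT, which I infer from the Swagger changes but cannot see handled server-side in this view.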


@ -77,9 +77,9 @@ class Project(base.Base):
base._assert_status_code(200, status_code)
return data
def update_project(self, project_id, expect_status_code=200, metadata=None, cve_whitelist=None, **kwargs):
def update_project(self, project_id, expect_status_code=200, metadata=None, cve_allowlist=None, **kwargs):
client = self._get_client(**kwargs)
project = swagger_client.ProjectReq(metadata=metadata, cve_whitelist=cve_whitelist)
project = swagger_client.ProjectReq(metadata=metadata, cve_allowlist=cve_allowlist)
try:
_, sc, _ = client.projects_project_id_put_with_http_info(project_id, project)
except ApiException as e:
@ -225,4 +225,4 @@ class Project(base.Base):
client = self._get_client(**kwargs)
_, status_code, _ = client.projects_project_id_robots_robot_id_delete_with_http_info(project_id, robot_id)
base._assert_status_code(expect_status_code, status_code)
base._assert_status_code(200, status_code)
base._assert_status_code(200, status_code)


@ -174,20 +174,20 @@ class System(base.Base):
if deleted_files_count == 0:
raise Exception(r"Get blobs eligible for deletion count is {}, while we expect more than 1.".format(deleted_files_count))
def set_cve_whitelist(self, expires_at=None, expected_status_code=200, *cve_ids, **kwargs):
def set_cve_allowlist(self, expires_at=None, expected_status_code=200, *cve_ids, **kwargs):
client = self._get_client(**kwargs)
cve_list = [swagger_client.CVEWhitelistItem(cve_id=c) for c in cve_ids]
whitelist = swagger_client.CVEWhitelist(expires_at=expires_at, items=cve_list)
cve_list = [swagger_client.CVEAllowlistItem(cve_id=c) for c in cve_ids]
allowlist = swagger_client.CVEAllowlist(expires_at=expires_at, items=cve_list)
try:
r = client.system_cve_whitelist_put_with_http_info(whitelist=whitelist, _preload_content=False)
r = client.system_cve_allowlist_put_with_http_info(allowlist=allowlist, _preload_content=False)
except Exception as e:
base._assert_status_code(expected_status_code, e.status)
else:
base._assert_status_code(expected_status_code, r[1])
def get_cve_whitelist(self, **kwargs):
def get_cve_allowlist(self, **kwargs):
client = self._get_client(**kwargs)
return client.system_cve_whitelist_get()
return client.system_cve_allowlist_get()
def get_project_quota(self, reference, reference_id, **kwargs):
params={}
@ -197,4 +197,4 @@ class System(base.Base):
client = self._get_client(**kwargs)
data, status_code, _ = client.quotas_get_with_http_info(**params)
base._assert_status_code(200, status_code)
return data
return data


@ -9,23 +9,23 @@ from library.project import Project
from library.user import User
class TestProjectCVEWhitelist(unittest.TestCase):
class TestProjectCVEAllowlist(unittest.TestCase):
"""
Test case:
Project Level CVE Whitelist
Project Level CVE Allowlist
Setup:
1.Admin creates project(PA)
2.Create user(RA)
3.Add user(RA) as a guest of project(PA)
Test Steps:
1. User(RA) reads the project(PA), verify the "reuse_sys_cve_whitelist" is empty in the metadata, and the CVE whitelist is empty
2. User(RA) updates the project CVE whitelist, verify it fails with Forbidden error.
1. User(RA) reads the project(PA), verify the "reuse_sys_cve_allowlist" is empty in the metadata, and the CVE allowlist is empty
2. User(RA) updates the project CVE allowlist, verify it fails with Forbidden error.
3. Admin user updates User(RA) as project admin.
4. User(RA) updates the project CVE whitelist with expiration date and one item in the items list.
5. User(RA) reads the project(PA), verify the CVE whitelist is updated as step 4
6. User(RA) updates the project CVE whitelist removes expiration date and clean the items.
7. User(RA) reads the project(PA), verify the CVE whitelist is updated as step 6
8. User(RA) updates the project metadata to set "reuse_sys_cve_whitelist" to true.
4. User(RA) updates the project CVE allowlist with expiration date and one item in the items list.
5. User(RA) reads the project(PA), verify the CVE allowlist is updated as step 4
6. User(RA) updates the project CVE allowlist removes expiration date and clean the items.
7. User(RA) reads the project(PA), verify the CVE allowlist is updated as step 6
8. User(RA) updates the project metadata to set "reuse_sys_cve_allowlist" to true.
9. User(RA) reads the project(PA) verify the project metadata is updated.
Tear Down:
1. Remove User(RA) from project(PA) as member
@ -55,40 +55,40 @@ class TestProjectCVEWhitelist(unittest.TestCase):
self.project.delete_project(self.project_pa_id,**ADMIN_CLIENT)
self.user.delete_user(self.user_ra_id, **ADMIN_CLIENT)
def testProjectLevelCVEWhitelist(self):
# User(RA) reads the project(PA), verify the "reuse_sys_cve_whitelist" is empty in the metadata,
# and the CVE whitelist is empty
def testProjectLevelCVEAllowlist(self):
# User(RA) reads the project(PA), verify the "reuse_sys_cve_allowlist" is empty in the metadata,
# and the CVE allowlist is empty
p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
self.assertIsNone(p.metadata.reuse_sys_cve_whitelist)
self.assertEqual(0, len(p.cve_whitelist.items))
self.assertIsNone(p.metadata.reuse_sys_cve_allowlist)
self.assertEqual(0, len(p.cve_allowlist.items))
# User(RA) updates the project CVE whitelist, verify it fails with Forbidden error.
item_list = [swagger_client.CVEWhitelistItem(cve_id="CVE-2019-12310")]
# User(RA) updates the project CVE allowlist, verify it fails with Forbidden error.
item_list = [swagger_client.CVEAllowlistItem(cve_id="CVE-2019-12310")]
exp = int(time.time()) + 1000
wl = swagger_client.CVEWhitelist(expires_at=exp, items=item_list)
self.project.update_project(self.project_pa_id, cve_whitelist=wl, expect_status_code=403, **self.USER_RA_CLIENT)
wl = swagger_client.CVEAllowlist(expires_at=exp, items=item_list)
self.project.update_project(self.project_pa_id, cve_allowlist=wl, expect_status_code=403, **self.USER_RA_CLIENT)
# Admin user updates User(RA) as project admin.
self.project.update_project_member_role(self.project_pa_id,self.member_id, 1, **ADMIN_CLIENT)
# User(RA) updates the project CVE whitelist with expiration date and one item in the items list.
self.project.update_project(self.project_pa_id, cve_whitelist=wl, **self.USER_RA_CLIENT)
# User(RA) updates the project CVE allowlist with expiration date and one item in the items list.
self.project.update_project(self.project_pa_id, cve_allowlist=wl, **self.USER_RA_CLIENT)
p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
self.assertEqual("CVE-2019-12310", p.cve_whitelist.items[0].cve_id)
self.assertEqual(exp, p.cve_whitelist.expires_at)
self.assertEqual("CVE-2019-12310", p.cve_allowlist.items[0].cve_id)
self.assertEqual(exp, p.cve_allowlist.expires_at)
# User(RA) updates the project CVE whitelist with empty items list
wl2 = swagger_client.CVEWhitelist(items=[])
self.project.update_project(self.project_pa_id, cve_whitelist=wl2, **self.USER_RA_CLIENT)
# User(RA) updates the project CVE allowlist with empty items list
wl2 = swagger_client.CVEAllowlist(items=[])
self.project.update_project(self.project_pa_id, cve_allowlist=wl2, **self.USER_RA_CLIENT)
p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
self.assertEqual(0, len(p.cve_whitelist.items))
self.assertIsNone(p.cve_whitelist.expires_at)
self.assertEqual(0, len(p.cve_allowlist.items))
self.assertIsNone(p.cve_allowlist.expires_at)
# User(RA) updates the project metadata to set "reuse_sys_cve_whitelist" to true.
meta = swagger_client.ProjectMetadata(reuse_sys_cve_whitelist="true")
# User(RA) updates the project metadata to set "reuse_sys_cve_allowlist" to true.
meta = swagger_client.ProjectMetadata(reuse_sys_cve_allowlist="true")
self.project.update_project(self.project_pa_id, metadata=meta, **self.USER_RA_CLIENT)
p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
self.assertEqual("true", p.metadata.reuse_sys_cve_whitelist)
self.assertEqual("true", p.metadata.reuse_sys_cve_allowlist)
if __name__ == '__main__':


@ -9,22 +9,22 @@ from library.user import User
from library.system import System
class TestSysCVEWhitelist(unittest.TestCase):
class TestSysCVEAllowlist(unittest.TestCase):
"""
Test case:
System Level CVE Whitelist
System Level CVE Allowlist
Setup:
Create user(RA)
Test Steps:
1. User(RA) reads the system level CVE whitelist and it's empty.
2. User(RA) updates the system level CVE whitelist, verify it's failed.
1. User(RA) reads the system level CVE allowlist and it's empty.
2. User(RA) updates the system level CVE allowlist, verify it's failed.
3. Update user(RA) to system admin
4. User(RA) updates the system level CVE whitelist, verify it's successful.
5. User(RA) reads the system level CVE whitelist, verify the CVE list is updated.
6. User(RA) updates the expiration date of system level CVE whitelist.
7. User(RA) reads the system level CVE whitelist, verify the expiration date is updated.
4. User(RA) updates the system level CVE allowlist, verify it's successful.
5. User(RA) reads the system level CVE allowlist, verify the CVE list is updated.
6. User(RA) updates the expiration date of system level CVE allowlist.
7. User(RA) reads the system level CVE allowlist, verify the expiration date is updated.
Tear Down:
1. Clear the system level CVE whitelist.
1. Clear the system level CVE allowlist.
2. Delete User(RA)
"""
def setUp(self):
@ -39,35 +39,35 @@ class TestSysCVEWhitelist(unittest.TestCase):
password=user_ra_password)
self.user_ra_id = int(user_ra_id)
def testSysCVEWhitelist(self):
# 1. User(RA) reads the system level CVE whitelist and it's empty.
wl = self.system.get_cve_whitelist(**self.USER_RA_CLIENT)
self.assertEqual(0, len(wl.items), "The initial system level CVE whitelist is not empty: %s" % wl.items)
# 2. User(RA) updates the system level CVE whitelist, verify it's failed.
def testSysCVEAllowlist(self):
# 1. User(RA) reads the system level CVE allowlist and it's empty.
wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
self.assertEqual(0, len(wl.items), "The initial system level CVE allowlist is not empty: %s" % wl.items)
# 2. User(RA) updates the system level CVE allowlist, verify it's failed.
cves = ['CVE-2019-12310']
self.system.set_cve_whitelist(None, 403, *cves, **self.USER_RA_CLIENT)
self.system.set_cve_allowlist(None, 403, *cves, **self.USER_RA_CLIENT)
# 3. Update user(RA) to system admin
self.user.update_user_role_as_sysadmin(self.user_ra_id, True, **ADMIN_CLIENT)
# 4. User(RA) updates the system level CVE whitelist, verify it's successful.
self.system.set_cve_whitelist(None, 200, *cves, **self.USER_RA_CLIENT)
# 5. User(RA) reads the system level CVE whitelist, verify the CVE list is updated.
expect_wl = [swagger_client.CVEWhitelistItem(cve_id='CVE-2019-12310')]
wl = self.system.get_cve_whitelist(**self.USER_RA_CLIENT)
# 4. User(RA) updates the system level CVE allowlist, verify it's successful.
self.system.set_cve_allowlist(None, 200, *cves, **self.USER_RA_CLIENT)
# 5. User(RA) reads the system level CVE allowlist, verify the CVE list is updated.
expect_wl = [swagger_client.CVEAllowlistItem(cve_id='CVE-2019-12310')]
wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
self.assertIsNone(wl.expires_at)
self.assertEqual(expect_wl, wl.items)
# 6. User(RA) updates the expiration date of system level CVE whitelist.
# 6. User(RA) updates the expiration date of system level CVE allowlist.
exp = int(time.time()) + 3600
self.system.set_cve_whitelist(exp, 200, *cves, **self.USER_RA_CLIENT)
# 7. User(RA) reads the system level CVE whitelist, verify the expiration date is updated.
wl = self.system.get_cve_whitelist(**self.USER_RA_CLIENT)
self.system.set_cve_allowlist(exp, 200, *cves, **self.USER_RA_CLIENT)
# 7. User(RA) reads the system level CVE allowlist, verify the expiration date is updated.
wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
self.assertEqual(exp, wl.expires_at)
def tearDown(self):
print("TearDown: Clearing the Whitelist")
self.system.set_cve_whitelist(**ADMIN_CLIENT)
print("TearDown: Clearing the Allowlist")
self.system.set_cve_allowlist(**ADMIN_CLIENT)
print("TearDown: Deleting user: %d" % self.user_ra_id)
self.user.delete_user(self.user_ra_id, **ADMIN_CLIENT)
if __name__ == '__main__':
unittest.main()
unittest.main()


@ -316,14 +316,14 @@ Switch To GC History
Retry Element Click xpath=${gc_log_xpath}
Retry Wait Until Page Contains Job
Add Items To System CVE Whitelist
Add Items To System CVE Allowlist
[Arguments] ${cve_id}
Retry Element Click ${configuration_system_wl_add_btn}
Retry Text Input ${configuration_system_wl_textarea} ${cve_id}
Retry Element Click ${configuration_system_wl_add_confirm_btn}
Retry Element Click ${config_system_save_button_xpath}
Delete Top Item In System CVE Whitelist
Delete Top Item In System CVE Allowlist
[Arguments] ${count}=1
:FOR ${idx} IN RANGE 1 ${count}
\ Retry Element Click ${configuration_system_wl_delete_a_cve_id_icon}


@ -33,8 +33,8 @@ ${gc_log_details_xpath} //*[@id='clr-dg-row26']/clr-dg-cell[6]/a
${configuration_system_tabsheet_id} //*[@id='config-system']
${configuration_project_quotas_tabsheet_id} //*[@id='config-quotas']
${configuration_system_wl_add_btn} //*[@id='show-add-modal-button']
${configuration_system_wl_textarea} //*[@id='whitelist-textarea']
${configuration_system_wl_textarea} //*[@id='allowlist-textarea']
${configuration_system_wl_add_confirm_btn} //*[@id='add-to-system']
${configuration_system_wl_delete_a_cve_id_icon} //system-settings/form/section//ul/li[1]/a[2]/clr-icon
${configuration_sys_repo_readonly_chb_id} //*[@id='repo_read_only_lbl']
${checkbox_delete_untagged_artifacts} //gc-config//clr-toggle-wrapper/label[contains(@for,'delete_untagged')]
${checkbox_delete_untagged_artifacts} //gc-config//clr-toggle-wrapper/label[contains(@for,'delete_untagged')]


@ -53,33 +53,33 @@ Prevent Running Should Be Selected
Auto Scan Should Be Selected
Checkbox Should Be Selected //hbr-project-policy-config//input[@name='scan-image-on-push']
Select System CVE Whitelist
Select System CVE Allowlist
Retry Element Click ${project_config_system_wl_radio_input}
Select Prject CVE Whitelist
Select Prject CVE Allowlist
Retry Element Click ${project_config_project_wl_radio_input}
Add System CVE Whitelist to Project CVE Whitelist By Add System Button Click
Add System CVE Allowlist to Project CVE Allowlist By Add System Button Click
Goto Project Config
Select Prject CVE Whitelist
Select Prject CVE Allowlist
Retry Element Click ${project_configuration_wl_project_add_system_btn}
Retry Element Click ${project_config_save_btn}
Set Project To Project Level CVE Whitelist
Set Project To Project Level CVE Allowlist
Goto Project Config
Select Prject CVE Whitelist
Select Prject CVE Allowlist
Retry Element Click ${project_config_save_btn}
Add Items to Project CVE Whitelist
Add Items to Project CVE Allowlist
[Arguments] ${cve_id}
Goto Project Config
Select Prject CVE Whitelist
Select Prject CVE Allowlist
Retry Element Click ${project_config_project_wl_add_btn}
Retry Text Input ${configuration_system_wl_textarea} ${cve_id}
Retry Element Click ${project_config_project_wl_add_confirm_btn}
Retry Element Click ${project_config_save_btn}
Delete Top Item In Project CVE Whitelist
Delete Top Item In Project CVE Allowlist
[Arguments]
Goto Project Config
Retry Element Click ${project_configuration_wl_delete_a_cve_id_icon}


@ -65,12 +65,12 @@ ${project_config_prevent_vulnerable_images_from_running_checkbox} xpath=//input
${project_config_severity_select} xpath=//select[@id='severity']
${project_config_public_checkbox_label} xpath=//*[@id="clr-wrapper-public"]/div/clr-checkbox-wrapper/label
${project_config_prevent_vulenrability_checkbox_label} xpath=//*[@id='prevent-vulenrability-image']//clr-checkbox-wrapper//label
${project_config_system_wl_radio_input} xpath=//clr-radio-wrapper//label[contains(.,'System whitelist')]
${project_config_project_wl_radio_input} xpath=//clr-radio-wrapper//label[contains(.,'Project whitelist')]
${project_config_system_wl_radio_input_id} systemWhitelistOrProjectWhitelist
${project_config_project_wl_radio_input_id} systemWhitelistOrProjectWhitelist
${project_config_system_wl_radio_input} xpath=//clr-radio-wrapper//label[contains(.,'System allowlist')]
${project_config_project_wl_radio_input} xpath=//clr-radio-wrapper//label[contains(.,'Project allowlist')]
${project_config_system_wl_radio_input_id} systemAllowlistOrProjectAllowlist
${project_config_project_wl_radio_input_id} systemAllowlistOrProjectAllowlist
${project_config_project_wl_add_btn} xpath=//*[@id='show-add-modal']
${project_config_project_wl_add_confirm_btn} xpath=//*[@id='add-to-whitelist']
${project_config_project_wl_add_confirm_btn} xpath=//*[@id='add-to-allowlist']
${project_config_save_btn} xpath=//hbr-project-policy-config//button[contains(.,'SAVE')]
${project_add_count_quota_input_text_id} xpath=//*[@id='create_project_count_limit']
${project_add_storage_quota_input_text_id} xpath=//*[@id='create_project_storage_limit']


@ -352,9 +352,9 @@ Verify System Setting
Robot Account Token Must Be Match @{robot_token}[0]
Close Browser
Verify Project-level Whitelist
Verify Project-level Allowlist
[Arguments] ${json}
Log To Console "Verify Project-level Whitelist..."
Log To Console "Verify Project-level Allowlist..."
@{project}= Get Value From Json ${json} $.projects.[*].name
Init Chrome Driver
Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD}
@ -363,8 +363,8 @@ Verify Project-level Whitelist
\ ${has_image} Set Variable If @{out_has_image}[0] == ${true} ${true} ${false}
\ Go Into Project ${project} has_image=${has_image}
\ Switch To Project Configuration
\ @{is_reuse_sys_cve_whitelist}= Get Value From Json ${json} $.projects[?(@.name=${project})].configuration.reuse_sys_cve_whitelist
\ Run Keyword If "@{is_reuse_sys_cve_whitelist}[0]" == "true" Retry Wait Element Should Be Disabled ${project_config_project_wl_add_btn}
\ @{is_reuse_sys_cve_allowlist}= Get Value From Json ${json} $.projects[?(@.name=${project})].configuration.reuse_sys_cve_allowlist
\ Run Keyword If "@{is_reuse_sys_cve_allowlist}[0]" == "true" Retry Wait Element Should Be Disabled ${project_config_project_wl_add_btn}
\ ... ELSE Retry Wait Element ${project_config_project_wl_add_btn}
\ @{cve_ids}= Get Value From Json ${json} $.projects[?(@.name=${project})].configuration.cve
\ Loop Verifiy CVE_IDs @{cve_ids}
@ -376,9 +376,9 @@ Loop Verifiy CVE_IDs
:For ${cve_id} In @{cve_ids}
\ Page Should Contain ${cve_id}
Verify System Setting Whitelist
Verify System Setting Allowlist
[Arguments] ${json}
Log To Console "Verify Verify System Setting Whitelist..."
Log To Console "Verify Verify System Setting Allowlist..."
@{cve_ids}= Get Value From Json ${json} $.configuration..cve..id
Init Chrome Driver
Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD}
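Review bot: The log line `Log To Console "Verify Verify System Setting Allowlist..."` in the last hunk keeps the doubled "Verify" from the old text; since the line is rewritten anyway, `Log To Console "Verify System Setting Allowlist..."` would fix it at no cost. The JSON path `$.projects[?(@.name=${project})].configuration.reuse_sys_cve_allowlist` in the first hunk now depends on the test-data file carrying the renamed key, which the data.json section later in this commit does provide, so the two must always move together. The locator variable `${project_config_project_wl_add_btn}` still carries the old `wl` abbreviation; harmless for a rename commit, but worth a follow-up if the aim is to remove the old term from the test code entirely. The keyword bodies continue outside the hunks.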


@ -223,8 +223,8 @@ Helm3 CLI Push Without Sign In Harbor
Retry Double Keywords When Error Go Into Chart Version ${harbor_chart_name} Retry Wait Until Page Contains ${harbor_chart_version}
Capture Page Screenshot
#Important Note: All CVE IDs in CVE Whitelist cases must unique!
Body Of Verfiy System Level CVE Whitelist
#Important Note: All CVE IDs in CVE Allowlist cases must unique!
Body Of Verfiy System Level CVE Allowlist
[Arguments] ${image_argument} ${sha256_argument} ${most_cve_list} ${single_cve}
[Tags] run-once
Init Chrome Driver
@ -248,17 +248,17 @@ Body Of Verfiy System Level CVE Whitelist
Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD}
Switch To Configure
Switch To Configuration System Setting
# Add Items To System CVE Whitelist CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645
Add Items To System CVE Whitelist ${most_cve_list}
# Add Items To System CVE Allowlist CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645
Add Items To System CVE Allowlist ${most_cve_list}
Cannot Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256} err_msg=cannot be pulled due to configured policy
# Add Items To System CVE Whitelist CVE-2019-18276
Add Items To System CVE Whitelist ${single_cve}
# Add Items To System CVE Allowlist CVE-2019-18276
Add Items To System CVE Allowlist ${single_cve}
Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Delete Top Item In System CVE Whitelist count=6
Delete Top Item In System CVE Allowlist count=6
Cannot Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256} err_msg=cannot be pulled due to configured policy
Close Browser
Body Of Verfiy Project Level CVE Whitelist
Body Of Verfiy Project Level CVE Allowlist
[Arguments] ${image_argument} ${sha256_argument} ${most_cve_list} ${single_cve}
[Tags] run-once
Init Chrome Driver
@ -278,15 +278,15 @@ Body Of Verfiy Project Level CVE Whitelist
Go Into Repo project${d}/${image}
Scan Repo ${sha256} Succeed
Go Into Project project${d}
Add Items to Project CVE Whitelist ${most_cve_list}
Add Items to Project CVE Allowlist ${most_cve_list}
Cannot Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Add Items to Project CVE Whitelist ${single_cve}
Add Items to Project CVE Allowlist ${single_cve}
Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Delete Top Item In Project CVE Whitelist
Delete Top Item In Project CVE Allowlist
Cannot Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Close Browser
Body Of Verfiy Project Level CVE Whitelist By Quick Way of Add System
Body Of Verfiy Project Level CVE Allowlist By Quick Way of Add System
[Arguments] ${image_argument} ${sha256_argument} ${cve_list}
[Tags] run-once
Init Chrome Driver
@ -298,7 +298,7 @@ Body Of Verfiy Project Level CVE Whitelist By Quick Way of Add System
Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD}
Switch To Configure
Switch To Configuration System Setting
Add Items To System CVE Whitelist ${cve_list}
Add Items To System CVE Allowlist ${cve_list}
Logout Harbor
Sign In Harbor ${HARBOR_URL} ${signin_user} ${signin_pwd}
Create An New Project And Go Into Project project${d}
@ -310,8 +310,8 @@ Body Of Verfiy Project Level CVE Whitelist By Quick Way of Add System
Scan Repo ${sha256} Succeed
Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Go Into Project project${d}
Set Project To Project Level CVE Whitelist
Set Project To Project Level CVE Allowlist
Cannot Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Add System CVE Whitelist to Project CVE Whitelist By Add System Button Click
Add System CVE Allowlist to Project CVE Allowlist By Add System Button Click
Pull Image ${ip} ${signin_user} ${signin_pwd} project${d} ${image} tag=${sha256}
Close Browser
Close Browser
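Review bot: The rewritten comment `#Important Note: All CVE IDs in CVE Allowlist cases must unique!` still lacks its verb; as the line is being touched, `#Important Note: All CVE IDs in CVE Allowlist cases must be unique!` reads correctly, and the same comment recurs in the two test-suite file sections further down. The keyword names `Body Of Verfiy System Level CVE Allowlist`, `Body Of Verfiy Project Level CVE Allowlist` and `Body Of Verfiy Project Level CVE Allowlist By Quick Way of Add System` carry the `Verfiy` misspelling through the rename; every caller is already edited in this commit, so correcting the spelling here would be cheap, though it can be deferred. The keyword bodies extend beyond the hunks shown.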


@ -78,13 +78,13 @@ Test Case - Project Quota
[Tags] quota
Harbor API Test ./tests/apitests/python/test_project_quota.py
Test Case - System Level CVE Whitelist
Test Case - System Level CVE Allowlist
[Tags] sys_cve
Harbor API Test ./tests/apitests/python/test_sys_cve_whitelists.py
Harbor API Test ./tests/apitests/python/test_sys_cve_allowlists.py
Test Case - Project Level CVE Whitelist
Test Case - Project Level CVE Allowlist
[Tags] pro_cve
Harbor API Test ./tests/apitests/python/test_project_level_cve_whitelist.py
Harbor API Test ./tests/apitests/python/test_project_level_cve_allowlist.py
Test Case - Tag Retention
[Tags] tag_retention


@ -102,15 +102,15 @@ Test Case - Project Level Image Serverity Policy
Navigate To Projects
Go Into Project project${d}
Set Vulnerabilty Serverity 3
Cannot Pull Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} ${image} tag=${sha256} err_msg=To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE whitelist
Cannot Pull Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} ${image} tag=${sha256} err_msg=To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE allowlist
Close Browser
#Important Note: All CVE IDs in CVE Whitelist cases must unique!
Test Case - Verfiy System Level CVE Whitelist
Body Of Verfiy System Level CVE Whitelist mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946 CVE-2019-2969
#Important Note: All CVE IDs in CVE Allowlist cases must unique!
Test Case - Verfiy System Level CVE Allowlist
Body Of Verfiy System Level CVE Allowlist mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946 CVE-2019-2969
Test Case - Verfiy Project Level CVE Whitelist
Body Of Verfiy Project Level CVE Whitelist mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946 CVE-2019-2969
Test Case - Verfiy Project Level CVE Allowlist
Body Of Verfiy Project Level CVE Allowlist mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946 CVE-2019-2969
Test Case - Verfiy Project Level CVE Whitelist By Quick Way of Add System
Body Of Verfiy Project Level CVE Whitelist By Quick Way of Add System mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946\nCVE-2019-2969
Test Case - Verfiy Project Level CVE Allowlist By Quick Way of Add System
Body Of Verfiy Project Level CVE Allowlist By Quick Way of Add System mariadb b5e273ed46d2b5a1c96bf8f3ae37aa5e90c6c481e7f7ae66744610d7df79cbd1 CVE-2019-13050\nCVE-2018-19591\nCVE-2018-11236\nCVE-2018-11237\nCVE-2019-13627\nCVE-2018-20839\nCVE-2019-2923\nCVE-2019-2922\nCVE-2019-2911\nCVE-2019-2914\nCVE-2019-2924\nCVE-2019-2910\nCVE-2019-2938\nCVE-2019-2993\nCVE-2019-2974\nCVE-2019-2960\nCVE-2019-2948\nCVE-2019-2946\nCVE-2019-2969
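Review bot: The assertion `err_msg=To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE allowlist` in the first hunk now expects the server to say "allowlist"; if `Cannot Pull Image` matches the pull error verbatim, this case passes only when the backend message is changed in the same commit and fails against any build that still emits the old wording. Should this suite also run against older releases, matching on a stable fragment such as `exempt matched vulnerabilities` would decouple the test from that string. The same expected text appears in the following test-suite file section. The remaining lines are keyword renames with the CVE fixture lists left as they were.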


@ -106,15 +106,15 @@ Test Case - Project Level Image Serverity Policy
Navigate To Projects
Go Into Project project${d}
Set Vulnerabilty Serverity 3
Cannot Pull Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} ${image} tag=${sha256} err_msg=To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE whitelist
Cannot Pull Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} ${image} tag=${sha256} err_msg=To continue with pull, please contact your project administrator to exempt matched vulnerabilities through configuring the CVE allowlist
Close Browser
#Important Note: All CVE IDs in CVE Whitelist cases must unique!
Test Case - Verfiy System Level CVE Whitelist
Body Of Verfiy System Level CVE Whitelist goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 CVE-2019-18276
#Important Note: All CVE IDs in CVE Allowlist cases must unique!
Test Case - Verfiy System Level CVE Allowlist
Body Of Verfiy System Level CVE Allowlist goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 CVE-2019-18276
Test Case - Verfiy Project Level CVE Whitelist
Body Of Verfiy Project Level CVE Whitelist goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 CVE-2019-18276
Test Case - Verfiy Project Level CVE Allowlist
Body Of Verfiy Project Level CVE Allowlist goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 CVE-2019-18276
Test Case - Verfiy Project Level CVE Whitelist By Quick Way of Add System
Body Of Verfiy Project Level CVE Whitelist By Quick Way of Add System goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 \nCVE-2019-18276
Test Case - Verfiy Project Level CVE Allowlist By Quick Way of Add System
Body Of Verfiy Project Level CVE Allowlist By Quick Way of Add System goharbor/harbor-portal 2cb6a1c24dd6b88f11fd44ccc6560cb7be969f8ac5f752802c99cae6bcd592bb CVE-2019-19317\nCVE-2019-19646 \nCVE-2019-5188 \nCVE-2019-20387 \nCVE-2019-17498 \nCVE-2019-20372 \nCVE-2019-19244 \nCVE-2019-19603 \nCVE-2019-19880 \nCVE-2019-19923 \nCVE-2019-19925 \nCVE-2019-19926 \nCVE-2019-19959 \nCVE-2019-20218 \nCVE-2019-19232 \nCVE-2019-19234 \nCVE-2019-19645 \nCVE-2019-18276


@ -236,7 +236,7 @@
"auto_scan":"true",
"prevent_vul":"true",
"severity":"high",
"reuse_sys_cve_whitelist":"false",
"reuse_sys_cve_allowlist":"false",
"deployment_security":{
"cve":[
{
@ -367,7 +367,7 @@
"auto_scan":"false",
"prevent_vul":"true",
"severity":"medium",
"reuse_sys_cve_whitelist":"true",
"reuse_sys_cve_allowlist":"true",
"deployment_security":{
"cve":[
]
@ -375,4 +375,4 @@
}
}
]
}
}


@ -129,7 +129,7 @@
"version":"1.10"
}
],
"add_sys_whitelist":[
"add_sys_allowlist":[
{
"branch":1,
"version":"1.9"
@ -139,7 +139,7 @@
"version":"1.10"
}
],
"update_project_setting_whitelist":[
"update_project_setting_allowlist":[
{
"branch":1,
"version":"1.9"
@ -199,4 +199,4 @@
"version":"1.10"
}
]
}
}


@ -155,7 +155,7 @@ class HarborAPI:
request(url+"projects/"+projectid+"", 'put', **body)
@get_feature_branch
def add_sys_whitelist(self, cve_id_list, **kwargs):
def add_sys_allowlist(self, cve_id_list, **kwargs):
cve_id_str = ""
if kwargs["branch"] == 1:
for index, cve_id in enumerate(cve_id_list["cve"]):
@ -168,7 +168,7 @@ class HarborAPI:
raise Exception(r"Error: Feature {} has no branch {}.".format(sys._getframe().f_code.co_name, branch))
@get_feature_branch
def update_project_setting_whitelist(self, project, reuse_sys_cve_whitelist, cve_id_list, **kwargs):
def update_project_setting_allowlist(self, project, reuse_sys_cve_whitelist, cve_id_list, **kwargs):
r = request(url+"projects?name="+project+"", 'get')
projectid = str(r.json()[0]['project_id'])
cve_id_str = ""
@ -475,8 +475,8 @@ def do_data_creation():
project["configuration"]["auto_scan"])
for project in data["projects"]:
harborAPI.update_project_setting_whitelist(project["name"],
project["configuration"]["reuse_sys_cve_whitelist"],
harborAPI.update_project_setting_allowlist(project["name"],
project["configuration"]["reuse_sys_cve_allowlist"],
project["configuration"]["deployment_security"], version=args.version)
harborAPI.update_interrogation_services(data["interrogation_services"]["cron"], version=args.version)
@ -490,6 +490,6 @@ def do_data_creation():
float(data["configuration"]["token"]),
float(data["configuration"]["robot_token"])*60*24)
harborAPI.add_sys_whitelist(data["configuration"]["deployment_security"], version=args.version)
harborAPI.add_sys_allowlist(data["configuration"]["deployment_security"], version=args.version)
do_data_creation()
do_data_creation()
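Review bot: `def update_project_setting_allowlist(self, project, reuse_sys_cve_whitelist, cve_id_list, **kwargs):` renames the method but leaves the parameter as `reuse_sys_cve_whitelist`, while its caller in `do_data_creation` now reads `project["configuration"]["reuse_sys_cve_allowlist"]`; renaming the parameter to `reuse_sys_cve_allowlist` would complete the change, but the body that uses it lies outside the hunk and has to be updated together with it. This helper is driven by `version=args.version` with feature branches for 1.9 and 1.10, so the field name it puts on the wire to the project API (not visible here) presumably still has to be whatever those releases accept; only the test-data key and Python identifiers should change, and that is worth confirming in the body. `@get_feature_branch` appears to key on the function name (the error path formats `sys._getframe().f_code.co_name`), so the renamed methods require the matching renamed entries in the feature-branch JSON, which the earlier section of this commit does supply. In the context line `raise Exception(r"Error: Feature {} has no branch {}.".format(sys._getframe().f_code.co_name, branch))`, `branch` is not bound from anything in view (the code reads `kwargs["branch"]`), so unless it is assigned earlier in the method the error path itself would raise NameError; pre-existing, but worth a look while here.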


@ -29,7 +29,7 @@ Test Case - Upgrade Verify
Run Keyword Verify Project ${data}
Run Keyword Verify Member Exist ${data}
Run Keyword Verify Robot Account Exist ${data}
Run Keyword Verify Project-level Whitelist ${data}
Run Keyword Verify Project-level Allowlist ${data}
Run Keyword Verify Webhook ${data}
Run Keyword Verify Tag Retention Rule ${data}
Run Keyword Verify User System Admin Role ${data}
@ -38,7 +38,7 @@ Test Case - Upgrade Verify
Run Keyword Verify Project Setting ${data}
Run Keyword Verify Interrogation Services ${data}
Run Keyword Verify System Setting ${data}
Run Keyword Verify System Setting Whitelist ${data}
Run Keyword Verify System Setting Allowlist ${data}
Run Keyword Verify Image Tag ${data}
Run Keyword Verify Trivy Is Default Scanner
@ -49,7 +49,7 @@ Test Case - Upgrade Verify
Run Keyword Verify Project ${data}
Run Keyword Verify Member Exist ${data}
Run Keyword Verify Robot Account Exist ${data}
Run Keyword Verify Project-level Whitelist ${data}
Run Keyword Verify Project-level Allowlist ${data}
Run Keyword Verify Webhook ${data}
Run Keyword Verify Tag Retention Rule ${data}
Run Keyword Verify Tag Immutability Rule ${data}
@ -59,6 +59,6 @@ Test Case - Upgrade Verify
Run Keyword Verify Project Setting ${data}
Run Keyword Verify Interrogation Services ${data}
Run Keyword Verify System Setting ${data}
Run Keyword Verify System Setting Whitelist ${data}
Run Keyword Verify System Setting Allowlist ${data}
Run Keyword Verify Image Tag ${data}
Run Keyword Verify Clair Is Default Scanner
Run Keyword Verify Clair Is Default Scanner