
SBOM Integration #22471

@magnonta

Problem Summary

Harbor recognizes SBOM attachments as accessories but fails to process and display SBOM content in the UI. While Harbor successfully detects SBOM artifacts and creates the SBOM tab with download functionality, it only displays metadata information (artifact type, size, creation time) but does not process or display the actual SBOM content (packages, dependencies, components). The SBOM tab shows empty package tables with "View Log" errors instead of the expected package listing.

🔧 Environment Details

  • Harbor Version: v2.12.2-ad93aa4c (8gears Container Registry - Harbor-based service)
  • Azure DevOps: YAML pipeline with Azure Key Vault integration
  • Container Registry: Harbor (registry.lcp.ai)
  • Tools Used:
    • Cosign: v2.4.1 (Harbor compatibility) + v3.x (latest) tested
    • Syft: latest (SBOM generation)
    • ORAS: v1.2.0 (OCI artifact management)
    • Docker Buildx: latest with BuildKit

Current Status

Working:

  • SBOM generation in SPDX and CycloneDX formats
  • Container signing with Azure Key Vault
  • SBOM attachment recognized by Harbor (creates SBOM tab)
  • Accessory creation (subject accessories visible)
  • SBOM download functionality available
  • Metadata display: Harbor shows artifact type, size, creation time, media type
  • Accessory detection: Harbor correctly identifies artifacts as SBOM accessories

Not Working:

  • SBOM content processing: Harbor doesn't parse the actual SBOM data
  • Package table population: No packages/components displayed in SBOM tab
  • Dependency visualization: No dependency information shown
  • Component analysis: Harbor shows only metadata, not actual SBOM content
  • Proper integration with Harbor's SBOM processor

Methods Attempted

1. Simple ORAS Attach (GitHub Issue #21276 Method)

Reference: #21276

oras attach --artifact-type application/vnd.goharbor.harbor.sbom.v1 \
  "$IMAGE_REF" \
  sbom.spdx.json \
  --disable-path-validation

Result: ✅ Attachment successful, ❌ Content not processed

2. Cosign Native SBOM Attachment

# Tested with both Cosign v2.4.1 and v3.x
cosign attach sbom --sbom sbom.spdx.json "$IMAGE_REF"

Result: ✅ Creates SBOM tab and accessory, ❌ Content not displayed (consistent across both versions)

3. Cosign Attestations

# Tested with both Cosign v2.4.1 and v3.x
cosign attest --key $(COSIGN_KEY) \
  --predicate sbom.spdx.json \
  --type spdxjson \
  "$IMAGE_REF" -y

Result: ✅ Attestation created in transparency log, ❌ Harbor doesn't process attestation content (consistent across both versions)

4. ORAS with Harbor Config Media Type

oras push "$ARTIFACT_REF" \
  --config config.json:application/vnd.goharbor.harbor.sbom.v1 \
  sbom.spdx.json:application/spdx+json

Issue: ORAS v1.2.0 doesn't support the --config flag
Result: ❌ Command failed

5. Harbor-Wrapped SBOM Format

{
  "sbom_format": "spdx",
  "sbom_version": "2.3", 
  "created_time": "timestamp",
  "image_ref": "image@digest",
  "sbom_content": { /* SPDX content */ }
}

Result: ✅ Attachment successful, ❌ Content still not processed

6. Harbor Security Report Format

{
  "scanner": {
    "name": "syft",
    "vendor": "anchore",
    "version": "latest"
  },
  "sbom": {
    "sbom_format": "spdx-json",
    "sbom_version": "2.3",
    "package_count": X,
    "content": { /* SPDX content */ }
  }
}

Media Type: application/vnd.security.vulnerability.report+json
Result: To be tested

Harbor Source Code Analysis

Based on Harbor source code analysis:

Subject Middleware (src/server/middleware/subject/subject.go)

  • Detects accessories via manifest subject field
  • Uses config media type for classification: application/vnd.goharbor.harbor.sbom.v1

SBOM Processor (src/pkg/accessory/model/subject/sbom.go)

  • Processes SBOM accessories for UI display
  • Expected to parse SBOM content and populate package tables

GenAccessoryArt Function (src/pkg/accessory/dao/util.go)

  • Generates accessory artifacts with proper subject references
  • Critical for Harbor's internal SBOM processing pipeline

Issue Analysis

The problem appears to be in Harbor's SBOM content processing pipeline:

  1. Accessory Detection: ✅ Working (Harbor creates SBOM tab)
  2. Metadata Processing: ✅ Working (shows artifact info, size, media type)
  3. Content Parsing: ❌ Failing (Harbor doesn't read/parse SBOM JSON content)
  4. Package Extraction: ❌ Failing (no packages extracted from SBOM)
  5. UI Integration: ❌ Shows "View Log" errors instead of package tables

Key Issue: Harbor treats SBOM as a generic binary artifact, displaying only external metadata (OCI manifest annotations, artifact properties) but not parsing the internal SBOM structure (packages, components, dependencies) that should populate the SBOM tab content.

Version Note: This issue occurs on Harbor v2.12.2-ad93aa4c with both Cosign v2.4.1 and v3.x versions tested. It's possible that full SBOM content processing was introduced in a later Harbor version (v2.13+), and the current version only supports SBOM accessory detection without content parsing. The issue is consistent across different Cosign versions, suggesting it's a Harbor-side processing limitation rather than a tool compatibility issue.

Evidence Screenshots

Harbor UI shows:

  • SBOM tab created with download button
  • Subject accessory of 387.06KiB attached
  • Metadata correctly displayed: artifact type application/vnd.goharbor.harbor.sbom.v1, size, timestamps
  • Content missing: Package table empty with "View Log" error indicators
  • Accessories view working: Proper artifact structure visible in Artifacts view
  • Download functional: SBOM file can be downloaded and contains valid JSON
  • SBOM structure intact: Downloaded SBOM contains proper SPDX/CycloneDX package data

🚀 Requests for Harbor Team

  1. Documentation: Clear specification of expected SBOM format for Harbor v2.12.2+
  2. Examples: Working examples of SBOM attachment that properly displays content (not just metadata)
  3. Debug Information: How to debug SBOM processing failures and content parsing issues
  4. Media Type Clarification: Correct media types for SBOM content processing vs metadata display
  5. API Documentation: Harbor scanner API integration for SBOM processing
  6. Content Parser: Details on how Harbor's SBOM processor extracts package information from SBOM JSON
  7. Processing Pipeline: Documentation of the complete flow from accessory detection to content display
  8. Version Compatibility: Confirm if Harbor v2.12.2 fully supports SBOM content processing or if it's a v2.13+ feature

Related Issues

Complete Pipeline Implementation

Full Azure DevOps pipeline implementation available showing all attempted methods:

  • Syft SBOM generation (SPDX + CycloneDX)
  • Cosign signing and attestation
  • Multiple ORAS attachment strategies
  • Harbor-specific format attempts

Expected Outcome

Harbor should:

  1. Recognize SBOM attachments (✅ Currently working)
  2. Process SBOM content (❌ Currently failing)
  3. Display package information in SBOM tab UI (❌ Currently failing)
  4. Enable vulnerability scanning of SBOM packages (🔄 Dependent on content processing)
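As a local diagnostic that is not part of this issue or of Harbor's code, the added Python example below applies the two checks the report attributes to Harbor's subject middleware (a `subject` field plus the `application/vnd.goharbor.harbor.sbom.v1` config media type) to a constructed accessory manifest, and counts the packages in a downloaded SBOM blob, unwrapping the method 5 and method 6 wrapper layouts first. All manifests, digests and SBOM content are constructed placeholders, and whether Harbor v2.12.2 parses any of these shapes is exactly what the issue asks the maintainers to confirm.

```python
import json

# Media types named in the issue; all sample data below is constructed, not Harbor output
HARBOR_SBOM_CONFIG = "application/vnd.goharbor.harbor.sbom.v1"
SBOM_LAYER_TYPES = {"application/spdx+json", "application/vnd.cyclonedx+json"}

def classify_accessory(manifest: dict) -> dict:
    """Apply the two checks the issue attributes to Harbor's subject middleware:
    the manifest carries a `subject` field and its config mediaType is the Harbor SBOM type."""
    layer_types = [layer.get("mediaType") for layer in manifest.get("layers", [])]
    return {
        "is_accessory": "subject" in manifest,
        "harbor_sbom": manifest.get("config", {}).get("mediaType") == HARBOR_SBOM_CONFIG,
        "sbom_layers": [t for t in layer_types if t in SBOM_LAYER_TYPES],
    }

def summarize_sbom(doc: dict) -> dict:
    """Count what a package table would show, first unwrapping the two wrapper
    layouts tried in the issue (method 5 `sbom_content`, method 6 `sbom.content`)."""
    if isinstance(doc.get("sbom_content"), dict):
        return summarize_sbom(doc["sbom_content"])
    if isinstance(doc.get("sbom"), dict) and isinstance(doc["sbom"].get("content"), dict):
        return summarize_sbom(doc["sbom"]["content"])
    if "spdxVersion" in doc:                      # SPDX JSON: packages[]
        items, fmt, ver = doc.get("packages", []), "spdx", doc["spdxVersion"]
    elif doc.get("bomFormat") == "CycloneDX":     # CycloneDX JSON: components[]
        items, fmt, ver = doc.get("components", []), "cyclonedx", doc.get("specVersion")
    else:
        return {"format": "unknown", "version": None, "package_count": 0, "names": []}
    return {"format": fmt, "version": ver, "package_count": len(items),
            "names": sorted(i.get("name", "") for i in items)}

def summarize_blob(text: str) -> dict:
    """Entry point for a downloaded SBOM blob (raw JSON text)."""
    return summarize_sbom(json.loads(text))

# Constructed accessory manifest: subject set and config typed as Harbor SBOM (digests are placeholders)
SAMPLE_MANIFEST = {
    "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "artifactType": HARBOR_SBOM_CONFIG,
    "config": {"mediaType": HARBOR_SBOM_CONFIG, "size": 2, "digest": "sha256:PLACEHOLDER"},
    "layers": [{"mediaType": "application/spdx+json", "size": 1234, "digest": "sha256:PLACEHOLDER"}],
    "subject": {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1, "digest": "sha256:PLACEHOLDER"},
}
# Constructed blob in the method-5 wrapper layout with a two-package SPDX document inside
SAMPLE_BLOB_TEXT = json.dumps({"sbom_format": "spdx", "sbom_version": "2.3", "sbom_content": {
    "spdxVersion": "SPDX-2.3", "packages": [{"name": "openssl"}, {"name": "zlib"}]}})
```

Running `classify_accessory` against the manifest actually pushed (fetched with the registry's referrers or manifest API) and `summarize_blob` against the downloaded file separates "Harbor never saw an SBOM-typed accessory" from "the content is present but not parsed", which is the distinction the report's steps 3 and 4 hinge on.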

