feat/vuln list command #748

Open
Sypher845 wants to merge 3 commits into goharbor:main from Sypher845:feat/vuln-list-command

@Sypher845
Contributor

Note: This is the second PR for the issue #723

Description

The PR adds the new harbor vuln list command. A command that displays the list of vulnerabilities along with filtering from the Security Hub.

Command usage

  • harbor vuln list (No filters)
    The CVE-IDs are hyperlinked to aquasec website (provided by the api)

  • harbor vuln list --query "k=v , , , k=[min~max]" : Using query flag based filtering

  • harbor vuln list (flags based filtering) : Using flags for filtering

  • harbor vuln list --fixable: Show only fixable vulnerabilities (cli side)

  • harbor vuln list --exclude : works opposite of query flag (cli side)

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Documentation update
  • Chore / maintenance

Signed-off-by: Sypher845 <suyashpatil845@gmail.com>

codecov bot commented Mar 16, 2026

Codecov Report

❌ Patch coverage is 0% with 143 lines in your changes missing coverage. Please review.
✅ Project coverage is 7.39%. Comparing base (60ad0bd) to head (2dc9c47).
⚠️ Report is 115 commits behind head on main.

Files with missing lines Patch % Lines
pkg/api/vulnerability_handler.go 0.00% 66 Missing ⚠️
cmd/harbor/root/vulnerability/list.go 0.00% 42 Missing ⚠️
pkg/views/vulnerability/list/view.go 0.00% 34 Missing ⚠️
cmd/harbor/root/vulnerability/cmd.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##             main    #748      +/-   ##
=========================================
- Coverage   10.99%   7.39%   -3.60%     
=========================================
  Files         173     267      +94     
  Lines        8671   13315    +4644     
=========================================
+ Hits          953     985      +32     
- Misses       7612   12219    +4607     
- Partials      106     111       +5     


Comment on lines +113 to +115
if opts.CVSSScore != "" {
queries = append(queries, fmt.Sprintf("cvss_score_v3=%s", opts.CVSSScore))
}
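
Review bot: `opts.CVSSScore` goes into the `cvss_score_v3=` term unchecked in the `fmt.Sprintf` call, so any string the user passes is sent as-is. Parse it into two numbers, check that both are valid scores with the minimum not above the maximum, and build the `[min~max]` form from the parsed values; a value carrying a comma or a second `k=v` would otherwise ride along as extra filter terms if the terms are joined with commas as in the `--query` usage.
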
Contributor

CVSS Score is a range match, not an exact match as per the docs

cve_id(exact match)
cvss_score_v3(range condition)
severity(exact match)
status(exact match)
repository_name(exact match)
project_id(exact match)
package(exact match)
tag(exact match)
digest(exact match)

This is the format k3=[min~max]

Contributor Author

So if the user inputs just a particular number, we convert it to [val~val]; is this the thing wanted?

Contributor

No, I would find out a way to make a range. Maybe have the flag be a string and tell in the help that the format is min:max, or you can think of something better.
If we can have range, we should have range.

Contributor Author

Currently I have implemented the string one, [min~max]; will look for something better.
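
The range handling discussed in this thread, as an added example that is not code from the PR or from the project: it accepts a `min:max` flag value, validates both ends as CVSS v3 scores, and rebuilds the `cvss_score_v3=[min~max]` term from the parsed numbers. The function names, the `min:max` parsing as written here and the one-decimal output format are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// cvssRangeTerm turns a user-supplied "min:max" flag value (hypothetical
// flag syntax) into the range term quoted in the thread: cvss_score_v3=[min~max].
func cvssRangeTerm(flag string) (string, error) {
	loStr, hiStr, ok := strings.Cut(strings.TrimSpace(flag), ":")
	if !ok {
		return "", fmt.Errorf("cvss range %q: want min:max", flag)
	}
	lo, err := parseScore(loStr)
	if err != nil {
		return "", err
	}
	hi, err := parseScore(hiStr)
	if err != nil {
		return "", err
	}
	if lo > hi {
		return "", fmt.Errorf("cvss range %q: min is greater than max", flag)
	}
	// Re-format from the parsed numbers so nothing from the raw input
	// (commas, brackets, extra k=v pairs) reaches the query string.
	return fmt.Sprintf("cvss_score_v3=[%s~%s]",
		strconv.FormatFloat(lo, 'f', 1, 64),
		strconv.FormatFloat(hi, 'f', 1, 64)), nil
}

// parseScore accepts one CVSS v3 score (0.0 to 10.0); Signbit also rejects "-0".
func parseScore(s string) (float64, error) {
	v, err := strconv.ParseFloat(strings.TrimSpace(s), 64)
	if err != nil || math.IsNaN(v) || math.Signbit(v) || v > 10 {
		return 0, fmt.Errorf("cvss score %q: want a number from 0 to 10", s)
	}
	return v, nil
}

func main() {
	for _, in := range []string{"7:10", "9.8:9.8", "9:7", "7:10,severity=Low"} {
		term, err := cvssRangeTerm(in) // constructed sample inputs
		fmt.Printf("%-22q -> %q err=%v\n", in, term, err)
	}
}
```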

Comment on lines +116 to +118
if opts.Severity != "" {
queries = append(queries, fmt.Sprintf("severity=%s", opts.Severity))
}
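
Review bot: `opts.Severity` is only tested for empty before `severity=%s` is built, so a misspelled or differently-cased value is forwarded as a filter. Compare it against the fixed set of severities the API accepts before appending, and return an error that lists the accepted values so a typo is reported to the user rather than sent as a filter.
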
Contributor

Check if severity is right or not, because severity can only be a handful of strings.
And Harbor won't return an error; it will just return an empty array.

Comment on lines +138 to +140
if opts.Q != "" {
queries = append(queries, opts.Q)
}
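
Review bot: `opts.Q` is appended verbatim after the flag-derived terms, so a key given both as a flag and inside `--query` ends up in `queries` twice with no defined precedence. Either reject the overlap with an error or document which one wins, and add a comment above the `append` stating that the string is passed through unparsed.
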
Contributor

Add a FIXME here,
And reference this in my draft PR #731.
This needs to be in the standard query format, but I plan to make changes to that, so you need not do it rn. But make a reference in the codebase (a FIXME comment saying what) and in the PR
