Fix severity handling for images with no vulnerabilities #31

Open
Malka123456 wants to merge 1 commit into goharbor:main from Malka123456:bugfix/no-severity-unknown

Conversation

@Malka123456

Fixes issue #20 from the Pluggable Scanner Spec.

Sets severity to "unknown" for images with no vulnerabilities.

Fixes a logging error in cmd/scanner-trivy.

Updates ensure consistent scanner report output and API compliance.

Signed-off-by: Malka123456 <malka988276@gmail.com>
Malka123456 force-pushed the bugfix/no-severity-unknown branch from b9865ec to 282a63d on August 20, 2025 12:26

@Malka123456 (Author)

Malka123456 commented Aug 21, 2025

Hi @Vad1mo ,
I’ve worked on fixing issue goharbor/pluggable-scanner-spec#20 in the pluggable scanner spec. After analyzing the issue, I found that the root cause is in harbor-scanner-trivy, where an empty string "" is returned when no severity is detected. This behavior is not allowed, so I updated the code to return "unknown" instead of an empty string when no severity is scanned.

I would really appreciate any suggestions for improvement, and I’m happy to make further changes based on your feedback.

Thank you for your time and review!

@reasonerjt

Sets severity to "unknown" for images with no vulnerabilities.

I don't think it's right. unknown normally means it has vuln but the severity is unknown. Let me double check the spec and talk to other maintainers.

@Malka123456 (Author)

You’re right — I was thinking the same. Currently, harbor-scanner-trivy does not support the Negligible severity, even though it exists in the pluggable-scanner-spec. The issue also suggested returning Negligible instead of "" when no severity is found.

In my opinion, it would make sense to add support for Negligible in harbor-scanner-trivy for consistency with the spec. What do you think about aligning it this way?

@reasonerjt

@Malka123456 I think "Negligible" is also a severity level, and putting it at the artifact/image level means there ARE CVEs, but the highest severity is "Negligible".

May I know what the problem would be if the image has severity as "" if there's no CVE at all?

@Malka123456 (Author)

Malka123456 commented Aug 26, 2025

@reasonerjt, thanks for clarifying. The concern with using an empty string ("") is that it’s not a valid enum value in goharbor/pluggable-scanner-spec#20.

That’s why returning "" could cause inconsistencies or issues when clients strictly validate against the spec. In this case, using Negligible (which is already defined in the spec) would be more consistent and spec-compliant.

@reasonerjt

@Malka123456
Sorry for the late response, I think it's a situation that was not very carefully thought about when the spec was written.
IMO it's acceptable to use an empty string to indicate that there's no CVE of the image as the value of "severity"
Let me check with developers who have more experience with the history of the spec.
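An added example, not code from harbor-scanner-trivy or from this PR, of the distinction the maintainers draw above: the artifact-level severity stays "" when there are no findings (since "Unknown" and "Negligible" both assert that a CVE exists), and a strict client then needs its own check to tell "no CVEs" from an invalid or self-contradicting report. The enum spelling, the ordering and the type names are assumptions.

```go
package main

import "fmt"

// One finding in a scan report (type and field names are assumptions).
type Vulnerability struct{ ID, Severity string }

// The spec's severity enum, lowest first. Exact spelling/casing is assumed;
// "" is deliberately absent because it is not an enum value.
var severityRank = map[string]int{
	"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5,
}

// ValidSeverity reports whether s is one of the enum values ("" is not).
func ValidSeverity(s string) bool {
	_, ok := severityRank[s]
	return ok
}

// HighestSeverity computes the artifact-level severity. With no findings it returns "",
// since "Unknown"/"Negligible" would claim a CVE exists; unrecognised values fold into "Unknown".
func HighestSeverity(vulns []Vulnerability) string {
	best, bestRank := "", -1
	for _, v := range vulns {
		sev := v.Severity
		if _, ok := severityRank[sev]; !ok {
			sev = "Unknown"
		}
		if r := severityRank[sev]; r > bestRank {
			best, bestRank = sev, r
		}
	}
	return best
}

// ClassifyReport is the check a strict client needs when "" means "no CVEs":
// it separates a clean image from a malformed or self-contradicting report.
func ClassifyReport(sev string, vulnCount int) (string, error) {
	switch {
	case sev == "" && vulnCount == 0:
		return "clean", nil
	case sev == "":
		return "", fmt.Errorf("empty severity but %d findings reported", vulnCount)
	case !ValidSeverity(sev):
		return "", fmt.Errorf("severity %q is not in the spec enum", sev)
	case vulnCount == 0:
		return "", fmt.Errorf("severity %q reported with no findings", sev)
	}
	return "findings", nil
}
```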
