Harbor Scanner Adapter Release Notes - Version 1.4.1

Harbor Scanner Adapter v1.4.1

Fixes

  • The “Fixed in Version” field for vulnerabilities is no longer empty. The scanner adapter v1.4.1 now provides the information so that Harbor can display it.

    Further details regarding the “Fixed in version” field of vulnerabilities in Harbor and what can be expected from the bug fix in v1.4.1:

    When an image is scanned for vulnerabilities, Harbor stores the detected vulnerabilities in a database table. Bindings between the image and its vulnerabilities are stored in another database table.

    If another scanned image has a vulnerability that already exists in the database, that image is also bound to the existing vulnerability. Even if the new scan provides updated information about the vulnerability (such as “fixed in version”), the vulnerability info in the Harbor database is not updated.

    This has the consequence that the “fixed in version” field may still be unpopulated even if harbor-scanner-adapter v1.4.1 provides that value.

    Example:

    Image A has vulnerabilities X and Y and is scanned in a deployment with harbor-scanner-adapter v1.4.0 (or earlier). Result: Image A’s vulnerabilities X and Y will have an empty “fixed in version” value in Harbor.

    The same deployment is later updated to use harbor-scanner-adapter v1.4.1. Image A is rescanned. Result: Image A’s vulnerabilities X and Y will still have an empty “fixed in version” value in Harbor.

    Image B, which has vulnerabilities X and Z, is scanned next in Harbor. Result: Image B’s vulnerability X will have an empty “fixed in version” value. Image B’s vulnerability Z will have “fixed in version” populated (if it had a non-empty value).
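The storage behaviour described above can be replayed with a small model, added here as an example (it is not Harbor's or the adapter's own code). The table names, column names and version strings are constructed, and SQLite's insert-if-absent stands in for however Harbor leaves existing vulnerability rows unchanged.

```python
import sqlite3

# Constructed model of the behaviour described above. Table and column names
# are hypothetical; this is not Harbor's real schema.
SCHEMA = """
CREATE TABLE vulnerability (vuln_id TEXT PRIMARY KEY, fixed_version TEXT NOT NULL);
CREATE TABLE image_vulnerability (
    image TEXT NOT NULL,
    vuln_id TEXT NOT NULL REFERENCES vulnerability(vuln_id),
    PRIMARY KEY (image, vuln_id)
);
"""

def new_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_scan(db, image, findings):
    """Store one scan report. findings maps vulnerability id -> fixed version."""
    for vuln_id, fixed in findings.items():
        # Insert-if-absent: an existing vulnerability row is left untouched,
        # so a fixed version reported by a later scan is dropped.
        db.execute("INSERT OR IGNORE INTO vulnerability VALUES (?, ?)", (vuln_id, fixed))
        db.execute("INSERT OR IGNORE INTO image_vulnerability VALUES (?, ?)", (image, vuln_id))
    db.commit()

def report(db, image):
    """Return {vuln_id: fixed_version} as it would be shown for an image."""
    rows = db.execute(
        "SELECT v.vuln_id, v.fixed_version FROM image_vulnerability b "
        "JOIN vulnerability v ON v.vuln_id = b.vuln_id "
        "WHERE b.image = ? ORDER BY v.vuln_id",
        (image,),
    )
    return dict(rows.fetchall())

def replay_release_note_example():
    db = new_store()
    # Adapter v1.4.0 or earlier: no fixed version is supplied.
    record_scan(db, "A", {"X": "", "Y": ""})
    # Adapter v1.4.1: fixed versions are supplied (constructed values),
    # first on the rescan of image A, then on the first scan of image B.
    record_scan(db, "A", {"X": "1.2.3", "Y": "4.5.6"})
    record_scan(db, "B", {"X": "1.2.3", "Z": "7.8.9"})
    return report(db, "A"), report(db, "B")

if __name__ == "__main__":
    print(replay_release_note_example())
```

In this model only vulnerability Z, first seen after the upgrade, carries a fixed version; X and Y keep the empty value stored by the earlier scan.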

Changelog

https://github.com/anchore/harbor-scanner-adapter/releases/tag/v1.4.1

Last modified December 3, 2024