Harbor: API can trigger scan but how do i get the report_id ?
Using Harbor API V2.0.. Curls from swagger....
When i run a simple scan.. no _report_id_ is returned just a 201 . created..
How do i find the _report_id_ generated by the scanner
For the call /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log
Where do i get the report_id parameter from?
My test curls >>
curl -v -X POST "https://harbor-host/api/v2.0/projects/my-project/repositories/my-repository/artifacts/v1.0.0/scan" \
-H "accept: application/json" \
-H "X-Request-Id: MyCorrelationId" \
-H "X-Harbor-CSRF-Token: crsf-token-43783487" \
-H "Accept: application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"
curl -v -X GET "https://harbor-host/api/v2.0/projects/my-project/repositories/my-repository/artifacts/v1.0.0/scan/{{ WHERE DO I GET THE REPOR_ID FROM }} /log" \
-H "accept: text/plain" \
-H "X-Request-Id: MyCorrelationId" \
-H "X-Harbor-CSRF-Token: crsf-token-43783487"
pingcrosby
All 3 comments
There's a query parameter named with_scan_overview when you get a list of artifacts of single artifact (demonstrated the latter below).
Using GET /api/v2.0/projects/library/repositories/centos/artifacts/7?page=1&page_size=10&with_tag=true&with_label=false&with_scan_overview=true&with_signature=false&with_immutable_status=false in the API explorer targetting a centos:7 image I replicated from docker hub, I get this back:
{
"addition_links": {
"vulnerabilities": {
"absolute": false,
"href": "/api/v2.0/projects/library/repositories/centos/artifacts/sha256:19a79828ca2e505eaee0ff38c2f3fd9901f4826737295157cc5212b7a372cd2b/additions/vulnerabilities"
}
},
"digest": "sha256:19a79828ca2e505eaee0ff38c2f3fd9901f4826737295157cc5212b7a372cd2b",
"id": 59,
"labels": null,
"manifest_media_type": "application/vnd.docker.distribution.manifest.list.v2+json",
"media_type": "application/vnd.docker.distribution.manifest.list.v2+json",
"project_id": 1,
"pull_time": "2020-09-17T11:40:26.359Z",
"push_time": "2020-09-16T00:00:45.441Z",
"references": [
{
"child_digest": "sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9",
"child_id": 52,
"parent_id": 59,
"platform": {
"OsFeatures": null,
"architecture": "amd64",
"os": "linux"
},
"urls": null
},
{
"child_digest": "sha256:9fd67116449f225c6ef60d769b5219cf3daa831c5a0a6389bbdd7c952b7b352d",
"child_id": 54,
"parent_id": 59,
"platform": {
"OsFeatures": null,
"architecture": "arm",
"os": "linux",
"variant": "v7"
},
"urls": null
},
{
"child_digest": "sha256:26255e69c5323b022338c61441c9adbed40ca86a6216ba98597cb24449841bc0",
"child_id": 55,
"parent_id": 59,
"platform": {
"OsFeatures": null,
"architecture": "arm64",
"os": "linux",
"variant": "v8"
},
"urls": null
},
{
"child_digest": "sha256:c76869e8a0b163b0da363bb1e4650822f138c6c8abdf267344c570ee47044129",
"child_id": 56,
"parent_id": 59,
"platform": {
"OsFeatures": null,
"architecture": "386",
"os": "linux"
},
"urls": null
},
{
"child_digest": "sha256:1d5e13acc3c26c3a35eb3eb95e40817b3410cc46cca1965f7a1257711b679ecf",
"child_id": 58,
"parent_id": 59,
"platform": {
"OsFeatures": null,
"architecture": "ppc64le",
"os": "linux"
},
"urls": null
}
],
"repository_id": 5,
"scan_overview": {
"application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0": {
"complete_percent": 100,
"duration": 156,
"end_time": "2020-09-16T00:02:55.910Z",
"report_id": "YzFiNjczZDAtYTY2Zi00ZTRmLTg2ZjktMzBkMTg1MmViMTM1fDJkYTE1ZmYyLWUxMzktNDhkMC1hMzliLTIwNWYwOTc0MzYwMnxhYzFmMTkzYS05YTEwLTQxZDgtYmNhYS0wYjlhNGVjNjRjOGJ8ZTkzZDgwZDUtNTE5OC00N2YxLTgyNDUtNjE2MWJlMWI5ZmZmfDEzNDA1N2ExLTg5ODktNDI0Ny05NjI2LWYyNTlhYzhhOWZmZg==",
"scan_status": "Success",
"severity": "High",
"start_time": "2020-09-16T00:00:19.596Z",
"summary": {
"fixable": 66,
"summary": {
"High": 21,
"Low": 13,
"Medium": 32
},
"total": 66
}
}
},
"size": 410220372,
"tags": [
{
"artifact_id": 59,
"id": 10,
"immutable": false,
"name": "7",
"pull_time": "2020-09-17T11:40:26.359Z",
"push_time": "2020-09-16T00:00:45.481Z",
"repository_id": 5,
"signed": false
}
],
"type": "IMAGE"
}
Assuming you saved the result of the query to a variable named result, it's just result["scan_overview"]["application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"]["report_id"]. The second key isn't documented in the API and could theoretically change unexpectedly (not sure where the value actually comes from), so if I was using python, it'd be something like:
overview = result["scan_overview"]
report_id = overview[list(overview.keys())[0]]["report_id"]
# use report_id here
The key here is to set is_scan_overview=true otherwise the object is missing from the result.
mattdowdell
on 18 Sep 2020
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] picture](https://avatars3.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 24 Dec 2020
Closed because mattdowdell answered this question.
heww
on 5 Jan 2021
Related issues
andrewtchin
路
3Comments
adomenech73
路
3Comments
cedvan
路
3Comments
levchik
路
4Comments
mramanathan
路
3Comments
Most helpful comment
There's a query parameter named
with_scan_overviewwhen you get a list of artifacts of single artifact (demonstrated the latter below).Using
GET /api/v2.0/projects/library/repositories/centos/artifacts/7?page=1&page_size=10&with_tag=true&with_label=false&with_scan_overview=true&with_signature=false&with_immutable_status=falsein the API explorer targetting a centos:7 image I replicated from docker hub, I get this back:Assuming you saved the result of the query to a variable named
result, it's justresult["scan_overview"]["application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"]["report_id"]. The second key isn't documented in the API and could theoretically change unexpectedly (not sure where the value actually comes from), so if I was using python, it'd be something like:The key here is to set
is_scan_overview=trueotherwise the object is missing from the result.