This repository has been archived by the owner on Sep 20, 2024. It is now read-only.

File containing the security issue (target) is not stored #344

Open
idlefella opened this issue Jun 1, 2023 · 0 comments

Comments

@idlefella

What steps did you take and what happened:

When running the trivy image scanner directly against an image, the output contains the path to the file containing the issue (Results->Target), e.g.:

{
  "SchemaVersion": 2,
  "ArtifactName": "harbor.suvanet.ch/butterfly-intern/mlp/openshift-jenkins-slave-aio:v1.4.6",
  "ArtifactType": "container_image",
  "Metadata": [],
  "Results": [
    {
      "Target": "usr/local/bin/yq",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": []
    }
  ]
}

So in this case it is the yq binary located at usr/local/bin/yq.

That Target/Path to the file is missing in the output of the REST API from harbor:

{
    "application/vnd.security.vulnerability.report; version=1.1": {
        "generated_at": "2023-05-28T01:11:39.336454209Z",
        "scanner": {
            "name": "Trivy",
            "vendor": "Aqua Security",
            "version": "v0.35.0"
        },
        "severity": "Critical",
        "vulnerabilities": [
            {
                "id": "CVE-2021-44716",
                "package": "golang.org/x/net",
                "version": "v0.0.0-20201110031124-69a78807bb2b",
                "fix_version": "0.0.0-20211209124913-491a49abca63",
                "severity": "High",
                "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.",
                "links": [
                    "https://avd.aquasec.com/nvd/cve-2021-44716"
                ],
                "artifact_digests": [
                    "sha256:81e6c22620a3d439f03538702996e2d571f8cbcc9b44380f6f98f3b00ad80d5b"
                ],
                "preferred_cvss": {
                    "score_v3": null,
                    "score_v2": null,
                    "vector_v3": "",
                    "vector_v2": ""
                },
                "cwe_ids": [
                    "CWE-400"
                ],
                "vendor_attributes": {
                    "CVSS": {
                        "nvd": {
                            "V2Score": 5,
                            "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                            "V3Score": 7.5,
                            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        "redhat": {
                            "V3Score": 7.5,
                            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    }
                }
            }
        ]
    }
}

What did you expect to happen:

The REST API from harbor should report the Target/Path to the file containing the vulnerability as reported by trivy.

Anything else you would like to add:

Unfortunately I wasn't able to test with the latest version of harbor, but the demo server at https://demo.goharbor.io/ doesn't report the target either.

Environment:

  • Harbor version: v2.6.3
  • Harbor Scanner Adapter for Trivy version: v0.30.6
  • Harbor installation process (Installer script, Helm chart, etc.): unknown
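As an added example (not code from the issue or from the harbor-scanner-trivy project), a Python sketch of the flattening the report asks for: Trivy's per-Target Results are merged into Harbor-style vulnerability entries while keeping the Target paths, run over a constructed Trivy report in the shape shown above. The `targets` key is an assumed extension, not a field of Harbor's report schema.

```python
import json

# Constructed sample in the shape of Trivy's JSON output (not a real scan):
# two Results targets share one CVE, so the flattening must keep both paths.
TRIVY_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "registry.example.invalid/app:1.0",
  "ArtifactType": "container_image",
  "Results": [
    {"Target": "usr/local/bin/yq", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2021-44716", "PkgName": "golang.org/x/net",
        "InstalledVersion": "v0.0.0-20201110031124-69a78807bb2b",
        "FixedVersion": "0.0.0-20211209124913-491a49abca63", "Severity": "HIGH"}]},
    {"Target": "usr/local/bin/other-tool", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2021-44716", "PkgName": "golang.org/x/net",
        "InstalledVersion": "v0.0.0-20201110031124-69a78807bb2b",
        "FixedVersion": "0.0.0-20211209124913-491a49abca63", "Severity": "HIGH"}]}
  ]
}
""")


def flatten_with_target(report):
    """Flatten Trivy Results into Harbor-style vulnerability entries, keeping the
    Target path of every location where a finding was seen. One entry is kept per
    (id, package, version) so the same CVE in two binaries is not double-counted."""
    findings = {}
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"], v.get("InstalledVersion", ""))
            entry = findings.setdefault(key, {
                "id": v["VulnerabilityID"],
                "package": v["PkgName"],
                "version": v.get("InstalledVersion", ""),
                "fix_version": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").capitalize(),
                "targets": [],  # assumed extra field: all paths carrying this finding
            })
            if target and target not in entry["targets"]:
                entry["targets"].append(target)
    return list(findings.values())


if __name__ == "__main__":
    print(json.dumps(flatten_with_target(TRIVY_REPORT), indent=2))
```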