Skip to content

feat/vuln list command #748

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Sypher845 wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat/vuln list command #748

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
982a216
feat(api): add vuln list handler for Security Hub endpoint
Sypher845 Mar 16, 2026
317cae0
feat(vuln): vuln list command and view
Sypher845 Mar 16, 2026
8eb543c
docs: cli and man page docs for vuln list command
Sypher845 Mar 16, 2026
a744965
refactor: vuln filtering logic
Sypher845 Mar 19, 2026
86b2cf3
refractor: add 'all' flag to fetch all vuln upto 1000
Sypher845 Mar 20, 2026
12051ea
chore(vuln): remove raw --query flag
Sypher845 Mar 24, 2026
013e125
refactor(vuln): improve vulnerability list filtering flow
Sypher845 Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cmd/harbor/root/vulnerability/cmd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ func Vulnerability() *cobra.Command {

cmd.AddCommand(
GetVulnerabilitySummaryCommand(),
ListVulnerabilitiesCommand(),
)

return cmd
Expand Down
123 changes: 123 additions & 0 deletions cmd/harbor/root/vulnerability/list.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
// Copyright Project Harbor Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package vulnerability

import (
"fmt"

"github.com/goharbor/go-client/pkg/sdk/v2.0/models"
"github.com/goharbor/harbor-cli/pkg/api"
"github.com/goharbor/harbor-cli/pkg/utils"
vulnlist "github.com/goharbor/harbor-cli/pkg/views/vulnerability/list"
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)

func ListVulnerabilitiesCommand() *cobra.Command {
var opts api.ListVulnerabilityOptions

cmd := &cobra.Command{
Use: "list",
Short: "List vulnerabilities in Security Hub",
Long: "List vulnerabilities from Harbor Security Hub",
Example: ` harbor vulnerability list`,
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
if opts.Page < 1 {
return fmt.Errorf("page number must be greater than or equal to 1")
}

if opts.PageSize <= 0 || opts.PageSize > 100 {
return fmt.Errorf("page size must be greater than 0 and less than or equal to 100")
}

allVulnerabilities, hasNext, err := fetchVulnerabilities(opts)
if err != nil {
return fmt.Errorf("failed to list vulnerabilities: %v", utils.ParseHarborErrorMsg(err))
}

if len(allVulnerabilities) == 0 {
log.Info("No vulnerabilities found")
return nil
}

formatFlag := viper.GetString("output-format")
if formatFlag != "" {
err = utils.PrintFormat(allVulnerabilities, formatFlag)
if err != nil {
return err
}
} else {
vulnlist.ViewVulnerabilityList(allVulnerabilities, hasNext)
}

return nil
},
}

flags := cmd.Flags()
flags.Int64VarP(&opts.Page, "page", "", 1, "Page number")
flags.Int64VarP(&opts.PageSize, "page-size", "", 10, "Size of per page")
flags.StringVarP(&opts.CVEID, "cve-id", "", "", "Filter by exact CVE ID")
flags.StringVarP(&opts.CVSSScore, "cvss-score", "", "", "Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)")
flags.StringVarP(&opts.Severity, "severity", "", "", "Filter by severity level")
flags.StringVarP(&opts.Repository, "repository", "", "", "Filter by exact repository name")
flags.StringVarP(&opts.ProjectName, "project-name", "", "", "Filter by exact project name")
flags.StringVarP(&opts.Package, "package", "", "", "Filter by exact package name")
flags.StringVarP(&opts.Tag, "tag", "", "", "Filter by exact artifact tag")
flags.StringVarP(&opts.Digest, "digest", "", "", "Filter by exact artifact digest")
Comment on lines +70 to +80
Copy link
Copy Markdown
Contributor

@NucleoFusion NucleoFusion Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bupd @qcserestipy
Should we have this many flags? would it be better to just have the Q param?
And since I am planning a PR on adding validKeys and usage to the query param about how it works in #731 .

Cause managing the current BuildQuery function takes the flags and just creates the full query, so integrating these two would be a little unintuitive.
And then also another problem is the individual flags are rigid, no support for exact/fuzzy switch, and there are also the Q params rigidity, like the params dont allow/follow 2 exact matching, they only do one. Using the Q would also allow or and and.

Copy link
Copy Markdown
Contributor Author

@Sypher845 Sypher845 Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one thing to note, the SecurityHub API doesn't actually suport the fuzzy match, union and intersection for vuln fields.

flags.StringVarP(&opts.Exclude, "exclude", "", "", "Exclude vulnerabilities using a ',' separated query string (e.g., k=v or k=[min~max])")
flags.BoolVarP(&opts.Fixable, "fixable", "", false, "Only show fixable vulnerabilities")
flags.BoolVarP(&opts.All, "all", "", false, "Show all vulnerabilities (up to 1000)")

return cmd
}

func fetchVulnerabilities(opts api.ListVulnerabilityOptions) ([]*models.VulnerabilityItem, bool, error) {
if opts.All {
var allVulnerabilities []*models.VulnerabilityItem

log.Debug("Fetching all vulnerabilities")
opts.PageSize = 100
opts.Page = 1

for {
vulnerabilities, err := api.ListVulnerabilities(opts)
if err != nil {
return nil, false, err
}

if len(vulnerabilities) == 0 {
break
}

allVulnerabilities = append(allVulnerabilities, vulnerabilities...)
opts.Page++

if opts.Page > 10 {
return allVulnerabilities, true, nil
}
}

return allVulnerabilities, false, nil
}

vulnerabilities, err := api.ListVulnerabilities(opts)
if err != nil {
return nil, false, err
}

return vulnerabilities, false, nil
}
55 changes: 55 additions & 0 deletions doc/cli-docs/harbor-vulnerability-list.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: harbor vulnerability list
weight: 90
---
## harbor vulnerability list

### Description

##### List vulnerabilities in Security Hub

### Synopsis

List vulnerabilities from Harbor Security Hub

```sh
harbor vulnerability list [flags]
```

### Examples

```sh
harbor vulnerability list
```

### Options

```sh
--all Show all vulnerabilities (up to 1000)
--cve-id string Filter by exact CVE ID
--cvss-score string Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)
--digest string Filter by exact artifact digest
--exclude string Exclude vulnerabilities using a ',' separated query string (e.g., k=v or k=[min~max])
--fixable Only show fixable vulnerabilities
-h, --help help for list
--package string Filter by exact package name
--page int Page number (default 1)
--page-size int Size of per page (default 10)
--project-name string Filter by exact project name
--repository string Filter by exact repository name
--severity string Filter by severity level
--tag string Filter by exact artifact tag
```

### Options inherited from parent commands

```sh
-c, --config string config file (default is $HOME/.config/harbor-cli/config.yaml)
-o, --output-format string Output format. One of: json|yaml
-v, --verbose verbose output
```

### SEE ALSO

* [harbor vulnerability](harbor-vulnerability.md) - Manage vulnerabilities in Security Hub

1 change: 1 addition & 0 deletions doc/cli-docs/harbor-vulnerability.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,6 @@ List vulnerabilities and view vulnerability summary from Harbor Security Hub
### SEE ALSO

* [harbor](harbor.md) - Official Harbor CLI
* [harbor vulnerability list](harbor-vulnerability-list.md) - List vulnerabilities in Security Hub
* [harbor vulnerability summary](harbor-vulnerability-summary.md) - Get Security Hub vulnerability summary

93 changes: 93 additions & 0 deletions doc/man-docs/man1/harbor-vulnerability-list.1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
.nh
.TH "HARBOR" "1" "Harbor Community" "Harbor User Manuals"

.SH NAME
harbor-vulnerability-list - List vulnerabilities in Security Hub


.SH SYNOPSIS
\fBharbor vulnerability list [flags]\fP


.SH DESCRIPTION
List vulnerabilities from Harbor Security Hub


.SH OPTIONS
\fB--all\fP[=false]
Show all vulnerabilities (up to 1000)

.PP
\fB--cve-id\fP=""
Filter by exact CVE ID

.PP
\fB--cvss-score\fP=""
Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)

.PP
\fB--digest\fP=""
Filter by exact artifact digest

.PP
\fB--exclude\fP=""
Exclude vulnerabilities using a ',' separated query string (e.g., k=v or k=[min~max])

.PP
\fB--fixable\fP[=false]
Only show fixable vulnerabilities

.PP
\fB-h\fP, \fB--help\fP[=false]
help for list

.PP
\fB--package\fP=""
Filter by exact package name

.PP
\fB--page\fP=1
Page number

.PP
\fB--page-size\fP=10
Size of per page

.PP
\fB--project-name\fP=""
Filter by exact project name

.PP
\fB--repository\fP=""
Filter by exact repository name

.PP
\fB--severity\fP=""
Filter by severity level

.PP
\fB--tag\fP=""
Filter by exact artifact tag


.SH OPTIONS INHERITED FROM PARENT COMMANDS
\fB-c\fP, \fB--config\fP=""
config file (default is $HOME/.config/harbor-cli/config.yaml)

.PP
\fB-o\fP, \fB--output-format\fP=""
Output format. One of: json|yaml

.PP
\fB-v\fP, \fB--verbose\fP[=false]
verbose output


.SH EXAMPLE
.EX
harbor vulnerability list
.EE


.SH SEE ALSO
\fBharbor-vulnerability(1)\fP
2 changes: 1 addition & 1 deletion doc/man-docs/man1/harbor-vulnerability.1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,4 +38,4 @@ List vulnerabilities and view vulnerability summary from Harbor Security Hub


.SH SEE ALSO
\fBharbor(1)\fP, \fBharbor-vulnerability-summary(1)\fP
\fBharbor(1)\fP, \fBharbor-vulnerability-list(1)\fP, \fBharbor-vulnerability-summary(1)\fP
17 changes: 17 additions & 0 deletions pkg/api/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,20 @@ type GetMemberOptions struct {
ID int64
ProjectNameOrID string
}

type ListVulnerabilityOptions struct {
CVEID string
CVSSScore string
Severity string
Repository string
ProjectName string
Package string
Tag string
Digest string
Exclude string
WithTag bool
Fixable bool
All bool
Page int64
PageSize int64
}
Loading
Loading