replications function sync some error image #20088

Open
vndroid opened this issue Mar 5, 2024 · 3 comments
@vndroid
Contributor

vndroid commented Mar 5, 2024

Expected behavior and actual behavior:
In the new v2.10 version, the replications function has a bug now. It replicates some error unknown image.

Result:
CleanShot 2024-03-05 at 09 45 16@2x

Why?

Steps to reproduce the problem:

Config:
CleanShot 2024-03-05 at 09 42 48@2x

Versions:
Please specify the versions of the following systems.

  • harbor version: [v2.10.0-6abb4eab]
  • docker engine version: [v25.0.3]
  • docker-compose version: [v2.24.6]

Additional context:

  • Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
  • Log files: You can get them by packaging /var/log/harbor/.
@Vad1mo
Member

Vad1mo commented Mar 5, 2024

I can reproduce that in our demo environment.

It looks to be a signature, see:

docker pull demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b
demo.goharbor.io/dockerhub/postgres@sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b: Pulling from dockerhub/postgres
unsupported media type application/vnd.in-toto+json

image

@Vad1mo Vad1mo added kind/requirement New feature or idea on top of harbor kind/bug target/2.12.0 labels Mar 5, 2024
@Vad1mo
Member

Vad1mo commented Mar 5, 2024

I think on the Harbor side we should address this particular problem and future problems that we are going to see in the future.
The goal is to display such information accordingly.

@MinerYang
Contributor

MinerYang commented Mar 11, 2024

Harbor treats an SBOM as an accessory only when it follows the distribution-spec 1.1 standard, in which the image manifest contains the Subject field indicating whose SBOM it is. Otherwise, an image manifest without the Subject field will be treated as a normal image with no association to any other images, and the arch is read from the config layer directly.

However, Docker currently uses application/vnd.in-toto+json as the layer content and asserts the subject digest in it as below, and also has this in index.manifests[0].annotations to track the associations (https://docs.docker.com/build/attestations/attestation-storage/#attestation-manifest), which is not consistent with Harbor.

  1. image index
cat 13/13865d4d6102dfb8b46055c1f5ab41b000f00e2695ae5512f6ebb56b1fb8fffb/data | jq '.manifests[1]'
{
  "annotations": {
    "vnd.docker.reference.digest": "sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de",
    "vnd.docker.reference.type": "attestation-manifest"
  },
  "digest": "sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b",
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "platform": {
    "architecture": "unknown",
    "os": "unknown"
  },
  "size": 840
}
  2. attestation manifest
cat 61/61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b/data
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368",
    "size": 241
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
      "size": 806188,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831",
      "size": 36913,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
      }
    }
  ]
}
  3. image config
cat 7f/7f15e8ed3db65816b810657e8c4ad5defb3506b10a24b27b47a843bbe5100368/data | jq
{
  "architecture": "unknown",
  "os": "unknown",
  "config": {},
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5",
      "sha256:74a8d5d93846e09e8f128e2eb536a7d4e885468f5257c7c67c95b821eaf77831"
    ]
  }
}
  4. layer content
cat 72/72948b605242cdafe3f83ff2c92bb08783aac234ebdea97f88a63715699bc7d5/data | jq '.subject[0]'
{
  "name": "pkg:docker/postgres@14.10-alpine3.18?platform=linux%2Famd64",
  "digest": {
    "sha256": "d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de"
  }
}

@MinerYang MinerYang self-assigned this Mar 11, 2024
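
As an added example (not Harbor's code and not written by any commenter in this issue), the Go sketch below separates the two linking styles described in the last comment: an OCI 1.1 `subject` field versus Docker's `vnd.docker.reference.*` annotations on the index entry. `SubjectOf` is a hypothetical helper, and requiring every layer to be `application/vnd.in-toto+json` before trusting the annotation is an assumption of this example; the sample JSON is trimmed from the output quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Descriptor struct { // only the fields this check reads
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}
type Manifest struct {
	Subject *Descriptor  `json:"subject"` // distribution-spec 1.1 link
	Layers  []Descriptor `json:"layers"`
}

// Sample input trimmed from the JSON quoted in this issue (index entry, then its manifest).
const entryJSON = `{"digest":"sha256:61015780063be263c7b98142d12e61b9c43989abb986c2766ac22044e114293b","annotations":{
 "vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":"sha256:d713b425436e91da0c2d45ed2a63f2ed0809f94759537bccb939c17055a1b2de"}}`
const manifestJSON = `{"layers":[
 {"mediaType":"application/vnd.in-toto+json","annotations":{"in-toto.io/predicate-type":"https://spdx.dev/Document"}},
 {"mediaType":"application/vnd.in-toto+json","annotations":{"in-toto.io/predicate-type":"https://slsa.dev/provenance/v0.2"}}]}`

// SubjectOf (hypothetical helper) returns the linked digest and the link kind; both are "" for a plain image.
func SubjectOf(entryRaw, manifestRaw string) (digest, via string, err error) {
	e, m := Descriptor{}, Manifest{}
	if err = json.Unmarshal([]byte(entryRaw), &e); err != nil {
		return "", "", err
	}
	if err = json.Unmarshal([]byte(manifestRaw), &m); err != nil {
		return "", "", err
	}
	if m.Subject != nil && m.Subject.Digest != "" {
		return m.Subject.Digest, "oci-subject", nil
	}
	if e.Annotations["vnd.docker.reference.type"] != "attestation-manifest" || len(m.Layers) == 0 {
		return "", "", nil
	}
	for _, l := range m.Layers { // a filesystem layer means this is not a pure attestation
		if l.MediaType != "application/vnd.in-toto+json" {
			return "", "", nil
		}
	}
	return e.Annotations["vnd.docker.reference.digest"], "docker-attestation", nil
}

func main() {
	fmt.Println(SubjectOf(entryJSON, manifestJSON))
}
```

For the sample from this issue, the result links the `unknown/unknown` entry to the `d713b4…` image digest, the same digest the in-toto layer's `subject[0]` asserts.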