Known issue

• known issue #20056 requires a user to be a member of a project in the source (GitLab) registry when doing pull-based replication from GitLab registry to Harbor registry. Even if it is a public project in GitLab registry, a user has to be a member of that project and then performs replication. Affected versions are v2.10.x, v2.9.x.

What's Changed

Exciting New Features 🎉

SBOM Generation and Management:

Harbor now provides robust support for generating Software Bill of Materials (SBOM) either manually or automatically. Users can conveniently view, download, and replicate SBOMs across different instances of Harbor.

Supporting OCI Distribution Spec v1.1.0 🎉

Harbor now fully supports OCI Distribution Spec v1.1.0

Integration with VolcEngine Registry:

Users can now seamlessly replicate images to and from the VolcEngine registry, enhancing interoperability and flexibility within the Harbor ecosystem.

Korean UI Translation:

The user interface of Harbor has been enriched with the addition of Korean language support, ensuring a more inclusive and accessible experience for Korean-speaking users.

Enhancement 🚀

• skip transaction for POST /service/token by @liubin in https://github.com/goharbor/harbor/pull/19339
• Updated internationalisation : fr-fr by @tostt in https://github.com/goharbor/harbor/pull/19915

Component updates ⬆️

• Bump github.com/go-openapi/errors from 0.19.6 to 0.20.4 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19697
• bump golang 1.21.5 & fix golangci-lint error by @MinerYang in https://github.com/goharbor/harbor/pull/19722
• Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19729
• Bump github.com/coreos/go-oidc/v3 from 3.7.0 to 3.9.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19701
• Bump github.com/prometheus/client_golang from 1.14.0 to 1.17.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19699
• Bump github.com/bmatcuk/doublestar from 1.1.1 to 1.3.4 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19698
• Fix project metadata validate bug by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19746
• Bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux from 0.45.0 to 0.46.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19727
• add description in scanner page by @ShengqiWang in https://github.com/goharbor/harbor/pull/19733
• Fix OpenAPI Specification structural error by @blueswen in https://github.com/goharbor/harbor/pull/19782
• update project-SelectScanner modal Default field css by @ShengqiWang in https://github.com/goharbor/harbor/pull/19753
• Bump up PostgreSQL from 14 to 15 by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19789
• fix invalid links in harbor.yml.tmpl by @microyahoo in https://github.com/goharbor/harbor/pull/19786
• Bump golang.org/x/time from 0.4.0 to 0.5.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19767
• Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19766
• Bump github.com/cloudevents/sdk-go/v2 from 2.13.0 to 2.14.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19764
• Add quota permissions to robot account by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19799
• Bump gopkg.in/h2non/gock.v1 from 1.0.16 to 1.1.2 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19765
• Bump github.com/go-openapi/runtime from 0.19.20 to 0.26.2 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19763
• add repository read permission to limitedGuest by @tpoxa in https://github.com/goharbor/harbor/pull/19757
• registryctl/api/registry/blob: fix dropped test error by @alrs in https://github.com/goharbor/harbor/pull/19721
• Remove robot account update quota permission by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19819
• Cache image list with digest key by @stonezdj in https://github.com/goharbor/harbor/pull/19801
• Add verification that robot account duration is not 0 by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19829
• fix artifact page bug by @ShengqiWang in https://github.com/goharbor/harbor/pull/19807
• Log ensureArtifact ConflictErr by @LiuShuaiyi in https://github.com/goharbor/harbor/pull/19294
• Fixing typo for About UI by @hasonhai in https://github.com/goharbor/harbor/pull/19840
• Update isValidDuration function by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19843
• fix label select bugs by @ShengqiWang in https://github.com/goharbor/harbor/pull/19850
• Bump k8s.io/client-go from 0.26.2 to 0.29.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19813
• Bump github.com/vmihailenco/msgpack/v5 from 5.0.0-rc.2 to 5.4.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19810
• Bump github.com/go-openapi/swag from 0.22.4 to 0.22.7 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19809
• feat: add auto_sbom_generation for SBOM auto generation on pushing a … by @zyyw in https://github.com/goharbor/harbor/pull/19869
• add v6 port for nginx and portal config by @MinerYang in https://github.com/goharbor/harbor/pull/19868
• add ip_family config in harbor.yml by @MinerYang in https://github.com/goharbor/harbor/pull/19934
• Bump github.com/aws/aws-sdk-go from 1.34.28 to 1.50.5 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19920
• Bump github.com/go-openapi/errors from 0.20.4 to 0.21.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19890
• Bump github.com/go-ldap/ldap/v3 from 3.2.4 to 3.4.6 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19889
• Bump vite and @angular-devkit/build-angular in /src/portal by @dependabot in https://github.com/goharbor/harbor/pull/19945
• remove ipfamily config migrate jinja in 2.9 and 2.10 by @MinerYang in https://github.com/goharbor/harbor/pull/19949
• feat: enable configuration of skip_java_db_update by @zyyw in https://github.com/goharbor/harbor/pull/19996
• [Token/JWT] Update to golang-jwt v5.2.0 by @an-toine in https://github.com/goharbor/harbor/pull/19802
• Remove redundant file package-lock.json under src folder by @AllForNothing in https://github.com/goharbor/harbor/pull/20007
• Limit url to local site by @stonezdj in https://github.com/goharbor/harbor/pull/20013
• Bump go.opentelemetry.io/otel from 1.21.0 to 1.23.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19972
• Bump github.com/go-openapi/strfmt from 0.21.8 to 0.22.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19955
• Bump github.com/google/uuid from 1.3.1 to 1.6.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/19954
• Limit url to local path by @stonezdj in https://github.com/goharbor/harbor/pull/20025
• Bump helm.sh/helm/v3 from 3.11.3 to 3.14.2 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20017
• Bump github.com/aws/aws-sdk-go from 1.50.5 to 1.50.24 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20018
• Move strong_ssl_ciphers to top level in harbor.yml by @stonezdj in https://github.com/goharbor/harbor/pull/19914
• Check if the internal_tls_config is not null when get strong_ssl_ciph… by @stonezdj in https://github.com/goharbor/harbor/pull/20032
• add sbom settings for project by @wy65701436 in https://github.com/goharbor/harbor/pull/20069
• update referrers api by @wy65701436 in https://github.com/goharbor/harbor/pull/20068
• fix: typos by @testwill in https://github.com/goharbor/harbor/pull/20106
• Update swagger.yaml bad request permission: helm-chart:read by @jm-nab in https://github.com/goharbor/harbor/pull/20094
• Update support for artifactType for both manifest and index by @MinerYang in https://github.com/goharbor/harbor/pull/20030
• Update deletion for index type of accessory by @MinerYang in https://github.com/goharbor/harbor/pull/20073
• add type for scanner metadata by @wy65701436 in https://github.com/goharbor/harbor/pull/20108
• panic due to mark retention task error by @stonezdj in https://github.com/goharbor/harbor/pull/20161
• chore: fix function names by @majorteach in https://github.com/goharbor/harbor/pull/20159
• ScanAll should only log an error when an error occurs by @twhiteman in https://github.com/goharbor/harbor/pull/20087
• Bump github.com/tencentcloud/tencentcloud-sdk-go from 1.0.62 to 3.0.233+incompatible in /src by @dependabot in https://github.com/goharbor/harbor/pull/20035
• Bump golang.org/x/sync from 0.3.0 to 0.6.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20036
• Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20104
• Bump github.com/cloudevents/sdk-go/v2 from 2.14.0 to 2.15.2 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20099
• Bump golang.org/x/net from 0.17.0 to 0.22.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20113
• Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20139
• Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20124
• Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible in /src by @dependabot in https://github.com/goharbor/harbor/pull/20147
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.21.0 to 1.24.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20037
• fix image name extraction by @tkatkov in https://github.com/goharbor/harbor/pull/18992
• fix: typo by @testwill in https://github.com/goharbor/harbor/pull/20190
• bump golang 1.21.8 on main by @MinerYang in https://github.com/goharbor/harbor/pull/20197
• fix: close file by @testwill in https://github.com/goharbor/harbor/pull/20189
• Update GenAccessoryArt API to generate valid accessory for SBOM by @stonezdj in https://github.com/goharbor/harbor/pull/20214
• fix: test robot account permission by @zyyw in https://github.com/goharbor/harbor/pull/20240
• update artifact_type column alteration by @MinerYang in https://github.com/goharbor/harbor/pull/20239
• Allow empty path in redirect_url by @stonezdj in https://github.com/goharbor/harbor/pull/20238
• fix: close blob io ReadCloser by @testwill in https://github.com/goharbor/harbor/pull/20225
• add stop sbom scanning API by @wy65701436 in https://github.com/goharbor/harbor/pull/20200
• update referrer manifest descriptor size by @MinerYang in https://github.com/goharbor/harbor/pull/20207
• adopt cosign with oci-spec 1.1 by @MinerYang in https://github.com/goharbor/harbor/pull/20245
• Updated internationalisation : fr-fr by @tostt in https://github.com/goharbor/harbor/pull/20179
• feat: expose trivy.timeout to configure the duration to wait for scan completion by @zyyw in https://github.com/goharbor/harbor/pull/20257
• bump golang to 1.22.2 by @MinerYang in https://github.com/goharbor/harbor/pull/20256
• Bump k8s.io/api from 0.29.0 to 0.29.3 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20205
• Bump github.com/coreos/go-oidc/v3 from 3.9.0 to 3.10.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20202
• Bump golang.org/x/oauth2 from 0.15.0 to 0.19.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20247
• Sending signals by closing the channel by @Iceber in https://github.com/goharbor/harbor/pull/17917
• Bump go.uber.org/ratelimit from 0.2.0 to 0.3.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20204
• fix: update the image reference format for audit log when pulling image by @zyyw in https://github.com/goharbor/harbor/pull/20278
• fix issue 20269 by @wy65701436 in https://github.com/goharbor/harbor/pull/20274
• fix: update TRIVYVERSION=v0.50.1 && TRIVYADAPTERVERSION=v0.31.0 by @zyyw in https://github.com/goharbor/harbor/pull/20285
• Rename scan request type by @stonezdj in https://github.com/goharbor/harbor/pull/20288
• skip to log scan sbom accessory for sbom accessory by @stonezdj in https://github.com/goharbor/harbor/pull/20290
• refactor: update controller.go by @eltociear in https://github.com/goharbor/harbor/pull/20297
• SBOM UI feature implementation by @xuelichao in https://github.com/goharbor/harbor/pull/19946
• Allow generate sbom in proxy cache project by @stonezdj in https://github.com/goharbor/harbor/pull/20298
• Add enableCapabilities to extraAttrs for stop by @stonezdj in https://github.com/goharbor/harbor/pull/20299
• Set default capability for old scanners by @stonezdj in https://github.com/goharbor/harbor/pull/20306
• Wrong values shown for the columns of support_sbom and support_vulnerability in scanner list by @xuelichao in https://github.com/goharbor/harbor/pull/20308
• add prepare migration script for 2.11.0 by @MinerYang in https://github.com/goharbor/harbor/pull/20315
• Log and skip adapter ping error when retrieve adapter capability by @stonezdj in https://github.com/goharbor/harbor/pull/20314
• Add 422 in the swagger.yaml by @stonezdj in https://github.com/goharbor/harbor/pull/20344
• fix: update image reference to @\ in audit log when pushing & deleting images by @zyyw in https://github.com/goharbor/harbor/pull/20348
• Add scanner info and report_id to sbom_overview on listing artifact by @stonezdj in https://github.com/goharbor/harbor/pull/20358
• Fix UI bugs by @xuelichao in https://github.com/goharbor/harbor/pull/20364
• Delete scan_report when accessory is removed by @stonezdj in https://github.com/goharbor/harbor/pull/20365
• Bump golang.org/x/net from 0.22.0 to 0.24.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20318
• Bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20317
• Bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.26.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20370
• Bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20316
• Add scan type in webhook event by @stonezdj in https://github.com/goharbor/harbor/pull/20363
• do not delete accessory relationship while still referenced by @MinerYang in https://github.com/goharbor/harbor/pull/20360
• Rename harbor.sbom to sbom.harbor by @stonezdj in https://github.com/goharbor/harbor/pull/20359
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.24.0 to 1.26.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20374
• Bump k8s.io/api from 0.29.3 to 0.30.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20375
• Bump github.com/gorilla/csrf from 1.6.2 to 1.7.2 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20376
• Bump github.com/go-asn1-ber/asn1-ber from 1.5.5 to 1.5.6 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20372
• Bump helm.sh/helm/v3 from 3.14.2 to 3.14.4 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20373
• fix update TRIVYVERSION=v0.50.4 & TRIVYADAPTERVERSION=v0.31.1 by @zyyw in https://github.com/goharbor/harbor/pull/20390
• fix: enale stop_scan for ci by @zyyw in https://github.com/goharbor/harbor/pull/20378
• Update scan job request log for enabled_capabilities by @MinerYang in https://github.com/goharbor/harbor/pull/20414
• fix issue 20407 by @wy65701436 in https://github.com/goharbor/harbor/pull/20416
• Skip scan in-toto sbom artifact by @stonezdj in https://github.com/goharbor/harbor/pull/20415
• fix issue 19928 by @wy65701436 in https://github.com/goharbor/harbor/pull/20409
• chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.0 to 5.2.1 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20397
• chore(deps): bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux from 0.46.1 to 0.51.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20394
• chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 in /src by @dependabot in https://github.com/goharbor/harbor/pull/20396
• add membership=true back for gitlab replication adapter by @zyyw in https://github.com/goharbor/harbor/pull/20400
• Display status in sbom_overview for image index by @stonezdj in https://github.com/goharbor/harbor/pull/20425
• Add additional link for sboms by @stonezdj in https://github.com/goharbor/harbor/pull/20423
• bump golang 1.22.3 by @MinerYang in https://github.com/goharbor/harbor/pull/20433
• Initialize execution Manager in Report Assembler by @stonezdj in https://github.com/goharbor/harbor/pull/20437
• Fix-20459 Wrong sbom status displayed in UI by @xuelichao in https://github.com/goharbor/harbor/pull/20464
• bump up trivy and trivy-adapter version by @zyyw in https://github.com/goharbor/harbor/pull/20468
• [cherry-pick] Add sbom_report table to store sbom related information by @stonezdj in https://github.com/goharbor/harbor/pull/20482
• [cherry-pick] Separate the execution vendor type sbom from image_scan by @stonezdj in https://github.com/goharbor/harbor/pull/20508
• [cherry-pick] Fix tooltip issue related to SBOM.Details by @stonezdj in https://github.com/goharbor/harbor/pull/20511
• [cherry-pick] fix 20496 by @wy65701436 in https://github.com/goharbor/harbor/pull/20509
• tls support for pushing sbom by @wy65701436 in https://github.com/goharbor/harbor/pull/20515
• [cherry-pick] fix 20518 by @wy65701436 in https://github.com/goharbor/harbor/pull/20522
• [cherry-pick] fix http client to push sbom accessory by @wy65701436 in https://github.com/goharbor/harbor/pull/20528
• [cherry-pick] Response an error message when there is incomplete sbom generate job by @stonezdj in https://github.com/goharbor/harbor/pull/20527
• [cherry-pick] No sbom_overview when sbom is deleted by @stonezdj in https://github.com/goharbor/harbor/pull/20534
• Fixes-20537 SBOM tab should not exist when the artifact is helm package by @xuelichao in https://github.com/goharbor/harbor/pull/20539
• [cherry-pick] Adjust the query by UUID sql so that it can use the idx_task_extra_at… by @stonezdj in https://github.com/goharbor/harbor/pull/20546

Docs update 🗄️

• Fix docker version to 20.10.10 by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19751
• revise the tags of Interrogation Services by @xuelichao in https://github.com/goharbor/harbor/pull/20049
• Add two columns to display capability type for scanner by @xuelichao in https://github.com/goharbor/harbor/pull/20111

Other Changes

• Bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in https://github.com/goharbor/harbor/pull/19689
• Update Robot Account Test Case by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19710
• Bump github/codeql-action from 2 to 3 by @dependabot in https://github.com/goharbor/harbor/pull/19714
• Bump google-github-actions/setup-gcloud from 1 to 2 by @dependabot in https://github.com/goharbor/harbor/pull/19696
• Add notation replication test case by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19738
• Add multi-tier accessory replication test cases by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19730
• Add quota permissions testcase by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19822
• deprecate gosec in makefile by @wy65701436 in https://github.com/goharbor/harbor/pull/19828
• Bump kentaro-m/auto-assign-action from 1.2.5 to 1.2.6 by @dependabot in https://github.com/goharbor/harbor/pull/19824
• Update replication rule filter label xpath by @YangJiao0817 in https://github.com/goharbor/harbor/pull/19895
• fix: cve export label filter xpath by @zyyw in https://github.com/goharbor/harbor/pull/19931
• add UI test for project quota sorting by @zyyw in https://github.com/goharbor/harbor/pull/19935
• Bump codecov/codecov-action from 3 to 4 by @dependabot in https://github.com/goharbor/harbor/pull/19936
• Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 by @dependabot in https://github.com/goharbor/harbor/pull/19929
• update retry of get_scan_data_export_execution from 5 to 15 by @zyyw in https://github.com/goharbor/harbor/pull/19959
• fix: scanner tab change by @zyyw in https://github.com/goharbor/harbor/pull/20128
• Bump softprops/action-gh-release from 1 to 2 by @dependabot in https://github.com/goharbor/harbor/pull/20115
• delete membership=0 in getProjectsByName by @prima101112 in https://github.com/goharbor/harbor/pull/20153
• feat: add api test case for quota sorting by @zyyw in https://github.com/goharbor/harbor/pull/20209
• fix: update e2e test engine images by @zyyw in https://github.com/goharbor/harbor/pull/20223
• feat: add test case for customizing OIDC provider name by @zyyw in https://github.com/goharbor/harbor/pull/20287
• feat: add tc for limited guest of a project to get repository by @zyyw in https://github.com/goharbor/harbor/pull/20311
• fix: fresh scanner list when updating scanner by @zyyw in https://github.com/goharbor/harbor/pull/20366
• fix: update nightly test case for verifying audit log of image digest by @zyyw in https://github.com/goharbor/harbor/pull/20354
• fix: update to