"/accessories"-API should return actual OCI 1.1 artifactType of the artifact #21344

Open
ChristianCiach opened this issue Dec 20, 2024 · 2 comments
Labels
Won't Fix (the cost of fixing this is not justified)

Comments


Is your feature request related to a problem? Please describe.

When listing the accessories of an artifact by using the /accessories endpoint of the API, the results currently do not contain the actual artifactType of the artifact as specified by the OCI 1.1 image spec. The Accessory model used by Harbor has a type attribute, but the value can only be one of a few predefined constants, severely limiting its usefulness.

Describe the solution you'd like
Instead of the fallback subject.accessory type, I would like to see the actual artifactType as returned by the Referrers-API as the accessory type. Since this would be a (slightly) breaking change, as an alternative we could add a new artifact_type attribute to the Accessory model.

Also, it should be possible to query only the artifacts of a specific artifactType. Since Harbor v2.12 there is a new endpoint to query all artifacts of a project that have a given artifact_type, but this only works for the whole project, not when listing the accessories of a given repository. For this, I currently have to query the Referrers-API directly:

curl 'https://localhost/v2/{project}/{repo}/referrers/{digest}?artifactType=example/artifact-type'

In summary:

  • The /accessories endpoint should return the actual artifactType of the OCI 1.1 artifact.
  • The /accessories endpoint should support querying by a specific artifactType.
wy65701436 (Contributor) commented Dec 23, 2024

hi @ChristianCiach thanks for reporting this issue.

Let me clarify: the OCI distribution specification is defined for all v2 APIs, while the /accessories endpoint is specific to the Harbor API and is defined solely for use with the Harbor UI/CLI.

If you call the referrers API, which is defined in the Distribution 1.1 specification, you will receive a response that includes the artifact_type, like this:

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:a012de24c611dc8f4e752dd7993cfcda4c7e5844fa3c8e31e297b28dbbddb54a",
            "size": 766,
            "annotations": {
                "created": "2024-12-23T04:49:15Z",
                "created-by": "Harbor",
                "org.opencontainers.artifact.created": "2024-12-23T04:49:15Z",
                "org.opencontainers.artifact.description": "SPDX JSON SBOM"
            },
            "artifactType": "application/vnd.goharbor.harbor.sbom.v1"
        }
    ]
}

wy65701436 self-assigned this Dec 23, 2024
wy65701436 added the "Won't Fix" label (the cost of fixing this is not justified) Dec 23, 2024
ChristianCiach (Author) commented Jan 2, 2025

Let me clarify: the OCI distribution specification is defined for all v2 APIs, while the /accessories endpoint is specific to the Harbor API and is defined solely for use with the Harbor UI/CLI.

Yes, that's why I am currently using the Referrers-API directly, but I still think the /accessories endpoint should include the artifactType of the accessory. I see two use-cases for this:

  • Harbor-UI should display the actual OCI 1.1 artifactType for artifact accessories #21345
  • We have a CronJob that regularly scans a Harbor project for images with missing SBOMs and signatures. The scanned project contains thousands of images, and currently I have to query the Referrers-API for every single artifact. I already call the /artifacts endpoint with ?with_accessory=true to retrieve the list of artifacts, so including the artifactType in the Accessories model would save me tens of thousands of API requests to the Referrers-API with each run of the CronJob.
