Discussion : Vulnerability Dashboard Command

[Sypher845]

What it does?

Harbor has a Security Hub that tracks vulnerabilities across all scanned artifacts. The vulnerability command will allow users to view vulnerability data from the terminal.

It uses the go-client's Securityhub.ListVulnerabilities() and Securityhub.GetSecuritySummary() methods.

Proposed Approach

The following is a proposed structure for the command

• Commands

Command	What it does
harbor vulnerability summary	Retrieve the vulnerability summary of the system
harbor vulnerability list	Lists individual vulnerabilities

• summary command and its flags

Shows a vulnerability overview across all artifacts.

Flag	Description
--with-dangerous-artifact	Include top 5 most dangerous artifacts
--with-dangerous-cve	Include top 5 most dangerous CVEs

• summary command CLI output

The following output will appear when both flags are used. I am also experimenting with making the progress bar colorful.

$ harbor vuln summary --with-dangerous-artifact  --with-dangerous-cve

2 artifact(s), 2 scanned, 0 not scanned

Total Vulnerabilities: 360  (Fixable: 281)

  Critical   ███░░░░░░░░░░░░░░░░░░░░░░░░░░░   40
  High       ██████████░░░░░░░░░░░░░░░░░░░░  125
  Medium     █████████████░░░░░░░░░░░░░░░░░  161
  Low        ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░   25
  Unknown    █░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    9
  None       ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    0

Top 5 Most Dangerous Artifacts
┌──────────────────────────────────────────────────────────────────────────────────────┐
│  Project…  Repository                Digest            Critical  High      Medium    │
│ ──────────────────────────────────────────────────────────────────────────────────── │
│  8         library/nginx             sha256:8269a7352  39        125       161       │
│  .         .                         .                 .         .         .         |
│  .         .                         .                 .         .         .         │
└──────────────────────────────────────────────────────────────────────────────────────┘

Top 5 Most Dangerous CVEs
┌────────────────────────────────────────────────────────────────────┐
│  CVE ID            Severity  CVSS3     Package           Version   │
│ ────────────────────────────────────────────────────────────────── │
│  CVE-2022-37434    Critical  9.8       zlib1g            1:1.2.1   │
│  .                 .         .         .                 .         │
│  .                 .         .         .                 .         │
│  .                 .         .         .                 .         │
│  .                 .         .         .                 .         │
└────────────────────────────────────────────────────────────────────┘

• list command flags

Lists individual vulnerabilities with filtering and pagination.

Pagination & output:

Flag	Default	Description
--page	1	Page number
--page-size	10	Results per page
--tune-count	false	Ignore total count when > 1000
--with-tag	false	Include tag info in results
--detail	false	Show full details (needs --cve-id)
-q / --query		Raw Security Hub query string

Filter flags :

Flag	Description
--cve-id	Filter by CVE ID
--severity	Filter by severity
--repository-name	Filter by repository
--project-id	Filter by project ID
--package	Filter by package name
--tag	Filter by artifact tag
--digest	Filter by digest
--cvss-score-v3-range	CVSS v3 range, e.g. 7.0~10.0

• list command CLI oytput

Default list view:

$ harbor vuln list 

┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│  Project…  Repository           Digest            CVE ID            Severity  CVSS V3   Package       Version   Fixed    │
│ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── │
│  8         library/nginx        sha256:8269a7352  CVE-2022-22822    Critical  9.8       libexpat1     2.2.6-2   2.2.6-2  │
│  .         .                    .                 .                 .         .         .             .         .        │
│  .         .                    .                 .                 .         .         .             .         .        │
│  .         .                    .                 .                 .         .         .             .         .        │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Detail view (--cve-id + --detail):

$ harbor vuln list --cve-id CVE-2022-23219 --detail

VULNERABILITY 1
┌──────────────────────────────────────────────────────────────────────────────────────────────────┐
│  Attribute                         Value                                                         │
│ ──────────────────────────────────────────────────────────────────────────────────────────────── │
│  CVE ID                            CVE-2022-23219                                                │
│  Severity                          Critical                                                      │
│  CVSS V3                           9.8                                                           │
│  Project ID                        8                                                             │
│  Repository                        library/nginx                                                 │
│  Tag                               -                                                             │
│  Digest                            sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363…  │
│  Package                           libc-bin                                                      │
│  Version                           2.28-10                                                       │
│  Fixed Version                     2.28-10+deb10u2                                               │
│  Description                       The deprecated compatibility function clnt_create in the su.. │
│  Links                             https://avd.aquasec.com/nvd/cve-2022-23219                    │
└──────────────────────────────────────────────────────────────────────────────────────────────────┘

---

Please have a look and suggest any required changes in the structure of the command.

[NucleoFusion]

That's a pretty nice layout, though I have some clarifications.

• How much filtering does the --query flag already handle? When we split it into the fuzzy, exact, range and more
• Is it possible to make the summary (dashboard) interactive? Via a TUI?
  • I was thinking having an interactive CVE list, and then when clicked it expanded and showed all details?
    @qcserestipy @bupd What are your thoughts? Would an interactive TUI be better?

[bupd]

An interactive TUI would be better

[NucleoFusion]

I was thinking of something along this line?
Like having everything show as a table, your metrics look good.
We can have options for rescan and filtering and stuff
Search can fuzzy search (tui-side, not api)
And on click we can expand or show a popup about details
(popup would be easier - overlay package - managing scroll with a list while also having expanding elements are hard, speaking from experience lol)

@Sypher845 lmk if you have any bubbletea questions, I have been building TUIs for over a year now with it.

[Sypher845]

@NucleoFusion @bupd

• For the --query flag, the supported api side conditions:
  cvss_score_v3(range condition)
  cve_id(exact match)
  severity(exact match)
  repository_name(exact match)
  project_id(exact match)
  package(exact match)
  tag(exact match)
  digest(exact match)
• For the interactive popup-overlay , i will have to look into it and things will be more clear while implementing.
  i will ping you if i have some questions.
• Also just to confirm , popup overlay will be for the list command and also for the summary command?

[NucleoFusion]

for the summary, the list command should be the default list we have in all commands.
And not a TUI, so that we have something for jq parsing and normal tasks

[qcserestipy]

Looks nice. I aggree also with @NucleoFusion that a Tui where you can expand or collapse different fields would be nice.

[Sypher845]

@bupd @qcserestipy
can we have this structure

• harbor vuln dashboard : This will be a TUI having 2 page, we can switch between the pages with a key toggle
  1. for summary (vuln count and distribution , top 5 dangerous artifacts, CVEs)
  2. for vuln list and filtering(cli side)
• harbor vuln list : default table view for the vulnerabilities with flags used for filtering

[NucleoFusion]

@bupd @qcserestipy can we have this structure

• harbor vuln dashboard : This will be a TUI having 2 page, we can switch between the pages with a key toggle

  1. for summary (vuln count and distribution , top 5 dangerous artifacts, CVEs)
  2. for vuln list and filtering(cli side)

• harbor vuln list : default table view for the vulnerabilities with flags used for filtering

To extend this, we can reuse the --output-fornat flags for when we may need to show the vuln summary (severity distribution, top 5) as a normal text.
Like showing in JSON/YAML format