v2.10.0-rc2

What's Changed

Exciting New Features 🎉

Robot Account Full Access

Delivers a user-friendly tutorial that walks you through the creation of a new robot. With a simple click, you can seamlessly customize permission sets at both system and project levels.

• Add full permissions for the robot account by @AllForNothing in #19507
• subject: fix missing media type recognition for nydus by @imeoer in #19453

Supporting OCI Distribution Spec v1.1.0-rc3

Harbor now supports OCI Distribution Spec v1.1.0-rc3

• change Referrers Content-Type to application/vnd.oci.image.index.v1+json by @MinerYang in #19212
• support accessory in either order by @wy65701436 in #19375

Additional Features

Quota Sorting

Enable storage sorting in the quota management page

• Add quota sorting to the project quotas list by @AllForNothing in #19576

Allow customization of the OIDC provider name

• Add oidc provider name to systeminfo API by @stonezdj in #19575
• Show OIDC provider name on the OIDC login button by @AllForNothing in #19581

Enable support for large-size blobs

Harbor now facilitates uploads of layers up to 128GB by default, with configurable options if required.

• fix: increase beego max memory and upload size by @chlins in #19578

Ensure audit logs comply with GDPR regulations for data privacy.

• Feature: GDPR compliant audit logs by @tpoxa in #17396

Enhancement 🚀

• feat: enhance the replication webhook payload by @chlins in #19433
• fix: Accessibility - change color for WCAG AA by @SphinxKnight in #19472
• perf: optimize the trigger retention API by @chlins in #19533
• Add a placeholder to the cards for the security-hub by @AllForNothing in #19536
• perf: optimize the performance of accessory query by @chlins in #19557

Component updates ⬆️

• Add label's description as tooltip by @Nhqml in #19421
• fix: privileges member successfully typo by @testwill in #19091
• fix: add storage_limit check by @zyyw in #19095
• fix: cron string validation by @zyyw in #19071
• ignore spaces for vulnerability filters by @AllForNothing in #19180
• Update zh-tw (Traditional Chinese) locale by @PeterDaveHello in #19161
• chore: fix incorrect otel timeout in harbor yaml template by @chlins in #19120
• Update the max length for the filters by @AllForNothing in #19194
• Filter artifact without CVE from top 5 dangerous artifacts by @stonezdj in #19187
• log: change log level to reduce the noise logs by @chlins in #19146
• Wrong artifact scanned count by @stonezdj in #19198
• fix: support customize cache db for business by @chlins in #19182
• fix gc dry run issue by @wy65701436 in #19208
• Add new uri path to ShouldNotReuseRoute array by @AllForNothing in #19217
• Refine total artifact and scanned artifact by @stonezdj in #19228
• i18n: fix typo for CONFIRM_SECRET by @liubin in #19140
• Add a tooltip for the page title of security hub by @AllForNothing in #19231
• change JOB_ID to Task_ID by @lengrongfu in #19127
• fix typo in ROADMAP.md by @liubin in #19247
• Delete unused code by @liubin in #19061
• exporter: add field alias for count(*) func by @liubin in #18840
• Switch to a new chart library by @AllForNothing in #19262
• Remove job status track information from redis after stop by @stonezdj in #19227
• remove chart-museum related to logic by @lengrongfu in #18722
• fix storage.redirect.disable migrate template error by @MinerYang in #19335
• Upgrade UI packages by @AllForNothing in #19330
• Remove duplicated sort fields from order by clause by @liubin in #19347
• fix user resource by @wy65701436 in #19366
• update default processor for unknwon type config by @MinerYang in #19372
• Hide version property if the value is undefined by @AllForNothing in #19395
• feat(i18n): update french translations by @Nhqml in #19418
• bump golang to 1.20.10 by @MinerYang in #19430
• Change fixed_version to package_version in query dangerous CVE sql by @stonezdj in #19397
• fix issue 19392 by @wy65701436 in #19437
• fix: bump up TRIVYVERSION=v0.46.0 && TRIVYADAPTERVERSION=v0.30.17 by @zyyw in #19446
• Update the style for operation-component by @AllForNothing in #19445
• bump golang.org/x/net to v0.17.0 && go.opentelemetry.io/contrib by @MinerYang in #19461
• Use batch to list the job id in the job queue to avoid crash redis by @stonezdj in #19444
• Delete tag retention rule and tag immutable rule when deleting project by @stonezdj in #19390
• bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/m… by @MinerYang in #19477
• Not allow comma for the user name by @AllForNothing in #19501
• bump golang to 1.21.3 by @MinerYang in #19504
• Add a tooltip for the replication rule by @AllForNothing in #19509
• Replace comma in username to avoid casbin issue by @stonezdj in #19505
• Update the style for severity by @AllForNothing in #19525
• Remove vendor folder from harbor code base by @reasonerjt in #19508
• fix: bump up TRIVYVERSION=v0.46.1 && TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19500
• Skip to validate username when update user profile by @stonezdj in #19552
• Update UI package to clear security alerts by @AllForNothing in #19553
• Delete project member when delete project by @stonezdj in #19523
• add permission api by @wy65701436 in #19543
• Allow POST method to request service/token in readonly mode by @stonezdj in #19556
• 19559 cannot see full label easily by @jmichot-exotec in #19564
• fix: sorting quota by @zyyw in #19538
• Avoid menu closure when filtering labels by @AllForNothing in #19561
• Correct loop condition for replication tasks by @AllForNothing in #19570
• Return empty result when no scanner configured by @stonezdj in #19577
• bump golang to 1.21.4 by @MinerYang in #19601
• add permission validation for robot creating and updating. by @wy65701436 in #19598
• add prepare migration script for 2.10 by @MinerYang in #19600
• Update the permission scope by @AllForNothing in #19603
• fix system label resource by @wy65701436 in #19621
• Bump golang.org/x/time from 0.0.0-20220210224613-90d013bbcef8 to 0.4.0 in /src by @dependabot in #19541
• fix robot account access issue by @wy65701436 in #19627
• fix: update TRIVYVERSION=v0.47.0 && TRIVYADAPTERVERSION=v0.30.19 by @zyyw in #19624
• Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.7.0 in /src by @dependabot in #19542
• Update the name checking for the robot account by @AllForNothing in #19645
• fix 2.10 prepare migration version by @MinerYang in #19665
• fix: upgrade google.golang.org/grpc by @zyyw in #19648
• Update the style for the robot acccount ui by @AllForNothing in https://...

v2.10.0-rc1

What's Changed

Exciting New Features 🎉

Robot Account Full Access

Delivers a user-friendly tutorial that walks you through the creation of a new robot. With a simple click, you can seamlessly customize permission sets at both system and project levels.

• Add full permissions for the robot account by @AllForNothing in #19507
• subject: fix missing media type recognition for nydus by @imeoer in #19453

Supporting OCI Distribution Spec v1.1.0-rc3

Harbor now supports OCI Distribution Spec v1.1.0-rc3

• change Referrers Content-Type to application/vnd.oci.image.index.v1+json by @MinerYang in #19212
• support accessory in either order by @wy65701436 in #19375

Additional Features

Quota Sorting

Enable storage sorting in the quota management page

• Add quota sorting to the project quotas list by @AllForNothing in #19576

Allow customization of the OIDC provider name

• Add oidc provider name to systeminfo API by @stonezdj in #19575

Enable support for large-size blobs

Harbor now facilitates uploads of layers up to 128GB by default, with configurable options if required.

• Show OIDC provider name on the OIDC login button by @AllForNothing in #19581

Ensure audit logs comply with GDPR regulations for data privacy.

• Feature: GDPR compliant audit logs by @tpoxa in #17396

• fix: increase beego max memory and upload size by @chlins in #19578

Enhancement 🚀

• feat: enhance the replication webhook payload by @chlins in #19433
• fix: Accessibility - change color for WCAG AA by @SphinxKnight in #19472
• perf: optimize the trigger retention API by @chlins in #19533
• Add a placeholder to the cards for the security-hub by @AllForNothing in #19536
• perf: optimize the performance of accessory query by @chlins in #19557

Component updates ⬆️

• Add label's description as tooltip by @Nhqml in #19421
• fix: privileges member successfully typo by @testwill in #19091
• fix: add storage_limit check by @zyyw in #19095
• fix: cron string validation by @zyyw in #19071
• ignore spaces for vulnerability filters by @AllForNothing in #19180
• Update zh-tw (Traditional Chinese) locale by @PeterDaveHello in #19161
• chore: fix incorrect otel timeout in harbor yaml template by @chlins in #19120
• Update the max length for the filters by @AllForNothing in #19194
• Filter artifact without CVE from top 5 dangerous artifacts by @stonezdj in #19187
• log: change log level to reduce the noise logs by @chlins in #19146
• Wrong artifact scanned count by @stonezdj in #19198
• fix: support customize cache db for business by @chlins in #19182
• fix gc dry run issue by @wy65701436 in #19208
• Add new uri path to ShouldNotReuseRoute array by @AllForNothing in #19217
• Refine total artifact and scanned artifact by @stonezdj in #19228
• i18n: fix typo for CONFIRM_SECRET by @liubin in #19140
• Add a tooltip for the page title of security hub by @AllForNothing in #19231
• change JOB_ID to Task_ID by @lengrongfu in #19127
• fix typo in ROADMAP.md by @liubin in #19247
• Delete unused code by @liubin in #19061
• exporter: add field alias for count(*) func by @liubin in #18840
• Switch to a new chart library by @AllForNothing in #19262
• Remove job status track information from redis after stop by @stonezdj in #19227
• remove chart-museum related to logic by @lengrongfu in #18722
• fix storage.redirect.disable migrate template error by @MinerYang in #19335
• Upgrade UI packages by @AllForNothing in #19330
• Remove duplicated sort fields from order by clause by @liubin in #19347
• fix user resource by @wy65701436 in #19366
• update default processor for unknwon type config by @MinerYang in #19372
• Hide version property if the value is undefined by @AllForNothing in #19395
• feat(i18n): update french translations by @Nhqml in #19418
• bump golang to 1.20.10 by @MinerYang in #19430
• Change fixed_version to package_version in query dangerous CVE sql by @stonezdj in #19397
• fix issue 19392 by @wy65701436 in #19437
• fix: bump up TRIVYVERSION=v0.46.0 && TRIVYADAPTERVERSION=v0.30.17 by @zyyw in #19446
• Update the style for operation-component by @AllForNothing in #19445
• bump golang.org/x/net to v0.17.0 && go.opentelemetry.io/contrib by @MinerYang in #19461
• Use batch to list the job id in the job queue to avoid crash redis by @stonezdj in #19444
• Delete tag retention rule and tag immutable rule when deleting project by @stonezdj in #19390
• bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/m… by @MinerYang in #19477
• Not allow comma for the user name by @AllForNothing in #19501
• bump golang to 1.21.3 by @MinerYang in #19504
• Add a tooltip for the replication rule by @AllForNothing in #19509
• Replace comma in username to avoid casbin issue by @stonezdj in #19505
• Update the style for severity by @AllForNothing in #19525
• Remove vendor folder from harbor code base by @reasonerjt in #19508
• fix: bump up TRIVYVERSION=v0.46.1 && TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19500
• Skip to validate username when update user profile by @stonezdj in #19552
• Update UI package to clear security alerts by @AllForNothing in #19553
• Delete project member when delete project by @stonezdj in #19523
• add permission api by @wy65701436 in #19543
• Allow POST method to request service/token in readonly mode by @stonezdj in #19556
• 19559 cannot see full label easily by @jmichot-exotec in #19564
• fix: sorting quota by @zyyw in #19538
• Avoid menu closure when filtering labels by @AllForNothing in #19561
• Correct loop condition for replication tasks by @AllForNothing in #19570
• Return empty result when no scanner configured by @stonezdj in #19577
• bump golang to 1.21.4 by @MinerYang in #19601
• add permission validation for robot creating and updating. by @wy65701436 in #19598
• add prepare migration script for 2.10 by @MinerYang in #19600
• Update the permission scope by @AllForNothing in #19603
• fix system label resource by @wy65701436 in #19621
• Bump golang.org/x/time from 0.0.0-20220210224613-90d013bbcef8 to 0.4.0 in /src by @dependabot in #19541
• fix robot account access issue by @wy65701436 in #19627
• fix: update TRIVYVERSION=v0.47.0 && TRIVYADAPTERVERSION=v0.30.19 by @zyyw in #19624
• Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.7.0 in /src by @dependabot in #19542
• Update the name checking for the robot account by @AllForNothing in #19645
• fix 2.10 prepare migration version by @MinerYang in #19665
• fix: upgrade google.golang.org/grpc by @zyyw in #19648
• Update the style for the robot acccount ui by @AllForNothing in https:...

v2.7.4

Known issue

• Due to the change of querying for listing tasks of scan by this PR, vulnerability scan report that's done in v2.7.4 cannot be retrieved in v2.8.0, but it's still available in v2.8.1 (applied the same logic in this PR) and onwards. Please do not upgrade from v2.7.4 to v2.8.0, instead, directly upgrading to v2.8.1 or v2.9.0.

What's Changed

Component updates ⬆️

• feat: bump up golang-runtime from 1.19.3 to 1.21.4; upgrade MOCKERY_VERSION; upgrade golangci-lint; fix mock issue by @zyyw in #19608
• fix: bump TRIVYVERSION=v0.46.1 & TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19607
• fix: upgrade dependency library version and run \go mod vendor\ by @zyyw in #19613
• fix: upgrade github.com/gorilla/mux/otelmux to v0.44.0 by @zyyw in #19620

Other Changes

• Refresh base images on release-2.7.0 by @YangJiao0817 in #19644

Full Changelog: v2.7.3...v2.7.4

v2.7.4-rc1

What's Changed

Component updates ⬆️

• feat: bump up golang-runtime from 1.19.3 to 1.21.4; upgrade MOCKERY_VERSION; upgrade golangci-lint; fix mock issue by @zyyw in #19608
• fix: bump TRIVYVERSION=v0.46.1 & TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19607
• fix: upgrade dependency library version and run \go mod vendor\ by @zyyw in #19613
• fix: upgrade github.com/gorilla/mux/otelmux to v0.44.0 by @zyyw in #19620

Other Changes

• Refresh base images on release-2.7.0 by @YangJiao0817 in #19644

Full Changelog: v2.7.3...v2.7.4-rc1

v2.9.1

Known issue

• known issue #19912 will affect nginx component of offline-installer when specify strong_cipher.enabled in harbor.yml but not been rendered in config file properly. Impact version are v2.9.0, v2.9.1, v2.9.2, v2.10.0. Will fixed in v2.10.1. if you do need set strong_cipher, please refer to manually-add-strong-cipher

What's Changed

Component updates ⬆️

• (cherry-pick) Remove job status track information from redis after stop the job in the queue by @stonezdj in #19307
• (cherry-pick) fix storage.redirect.disable migrate template error release-2.9.0 by @MinerYang in #19336
• [Cherry-pick]Hide version property if the value is undefined by @AllForNothing in #19396
• (cherry-pick) Change fixed_version to package_version by @stonezdj in #19432
• [cherry-pick]bump golang to 1.20.10 by @MinerYang in #19431
• fix: bump up TRIVYVERSION=v0.46.0 && TRIVYADAPTERVERSION=v0.30.17 by @zyyw in #19447
• [cherry-pick] Use batch to list the job id in the job queue to avoid crash redis by @stonezdj in #19455
• bump golang.org/x/net to v0.17.0 && go.opentelemetry.io/contrib on release-2.9.0 by @MinerYang in #19460
• bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/m… by @MinerYang in #19476
• bump golang to 1.21.3 on release-2.9.0 by @MinerYang in #19503
• fix: bump up TRIVYVERSION=v0.46.1 && TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19499
• update ut mock anything by @MinerYang in #19506
• bump google.golang.org/grpc by @MinerYang in #19513

Other Changes

• [cherry-pick]Refactor unstable test cases by @YangJiao0817 in #19351
• [cherry-pick]Add security hub API test case by @YangJiao0817 in #19377
• [cherry-pick]Add security hub UI test case by @YangJiao0817 in #19449
• Bump up version to v2.9.1 by @YangJiao0817 in #19451
• [cherry-pick]Add GC accessory API test case by @YangJiao0817 in #19463
• [cherry-pick]Add GC accessory UI test case by @YangJiao0817 in #19471
• Refresh base images on release-2.9.0 by @YangJiao0817 in #19475
• [cherry-pick]Add GC details and GC workers API test case by @YangJiao0817 in #19483
• [cherry-pick]Add GC details and GC workers UI test case by @YangJiao0817 in #19488
• [cherry-pick]Add banner message API test case by @YangJiao0817 in #19514

Full Changelog: v2.9.0...v2.9.1

v2.9.1-rc1

What's Changed

Component updates ⬆️

• (cherry-pick) Remove job status track information from redis after stop the job in the queue by @stonezdj in #19307
• (cherry-pick) fix storage.redirect.disable migrate template error release-2.9.0 by @MinerYang in #19336
• [Cherry-pick]Hide version property if the value is undefined by @AllForNothing in #19396
• (cherry-pick) Change fixed_version to package_version by @stonezdj in #19432
• [cherry-pick]bump golang to 1.20.10 by @MinerYang in #19431
• fix: bump up TRIVYVERSION=v0.46.0 && TRIVYADAPTERVERSION=v0.30.17 by @zyyw in #19447
• [cherry-pick] Use batch to list the job id in the job queue to avoid crash redis by @stonezdj in #19455
• bump golang.org/x/net to v0.17.0 && go.opentelemetry.io/contrib on release-2.9.0 by @MinerYang in #19460
• bump go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/m… by @MinerYang in #19476
• bump golang to 1.21.3 on release-2.9.0 by @MinerYang in #19503
• fix: bump up TRIVYVERSION=v0.46.1 && TRIVYADAPTERVERSION=v0.30.18 by @zyyw in #19499
• update ut mock anything by @MinerYang in #19506
• bump google.golang.org/grpc by @MinerYang in #19513

Other Changes

• [cherry-pick]Refactor unstable test cases by @YangJiao0817 in #19351
• [cherry-pick]Add security hub API test case by @YangJiao0817 in #19377
• [cherry-pick]Add security hub UI test case by @YangJiao0817 in #19449
• Bump up version to v2.9.1 by @YangJiao0817 in #19451
• [cherry-pick]Add GC accessory API test case by @YangJiao0817 in #19463
• [cherry-pick]Add GC accessory UI test case by @YangJiao0817 in #19471
• Refresh base images on release-2.9.0 by @YangJiao0817 in #19475
• [cherry-pick]Add GC details and GC workers API test case by @YangJiao0817 in #19483
• [cherry-pick]Add GC details and GC workers UI test case by @YangJiao0817 in #19488
• [cherry-pick]Add banner message API test case by @YangJiao0817 in #19514

Full Changelog: v2.9.0...v2.9.1-rc1

v2.7.3

Known issue

• Due to the change of querying for listing tasks of scan by this PR, vulnerability scan report that's done in v2.7.3 cannot be retrieved in v2.8.0, but it's still available in v2.8.1 (applied the same logic in this PR) and onwards. Please do not upgrade from v2.7.3 to v2.8.0, instead, directly upgrading to v2.8.1 or v2.9.0.

What's Changed

Component updates ⬆️

• [cherry-pick] fix: improve the performance of list artifacts by @chlins in #18632
• bump golang 1.19.9 on release-2.7.0 by @MinerYang in #18650
• (cherry-pick) Use subtle.ConstantTimeCompare instead of compare directly by @stonezdj in #18711
• set tag pull time for proxy cache by @wy65701436 in #18742
• (cherry-pick) Return error when proxy cache get too many request error(429) by @stonezdj in #18751
• Changed logic search projects in gitlab adapter for 2.7.0 by @lxShaDoWxl in #18784
• [cherry-pick][2.7] fix: add retry on the caller of v2DeleteManifest instead within v2DeleteManifest by @dkulchinsky in #18802
• [Cherry-pick] fix: bump-up TRIVYVERSION=v0.43.0 and TRIVYADAPTERVERSION=v0.30.14 by @zyyw in #18995
• [cherry-pick]fix accessory import issue by @wy65701436 in #19056
• fix: TRIVYVERSION=v0.44.0 && TRIVYADAPTERVERSION=v0.30.15 by @zyyw in #19089
• [Cherry-pick]Convert the string �\ to number 0 by @AllForNothing in #19082
• [cherry-pick] fix: fix replication list projects with pure numberic name by @chlins in #19093
• bump go1.19.12 on release-2.7.0 base on ph4 by @MinerYang in #19162
• [cherry-pick] refactor: migrate the redis command keys to scan by @chlins in #19148
• [cherry-pick] chore: fix incorrect otel timeout in harbor yaml template by @chlins in #19121
• [cherry-pick] fix: support customize cache db for business by @chlins in #19189
• (cherry-pick) Remove job status track information from redis after stop the job in the queue by @stonezdj in #19306
• bump goharbor/golang 1.19.13 on release-2.7.0 by @MinerYang in #19324
• fix: bump up TRIVYVERSION=v0.45.0 && TRIVYADAPTERVERSION=v0.30.16 by @zyyw in #19329

Other Changes

• [cherry-pick]Fix setup-gcloud fails when building package by @YangJiao0817 in #18684
• [cherry-pick]Fix APITEST_DB_PROXY_CACHE x509 by @YangJiao0817 in #18980
• [cherry-pick]Bump up setup-gcloud to 430.0.0 by @YangJiao0817 in #19119
• [Cherry-pick]Add new uri path to ShouldNotReuseRoute array by @AllForNothing in #19220

Full Changelog: v2.7.2...v2.7.3

v2.7.3-rc1

What's Changed

Component updates ⬆️

• [cherry-pick] fix: improve the performance of list artifacts by @chlins in #18632
• bump golang 1.19.9 on release-2.7.0 by @MinerYang in #18650
• (cherry-pick) Use subtle.ConstantTimeCompare instead of compare directly by @stonezdj in #18711
• set tag pull time for proxy cache by @wy65701436 in #18742
• (cherry-pick) Return error when proxy cache get too many request error(429) by @stonezdj in #18751
• Changed logic search projects in gitlab adapter for 2.7.0 by @lxShaDoWxl in #18784
• [cherry-pick][2.7] fix: add retry on the caller of v2DeleteManifest instead within v2DeleteManifest by @dkulchinsky in #18802
• [Cherry-pick] fix: bump-up TRIVYVERSION=v0.43.0 and TRIVYADAPTERVERSION=v0.30.14 by @zyyw in #18995
• [cherry-pick]fix accessory import issue by @wy65701436 in #19056
• fix: TRIVYVERSION=v0.44.0 && TRIVYADAPTERVERSION=v0.30.15 by @zyyw in #19089
• [Cherry-pick]Convert the string �\ to number 0 by @AllForNothing in #19082
• [cherry-pick] fix: fix replication list projects with pure numberic name by @chlins in #19093
• bump go1.19.12 on release-2.7.0 base on ph4 by @MinerYang in #19162
• [cherry-pick] refactor: migrate the redis command keys to scan by @chlins in #19148
• [cherry-pick] chore: fix incorrect otel timeout in harbor yaml template by @chlins in #19121
• [cherry-pick] fix: support customize cache db for business by @chlins in #19189
• (cherry-pick) Remove job status track information from redis after stop the job in the queue by @stonezdj in #19306
• bump goharbor/golang 1.19.13 on release-2.7.0 by @MinerYang in #19324
• fix: bump up TRIVYVERSION=v0.45.0 && TRIVYADAPTERVERSION=v0.30.16 by @zyyw in #19329

Other Changes

• [cherry-pick]Fix setup-gcloud fails when building package by @YangJiao0817 in #18684
• [cherry-pick]Fix APITEST_DB_PROXY_CACHE x509 by @YangJiao0817 in #18980
• [cherry-pick]Bump up setup-gcloud to 430.0.0 by @YangJiao0817 in #19119
• [Cherry-pick]Add new uri path to ShouldNotReuseRoute array by @AllForNothing in #19220

Full Changelog: v2.7.2...v2.7.3-rc1

v2.9.0

Known issue

• There's a known issue #19320 that occurs when running harbor.yml migrate script with the specific storage_service.redirect.disable configuration. Impact version would be Harbor v2.8 and v2.9, for example migrate from v2.7.X to v2.8.Y or v2.7.X to v2.9.Z. Please refer to this comment as a workaround.

What's Changed

Exciting New Features 🎉

Security Hub

Admin users can now access valuable security insights, which include the number of scanned and unscanned artifacts, identification of dangerous artifacts and CVEs, and advanced search capabilities for vulnerabilities using multiple combined conditions.

• Add Security Hub UI by @AllForNothing in #18942
• Update table scan_report and extract cvss_v3_score from vendor attribute by @stonezdj in #18854
• Add vulnerability search API by @stonezdj in #18924
• Add security hub summary API by @stonezdj in #18872
• Create index in vulnerability_record table by @stonezdj in #18949

GC Enhancements

Improved visibility with detailed GC execution history and enable parallel deletion for faster GC triggers.

• Add worker parameter for GC by @AllForNothing in #18882
• Add more details in gc history by @wy65701436 in #18779
• Add multiple deletions of GC by @wy65701436 in #18855

Supporting OCI Distribution Spec v1.1.0-rc2

Harbor now supports OCI Distribution Spec v1.1.0-rc2 and added support for Notation signature and Nydus conversion as referrers.

• Support OCI-Subject header by @wy65701436 in #18885
• Add notation support by @wy65701436 in #18909
• Enable notary v2 policy checker by @wy65701436 in #18927
• Add Notation UI for deployment security by @AllForNothing in #18952
• Support nydus as an accessory by @wy65701436 in #18953

Additional Features

Customized banner message

Admins can now set a customized banner message displayed on top of Harbor web pages.

• Add customized banner message UI by @AllForNothing in #18827

Quota Update Provider

Introduced a new mechanism utilizing Redis for optimistic locking during quota updates when pushing images. Refer to the documentation at https://github.com/goharbor/perf/wiki/Quota-Update for instructions on enabling and utilizing this feature.

• feat: Optimize quota checking when pushing images by @lengrongfu in #17392
• perf: introduce update quota by redis by @chlins in #18871
• feat: add the configuration for quota update provider by @chlins in #18928

Deprecations ❌

Removal of Notary

Starting with version v2.9.0, Harbor no longer includes Notary in either the user interface or the backend. Please navigate to this page for details.

• Remove notary test cases by @YangJiao0817 in #18620
• Remove notary UI by @AllForNothing in #18666
• Remove the notary from the backend by @wy65701436 in #18668

Known issue

• Harbor v2.9.0 Online/Offline Installer and Docker Version Compatibility
  If you install Harbor v2.9.0 using an online/offline installer with Docker version lower than 20.10.10, you may encounter an issue where the Harbor database container fails to start. This issue is being tracked at (#19141). For more detailed information about this specific problem, you can visit this page (timescale/timescaledb-docker-ha#260). To avoid this issue, we recommend ensuring that your Docker version is equal to or greater than 20.10.10 when using Harbor v2.9.0 with the online/offline installer.

Breaking Changes

• As of Harbor v2.9.0, only PostgreSQL >= 12 is supported for external databases. Before upgrading, you should make sure that your external databases are using a supported version of PostgreSQL.
• Different API behavior in Harbor version 2.9 vs. prior versions: Users with limited_guest role are not able to query the repository endpoint by id #19709

Enhancement 🚀

• Fix message prompt under the header by @AllForNothing in #18613
• fix: improve the performance of list artifacts by @chlins in #18610
• Improve repo_read_only header on the UI by @AllForNothing in #18729
• Add a text to explain the time window for GC by @AllForNothing in #18735
• Add a tooltip for slack notification by @AllForNothing in #18787
• 【UT】add unit test for collector system info by @lengrongfu in #18717
• Add Details column for gc history by @AllForNothing in #18797
• Add Podman push command to the UI by @AllForNothing in #18810
• Add new client Podman to the pull command by @AllForNothing in #18857

Component updates ⬆️

• fix: fix error bitsize of jobservice reaper scan locks by @chlins in #18487
• bump golang 1.20.3 on main by @MinerYang in #18492
• feat: update TRIVYVERSION=v0.39.0 & TRIVYADAPTERVERSION=v0.30.10 by @zyyw in #18501
• Rewords quota definitions based on user input by @OrlinVasilev in #18512
• Synchronize text modification of quota tooltip to all the i18n files by @AllForNothing in #18518
• GC: correctly handle manifest unknown (404) condition in v2DeleteManifest retry loop by @dkulchinsky in #18386
• Change the permissions of the *.go file from 0755 to 0644 by @Iceber in #17919
• feat: log with trace ID by @pgillich in #18181
• Fix typos in common.sh by @Maxi-Mega in #18151
• bump golang.org/x/net && helm.sh/helm/v3 on main by @MinerYang in #18545
• Update position to vertical-align for copy button by @AllForNothing in #18563
• Add missing i18n key-value for helm chart by @AllForNothing in #18578
• Allow redis password using safe special characters by @MinerYang in #18566
• add goheader linter settings by @MinerYang in #18503
• fix: link to Github's rate limiting documentation. by @perjahn in #18588
• fix: error log use wrong variable err by @dyf991645 in #18602
• Upgrade the internal PostgreSQL to 14 in 2.9.0 by @YangJiao0817 in #18612
• Improve zh-tw (Traditional Chinese) locale by @PeterDaveHello in #18608
• bump golang 1.20.4 on main by @MinerYang in #18647
• fix: sweep executions of image scan job by @chlins in #18649
• fix: cherry pick the migration sql by @chlins in #18644
• chore: replace github.com/ghodss/yaml with sigs.k8s.io/yaml by @Juneezee in #18606
• Bump kentaro-m/auto-assign-action from 1.2.4 to 1.2.5 by @dependabot in #18263
• Changed logic search projects in gitlab adapter by @lxShaDoWxl in #18529
• bump up github.com/distribution/distribution v2.8.2 by @MinerYang in #18687
• fix: add retry on the caller of v2DeleteManifest instead within v2DeleteManifest by @zyyw in #18662
• Fix the channel that never receives a value by @iAklis in #18139
• Use subtle.ConstantTimeCompare instead of compare directly by @stonezdj in #18697
• Upgrade Angular and Clarity to the latest version by @AllForNothing in #18709
• chore: bump registry release to 2.8.2 by @davidspek in #18685
• Add support for TLSv1.3 in nginx configurations by @malmor in #18659
• set tag pull time for proxy cache by @wy65701436 in #18731
• http2 enabled and ciphers changed to get an A+ rating instead of B fr… by @mcsage in #16990
• Return error when proxy cache get too many request error(429) by @stonezdj in #18728
• 【optimization】Use URL.Redacted method repleace redacted by @lengrongfu in https://gi...

v2.9.0-rc3

Known issue

• There's a known issue #19320 that occurs when running harbor.yml migrate script with the specific storage_service.redirect.disable configuration. Impact version would be Harbor v2.8 and v2.9, for example migrate from v2.7.X to v2.8.Y or v2.7.X to v2.9.Z. Please refer to this comment as a workaround.

What's Changed

Exciting New Features 🎉

• Update table scan_report and extract cvss_v3_score from vendor attribute by @stonezdj in #18854
• Add costomized banner message UI by @AllForNothing in #18827
• Add worker parameter for GC by @AllForNothing in #18882
• add notation support by @wy65701436 in #18909
• enable notary v2 policy checker by @wy65701436 in #18927
• Add vulnerability search API by @stonezdj in #18924
• Add Notation UI for deployment security by @AllForNothing in #18952
• Add Security Hub UI by @AllForNothing in #18942
• support nydus as a accessory by @wy65701436 in #18953

Enhancement 🚀

• Fix message prompt under the header by @AllForNothing in #18613
• fix: improve the performance of list artifacts by @chlins in #18610
• Improve repo_read_only header on the UI by @AllForNothing in #18729
• Add a text to explain the time window for GC by @AllForNothing in #18735
• add more details in gc history by @wy65701436 in #18779
• feat: Optimize quota checking when pushing images by @lengrongfu in #17392
• Add a tooltip for slack notification by @AllForNothing in #18787
• 【UT】add unit test for collector system info by @lengrongfu in #18717
• Add Details column for gc history by @AllForNothing in #18797
• Add Podman push command to the UI by @AllForNothing in #18810
• Add new client Podman to the pull command by @AllForNothing in #18857
• add multiple deletion of GC by @wy65701436 in #18855
• perf: introduce update quota by redis by @chlins in #18871
• Add security hub summary API by @stonezdj in #18872
• Create index in vulnerability_record table by @stonezdj in #18949
• feat: add the configuration for quota update provider by @chlins in #18928

Component updates ⬆️

• fix: fix error bitsize of jobservice reaper scan locks by @chlins in #18487
• bump golang 1.20.3 on main by @MinerYang in #18492
• feat: update TRIVYVERSION=v0.39.0 & TRIVYADAPTERVERSION=v0.30.10 by @zyyw in #18501
• Reword quota definitions based on user input by @OrlinVasilev in #18512
• Synchronize text modification of quota tooltip to all the i18n files by @AllForNothing in #18518
• GC: correctly handle manifest unknown (404) condition in v2DeleteManifest retry loop by @dkulchinsky in #18386
• Change the permissions of the *.go file from 0755 to 0644 by @Iceber in #17919
• feat: log with trace ID by @pgillich in #18181
• Fix typos in common.sh by @Maxi-Mega in #18151
• bump golang.org/x/net && helm.sh/helm/v3 on main by @MinerYang in #18545
• Update position to vertical-align for copy button by @AllForNothing in #18563
• Add missing i18n key-value for helm chart by @AllForNothing in #18578
• Allow redis password using safe special characters by @MinerYang in #18566
• add goheader linter settings by @MinerYang in #18503
• fix: link to Github's rate limiting documentation. by @perjahn in #18588
• fix: error log use wrong variable err by @dyf991645 in #18602
• Upgrade the internal PostgreSQL to 14 in 2.9.0 by @YangJiao0817 in #18612
• Improve zh-tw (Traditional Chinese) locale by @PeterDaveHello in #18608
• bump golang 1.20.4 on main by @MinerYang in #18647
• fix: sweep executions of image scan job by @chlins in #18649
• fix: cherry pick the migration sql by @chlins in #18644
• chore: replace github.com/ghodss/yaml with sigs.k8s.io/yaml by @Juneezee in #18606
• Bump kentaro-m/auto-assign-action from 1.2.4 to 1.2.5 by @dependabot in #18263
• Changed logic search projects in gitlab adapter by @lxShaDoWxl in #18529
• bump up github.com/distribution/distribution v2.8.2 by @MinerYang in #18687
• fix: add retry on the caller of v2DeleteManifest instead within v2DeleteManifest by @zyyw in #18662
• Fix the channel that never receives a value by @iAklis in #18139
• Use subtle.ConstantTimeCompare instead of compare directly by @stonezdj in #18697
• Upgrade Angular and Clarity to the latest version by @AllForNothing in #18709
• chore: bump registry release to 2.8.2 by @davidspek in #18685
• Add support for TLSv1.3 in nginx configurations by @malmor in #18659
• set tag pull time for proxy cache by @wy65701436 in #18731
• http2 enabled and ciphers changed to get an A+ rating instead of B fr… by @mcsage in #16990
• Return error when proxy cache get too many request error(429) by @stonezdj in #18728
• 【optimization】Use URL.Redacted method repleace redacted by @lengrongfu in #18716
• Fix syntax errors in comments by @lishaokai1995 in #18746
• add strong_ssl_ciphers for nginx https jinja template by @MinerYang in #18748
• fix: import optimization by @testwill in #18727
• fix invalid access action by @orblazer in #18188
• Fix: fix function name in comments by @cuishuang in #18726
• fix: clean up scan executions and reports after deleting artifact by @chlins in #18693
• Remove wrong format for boolean value in api definition by @sll552 in #18783
• fix: add checkpoint when enqueue scan tasks for scan all by @chlins in #18680
• Update/improve grafana dashboard by @mac-chaffee in #16661
• fix: optimize the mechanism of quota refresh by @chlins in #18795
• Update the text for the oidc cli secret tooltip by @AllForNothing in #18814
• jobservice: add DB to job logger config by @liubin in #18821
• jobservice: update readme by @liubin in #18849
• refactor: migrate the redis command keys to scan by @chlins in #18825
• Add unit test for hidden columns by @AllForNothing in #18873
• support OCI-Subject header by @wy65701436 in #18885
• Correct the hidden property for clrDgHideableColumn by @AllForNothing in #18890
• API: update ScannerRegistration.properties.url format by @liubin in #18799
• chore: upgrade golang-migrate to v4.16.2 by @chlins in #18879
• fix: add password/secret length check to be <= 128 by @zyyw in #18916
• update icons by @vndroid in #18767
• Log warning message when current user is freeze by @stonezdj in #18937
• fix: correct the operator in the webhook payload by @chlins in #18906
• Update the regex for policy name and the tooltip message by @AllForNothing in #18947
• fix: replication policy cron setting - the 1st field must be 0; the Minutes field cannot be ADOPTERS.md CHANGELOG.md CODEOWNERS CONTRI...