Error on my custom scanner try to post sbom at the PostScan #434

@vincent-philippe

"Originally reported in goharbor/harbor#23014 by me"

Describe my issue

I want to add a custom scanner using a hybrid approach: Syft for SBOM, Trivy for vulnerabilities.

Syft appears to find more packages in the SBOM since it searches for binaries in the image, so that's the reason we want to use it.

Here's the configuration of my new scanner:

| Name | Endpoint | Health | Enabled | Authorization | Vulnerability | SBOM | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Syft | http://syft-adapter:8080 | Healthy | Enabled | None | Supported | Supported | Hybrid scanner : Syft for SBOM ; Trivy for Vulnerabilties |

🧰 Harbor Interrogation Services Configuration for this scanner
Scanner:
    Name:Syft+Trivy
    Vendor:Anchore+Aqua
    Version:syft:v1.19.0 trivy:0.69.3
Capabilities:
    0:
        Consumes Mime Types:[application/vnd.oci.image.manifest.v1+json , application/vnd.docker.distribution.manifest.v2+json]
        Produces Mime Types:[application/vnd.security.sbom.report+json; version=1.0 , application/vnd.cyclonedx+json , application/spdx+json]
        Type: SBOM
    1:
        Consumes Mime Types:[application/vnd.oci.image.manifest.v1+json , application/vnd.docker.distribution.manifest.v2+json]
        Produces Mime Types:[application/vnd.security.vulnerability.report; version=1.1 , application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
        Type: Vulnerability
    Properties
        harbor.scanner-adapter/scanner-type:os-package-vulnerability
        harbor.scanner-adapter/vulnerability-databases-updated-at:
🐳 Docker configuration for scanner services
  syft-adapter:
    container_name: syft-adapter
    image: registry.git..fr/<MY_COMPANY_NAME>/devops/harbor-syft-adapter:latest
    restart: always
    cap_drop:
      - ALL
    depends_on:
      - log
    networks:
      - harbor
    environment:
      - SYFT_TIMEOUT=600
      - TRIVY_TIMEOUT=600
      - SYFT_VERSION=v1.19.0
      - TRIVY_VERSION=0.69.3
      - SCANNER_TRIVY_SKIP_UPDATE=true
      - SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE=true
      - SCANNER_TRIVY_OFFLINE_SCAN=false
      - SCANNER_TRIVY_IGNORE_UNFIXED=false
      - SCANNER_TRIVY_INSECURE=false
      - SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
      - SCANNER_TRIVY_VULN_TYPE=os,library
    volumes:
      - type: bind
        source: /data/harbor/data/trivy-adapter/trivy/db
        target: /root/.cache/trivy/db
        read_only: true
      - type: bind
        source: /data/harbor/data/trivy-adapter/trivy/java-db
        target: /root/.cache/trivy/java-db
        read_only: true
      - /var/run/docker.sock:/var/run/docker.sock
  trivy-adapter:
    container_name: trivy-adapter
    image: goharbor/trivy-adapter-photon:v2.14.2
    restart: always
    cap_drop:
      - ALL
    depends_on:
      - log
      - redis
    networks:
      - harbor
    volumes:
      - type: bind
        source: /data/harbor/data/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: /data/harbor/data/trivy-adapter/reports
        target: /home/scanner/.cache/reports
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://localhost:1514"
        tag: "trivy-adapter"
    env_file:
      ./common/config/trivy-adapter/env
🗄️ Some evidence in the DB that shows the artifact accessory
SELECT * FROM artifact_accessory LIMIT 1;
registry=# SELECT * FROM artifact_accessory WHERE subject_artifact_repo = '<NAME_OF_MY_COMPANY>/sauron/api' LIMIT 1;
 id  | artifact_id | subject_artifact_id |    type     | size |                                 digest                                  |       creation_time        |                  
       subject_artifact_digest                         | subject_artifact_repo 
-----+-------------+---------------------+-------------+------+-------------------------------------------------------------------------+----------------------------+------------------
-------------------------------------------------------+-----------------------
 240 |         471 |                 469 | sbom.harbor | 1040 | sha256:fcefd326213b989b2cd0dee7ec6181afca54abe9d7c615cf59239dfb13920e90 | 2026-03-19 09:20:26.918181 | sha256:b07f85224b
c5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a | '<NAME_OF_MY_COMPANY>/sauron/api
(1 row)

registry=# SELECT * FROM sbom_report WHERE CAST(report AS VARCHAR) like '%<NAME_OF_MY_COMPANY>\/sauron\/api%';                                                                                                                                                              report                                                                                                                           
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------
 id  |                 uuid                 | artifact_id |          registration_uuid           |       mime_type       |      media_type       |                                      
                                                                                                                        report                                                          
                                                                                                     
-----+--------------------------------------+-------------+--------------------------------------+-----------------------+-----------------------+--------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------
 358 | 2774f024-0f08-4945-8a95-dadfe2788ffb |         469 | 4b7d6b72-22b7-11f1-8b6d-5265ac2ef9fe | application/spdx+json | application/spdx+json | {"duration":48,"end_time":"2026-03-19
T09:20:26.964706263Z","sbom_digest":"sha256:fcefd326213b989b2cd0dee7ec6181afca54abe9d7c615cf59239dfb13920e90","sbom_repository":"<MY_COMPANY_NAME>/sauron/api","scan_status":"Success","scanner":{
"name":"Syft","vendor":"Anchore","version":"v1.19.0"},"start_time":"2026-03-19T09:19:38.894926815Z"}
(1 row)
🗞️ Some logs of the Syft adapter started on the Harbor instance:
syft-adapter  | INFO:     Started server process [1]
syft-adapter  | INFO:     Waiting for application startup.
syft-adapter  | INFO:     Application startup complete.
syft-adapter  | INFO:     Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)
syft-adapter  | INFO:     172.18.0.9:43724 - "GET /api/v1/metadata HTTP/1.1" 200 OK
syft-adapter  | INFO:     127.0.0.1:41940 - "GET /healthz HTTP/1.1" 200 OK
syft-adapter  | INFO:     127.0.0.1:43288 - "GET /healthz HTTP/1.1" 200 OK
syft-adapter  | INFO:     127.0.0.1:42208 - "GET /healthz HTTP/1.1" 200 OK
syft-adapter  | INFO:     127.0.0.1:56092 - "GET /healthz HTTP/1.1" 200 OK
🗞️ Some logs of the syft adapter treating scan :
syft-adapter       | INFO:     172.18.0.9:50010 - "GET /api/v1/metadata HTTP/1.1" 200 OK
registry           | 172.18.0.9 - - [19/Mar/2026:09:19:36 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
harbor-portal      | 172.18.0.9 - - [19/Mar/2026:09:19:36 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
registryctl        | 172.18.0.9 - - [19/Mar/2026:09:19:36 +0000] "GET /api/health HTTP/1.1" 200 9
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/jobservice/worker/cworker/c_worker.go:77]: Job incoming: {"name":"IMAGE_SCAN","id":"49702c511a9666c0f9861ded","t":1773911974,"args":null}
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/jobservice/worker/cworker/c_worker.go:77]: Job incoming: {"name":"IMAGE_SCAN","id":"7d8c1ea3b0709fc3c5e955dd","t":1773911974,"args":null}
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/config/rest/rest.go:47]: get configuration from url: http://core:8080/api/v2.0/internalconfig
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/config/rest/rest.go:47]: get configuration from url: http://core:8080/api/v2.0/internalconfig
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/config/rest/rest.go:47]: get configuration from url: http://core:8080/api/v2.0/internalconfig
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/config/rest/rest.go:47]: get configuration from url: http://core:8080/api/v2.0/internalconfig
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:396]: {
harbor-jobservice  |   "uuid": "4b7d6b72-22b7-11f1-8b6d-5265ac2ef9fe",
harbor-jobservice  |   "name": "Syft",
harbor-jobservice  |   "description": "Syft scanner specif to SBOM binary based analysis",
harbor-jobservice  |   "url": "http://syft-adapter:8080",
harbor-jobservice  |   "disabled": false,
harbor-jobservice  |   "is_default": false,
harbor-jobservice  |   "health": "healthy",
harbor-jobservice  |   "auth": "",
harbor-jobservice  |   "access_credential": "[HIDDEN]",
harbor-jobservice  |   "skip_certVerify": false,
harbor-jobservice  |   "use_internal_addr": true,
harbor-jobservice  |   "adapter": "Syft+Trivy",
harbor-jobservice  |   "vendor": "Anchore+Aqua",
harbor-jobservice  |   "version": "syft:v1.19.0 trivy:0.69.3",
harbor-jobservice  |   "create_time": "2026-03-18T10:43:26.606801Z",
harbor-jobservice  |   "update_time": "2026-03-18T14:37:08.733957Z"
harbor-jobservice  | }
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:396]: {
harbor-jobservice  |   "registry": {
harbor-jobservice  |     "url": "http://core:8080",
harbor-jobservice  |     "authorization": "[HIDDEN]",
harbor-jobservice  |     "insecure": false
harbor-jobservice  |   },
harbor-jobservice  |   "artifact": {
harbor-jobservice  |     "namespace_id": 2,
harbor-jobservice  |     "repository": "<NAME_OF_MY_COMPANY>/sauron/api",
harbor-jobservice  |     "tag": "v1.0.5",
harbor-jobservice  |     "digest": "sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a",
harbor-jobservice  |     "mime_type": "application/vnd.docker.distribution.manifest.v2+json",
harbor-jobservice  |     "size": 310382174
harbor-jobservice  |   },
harbor-jobservice  |   "enabled_capabilities": [
harbor-jobservice  |     {
harbor-jobservice  |       "type": "vulnerability",
harbor-jobservice  |       "produces_mime_types": [
harbor-jobservice  |         "application/vnd.security.vulnerability.report; version=1.1"
harbor-jobservice  |       ],
harbor-jobservice  |       "parameters": null
harbor-jobservice  |     }
harbor-jobservice  |   ]
harbor-jobservice  | }
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:172]: Report mime types: [application/vnd.security.vulnerability.report; version=1.1 application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:396]: {
harbor-jobservice  |   "uuid": "4b7d6b72-22b7-11f1-8b6d-5265ac2ef9fe",
harbor-jobservice  |   "name": "Syft",
harbor-jobservice  |   "description": "Syft scanner specif to SBOM binary based analysis",
harbor-jobservice  |   "url": "http://syft-adapter:8080",
harbor-jobservice  |   "disabled": false,
harbor-jobservice  |   "is_default": false,
harbor-jobservice  |   "health": "healthy",
harbor-jobservice  |   "auth": "",
harbor-jobservice  |   "access_credential": "[HIDDEN]",
harbor-jobservice  |   "skip_certVerify": false,
harbor-jobservice  |   "use_internal_addr": true,
harbor-jobservice  |   "adapter": "Syft+Trivy",
harbor-jobservice  |   "vendor": "Anchore+Aqua",
harbor-jobservice  |   "version": "syft:v1.19.0 trivy:0.69.3",
harbor-jobservice  |   "create_time": "2026-03-18T10:43:26.606801Z",
harbor-jobservice  |   "update_time": "2026-03-18T14:37:08.733957Z"
harbor-jobservice  | }
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:396]: {
harbor-jobservice  |   "registry": {
harbor-jobservice  |     "url": "http://core:8080",
harbor-jobservice  |     "authorization": "[HIDDEN]",
harbor-jobservice  |     "insecure": false
harbor-jobservice  |   },
harbor-jobservice  |   "artifact": {
harbor-jobservice  |     "namespace_id": 2,
harbor-jobservice  |     "repository": "<NAME_OF_MY_COMPANY>/sauron/api",
harbor-jobservice  |     "tag": "v1.0.5",
harbor-jobservice  |     "digest": "sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a",
harbor-jobservice  |     "mime_type": "application/vnd.docker.distribution.manifest.v2+json",
harbor-jobservice  |     "size": 310382174
harbor-jobservice  |   },
harbor-jobservice  |   "enabled_capabilities": [
harbor-jobservice  |     {
harbor-jobservice  |       "type": "sbom",
harbor-jobservice  |       "produces_mime_types": [
harbor-jobservice  |         "application/vnd.security.sbom.report+json; version=1.0"
harbor-jobservice  |       ],
harbor-jobservice  |       "parameters": {
harbor-jobservice  |         "sbom_media_types": [
harbor-jobservice  |           "application/spdx+json"
harbor-jobservice  |         ]
harbor-jobservice  |       }
harbor-jobservice  |     }
harbor-jobservice  |   ]
harbor-jobservice  | }
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:172]: Report mime types: [application/vnd.security.sbom.report+json; version=1.0 application/vnd.cyclonedx+json application/spdx+json]
syft-adapter       | INFO:app.main:Scan request: registry.url='http://core:8080' authorization_present=True capabilities=['vulnerability']
syft-adapter       | INFO:app.main:Scan request: registry.url='http://core:8080' authorization_present=True capabilities=['sbom']
syft-adapter       | INFO:app.main:Scan submitted: scan_id=66d41b27-c3d9-409b-97f7-a389cf317c27 type=vulnerability artifact=<NAME_OF_MY_COMPANY>/sauron/api@sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a
syft-adapter       | INFO:     172.18.0.11:39304 - "POST /api/v1/scan HTTP/1.1" 202 Accepted
syft-adapter       | INFO:app.main:Running trivy cmd: trivy image --format json --quiet --image-src remote --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --vuln-type os,library --insecure --skip-db-update --skip-java-db-update core:8080/<NAME_OF_MY_COMPANY>/sauron/api@sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:229]: Get report for mime type: application/vnd.security.vulnerability.report; version=1.1
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:229]: Get report for mime type: application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0
syft-adapter       | INFO:app.main:Scan submitted: scan_id=b332bd02-c1a9-44b6-85df-38b04a7750ea type=sbom artifact=<NAME_OF_MY_COMPANY>/sauron/api@sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a
syft-adapter       | INFO:app.main:Running syft on core:8080/<NAME_OF_MY_COMPANY>/sauron/api@sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a
syft-adapter       | INFO:     172.18.0.11:39318 - "POST /api/v1/scan HTTP/1.1" 202 Accepted
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:229]: Get report for mime type: application/spdx+json
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:229]: Get report for mime type: application/vnd.security.sbom.report+json; version=1.0
harbor-jobservice  | 2026-03-19T09:19:38Z [INFO] [/pkg/scan/job.go:229]: Get report for mime type: application/vnd.cyclonedx+json
registry           | time="2026-03-19T09:19:39.134509934Z" level=info msg="authorized request" go.version=go1.24.11 http.request.host="core:8080" http.request.id=644f97c5-c564-42e2-8e93-f00b8e2f82b9 http.request.method=GET http.request.remoteaddr=172.18.0.8 http.request.uri="/v2/<NAME_OF_MY_COMPANY>/sauron/api/manifests/sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a" http.request.useragent="trivy/0.69.3" vars.name="<NAME_OF_MY_COMPANY>/sauron/api" vars.reference="sha256:b07f85224bc5c030fc28565575fe086754c1fa0d5a374b6b29c3bf3a4bb0b17a" 

Logs showing error on the scan

harbor-jobservice  | 2026-03-19T09:19:40Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0 is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:19:50Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:19:50Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.cyclonedx+json is not ready yet, retry after 5 seconds
syft-adapter       | INFO:     172.18.0.11:52980 - "GET /api/v1/scan/66d41b27-c3d9-409b-97f7-a389cf317c27/report HTTP/1.1" 200 OK
registry           | ::1 - - [19/Mar/2026:09:19:56 +0000] "GET / HTTP/1.1" 200 0 "" "curl/8.16.0"
syft-adapter       | INFO:     172.18.0.11:52964 - "GET /api/v1/scan/66d41b27-c3d9-409b-97f7-a389cf317c27/report HTTP/1.1" 200 OK
registry           | 172.18.0.9 - - [19/Mar/2026:09:19:56 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
harbor-portal      | 172.18.0.9 - - [19/Mar/2026:09:19:56 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
syft-adapter       | INFO:     172.18.0.11:52986 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
registryctl        | 172.18.0.9 - - [19/Mar/2026:09:19:56 +0000] "GET /api/health HTTP/1.1" 200 9
syft-adapter       | INFO:     172.18.0.11:52992 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
syft-adapter       | INFO:     172.18.0.11:52996 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
harbor-jobservice  | 2026-03-19T09:19:56Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/spdx+json is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:19:56Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.security.sbom.report+json; version=1.0 is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:19:56Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.cyclonedx+json is not ready yet, retry after 5 seconds
harbor-core        | 2026-03-19T09:19:56Z [INFO] [/pkg/task/dao/execution.go:507]: scanned out 2 executions with outdate status, refresh status to db
harbor-core        | 2026-03-19T09:19:56Z [INFO] [/pkg/task/dao/execution.go:548]: refresh outdate execution status done, 2 succeed, 0 failed
harbor-jobservice  | 2026-03-19T09:19:58Z [INFO] [/pkg/scan/postprocessors/report_converters.go:198][report="7be607c3-8e36-47be-8801-f6b0468c6ca2" scanner="4b7d6b72-22b7-11f1-8b6d-5265ac2ef9fe" vulnerabilityRecords="3034"]: Converted vulnerability records to the new schema
harbor-jobservice  | 2026-03-19T09:19:59Z [INFO] [/pkg/scan/postprocessors/report_converters.go:198][report="cccbed2e-cde4-473d-a123-b3a6b0f5a68b" scanner="4b7d6b72-22b7-11f1-8b6d-5265ac2ef9fe" vulnerabilityRecords="3034"]: Converted vulnerability records to the new schema
harbor-jobservice  | 2026-03-19T09:19:59Z [INFO] [/jobservice/runner/redis.go:152]: Job 'IMAGE_SCAN:7d8c1ea3b0709fc3c5e955dd' exit with success
registry           | time="2026-03-19T09:19:59.226867343Z" level=info msg="response completed" go.version=go1.24.11 http.request.host="core:8080" http.request.id=e9417e31-d241-441a-8150-52498eda9a8d http.request.method=GET http.request.remoteaddr=172.18.0.8 http.request.uri="/v2/<NAME_OF_MY_COMPANY>/sauron/api/blobs/sha256:6b54ec5e1ddf0cad6bf0822070fbd56c9968841d63402fdf14b58b05589b1924" http.request.useragent="go-containerregistry/v0.20.3" http.response.contenttype="application/octet-stream" http.response.duration=1.253089259s http.response.status=200 http.response.written=48938674 
registry           | 172.18.0.9 - - [19/Mar/2026:09:19:57 +0000] "GET /v2/<NAME_OF_MY_COMPANY>/sauron/api/blobs/sha256:6b54ec5e1ddf0cad6bf0822070fbd56c9968841d63402fdf14b58b05589b1924 HTTP/1.1" 200 48938674 "" "go-containerregistry/v0.20.3"
syft-adapter       | INFO:     172.18.0.11:42888 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
syft-adapter       | INFO:     172.18.0.11:42896 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
syft-adapter       | INFO:     172.18.0.11:42902 - "GET /api/v1/scan/b332bd02-c1a9-44b6-85df-38b04a7750ea/report?sbom_media_type=application%2Fspdx%2Bjson HTTP/1.1" 302 Found
harbor-jobservice  | 2026-03-19T09:20:01Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.security.sbom.report+json; version=1.0 is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:20:01Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/spdx+json is not ready yet, retry after 5 seconds
harbor-jobservice  | 2026-03-19T09:20:01Z [INFO] [/pkg/scan/job.go:255]: Report with mime type application/vnd.cyclonedx+json is not ready yet, retry after 5 seconds
syft-adapter       | INFO:app.main:SBOM OCI artifact pushed: digest=sha256:65e26f09c19f9c80b33dec9f064e82d4d43a40bf0c93040424f2c59a9bb5e516 repo=<NAME_OF_MY_COMPANY>/sauron/api
harbor-core        | 2026-03-19T09:20:24Z [ERROR] [/controller/event/handler/internal/artifact.go:264]: scan artifact <NAME_OF_MY_COMPANY>/sauron/api@sha256:65e26f09c19f9c80b33dec9f064e82d4d43a40bf0c93040424f2c59a9bb5e516 failed, error: the configured scanner Syft does not support scanning artifact with mime type application/vnd.oci.image.manifest.v1+json
harbor-core        | 2026-03-19T09:20:26Z [ERROR] [/controller/event/handler/internal/artifact.go:264]: scan artifact <NAME_OF_MY_COMPANY>/sauron/api@sha256:fcefd326213b989b2cd0dee7ec6181afca54abe9d7c615cf59239dfb13920e90 failed, error: the configured scanner Syft does not support scanning artifact with mime type application/vnd.oci.image.manifest.v1+json
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/pkg/scan/sbom/sbom.go:106]: error when create accessory from image Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/pkg/scan/job.go:307]: handler failed at PostScan, report 2774f024-0f08-4945-8a95-dadfe2788ffb, error Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/jobservice/runner/redis.go:123]: Job 'IMAGE_SCAN:49702c511a9666c0f9861ded' exit with error: run error: Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-portal      | 127.0.0.1 - - [19/Mar/2026:09:20:27 +0000] "GET / HTTP/1.1" 200 785 "-" "curl/8.16.0"
harbor-jobservice  | 2026-03-19T09:20:27Z [INFO] [/jobservice/worker/cworker/reaper.go:134]: Start: reap outdated job stats
harbor-jobservice  | 2026-03-19T09:20:27Z [INFO] [/jobservice/worker/cworker/reaper.go:223]: End: reap outdated job stats

Main error seems to be at PostScan :

harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/pkg/scan/job.go:307]: handler failed at PostScan, report 2774f024-0f08-4945-8a95-dadfe2788ffb, error Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/jobservice/runner/redis.go:123]: Job 'IMAGE_SCAN:49702c511a9666c0f9861ded' exit with error: run error: Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client

I don't really know what I'm doing wrong, but the SBOM never becomes available through the UI...

The vulnerability scan worked, though!
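
A triage sketch for the log excerpt above, as an added example that is not part of the original issue or of Harbor: it groups ERROR lines by source location, records each job's exit status, and flags any failed request whose scheme differs from the `registry.url` the adapter logged for the same host and port. The sample lines are copied from the logs in this issue; the function names and the report layout are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: lines copied from the logs quoted in this issue.
SAMPLE_LOG = """\
syft-adapter       | INFO:app.main:Scan request: registry.url='http://core:8080' authorization_present=True capabilities=['sbom']
harbor-jobservice  | 2026-03-19T09:19:59Z [INFO] [/jobservice/runner/redis.go:152]: Job 'IMAGE_SCAN:7d8c1ea3b0709fc3c5e955dd' exit with success
harbor-core        | 2026-03-19T09:20:24Z [ERROR] [/controller/event/handler/internal/artifact.go:264]: scan artifact <NAME_OF_MY_COMPANY>/sauron/api@sha256:65e26f09c19f9c80b33dec9f064e82d4d43a40bf0c93040424f2c59a9bb5e516 failed, error: the configured scanner Syft does not support scanning artifact with mime type application/vnd.oci.image.manifest.v1+json
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/pkg/scan/sbom/sbom.go:106]: error when create accessory from image Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/pkg/scan/job.go:307]: handler failed at PostScan, report 2774f024-0f08-4945-8a95-dadfe2788ffb, error Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
harbor-jobservice  | 2026-03-19T09:20:26Z [ERROR] [/jobservice/runner/redis.go:123]: Job 'IMAGE_SCAN:49702c511a9666c0f9861ded' exit with error: run error: Get "https://core:8080/v2/": http: server gave HTTP response to HTTPS client
"""

# "<service> | <timestamp> [LEVEL] [<file>:<line>]: <message>", the layout of the
# harbor-core and harbor-jobservice lines above (optional extra [k=v] group allowed).
HARBOR_LINE = re.compile(
    r"^(?P<svc>[\w-]+)\s+\|\s+(?P<ts>\S+Z) \[(?P<level>[A-Z]+)\] "
    r"\[(?P<src>[^\]]+)\](?:\[[^\]]*\])*: (?P<msg>.*)$"
)
REGISTRY_URL = re.compile(r"registry\.url='([^']+)'")
FAILED_GET = re.compile(r'Get "([^"]+)": http: server gave HTTP response to HTTPS client')
JOB_EXIT = re.compile(r"Job '([^']+)' exit with (success|error)")


def scheme_mismatches(registry_urls, failed_urls):
    """Pair each failed request with a logged registry URL on the same
    host:port that uses a different scheme."""
    pairs = []
    for failed in sorted(failed_urls):
        for reg in sorted(registry_urls):
            f, r = urlsplit(failed), urlsplit(reg)
            if f.netloc == r.netloc and f.scheme != r.scheme:
                pairs.append({"failed_request": failed,
                              "scan_request_registry_url": reg})
    return pairs


def triage(log_text):
    """Summarise a combined docker-compose log of a Harbor scan run."""
    registry_urls, failed_urls = set(), set()
    jobs, errors = {}, []
    for line in log_text.splitlines():
        reg = REGISTRY_URL.search(line)          # adapter-side scan request
        if reg:
            registry_urls.add(reg.group(1))
        entry = HARBOR_LINE.match(line)          # harbor-core / jobservice line
        if not entry:
            continue
        job = JOB_EXIT.search(entry["msg"])
        if job:
            jobs[job.group(1)] = job.group(2)
        if entry["level"] == "ERROR":
            errors.append((entry["ts"], entry["svc"], entry["src"]))
            failed = FAILED_GET.search(entry["msg"])
            if failed:
                failed_urls.add(failed.group(1))
    return {
        "jobs": jobs,
        "errors_by_source": dict(Counter(src for _, _, src in errors)),
        # ISO-8601 timestamps sort lexicographically, so min() is the earliest.
        "first_error": min(errors)[1:] if errors else None,
        "scheme_mismatches": scheme_mismatches(registry_urls, failed_urls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```
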
