refactor: vuln filtering logic

Sypher845 · Sypher845 · commit a744965bfa39 · 2026-03-20T03:39:17.000+05:30
Signed-off-by: Sypher845 &lt;suyashpatil845@gmail.com&gt;
diff --git a/cmd/harbor/root/vulnerability/list.go b/cmd/harbor/root/vulnerability/list.go
@@ -16,6 +16,7 @@ package vulnerability
 import (
 	"fmt"
 
+	"github.com/goharbor/go-client/pkg/sdk/v2.0/models"
 	"github.com/goharbor/harbor-cli/pkg/api"
 	"github.com/goharbor/harbor-cli/pkg/utils"
 	vulnlist "github.com/goharbor/harbor-cli/pkg/views/vulnerability/list"
@@ -42,24 +43,24 @@ func ListVulnerabilitiesCommand() *cobra.Command {
 				return fmt.Errorf("page size should be less than or equal to 100")
 			}
 
-			response, err := api.ListVulnerabilities(opts)
+			allVulnerabilities, hasNext, err := fetchVulnerabilities(opts)
 			if err != nil {
 				return fmt.Errorf("failed to list vulnerabilities: %v", utils.ParseHarborErrorMsg(err))
 			}
 
-			if len(response.Payload) == 0 {
+			if len(allVulnerabilities) == 0 {
 				log.Info("No vulnerabilities found")
 				return nil
 			}
 
 			formatFlag := viper.GetString("output-format")
 			if formatFlag != "" {
-				err = utils.PrintFormat(response.Payload, formatFlag)
+				err = utils.PrintFormat(allVulnerabilities, formatFlag)
 				if err != nil {
 					return err
 				}
 			} else {
-				vulnlist.ViewVulnerabilityList(response.Payload)
+				vulnlist.ViewVulnerabilityList(allVulnerabilities, hasNext)
 			}
 
 			return nil
@@ -71,7 +72,7 @@ func ListVulnerabilitiesCommand() *cobra.Command {
 	flags.Int64VarP(&opts.PageSize, "page-size", "", 10, "Size of per page")
 	flags.StringVarP(&opts.Q, "query", "q", "", "Filter vulnerabilities with a ',' separated query string like exact k=v and range k=[min~max]")
 	flags.StringVarP(&opts.CVEID, "cve-id", "", "", "Filter by exact CVE ID")
-	flags.StringVarP(&opts.CVSSScore, "cvss-score", "", "", "Filter by CVSS v3 score range (e.g. [7.0~10.0])")
+	flags.StringVarP(&opts.CVSSScore, "cvss-score", "", "", "Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)")
 	flags.StringVarP(&opts.Severity, "severity", "", "", "Filter by severity level")
 	flags.StringVarP(&opts.Repository, "repository", "", "", "Filter by exact repository name")
 	flags.StringVarP(&opts.ProjectName, "project-name", "", "", "Filter by exact project name")
@@ -83,3 +84,33 @@ func ListVulnerabilitiesCommand() *cobra.Command {
 
 	return cmd
 }
+
+func fetchVulnerabilities(opts api.ListVulnerabilityOptions) ([]*models.VulnerabilityItem, bool, error) {
+	var allVuln []*models.VulnerabilityItem
+	if opts.PageSize == 0 {
+		log.Debug("Page size is 0, will fetch all vulnerabilities")
+		opts.PageSize = 100
+		opts.Page = 1
+		for {
+			response, err := api.ListVulnerabilities(opts)
+			if err != nil {
+				return nil, false, fmt.Errorf("failed to list vulnerabilities: %v", utils.ParseHarborErrorMsg(err))
+			}
+			if len(response.Payload) == 0 {
+				break
+			}
+			allVuln = append(allVuln, response.Payload...)
+			opts.Page++
+			if opts.Page > 10 {
+				return allVuln, true, nil
+			}
+		}
+	} else {
+		response, err := api.ListVulnerabilities(opts)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to list vulnerabilities: %v", utils.ParseHarborErrorMsg(err))
+		}
+		allVuln = append(allVuln, response.Payload...)
+	}
+	return allVuln, false, nil
+}
diff --git a/doc/cli-docs/harbor-vulnerability-list.md b/doc/cli-docs/harbor-vulnerability-list.md
@@ -26,7 +26,7 @@ harbor vulnerability list [flags]
 
 ```sh
       --cve-id string         Filter by exact CVE ID
-      --cvss-score string     Filter by CVSS v3 score range (e.g. [7.0~10.0])
+      --cvss-score string     Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)
       --digest string         Filter by exact artifact digest
       --exclude string        Exclude vulnerabilities using a ',' separated query string (e.g., k=v or k=[min~max])
       --fixable               Only show fixable vulnerabilities
diff --git a/doc/man-docs/man1/harbor-vulnerability-list.1 b/doc/man-docs/man1/harbor-vulnerability-list.1
@@ -19,7 +19,7 @@ List vulnerabilities from Harbor Security Hub
 
 .PP
 \fB--cvss-score\fP=""
-	Filter by CVSS v3 score range (e.g. [7.0~10.0])
+	Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)
 
 .PP
 \fB--digest\fP=""
diff --git a/pkg/api/vulnerability_handler.go b/pkg/api/vulnerability_handler.go
@@ -55,8 +55,55 @@ func ListVulnerabilities(opts ...ListVulnerabilityOptions) (*securityhub.ListVul
 	if err != nil {
 		return nil, err
 	}
-
 	listFlags.WithTag = true
+
+	if listFlags.Fixable || listFlags.Exclude != "" {
+		excludeMap := parseVulnerabilityExcludeMap(listFlags.Exclude)
+		var res []*models.VulnerabilityItem
+		start := int((listFlags.Page - 1) * listFlags.PageSize)
+		end := int(listFlags.Page * listFlags.PageSize)
+		count := 0
+		for page := int64(1); count < end; page++ {
+			response, err := client.Securityhub.ListVulnerabilities(ctx, &securityhub.ListVulnerabilitiesParams{
+				Page:     &page,
+				PageSize: &listFlags.PageSize,
+				Q:        &q,
+				WithTag:  &listFlags.WithTag,
+			})
+			if err != nil {
+				return nil, err
+			}
+			if len(response.Payload) == 0 {
+				break
+			}
+
+			response.Payload = filterVulnerabilities(
+				response.Payload,
+				listFlags.Fixable,
+				listFlags.Exclude != "",
+				excludeMap,
+			)
+
+			for _, vul := range response.Payload {
+				if count >= start && count < end {
+					res = append(res, vul)
+				}
+				count++
+				if count >= end {
+					break
+				}
+			}
+		}
+		if len(res) == 0 {
+			return &securityhub.ListVulnerabilitiesOK{
+				Payload: nil,
+			}, nil
+		}
+		return &securityhub.ListVulnerabilitiesOK{
+			Payload: res,
+		}, nil
+	}
+
 	response, err := client.Securityhub.ListVulnerabilities(ctx, &securityhub.ListVulnerabilitiesParams{
 		Page:     &listFlags.Page,
 		PageSize: &listFlags.PageSize,
@@ -66,40 +113,10 @@ func ListVulnerabilities(opts ...ListVulnerabilityOptions) (*securityhub.ListVul
 	if err != nil {
 		return nil, err
 	}
-
-	if listFlags.Fixable {
-		response.Payload = slices.DeleteFunc(response.Payload, func(vul *models.VulnerabilityItem) bool {
-			return vul.FixedVersion == ""
-		})
-	}
-
-	if listFlags.Exclude != "" {
-		excludeMap := make(map[string]string)
-		for _, query := range strings.Split(listFlags.Exclude, ",") {
-			parts := strings.SplitN(strings.TrimSpace(query), "=", 2)
-			if len(parts) == 2 {
-				excludeMap[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
-			}
-		}
-
-		response.Payload = slices.DeleteFunc(response.Payload, func(vul *models.VulnerabilityItem) bool {
-			if val, ok := excludeMap["cve_id"]; ok && vul.CVEID == val {
-				return true
-			}
-			if val, ok := excludeMap["severity"]; ok && strings.EqualFold(vul.Severity, val) {
-				return true
-			}
-			if val, ok := excludeMap["package"]; ok && vul.Package == val {
-				return true
-			}
-			if val, ok := excludeMap["repository_name"]; ok && vul.RepositoryName == val {
-				return true
-			}
-			if val, ok := excludeMap["digest"]; ok && vul.Digest == val {
-				return true
-			}
-			return false
-		})
+	if len(response.Payload) == 0 {
+		response.Payload = nil
+		response.XTotalCount = 0
+		return response, nil
 	}
 
 	return response, nil
@@ -111,9 +128,31 @@ func buildVulnerabilityQuery(opts ListVulnerabilityOptions) (string, error) {
 		queries = append(queries, fmt.Sprintf("cve_id=%s", opts.CVEID))
 	}
 	if opts.CVSSScore != "" {
-		queries = append(queries, fmt.Sprintf("cvss_score_v3=%s", opts.CVSSScore))
+		cvssRange := opts.CVSSScore
+		if strings.Contains(cvssRange, "~") {
+			parts := strings.Split(cvssRange, "~")
+			if len(parts) == 2 {
+				cvssRange = fmt.Sprintf("[%s~%s]", parts[0], parts[1])
+			} else {
+				return "", fmt.Errorf("invalid cvss score range: %s. Expected format: min~max", cvssRange)
+			}
+		} else {
+			cvssRange = fmt.Sprintf("[%s~%s]", opts.CVSSScore, opts.CVSSScore)
+		}
+		queries = append(queries, fmt.Sprintf("cvss_score_v3=%s", cvssRange))
 	}
 	if opts.Severity != "" {
+		allowedSeverities := map[string]bool{
+			"Critical": true,
+			"High":     true,
+			"Medium":   true,
+			"Low":      true,
+			"n/a":      true,
+			"None":     true,
+		}
+		if !allowedSeverities[opts.Severity] {
+			return "", fmt.Errorf("invalid severity value: %s. Allowed values are: Low, Medium, High, Critical, n/a, None", opts.Severity)
+		}
 		queries = append(queries, fmt.Sprintf("severity=%s", opts.Severity))
 	}
 	if opts.Repository != "" {
@@ -136,8 +175,55 @@ func buildVulnerabilityQuery(opts ListVulnerabilityOptions) (string, error) {
 		queries = append(queries, fmt.Sprintf("digest=%s", opts.Digest))
 	}
 	if opts.Q != "" {
+		// FIXME: Q parameter needs to be converted to standard query format
+		// This will be addressed in draft PR #731
 		queries = append(queries, opts.Q)
 	}
 
 	return strings.Join(queries, ","), nil
 }
+
+func parseVulnerabilityExcludeMap(exclude string) map[string]string {
+	excludeMap := make(map[string]string)
+	for _, query := range strings.Split(exclude, ",") {
+		parts := strings.SplitN(strings.TrimSpace(query), "=", 2)
+		if len(parts) == 2 {
+			excludeMap[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
+		}
+	}
+	return excludeMap
+}
+
+func filterVulnerabilities(
+	payload []*models.VulnerabilityItem,
+	fixable bool,
+	excludeProvided bool,
+	excludeMap map[string]string,
+) []*models.VulnerabilityItem {
+	return slices.DeleteFunc(payload, func(vul *models.VulnerabilityItem) bool {
+		if fixable && vul.FixedVersion == "" {
+			return true
+		}
+
+		if !excludeProvided {
+			return false
+		}
+
+		if val, ok := excludeMap["cve_id"]; ok && vul.CVEID == val {
+			return true
+		}
+		if val, ok := excludeMap["severity"]; ok && vul.Severity == val {
+			return true
+		}
+		if val, ok := excludeMap["package"]; ok && vul.Package == val {
+			return true
+		}
+		if val, ok := excludeMap["repository_name"]; ok && vul.RepositoryName == val {
+			return true
+		}
+		if val, ok := excludeMap["digest"]; ok && vul.Digest == val {
+			return true
+		}
+		return false
+	})
+}
diff --git a/pkg/views/vulnerability/list/view.go b/pkg/views/vulnerability/list/view.go
@@ -21,25 +21,24 @@ import (
 	"github.com/charmbracelet/bubbles/table"
 	"github.com/charmbracelet/x/ansi"
 	"github.com/goharbor/go-client/pkg/sdk/v2.0/models"
-	"github.com/goharbor/harbor-cli/pkg/api"
+	"github.com/goharbor/harbor-cli/pkg/utils"
 	"github.com/goharbor/harbor-cli/pkg/views/base/tablelist"
 )
 
 var columns = []table.Column{
 	{Title: "CVE ID", Width: tablelist.WidthL},
 	{Title: "Description", Width: tablelist.WidthXXL},
-	{Title: "Project", Width: tablelist.WidthM},
-	{Title: "Repository", Width: tablelist.WidthM},
+	{Title: "Repository", Width: tablelist.WidthL},
 	{Title: "Digest", Width: tablelist.WidthM},
-	{Title: "Tags", Width: tablelist.WidthS},
+	{Title: "Tags", Width: tablelist.WidthM},
 	{Title: "CVSSV3", Width: tablelist.WidthS},
 	{Title: "Severity", Width: tablelist.WidthS},
 	{Title: "Package", Width: tablelist.WidthM},
 	{Title: "Version", Width: tablelist.WidthM},
 	{Title: "Fixed", Width: tablelist.WidthM},
 }
 
-func ViewVulnerabilityList(vulnerabilities []*models.VulnerabilityItem) {
+func ViewVulnerabilityList(vulnerabilities []*models.VulnerabilityItem, hasNext bool) {
 	if vulnerabilities == nil {
 		fmt.Println("No vulnerabilities found")
 		return
@@ -54,15 +53,9 @@ func ViewVulnerabilityList(vulnerabilities []*models.VulnerabilityItem) {
 		}
 
 		cveLinks[vulnerability.CVEID] = link
-		projectName := strconv.FormatInt(vulnerability.ProjectID, 10)
-		project, err := api.GetProject(projectName, true)
-		if err == nil && project.Payload != nil {
-			projectName = project.Payload.Name
-		}
 		rows = append(rows, table.Row{
 			vulnerability.CVEID,
 			vulnerability.Desc,
-			projectName,
 			vulnerability.RepositoryName,
 			vulnerability.Digest,
 			strings.Join(vulnerability.Tags, ", "),
@@ -83,4 +76,21 @@ func ViewVulnerabilityList(vulnerabilities []*models.VulnerabilityItem) {
 	}
 
 	fmt.Println(tableOutput)
+	if hasNext {
+		var hintURL string
+		if cfg, err := utils.GetCurrentHarborConfig(); err == nil {
+			for _, cred := range cfg.Credentials {
+				if cred.Name == cfg.CurrentCredentialName {
+					hintURL = strings.TrimRight(cred.ServerAddress, "/") + "/harbor/interrogation-services/security-hub"
+					break
+				}
+			}
+		}
+
+		if hintURL != "" {
+			fmt.Printf("More results at: %s%s%s\n", ansi.SetHyperlink(hintURL), hintURL, ansi.ResetHyperlink())
+		} else {
+			fmt.Println("More results available in the Harbor web console")
+		}
+	}
 }
