Expected behavior and actual behavior:
I create a Robot account with the required permissions (system permissions: Export CVE [Create + Read] and project permissions: Artifact Addition [Read]) to perform the Export CVE operation. I call the endpoint api/v2.0/export/cve using the built-in Swagger tool. I expect to get a 2xx response code but instead get error 403 Forbidden.
Steps to reproduce the problem:
Create an instance-level robot account with system permissions Export CVE (Create, Read) and project permission Artifact Addition (Read)
Call the endpoint like this:
```bash
curl -X 'POST' \
  'https://yourharborurl.com/api/v2.0/export/cve' \
  -H 'accept: application/json' \
  -H 'X-Scan-Data-Type: application/vnd.security.vulnerability.report; version=1.1' \
  -H 'authorization: Basic <base64 encoded user:pass>' \
  -H 'Content-Type: application/json' \
  -H 'X-Harbor-CSRF-Token: <CSRF token>' \
  -d '{ "job_name": "test", "projects": [ 7 ]}'
```
OR use the built-in Swagger API authenticated as the created robot user
Get 403 Forbidden back
When calling the same endpoint with my own account it works as expected and returns 2xx with the execution ID.
Versions:
Harbor version: v2.12.0-9da38ae0
Kubernetes v1.30.4
Helm chart version 1.16.0
Additional context:
Log files: I enabled DEBUG logging and can see the following entries in the harbor-core deployment when executing the API call:
```text
2024-12-12T14:38:35Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 13943fbdee88540fa27bd36b9eb6e683 to the logger for the request POST /api/v2.0/export/cve
2024-12-12T14:38:35Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /api/v2.0/export/cve
2024-12-12T14:38:35Z [INFO] [/server/middleware/security/robot.go:71][requestID="13943fbdee88540fa27bd36b9eb6e683"]: a robot security context generated for request POST /api/v2.0/export/cve
2024/12/12 14:38:35 Model:
2024/12/12 14:38:35 r.r: sub, obj, act
2024/12/12 14:38:35 p.p: sub, obj, act, eft
2024/12/12 14:38:35 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2024/12/12 14:38:35 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2024/12/12 14:38:35 g.g: _, _
2024/12/12 14:38:35 Policy:
2024/12/12 14:38:35 p: sub, obj, act, eft: [[robot-bug-report-test /project/7/artifact-addition read allow] [robot-bug-report-test /project/7 read allow] [robot-bug-report-test /project/7/label read allow] [robot-bug-report-test /project/7/label list allow] [robot-bug-report-test /project/7/repository list allow] [robot-bug-report-test /project/7/repository pull allow] [robot-bug-report-test /project/7/scan read allow] [robot-bug-report-test /project/7/scanner read allow] [robot-bug-report-test /project/7/tag list allow] [robot-bug-report-test /project/7/artifact read allow] [robot-bug-report-test /project/7/artifact list allow] [robot-bug-report-test /project/7/artifact-addition read allow] [robot-bug-report-test /project/7/accessory list allow]]
2024/12/12 14:38:35 g: _, _: []
2024/12/12 14:38:35 Role links for: g
2024/12/12 14:38:35
2024/12/12 14:38:35 Request: robot-bug-report-test, /project/7/export-cve, create ---> false
2024-12-12T14:38:35Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"FORBIDDEN","message":"forbidden"}]}
```
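To show why the evaluation in the log ends in `---> false`, the following is an added Go re-implementation of the matcher and effect expressions printed in the log, run against a subset of the robot's policy list from the same log. It is example code, not Harbor's or Casbin's own; its `keyMatch2` is an approximation of the Casbin function of that name, and with no role links (`g: _, _: []`) the `g()` term is assumed to reduce to subject equality.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule mirrors one entry of the "p: sub, obj, act, eft" policy printed in the log.
type rule struct{ sub, obj, act, eft string }

// robotPolicy is a subset of the robot's policy list from the log (sample data).
var robotPolicy = []rule{
	{"robot-bug-report-test", "/project/7/artifact-addition", "read", "allow"},
	{"robot-bug-report-test", "/project/7", "read", "allow"},
	{"robot-bug-report-test", "/project/7/repository", "pull", "allow"},
	{"robot-bug-report-test", "/project/7/artifact", "list", "allow"},
}

// keyMatch2 approximates Casbin's KeyMatch2: "/*" matches any suffix and ":name" one
// path segment. No logged resource uses either, so "/project/7" does NOT match "/project/7/export-cve".
func keyMatch2(reqObj, polObj string) bool {
	pattern := strings.ReplaceAll(polObj, "/*", "/.*")
	pattern = regexp.MustCompile(`:[^/]+`).ReplaceAllString(pattern, "[^/]+")
	return regexp.MustCompile("^" + pattern + "$").MatchString(reqObj)
}

// enforce evaluates the model from the log:
//   m = g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
//   e = some(where (p_eft == allow)) && !some(where (p_eft == deny))
// The log shows "g: _, _: []" (no role links), so g() is taken as subject equality (assumption).
func enforce(policy []rule, sub, obj, act string) bool {
	allow, deny := false, false
	for _, p := range policy {
		if p.sub != sub || !keyMatch2(obj, p.obj) || (act != p.act && p.act != "*") {
			continue
		}
		allow = allow || p.eft == "allow"
		deny = deny || p.eft == "deny"
	}
	return allow && !deny
}

func main() {
	const sub = "robot-bug-report-test"
	// The request the log records as "---> false": no rule names /project/7/export-cve.
	fmt.Println("export-cve create:", enforce(robotPolicy, sub, "/project/7/export-cve", "create"))
	fmt.Println("artifact-addition read:", enforce(robotPolicy, sub, "/project/7/artifact-addition", "read"))
}
```

The denial is purely a policy-shape problem: the robot's rule list covers artifact, scan and repository resources under /project/7 but carries no entry for the export-cve resource, so no rule matches and the effect expression yields false regardless of the system-level Export CVE permission.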