Don't always skip vuln check when artifact is not scannable

[reasonerjt]

fixes #22143

This commit makes update to the vulnerable policy middleware. So that it will skip the sheck only when the artifact is not scannable AND it does not have a scan report.

Thank you for contributing to Harbor!

Comprehensive Summary of your change

Issue being fixed

Fixes #22143

Please indicate you've done the following:

• Well Written Title and Summary of the PR
• Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
• Accepted the DCO. Commits without the DCO will delay acceptance.
• Made sure tests are passing and test coverage is added if needed.
• Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.88%. Comparing base (c8c11b4) to head (ad36c9c).
Report is 518 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #22187       +/-   ##
===========================================
+ Coverage   45.36%   65.88%   +20.51%     
===========================================
  Files         244     1072      +828     
  Lines       13333   115792   +102459     
  Branches     2719     2925      +206     
===========================================
+ Hits         6049    76292    +70243     
- Misses       6983    35273    +28290     
- Partials      301     4227     +3926     

Flag	Coverage Δ
unittests	65.88% <100.00%> (+20.51%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/server/middleware/vulnerable/vulnerable.go	93.25% <100.00%> (ø)

... and 985 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

This PR fixes the vulnerability policy middleware to properly handle artifacts that are not scannable but may have existing scan reports. The key change is to only skip vulnerability checks when an artifact is both not scannable AND does not have a scan report, rather than always skipping when not scannable.

• Restructures the vulnerability checking logic to first attempt to get scan results, then check scannability only if no report exists
• Updates existing tests and adds new test cases to cover the scenario where artifacts are not scannable but have existing scan reports
• Improves the middleware to handle cases where scanners may be disconnected but previous scan data is available

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/server/middleware/vulnerable/vulnerable.go	Restructures vulnerability checking logic to prioritize existing scan reports over scannability status
src/server/middleware/vulnerable/vulnerable_test.go	Updates existing tests and adds new test cases for non-scannable artifacts with and without scan reports

[Copilot]

[nitpick] The variables allowlist and projectSeverity are now declared before they are needed. Consider moving their declarations closer to their first usage to improve code readability and reduce cognitive load.

Suggested change

	allowlist := proj.CVEAllowlist.CVESet()
	projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
	allowlist := proj.CVEAllowlist.CVESet()
	projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())

[Copilot]

The indentation appears inconsistent. The if !scannable { block should be properly aligned with the surrounding code structure.

[chlins]

lgtm

[wy65701436]

lgtm