Commit 27fe61d

committed
Fixes to annotations
Add a solution to the deny_unpermitted_urls rule. Move the custom collections from the package annotation onto the individual rules, plus some minor cleanups.
1 parent d471a1a commit 27fe61d

5 files changed

Lines changed: 32 additions & 28 deletions

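--- a/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc
+++ b/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc
@@ -13,11 +13,13 @@ Each Maven package listed in an SBOM must specify the repository URL that it com
 
 Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
 
+*Solution*: The Maven artifact originates from an untrusted or unpermitted repository. To resolve this, ensure the dependency is sourced from a repository defined in the 'allowed_maven_repositories' list in your policy configuration. If the repository is internal, add its URL to the allowed list in rule_data.
+
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `maven_repos.deny_unpermitted_urls`
 * Effective from: `2026-05-10T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L41[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L36[Source, window="_blank"]
 
 [#maven_repos__policy_data_missing]
 === link:#maven_repos__policy_data_missing[Policy data validation]
@@ -29,4 +31,4 @@ Ensures the required allowed_maven_repositories list is provided.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Policy data is missing the required "%s" list`
 * Code: `maven_repos.policy_data_missing`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L23[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L17[Source, window="_blank"]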

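--- a/antora/docs/modules/ROOT/pages/release_policy.adoc
+++ b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -105,7 +105,7 @@ a| Include the set of policy rules required for Red Hat products.
 
 Rules included:
 
-* xref:packages/release_maven_repos.adoc#maven_repos_package[All maven artifacts have known repository URLs: All maven artifacts have known repository URLs]
+* xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[All maven artifacts have known repository URLs: Policy data validation]
 * xref:packages/release_attestation_type.adoc#attestation_type__deprecated_policy_attestation_format[Attestation type: Deprecated policy attestation format]
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_type[Attestation type: Known attestation type found]
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_types_provided[Attestation type: Known attestation types provided]
@@ -243,7 +243,8 @@ a| Ruleset for validating artifacts built via Red Hat Maven repositories.
 
 Rules included:
 
-* xref:packages/release_maven_repos.adoc#maven_repos_package[All maven artifacts have known repository URLs: All maven artifacts have known repository URLs]
+* xref:packages/release_maven_repos.adoc#maven_repos__deny_unpermitted_urls[All maven artifacts have known repository URLs: Known Repository URLs]
+* xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[All maven artifacts have known repository URLs: Policy data validation]
 
 | [#redhat_rpms]`redhat_rpms`
 a| Include the set of policy rules required for building Red Hat RPMs.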

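--- a/policy/lib/sbom/maven_test.rego
+++ b/policy/lib/sbom/maven_test.rego
@@ -2,8 +2,6 @@ package lib.sbom_test
 
 import data.lib
 import data.lib.sbom
-import future.keywords.if
-import future.keywords.in
 
 test_cyclonedx_maven_extraction if {
 mock_components := [{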

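--- a/policy/release/maven_repos/maven_repos.rego
+++ b/policy/release/maven_repos/maven_repos.rego
@@ -5,18 +5,12 @@
 # comes from, and that URL must be present in the list of known and permitted
 # Maven repositories. If no URL is specified, the package is assumed to come
 # from Maven Central.
-# custom:
-# collections:
-# - redhat
-# - redhat_maven
-#
 package release.maven_repos
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 import data.lib
+import data.lib.metadata
 import data.lib.rule_data
 import data.lib.sbom
 
@@ -31,8 +25,9 @@ import data.lib.sbom
 # provided to the policy, and that it contains a list of authorized
 # repository URLs.
 # collections:
+# - redhat
+# - redhat_maven
 # - policy_data
-# severity: failure
 deny contains result if {
 some key in _rule_data_errors
 result := lib.result_helper(rego.metadata.chain(), [key])
@@ -45,15 +40,20 @@ deny contains result if {
 # comes from, and that URL must be present in the list of known and permitted
 # Maven repositories. If no URL is specified, the package is assumed to come
 # from Maven Central.
-# scope: rule
 # custom:
 # short_name: deny_unpermitted_urls
 # failure_msg: '%s'
+# solution: >-
+# The Maven artifact originates from an untrusted or unpermitted repository.
+# To resolve this, ensure the dependency is sourced from a repository defined
+# in the 'allowed_maven_repositories' list in your policy configuration.
+# If the repository is internal, add its URL to the allowed list in rule_data.
 # effective_on: 2026-05-10T00:00:00Z
+# collections:
+# - redhat_maven
 deny contains result if {
 some err in _repo_url_errors
-base := lib.result_helper(rego.metadata.chain(), [err.msg])
-result := object.union(base, {"term": err.purl})
+result := metadata.result_helper_with_term(rego.metadata.chain(), [err.msg], err.purl)
 }
 
 _repo_url_errors contains err if {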
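Review bot: After the third hunk `deny_unpermitted_urls` belongs only to the `redhat_maven` collection, while the second hunk puts `policy_data_missing` in `redhat`, `redhat_maven` and `policy_data`, so a policy that selects the `redhat` collection must supply `allowed_maven_repositories` yet never has the repository-URL check applied; the release_policy.adoc change in this commit shows the `redhat` collection now listing only the data-validation rule. If restricting enforcement to Maven builds is intended, the commit message should say so and the `redhat` entry on `policy_data_missing` looks unnecessary; if it is not, add `#   - redhat` under the new `collections:` on `deny_unpermitted_urls`. The added `solution:` text tells users to add internal URLs to `rule_data`; since widening that allowlist is exactly what weakens this control, I would append a sentence such as `Changes to the allowed list should be reviewed, because every URL added is trusted as a source of artifacts.` The `_repo_url_errors` rule starts on the hunk's last line and its body continues outside it.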

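--- a/policy/release/maven_repos/maven_repos_test.rego
+++ b/policy/release/maven_repos/maven_repos_test.rego
@@ -1,9 +1,8 @@
 package release.maven_repos_test
 
-import data.lib
+import data.lib.assertions
 import data.lib.sbom
 import data.release.maven_repos
-import future.keywords.if
 
 mock_data := {"allowed_maven_repositories": [
 "https://repo.maven.apache.org/maven2/",
@@ -17,7 +16,7 @@ test_cyclonedx_permitted if {
 "externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -31,7 +30,7 @@ test_spdx_permitted if {
 }],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.spdx_sboms as [spdx_input]
 }
 
@@ -42,7 +41,7 @@ test_default_maven_central_pass if {
 "externalRefs": [],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -63,11 +62,12 @@ test_default_cdx_fail if {
 expected := {{
 "code": "release.maven_repos.deny_unpermitted_urls",
 "msg": expected_msg,
+"collections": ["redhat_maven"],
 "effective_on": "2026-05-10T00:00:00Z",
 "term": "pkg:maven/org.base/no-url@1.0",
 }}
 
-lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
+assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
 with sbom.cyclonedx_sboms as [mock_cdx]
 }
 
@@ -86,11 +86,11 @@ test_spdx_default_fail if {
 test_missing_rule_data if {
 expected := {{
 "code": "release.maven_repos.policy_data_missing",
-"collections": ["policy_data"],
+"collections": ["redhat", "redhat_maven", "policy_data"],
 "effective_on": "2022-01-01T00:00:00Z",
 "msg": "Policy data is missing the required \"allowed_maven_repositories\" list",
 }}
-lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
+assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
 }
 
 test_get_effective_url_provided if {
@@ -170,12 +170,14 @@ test_repo_url_errors_collision_from_mixed_sources if {
 {
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-cdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 },
 {
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 },
@@ -185,7 +187,7 @@ test_repo_url_errors_collision_from_mixed_sources if {
 with sbom.spdx_sboms as [mock_spdx]
 with data.rule_data as mock_data
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_repo_url_errors_mixed_permitted_and_unpermitted if {
@@ -204,6 +206,7 @@ test_repo_url_errors_mixed_permitted_and_unpermitted if {
 expected := {{
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 }}
@@ -212,5 +215,5 @@ test_repo_url_errors_mixed_permitted_and_unpermitted if {
 with sbom.spdx_sboms as [mock_spdx]
 with data.rule_data as mock_data
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }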
