
Commit 92a6957

Merge pull request #1708 from joejstuart/EC-1725
feat(EC-1725): Validate proxy URLs against approved patterns in SBOMs
2 parents 42af9ff + 45b3a0c commit 92a6957

14 files changed

Lines changed: 539 additions & 135 deletions


acceptance/samples/policy-input-golden-container.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -688,6 +688,7 @@
688688
"ENTITLEMENT_SECRET": "etc-pki-entitlement",
689689
"HERMETIC": "true",
690690
"IMAGE": "quay.io/redhat-user-workloads/rhtap-contract-tenant/golden-container/golden-container:d11c0ada39f18f631ff4f54beafa72a9b62dcd7c-arm64",
691+
"enable-hermeto-proxy": "true",
691692
"IMAGE_APPEND_PLATFORM": "false",
692693
"IMAGE_EXPIRES_AFTER": "",
693694
"LABELS": [],
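Review bot: the new key `"enable-hermeto-proxy": "true"` is inserted between `IMAGE` and `IMAGE_APPEND_PLATFORM`, breaking the sorted, upper-case key convention of the surrounding entries; if the lowercase, hyphenated form is deliberate because it mirrors the Tekton parameter name that `_task_has_proxy_enabled` reads (`tekton.task_param(task, "enable-hermeto-proxy") == "true"`), a short comment in the PR or placing it next to `HERMETIC` would make that intent clear. The string value `"true"` is the right form, since the rule compares against the string rather than a boolean.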

antora/docs/modules/ROOT/pages/packages/release_hermetic_task.adoc

Lines changed: 2 additions & 12 deletions
@@ -19,7 +19,7 @@ Verify that hermetic build tasks have the enable-hermeto-proxy parameter set to
1919
* FAILURE message: `Task '%s' is hermetic but does not have the enable-hermeto-proxy parameter set to true`
2020
* Code: `hermetic_task.hermeto_proxy_enabled`
2121
* Effective from: `2026-06-01T00:00:00Z`
22-
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L59[Source, window="_blank"]
22+
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L41[Source, window="_blank"]
2323

2424
[#hermetic_task__hermetic]
2525
=== link:#hermetic_task__hermetic[Task called with hermetic param set]
@@ -31,14 +31,4 @@ Verify the task in the PipelineRun attestation was invoked with the proper param
3131
* Rule type: [rule-type-indicator failure]#FAILURE#
3232
* FAILURE message: `Task '%s' was not invoked with the hermetic parameter set`
3333
* Code: `hermetic_task.hermetic`
34-
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L20[Source, window="_blank"]
35-
36-
[#hermetic_task__proxy_rule_data_format]
37-
=== link:#hermetic_task__proxy_rule_data_format[proxy_enabled_purl_types format]
38-
39-
Confirm the `proxy_enabled_purl_types` and `allowed_proxy_url_patterns` rule data match the expected format.
40-
41-
* Rule type: [rule-type-indicator failure]#FAILURE#
42-
* FAILURE message: `%s`
43-
* Code: `hermetic_task.proxy_rule_data_format`
44-
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L42[Source, window="_blank"]
34+
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L19[Source, window="_blank"]

antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc

Lines changed: 13 additions & 0 deletions
@@ -45,6 +45,19 @@ For each of the components fetched by Hermeto which define externalReferences of
4545
* Effective from: `2024-12-15T00:00:00Z`
4646
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L225[Source, window="_blank"]
4747

48+
[#sbom_cyclonedx__allowed_proxy_urls]
49+
=== link:#sbom_cyclonedx__allowed_proxy_urls[Allowed proxy URLs]
50+
51+
For components with externalReferences of type distribution, verify proxy URLs match at least one pattern from allowed_proxy_url_patterns for the component's PURL type. Only PURL types listed in proxy_enabled_purl_types are checked. The "proxy_enabled_purl_types" rule data key is a list of PURL type strings (e.g. ["maven", "npm"]). The "allowed_proxy_url_patterns" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {"maven": ["^https://proxy\\.example\\.com/maven/.*"]}). Components with a URL of "NOASSERTION" are skipped. If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all components of that type are denied.
52+
53+
*Solution*: Ensure the proxy URL matches one of the patterns defined in the allowed_proxy_url_patterns rule data for the given PURL type.
54+
55+
* Rule type: [rule-type-indicator failure]#FAILURE#
56+
* FAILURE message: `Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q`
57+
* Code: `sbom_cyclonedx.allowed_proxy_urls`
58+
* Effective from: `2026-06-01T00:00:00Z`
59+
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L269[Source, window="_blank"]
60+
4861
[#sbom_cyclonedx__disallowed_package_attributes]
4962
=== link:#sbom_cyclonedx__disallowed_package_attributes[Disallowed package attributes]
5063
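Review bot: the description should say whether patterns are anchored. If the rule matches with `regex.match`, a pattern without `^` and `$` matches anywhere in the URL, so a configured `https://proxy\\.example\\.com/maven/` would also accept a URL that merely contains that string in its path or query; the example pattern does start with `^`, but the prose should state that anchoring is the rule-data author's responsibility (or the rule should anchor the patterns itself), since this check is what stops a hermetic build from pulling components through an unapproved host.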

antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc

Lines changed: 13 additions & 0 deletions
@@ -45,6 +45,19 @@ For each of the packages fetched by Hermeto which define externalReferences, ver
4545
* Effective from: `2025-02-17T00:00:00Z`
4646
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L171[Source, window="_blank"]
4747

48+
[#sbom_spdx__allowed_proxy_urls]
49+
=== link:#sbom_spdx__allowed_proxy_urls[Allowed proxy URLs]
50+
51+
For packages with a PURL type listed in proxy_enabled_purl_types, verify the downloadLocation matches at least one pattern from allowed_proxy_url_patterns. The "proxy_enabled_purl_types" rule data key is a list of PURL type strings (e.g. ["maven", "npm"]). The "allowed_proxy_url_patterns" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {"maven": ["^https://proxy\\.example\\.com/maven/.*"]}). Packages with downloadLocation set to "NOASSERTION" are skipped. If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all packages of that type are denied.
52+
53+
*Solution*: Ensure the proxy URL matches one of the patterns defined in the allowed_proxy_url_patterns rule data for the given PURL type.
54+
55+
* Rule type: [rule-type-indicator failure]#FAILURE#
56+
* FAILURE message: `Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q`
57+
* Code: `sbom_spdx.allowed_proxy_urls`
58+
* Effective from: `2026-06-01T00:00:00Z`
59+
* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L255[Source, window="_blank"]
60+
4861
[#sbom_spdx__contains_files]
4962
=== link:#sbom_spdx__contains_files[Contains files]
5063
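Review bot: the failure message `Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q` is also the one emitted for the case in the last sentence of the description (a type listed in `proxy_enabled_purl_types` with no entry in `allowed_proxy_url_patterns`), where the real cause is missing rule data rather than a bad download location; a distinct message for that case would point operators at the config instead of the SBOM. The same applies to the CycloneDX rule above.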

antora/docs/modules/ROOT/pages/release_policy.adoc

Lines changed: 6 additions & 2 deletions
@@ -77,13 +77,13 @@ Rules included:
7777
* xref:packages/release_cve.adoc#cve__rule_data_provided[CVE checks: Rule data provided]
7878
* xref:packages/release_external_parameters.adoc#external_parameters__pipeline_run_params_provided[External parameters: PipelineRun params provided]
7979
* xref:packages/release_github_certificate.adoc#github_certificate__rule_data_provided[GitHub Certificate Checks: Rule data provided]
80-
* xref:packages/release_hermetic_task.adoc#hermetic_task__proxy_rule_data_format[Hermetic task: proxy_enabled_purl_types format]
8180
* xref:packages/release_labels.adoc#labels__rule_data_provided[Labels: Rule data provided]
8281
* xref:packages/release_olm.adoc#olm__required_olm_features_annotations_provided[OLM: Required OLM feature annotations list provided]
8382
* xref:packages/release_rpm_repos.adoc#rpm_repos__rule_data_provided[RPM Repos: Known repo id list provided]
8483
* xref:packages/release_rpm_signature.adoc#rpm_signature__rule_data_provided[RPM Signature: Rule data provided]
8584
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_external_references[SBOM CycloneDX: Allowed package external references]
8685
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_sources[SBOM CycloneDX: Allowed package sources]
86+
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_proxy_urls[SBOM CycloneDX: Allowed proxy URLs]
8787
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_attributes[SBOM CycloneDX: Disallowed package attributes]
8888
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_external_references[SBOM CycloneDX: Disallowed package external references]
8989
* xref:packages/release_sbom.adoc#sbom__disallowed_packages_provided[SBOM: Disallowed packages list is provided]
@@ -92,6 +92,7 @@ Rules included:
9292
* xref:packages/release_slsa_source_correlated.adoc#slsa_source_correlated__rule_data_provided[SLSA - Verification model - Source: Rule data provided]
9393
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_external_references[SPDX SBOM: Allowed package external references]
9494
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_sources[SPDX SBOM: Allowed package sources]
95+
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_proxy_urls[SPDX SBOM: Allowed proxy URLs]
9596
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_attributes[SPDX SBOM: Disallowed package attributes]
9697
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_external_references[SPDX SBOM: Disallowed package external references]
9798
* xref:packages/release_schedule.adoc#schedule__rule_data_provided[Schedule related checks: Rule data provided]
@@ -124,7 +125,6 @@ Rules included:
124125
* xref:packages/release_cve.adoc#cve__rule_data_provided[CVE checks: Rule data provided]
125126
* xref:packages/release_hermetic_task.adoc#hermetic_task__hermeto_proxy_enabled[Hermetic task: Hermetic build task has Sonatype proxy enabled]
126127
* xref:packages/release_hermetic_task.adoc#hermetic_task__hermetic[Hermetic task: Task called with hermetic param set]
127-
* xref:packages/release_hermetic_task.adoc#hermetic_task__proxy_rule_data_format[Hermetic task: proxy_enabled_purl_types format]
128128
* xref:packages/release_labels.adoc#labels__deprecated_labels[Labels: Deprecated labels]
129129
* xref:packages/release_labels.adoc#labels__disallowed_inherited_labels[Labels: Disallowed inherited labels]
130130
* xref:packages/release_labels.adoc#labels__inaccessible_config[Labels: Inaccessible image config]
@@ -164,6 +164,7 @@ Rules included:
164164
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed[SBOM CycloneDX: Allowed]
165165
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_external_references[SBOM CycloneDX: Allowed package external references]
166166
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_sources[SBOM CycloneDX: Allowed package sources]
167+
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_proxy_urls[SBOM CycloneDX: Allowed proxy URLs]
167168
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_attributes[SBOM CycloneDX: Disallowed package attributes]
168169
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_external_references[SBOM CycloneDX: Disallowed package external references]
169170
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__cdx_supported_version[SBOM CycloneDX: Supported Version]
@@ -191,6 +192,7 @@ Rules included:
191192
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed[SPDX SBOM: Allowed]
192193
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_external_references[SPDX SBOM: Allowed package external references]
193194
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_sources[SPDX SBOM: Allowed package sources]
195+
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_proxy_urls[SPDX SBOM: Allowed proxy URLs]
194196
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_attributes[SPDX SBOM: Disallowed package attributes]
195197
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_external_references[SPDX SBOM: Disallowed package external references]
196198
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__valid[SPDX SBOM: Valid]
@@ -258,6 +260,7 @@ Rules included:
258260
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed[SBOM CycloneDX: Allowed]
259261
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_external_references[SBOM CycloneDX: Allowed package external references]
260262
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_sources[SBOM CycloneDX: Allowed package sources]
263+
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_proxy_urls[SBOM CycloneDX: Allowed proxy URLs]
261264
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_attributes[SBOM CycloneDX: Disallowed package attributes]
262265
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_external_references[SBOM CycloneDX: Disallowed package external references]
263266
* xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__cdx_supported_version[SBOM CycloneDX: Supported Version]
@@ -280,6 +283,7 @@ Rules included:
280283
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed[SPDX SBOM: Allowed]
281284
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_external_references[SPDX SBOM: Allowed package external references]
282285
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_sources[SPDX SBOM: Allowed package sources]
286+
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_proxy_urls[SPDX SBOM: Allowed proxy URLs]
283287
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_attributes[SPDX SBOM: Disallowed package attributes]
284288
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_external_references[SPDX SBOM: Disallowed package external references]
285289
* xref:packages/release_sbom_spdx.adoc#sbom_spdx__valid[SPDX SBOM: Valid]

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

Lines changed: 2 additions & 1 deletion
@@ -46,7 +46,6 @@
4646
*** xref:packages/release_hermetic_task.adoc[Hermetic task]
4747
**** xref:packages/release_hermetic_task.adoc#hermetic_task__hermeto_proxy_enabled[Hermetic build task has Sonatype proxy enabled]
4848
**** xref:packages/release_hermetic_task.adoc#hermetic_task__hermetic[Task called with hermetic param set]
49-
**** xref:packages/release_hermetic_task.adoc#hermetic_task__proxy_rule_data_format[proxy_enabled_purl_types format]
5049
*** xref:packages/release_labels.adoc[Labels]
5150
**** xref:packages/release_labels.adoc#labels__deprecated_labels[Deprecated labels]
5251
**** xref:packages/release_labels.adoc#labels__disallowed_inherited_labels[Disallowed inherited labels]
@@ -106,6 +105,7 @@
106105
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed[Allowed]
107106
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_external_references[Allowed package external references]
108107
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_package_sources[Allowed package sources]
108+
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__allowed_proxy_urls[Allowed proxy URLs]
109109
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_attributes[Disallowed package attributes]
110110
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__disallowed_package_external_references[Disallowed package external references]
111111
**** xref:packages/release_sbom_cyclonedx.adoc#sbom_cyclonedx__cdx_supported_version[Supported Version]
@@ -137,6 +137,7 @@
137137
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed[Allowed]
138138
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_external_references[Allowed package external references]
139139
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_package_sources[Allowed package sources]
140+
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__allowed_proxy_urls[Allowed proxy URLs]
140141
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__contains_files[Contains files]
141142
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__contains_packages[Contains packages]
142143
**** xref:packages/release_sbom_spdx.adoc#sbom_spdx__disallowed_package_attributes[Disallowed package attributes]

policy/lib/sbom/sbom.rego

Lines changed: 48 additions & 0 deletions
@@ -347,6 +347,54 @@ rule_data_errors contains error if {
347347
}
348348
}
349349

350+
# Verify proxy_enabled_purl_types is a list of unique strings.
351+
rule_data_errors contains error if {
352+
some e in j.validate_schema(
353+
rule_data.get("proxy_enabled_purl_types"),
354+
{
355+
"$schema": "http://json-schema.org/draft-07/schema#",
356+
"type": "array",
357+
"items": {"type": "string"},
358+
"uniqueItems": true,
359+
},
360+
)
361+
error := {
362+
"message": sprintf("Rule data proxy_enabled_purl_types has unexpected format: %s", [e.message]),
363+
"severity": e.severity,
364+
}
365+
}
366+
367+
# Verify allowed_proxy_url_patterns is an object mapping strings to arrays of strings.
368+
rule_data_errors contains error if {
369+
some e in j.validate_schema(
370+
rule_data.get("allowed_proxy_url_patterns"),
371+
{
372+
"$schema": "http://json-schema.org/draft-07/schema#",
373+
"type": "object",
374+
"additionalProperties": {
375+
"type": "array",
376+
"items": {"type": "string"},
377+
"uniqueItems": true,
378+
},
379+
},
380+
)
381+
error := {
382+
"message": sprintf("Rule data allowed_proxy_url_patterns has unexpected format: %s", [e.message]),
383+
"severity": e.severity,
384+
}
385+
}
386+
387+
# Verify items in allowed_proxy_url_patterns are valid regular expressions.
388+
rule_data_errors contains error if {
389+
some purl_type, patterns in rule_data.get("allowed_proxy_url_patterns")
390+
some pattern in patterns
391+
not regex.is_valid(pattern)
392+
error := {
393+
"message": sprintf("%q is not a valid regular expression for PURL type %q", [pattern, purl_type]),
394+
"severity": "failure",
395+
}
396+
}
397+
350398
rule_data_packages_key := "disallowed_packages"
351399

352400
rule_data_attributes_key := "disallowed_attributes"
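Review bot: the third rule (`some purl_type, patterns in rule_data.get("allowed_proxy_url_patterns")`) evaluates independently of the schema check above it, so on malformed data (for example an array instead of an object) `purl_type` binds to array indices and the regex messages may name a PURL type like `0`, or produce nothing at all when `patterns` is not iterable; guard it with `is_object(...)` on the value and `is_array(patterns)` / `is_string(pattern)` so only the schema error is reported for malformed input. Also confirm `import data.lib.json as j` already exists in `policy/lib/sbom/sbom.rego`; the hunk calls `j.validate_schema` but the import is outside the shown context.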

policy/release/hermetic_task/hermetic_task.rego

Lines changed: 0 additions & 66 deletions
@@ -12,7 +12,6 @@ package hermetic_task
1212
import rego.v1
1313

1414
import data.lib
15-
import data.lib.json as j
1615
import data.lib.metadata
1716
import data.lib.rule_data
1817
import data.lib.tekton
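Review bot: `import data.lib.json as j` is dropped, but `import data.lib.rule_data` on context line 17 is kept, and the only visible users of `rule_data` in this file are the three `_rule_data_errors` rules removed further down; unless it is still referenced in the unshown lines, drop that import too so `opa check --strict` or regal does not flag it as unused.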
@@ -39,23 +38,6 @@ deny contains result if {
3938
result := metadata.result_helper(rego.metadata.chain(), [tekton.task_name(not_hermetic_task)])
4039
}
4140

42-
# METADATA
43-
# title: proxy_enabled_purl_types format
44-
# description: >-
45-
# Confirm the `proxy_enabled_purl_types` and `allowed_proxy_url_patterns`
46-
# rule data match the expected format.
47-
# custom:
48-
# short_name: proxy_rule_data_format
49-
# failure_msg: "%s"
50-
# collections:
51-
# - redhat
52-
# - policy_data
53-
#
54-
deny contains result if {
55-
some error in _rule_data_errors
56-
result := metadata.result_helper_with_severity(rego.metadata.chain(), [error.message], error.severity)
57-
}
58-
5941
# METADATA
6042
# title: Hermetic build task has Sonatype proxy enabled
6143
# description: >-
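Review bot: the removed rule carried `collections: redhat, policy_data`, so proxy rule-data format errors used to be reported in those collections through `metadata.result_helper_with_severity`; the `policy/lib/sbom/sbom.rego` hunk only adds the checks to the shared `rule_data_errors` set, and nothing in this diff shows which rule now surfaces them. Please confirm (ideally in the PR description) that an existing SBOM rule-data rule in those collections reports them, otherwise a malformed `allowed_proxy_url_patterns` would go unreported until the `allowed_proxy_urls` rules start denying every package of the affected type.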
@@ -107,51 +89,3 @@ _task_is_hermetic(task) if {
10789
_task_has_proxy_enabled(task) if {
10890
tekton.task_param(task, "enable-hermeto-proxy") == "true"
10991
}
110-
111-
# Verify proxy_enabled_purl_types is a list of unique strings.
112-
_rule_data_errors contains error if {
113-
some e in j.validate_schema(
114-
rule_data.get("proxy_enabled_purl_types"),
115-
{
116-
"$schema": "http://json-schema.org/draft-07/schema#",
117-
"type": "array",
118-
"items": {"type": "string"},
119-
"uniqueItems": true,
120-
},
121-
)
122-
error := {
123-
"message": sprintf("Rule data proxy_enabled_purl_types has unexpected format: %s", [e.message]),
124-
"severity": e.severity,
125-
}
126-
}
127-
128-
# Verify allowed_proxy_url_patterns is an object mapping strings to arrays of strings.
129-
_rule_data_errors contains error if {
130-
some e in j.validate_schema(
131-
rule_data.get("allowed_proxy_url_patterns"),
132-
{
133-
"$schema": "http://json-schema.org/draft-07/schema#",
134-
"type": "object",
135-
"additionalProperties": {
136-
"type": "array",
137-
"items": {"type": "string"},
138-
"uniqueItems": true,
139-
},
140-
},
141-
)
142-
error := {
143-
"message": sprintf("Rule data allowed_proxy_url_patterns has unexpected format: %s", [e.message]),
144-
"severity": e.severity,
145-
}
146-
}
147-
148-
# Verify items in allowed_proxy_url_patterns are valid regular expressions.
149-
_rule_data_errors contains error if {
150-
some purl_type, patterns in rule_data.get("allowed_proxy_url_patterns")
151-
some pattern in patterns
152-
not regex.is_valid(pattern)
153-
error := {
154-
"message": sprintf("%q is not a valid regular expression for PURL type %q", [pattern, purl_type]),
155-
"severity": "failure",
156-
}
157-
}
