
Commit acd3b8a

committed
fix: resolve unification conflict in repo violations
Switches violation reporting to a set-based structure to handle duplicate PURLs across multiple SBOM sources. Fixes CodeRabbit review: #1696 (comment)
1 parent 6d11233 commit acd3b8a

2 files changed

Lines changed: 71 additions & 5 deletions


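--- a/policy/release/maven_repos/maven_repos.rego
+++ b/policy/release/maven_repos/maven_repos.rego
@@ -49,17 +49,21 @@ deny contains result if {
 # short_name: deny_unpermitted_urls
 # failure_msg: '%s'
 # effective_on: 2026-05-10T00:00:00Z
+
 deny contains result if {
-some purl, msg in _repo_url_errors
-base := lib.result_helper(rego.metadata.chain(), [msg])
-result := object.union(base, {"term": purl})
+some err in _repo_url_errors
+base := lib.result_helper(rego.metadata.chain(), [err.msg])
+result := object.union(base, {"term": err.purl})
 }
 
-_repo_url_errors[pkg.purl] := msg if {
+_repo_url_errors contains err if {
 some pkg in sbom.packages
 source := _get_effective_url(pkg.repository_url)
 not _url_is_permitted(source)
-msg := sprintf("Package %q (source: %q) is not in the permitted list", [pkg.purl, source])
+err := {
+"purl": pkg.purl,
+"msg": sprintf("Package %q (source: %q) is not in the permitted list", [pkg.purl, source]),
+}
 }
 
 _get_effective_url(url) := url if {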
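Review bot: `_repo_url_errors contains err if {` carries no comment explaining why a set of `{purl, msg}` objects replaced the PURL-keyed object, so the next reader may be tempted to key it by PURL again. A keyed rule that assigns different messages to the same key fails with a conflict instead of producing results, which the commit message says happens when one package appears in several SBOM sources, so this is a correctness choice rather than style; a comment above the rule such as `# A set rather than a PURL-keyed object: one PURL can come from several SBOMs with different repository URLs, and a keyed rule would conflict instead of reporting each source.` would record it. With the set form a package seen with two unpermitted URLs now yields two deny results that share a `term` and differ only in `msg`, which is presumably what consumers of `term` expect; worth confirming against anything that aggregates violations by term. `_get_effective_url` starts on the hunk's last line and its body is outside the hunk.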

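--- a/policy/release/maven_repos/maven_repos_test.rego
+++ b/policy/release/maven_repos/maven_repos_test.rego
@@ -152,3 +152,65 @@ test_spdx_multiple_refs_behavior if {
 urls := {p.repository_url | some p in pkg_list}
 urls == {"https://primary.repo.com", "https://mirror.repo.com"}
 }
+
+test_repo_url_errors_collision_from_mixed_sources if {
+mock_cdx := {"components": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"type": "distribution", "url": "https://untrusted-cdx.com"}],
+}]}
+
+mock_spdx := {"packages": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"referenceType": "repository", "referenceLocator": "https://untrusted-spdx.com"}],
+}]}
+
+expected := {
+{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-cdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+},
+{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+},
+}
+
+result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
+with sbom.spdx_sboms as [mock_spdx]
+with data.rule_data as mock_data
+
+lib.assert_equal(expected, result)
+}
+
+test_repo_url_errors_mixed_permitted_and_unpermitted if {
+mock_cdx := {"components": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
+}]}
+
+mock_spdx := {"packages": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"referenceType": "repository", "referenceLocator": "https://untrusted-spdx.com"}],
+}]}
+
+expected := {{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+}}
+
+result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
+with sbom.spdx_sboms as [mock_spdx]
+with data.rule_data as mock_data
+
+lib.assert_equal(expected, result)
+}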
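Review bot: Neither new test pins the deduplication side of the set change, the case where both SBOM sources report the same PURL with the same unpermitted URL and the two `{purl, msg}` entries should collapse into a single deny result. A third test copied from `test_repo_url_errors_mixed_permitted_and_unpermitted` with both `externalRefs` entries pointing at one unpermitted URL (any constructed value, e.g. `https://untrusted.example.com`) and `expected` holding a single result would lock that in, assuming `sbom.packages` normalises both sources to the same `repository_url`, which the existing mocks suggest but which is defined outside this file. Both tests also depend on `mock_data`, defined outside the hunk, so the permitted-list contents that let `https://repo.maven.apache.org/maven2/` pass cannot be checked here.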
