
Commit ad609d3

committed
fix: resolve unification conflict in repo violations
Switches violation reporting to a set-based structure to handle duplicate PURLs across multiple SBOM sources. fixes coderabbit review: #1696 (comment)
1 parent f3bddff commit ad609d3

3 files changed

Lines changed: 84 additions & 18 deletions


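--- a/policy/lib/sbom/maven_test.rego
+++ b/policy/lib/sbom/maven_test.rego
@@ -20,13 +20,13 @@ test_cyclonedx_maven_extraction if {
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assert_equal(expected, result)
+lib.assertions.assert_equal(expected, result)
 }
 
 test_cyclonedx_ignores_non_maven if {
 mock_components := [{"name": "react", "purl": "pkg:npm/react@18.2.0"}]
 
-lib.assert_empty(sbom.packages) with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+lib.assertions.assert_empty(sbom.packages) with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 }
 
 test_cyclonedx_empty_repo_url if {
@@ -44,7 +44,7 @@ test_cyclonedx_empty_repo_url if {
 
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assert_equal(expected, result)
+lib.assertions.assert_equal(expected, result)
 }
 
 test_spdx_maven_extraction if {
@@ -65,7 +65,7 @@ test_spdx_maven_extraction if {
 
 result := sbom.packages with sbom.spdx_sboms as [_spdx_sbom(mock_packages)]
 
-lib.assert_equal(expected, result)
+lib.assertions.assert_equal(expected, result)
 }
 
 test_combined_sources if {
@@ -100,7 +100,7 @@ test_combined_sources if {
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_cdx)]
 with sbom.spdx_sboms as [_spdx_sbom(mock_spdx)]
 
-lib.assert_equal(expected, result)
+lib.assertions.assert_equal(expected, result)
 }
 
 test_cyclonedx_multiple_repo_capture if {
@@ -128,7 +128,7 @@ test_cyclonedx_multiple_repo_capture if {
 
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assert_equal(expected, result)
+lib.assertions.assert_equal(expected, result)
 }
 
 _cyclonedx_sbom(components) := {"components": components}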

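--- a/policy/release/maven_repos/maven_repos.rego
+++ b/policy/release/maven_repos/maven_repos.rego
@@ -17,6 +17,7 @@ import future.keywords.if
 import future.keywords.in
 
 import data.lib
+import data.lib.rule_data
 import data.lib.sbom
 
 # METADATA
@@ -50,30 +51,33 @@ deny contains result if {
 # failure_msg: '%s'
 # effective_on: 2026-05-10T00:00:00Z
 deny contains result if {
-some purl, msg in _repo_url_errors
-base := lib.result_helper(rego.metadata.chain(), [msg])
-result := object.union(base, {"term": purl})
+some err in _repo_url_errors
+base := lib.result_helper(rego.metadata.chain(), [err.msg])
+result := object.union(base, {"term": err.purl})
 }
 
-_repo_url_errors[pkg.purl] := msg if {
+_repo_url_errors contains err if {
 some pkg in sbom.packages
 source := _get_effective_url(pkg.repository_url)
 not _url_is_permitted(source)
-msg := sprintf("Package %q (source: %q) is not in the permitted list", [pkg.purl, source])
+err := {
+"purl": pkg.purl,
+"msg": sprintf("Package %q (source: %q) is not in the permitted list", [pkg.purl, source]),
+}
 }
 
 _get_effective_url(url) := url if {
 url != ""
 } else := "https://repo.maven.apache.org/maven2/"
 
 _url_is_permitted(url) if {
-permitted := lib.rule_data("allowed_maven_repositories")
+permitted := rule_data.get("allowed_maven_repositories")
 url in permitted
 }
 
 _rule_data_errors contains key if {
 key := "allowed_maven_repositories"
-data_list := lib.rule_data(key)
+data_list := rule_data.get(key)
 _is_invalid_data(data_list)
 }
 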
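Review bot: The rewritten `_repo_url_errors` rule still fails open for a package that has no `repository_url` key at all: `_get_effective_url(pkg.repository_url)` is undefined in that case, the rule body for that `pkg` is simply skipped, and no violation is produced, whereas an empty string is correctly mapped to the Maven Central default and checked against the allow-list. If `sbom.packages` can omit the field (the sbom lib may already normalise it to `""`, as `test_cyclonedx_empty_repo_url` in the first file hints, but that cannot be confirmed from this hunk), use `source := _get_effective_url(object.get(pkg, "repository_url", ""))` so a missing URL is treated like an empty one and still goes through `_url_is_permitted`. The reason for the set-based form is only in the commit message; a one-line comment above the rule would keep it with the code, e.g. `# A set, not an object keyed by purl: the same purl can appear in several SBOM sources with different repository URLs, and the object form raised a key conflict.` Note that with the set form two entries with the same purl and the same source collapse into one violation, which is the intended deduplication.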

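--- a/policy/release/maven_repos/maven_repos_test.rego
+++ b/policy/release/maven_repos/maven_repos_test.rego
@@ -17,7 +17,7 @@ test_cyclonedx_permitted if {
 "externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
 }]}
 
-lib.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -31,7 +31,7 @@ test_spdx_permitted if {
 }],
 }]}
 
-lib.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.spdx_sboms as [spdx_input]
 }
 
@@ -42,7 +42,7 @@ test_default_maven_central_pass if {
 "externalRefs": [],
 }]}
 
-lib.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -67,7 +67,7 @@ test_default_cdx_fail if {
 "term": "pkg:maven/org.base/no-url@1.0",
 }}
 
-lib.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
+lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
 with sbom.cyclonedx_sboms as [mock_cdx]
 }
 
@@ -90,7 +90,7 @@ test_missing_rule_data if {
 "effective_on": "2022-01-01T00:00:00Z",
 "msg": "Policy data is missing the required \"allowed_maven_repositories\" list",
 }}
-lib.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
+lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
 }
 
 test_get_effective_url_provided if {
@@ -152,3 +152,65 @@ test_spdx_multiple_refs_behavior if {
 urls := {p.repository_url | some p in pkg_list}
 urls == {"https://primary.repo.com", "https://mirror.repo.com"}
 }
+
+test_repo_url_errors_collision_from_mixed_sources if {
+mock_cdx := {"components": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"type": "distribution", "url": "https://untrusted-cdx.com"}],
+}]}
+
+mock_spdx := {"packages": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"referenceType": "repository", "referenceLocator": "https://untrusted-spdx.com"}],
+}]}
+
+expected := {
+{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-cdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+},
+{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+},
+}
+
+result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
+with sbom.spdx_sboms as [mock_spdx]
+with data.rule_data as mock_data
+
+lib.assertions.assert_equal(expected, result)
+}
+
+test_repo_url_errors_mixed_permitted_and_unpermitted if {
+mock_cdx := {"components": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
+}]}
+
+mock_spdx := {"packages": [{
+"name": "shared-lib",
+"purl": "pkg:maven/org.example/shared@1.0",
+"externalRefs": [{"referenceType": "repository", "referenceLocator": "https://untrusted-spdx.com"}],
+}]}
+
+expected := {{
+"code": "release.maven_repos.deny_unpermitted_urls",
+"effective_on": "2026-05-10T00:00:00Z",
+"msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
+"term": "pkg:maven/org.example/shared@1.0",
+}}
+
+result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
+with sbom.spdx_sboms as [mock_spdx]
+with data.rule_data as mock_data
+
+lib.assertions.assert_equal(expected, result)
+}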
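Review bot: Neither new test records the regression it guards, so a reader of `test_repo_url_errors_collision_from_mixed_sources` cannot tell that the old `_repo_url_errors[pkg.purl] := msg` object form raised a key conflict when one purl came from two SBOM sources with different repository URLs; a comment above the test such as `# Regression: the same purl reported by two SBOM sources with different repository URLs must yield one violation per source rather than an object-key conflict.` would keep that context with the test. Both tests also depend on `mock_data`, which is defined outside this hunk; `test_repo_url_errors_mixed_permitted_and_unpermitted` passes only if that allow-list contains exactly `https://repo.maven.apache.org/maven2/`, trailing slash included, because `_url_is_permitted` in maven_repos.rego does an exact `url in permitted` membership check, and that coupling is worth a short comment on the `mock_cdx` fixture. The two `mock_spdx` fixtures are identical and could be a shared file-level value, though that is only a style point.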
