
Commit e656cc5

committed
Fixes to annotations
Add solution to the deny_unpermitted_urls rule. Move custom collections from the package to the rules. Remove the 'redhat' collection from rules specific to Maven, plus some minor cleanups.
1 parent d471a1a commit e656cc5

5 files changed

Lines changed: 37 additions & 35 deletions


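--- a/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc
+++ b/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc
@@ -13,11 +13,13 @@ Each Maven package listed in an SBOM must specify the repository URL that it com
 
 Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
 
+*Solution*: The Maven artifact originates from an untrusted or unpermitted repository. To resolve this, ensure the dependency is sourced from a repository defined in the 'allowed_maven_repositories' list in your policy configuration. If the repository is internal, add its URL to the allowed list in rule_data.
+
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `maven_repos.deny_unpermitted_urls`
 * Effective from: `2026-05-10T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L41[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L35[Source, window="_blank"]
 
 [#maven_repos__policy_data_missing]
 === link:#maven_repos__policy_data_missing[Policy data validation]
@@ -29,4 +31,4 @@ Ensures the required allowed_maven_repositories list is provided.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Policy data is missing the required "%s" list`
 * Code: `maven_repos.policy_data_missing`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L23[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L17[Source, window="_blank"]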

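--- a/antora/docs/modules/ROOT/pages/release_policy.adoc
+++ b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -105,7 +105,6 @@ a| Include the set of policy rules required for Red Hat products.
 
 Rules included:
 
-* xref:packages/release_maven_repos.adoc#maven_repos_package[All maven artifacts have known repository URLs: All maven artifacts have known repository URLs]
 * xref:packages/release_attestation_type.adoc#attestation_type__deprecated_policy_attestation_format[Attestation type: Deprecated policy attestation format]
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_type[Attestation type: Known attestation type found]
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_types_provided[Attestation type: Known attestation types provided]
@@ -243,7 +242,8 @@ a| Ruleset for validating artifacts built via Red Hat Maven repositories.
 
 Rules included:
 
-* xref:packages/release_maven_repos.adoc#maven_repos_package[All maven artifacts have known repository URLs: All maven artifacts have known repository URLs]
+* xref:packages/release_maven_repos.adoc#maven_repos__deny_unpermitted_urls[All maven artifacts have known repository URLs: Known Repository URLs]
+* xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[All maven artifacts have known repository URLs: Policy data validation]
 
 | [#redhat_rpms]`redhat_rpms`
 a| Include the set of policy rules required for building Red Hat RPMs.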

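--- a/policy/lib/sbom/maven_test.rego
+++ b/policy/lib/sbom/maven_test.rego
@@ -1,9 +1,7 @@
 package lib.sbom_test
 
-import data.lib
+import data.lib.assertions
 import data.lib.sbom
-import future.keywords.if
-import future.keywords.in
 
 test_cyclonedx_maven_extraction if {
 mock_components := [{
@@ -20,13 +18,13 @@ test_cyclonedx_maven_extraction if {
 
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_cyclonedx_ignores_non_maven if {
 mock_components := [{"name": "react", "purl": "pkg:npm/react@18.2.0"}]
 
-lib.assertions.assert_empty(sbom.packages) with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+assertions.assert_empty(sbom.packages) with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 }
 
 test_cyclonedx_empty_repo_url if {
@@ -44,7 +42,7 @@ test_cyclonedx_empty_repo_url if {
 
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_spdx_maven_extraction if {
@@ -65,7 +63,7 @@ test_spdx_maven_extraction if {
 
 result := sbom.packages with sbom.spdx_sboms as [_spdx_sbom(mock_packages)]
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_combined_sources if {
@@ -100,7 +98,7 @@ test_combined_sources if {
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_cdx)]
 with sbom.spdx_sboms as [_spdx_sbom(mock_spdx)]
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_cyclonedx_multiple_repo_capture if {
@@ -128,7 +126,7 @@ test_cyclonedx_multiple_repo_capture if {
 
 result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 _cyclonedx_sbom(components) := {"components": components}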
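Review bot: The first hunk removes `import future.keywords.if` and `import future.keywords.in` while the file still uses the `if` keyword on every test rule (e.g. `test_cyclonedx_maven_extraction if {`), and nothing is added in their place. In the same commit maven_repos.rego switches to `import rego.v1`, so the two files now express the same intent differently; on OPA 1.x the keywords are built in and this parses, but on an older toolchain the test file would fail to parse. Adding `import rego.v1` after the `package lib.sbom_test` line keeps the files consistent regardless of OPA version. The same applies to policy/release/maven_repos/maven_repos_test.rego, whose first hunk drops `import future.keywords.if` without a replacement.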

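--- a/policy/release/maven_repos/maven_repos.rego
+++ b/policy/release/maven_repos/maven_repos.rego
@@ -5,18 +5,12 @@
 # comes from, and that URL must be present in the list of known and permitted
 # Maven repositories. If no URL is specified, the package is assumed to come
 # from Maven Central.
-# custom:
-# collections:
-# - redhat
-# - redhat_maven
-#
 package release.maven_repos
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 import data.lib
+import data.lib.metadata
 import data.lib.rule_data
 import data.lib.sbom
 
@@ -31,8 +25,8 @@ import data.lib.sbom
 # provided to the policy, and that it contains a list of authorized
 # repository URLs.
 # collections:
+# - redhat_maven
 # - policy_data
-# severity: failure
 deny contains result if {
 some key in _rule_data_errors
 result := lib.result_helper(rego.metadata.chain(), [key])
@@ -45,15 +39,20 @@ deny contains result if {
 # comes from, and that URL must be present in the list of known and permitted
 # Maven repositories. If no URL is specified, the package is assumed to come
 # from Maven Central.
-# scope: rule
 # custom:
 # short_name: deny_unpermitted_urls
 # failure_msg: '%s'
+# solution: >-
+# The Maven artifact originates from an untrusted or unpermitted repository.
+# To resolve this, ensure the dependency is sourced from a repository defined
+# in the 'allowed_maven_repositories' list in your policy configuration.
+# If the repository is internal, add its URL to the allowed list in rule_data.
 # effective_on: 2026-05-10T00:00:00Z
+# collections:
+# - redhat_maven
 deny contains result if {
 some err in _repo_url_errors
-base := lib.result_helper(rego.metadata.chain(), [err.msg])
-result := object.union(base, {"term": err.purl})
+result := metadata.result_helper_with_term(rego.metadata.chain(), [err.msg], err.purl)
 }
 
 _repo_url_errors contains err if {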
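Review bot: Dropping `redhat` from the collections in the first hunk means a policy configuration that selects only the `redhat` collection will no longer evaluate either maven_repos rule, so a Maven-producing release that relied on `redhat` loses the unpermitted-repository check unless it also opts into `redhat_maven`. The release_policy.adoc change records the new membership, but nothing in the package itself flags the change to existing consumers; a short comment in the package header, `# NOTE: no longer part of the 'redhat' collection; select 'redhat_maven' to keep these checks.`, or a changelog entry would make the coverage change visible where operators will see it. Separately, the two deny rules now build their results through different modules (`lib.result_helper` in the second hunk, `metadata.result_helper_with_term` in the third); if both helpers live in the same library, calling them through one import would read more consistently. The `_repo_url_errors` rule that opens on the last hunk line continues outside this hunk.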

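--- a/policy/release/maven_repos/maven_repos_test.rego
+++ b/policy/release/maven_repos/maven_repos_test.rego
@@ -1,9 +1,8 @@
 package release.maven_repos_test
 
-import data.lib
+import data.lib.assertions
 import data.lib.sbom
 import data.release.maven_repos
-import future.keywords.if
 
 mock_data := {"allowed_maven_repositories": [
 "https://repo.maven.apache.org/maven2/",
@@ -17,7 +16,7 @@ test_cyclonedx_permitted if {
 "externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -31,7 +30,7 @@ test_spdx_permitted if {
 }],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.spdx_sboms as [spdx_input]
 }
 
@@ -42,7 +41,7 @@ test_default_maven_central_pass if {
 "externalRefs": [],
 }]}
 
-lib.assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
+assertions.assert_empty(maven_repos.deny) with data.rule_data as mock_data
 with sbom.cyclonedx_sboms as [cdx_input]
 }
 
@@ -63,11 +62,12 @@ test_default_cdx_fail if {
 expected := {{
 "code": "release.maven_repos.deny_unpermitted_urls",
 "msg": expected_msg,
+"collections": ["redhat_maven"],
 "effective_on": "2026-05-10T00:00:00Z",
 "term": "pkg:maven/org.base/no-url@1.0",
 }}
 
-lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
+assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as restricted_data
 with sbom.cyclonedx_sboms as [mock_cdx]
 }
 
@@ -86,11 +86,11 @@ test_spdx_default_fail if {
 test_missing_rule_data if {
 expected := {{
 "code": "release.maven_repos.policy_data_missing",
-"collections": ["policy_data"],
+"collections": ["redhat_maven", "policy_data"],
 "effective_on": "2022-01-01T00:00:00Z",
 "msg": "Policy data is missing the required \"allowed_maven_repositories\" list",
 }}
-lib.assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
+assertions.assert_equal(maven_repos.deny, expected) with data.rule_data as {}
 }
 
 test_get_effective_url_provided if {
@@ -170,12 +170,14 @@ test_repo_url_errors_collision_from_mixed_sources if {
 {
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-cdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 },
 {
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 },
@@ -185,7 +187,7 @@ test_repo_url_errors_collision_from_mixed_sources if {
 with sbom.spdx_sboms as [mock_spdx]
 with data.rule_data as mock_data
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }
 
 test_repo_url_errors_mixed_permitted_and_unpermitted if {
@@ -204,6 +206,7 @@ test_repo_url_errors_mixed_permitted_and_unpermitted if {
 expected := {{
 "code": "release.maven_repos.deny_unpermitted_urls",
 "effective_on": "2026-05-10T00:00:00Z",
+"collections": ["redhat_maven"],
 "msg": "Package \"pkg:maven/org.example/shared@1.0\" (source: \"https://untrusted-spdx.com\") is not in the permitted list",
 "term": "pkg:maven/org.example/shared@1.0",
 }}
@@ -212,5 +215,5 @@ test_repo_url_errors_mixed_permitted_and_unpermitted if {
 with sbom.spdx_sboms as [mock_spdx]
 with data.rule_data as mock_data
 
-lib.assertions.assert_equal(expected, result)
+assertions.assert_equal(expected, result)
 }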
