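---
# IMPORTANT: Policy rule packages that utilize data from this document should have an explicit
# policy rule which defines the expected behavior when the data is not provided.
#
# Formatting conventions for this file:
#   - Values that a YAML loader might type as something other than a string (calendar dates,
#     timestamps, signing-key IDs) are quoted. The consuming rules read these as strings; an
#     unquoted `2028-12-23` is a date object under some loaders (e.g. PyYAML), so quoting keeps
#     the data loader-independent without changing what the rules see.
#   - The `*_prefixes` lists are, as their names say, string prefixes. An entry that does not end
#     in `/` also matches any repository whose name merely starts with the same characters.
rule_data:
  # Registry / repository prefixes that images may be pulled from.
  # NOTE(review): the quay.io/konflux-ci/* and brew.registry.redhat.io/* entries have no trailing
  # `/`, so under a plain prefix match `quay.io/konflux-ci/yq` would also accept a hypothetical
  # `quay.io/konflux-ci/yq-other`. Confirm against the consuming rule whether exact-repository
  # pinning was intended (a trailing `:` or `@` cannot be used here, as it would break one of
  # tag- or digest-style references).
  allowed_registry_prefixes:
    - registry.access.redhat.com/
    - registry.redhat.io/
    - quay.io/konflux-ci/yq
    - quay.io/konflux-ci/bazel5-ubi8
    - quay.io/konflux-ci/bazel6-ubi9
    - quay.io/konflux-ci/bazel7-ubi9
    - quay.io/konflux-ci/operator-sdk-builder
    - quay.io/konflux-ci/yarn3-nodejs20-ubi9-minimal
    - quay.io/konflux-ci/yarn4-nodejs22-ubi9-minimal
    - quay.io/konflux-ci/git-clone
    - brew.registry.redhat.io/rh-osbs/openshift-golang-builder
    - brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9
    - brew.registry.redhat.io/rh-osbs/rhacm2-nodejs-parent
  # Prefixes accepted for images referenced from OLM bundles (per the key name).
  allowed_olm_image_registry_prefixes:
    - registry.access.redhat.com/
    - registry.redhat.io/
  # Prefixes accepted for the images that pipeline task steps run in.
  # NOTE(review): `quay.io/konflux-ci/` admits the whole organisation, which is broader than the
  # per-repository konflux-ci entries in allowed_registry_prefixes above; keep that in mind when
  # reviewing who can push to that organisation.
  allowed_step_image_registry_prefixes:
    - quay.io/konflux-ci/
    - registry.access.redhat.com/
    - registry.redhat.io/
    # Allow preflight images to be used in rhtap / konflux
    # Documentation link: https://github.com/redhat-openshift-ecosystem/openshift-preflight/blob/main/docs/RECIPES.md
    - quay.io/opdev/preflight
    - quay.io/redhat-services-prod/sast/coverity
    - quay.io/redhat-services-prod/mos-lpsre-tenant/package-operator-internal
  # Number of days before a version of the Task expires that warnings are reported
  # See https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__current
  task_expiry_warning_days: 14
  # `none` is a plain string here (YAML treats only `null`, `~` and an empty value as null);
  # presumably a sentinel meaning "no Java component sources are allowed" -- confirm against the
  # rule that consumes it.
  allowed_java_component_sources:
    - none
  # Pipeline run parameter names referenced by the consuming rule; see that rule for how they
  # are checked.
  pipeline_run_params:
    - git-repo
    - git-revision
    - output-image
  # See also the additional default rule data values defined in
  # https://github.com/enterprise-contract/ec-policies/blob/main/policy/lib/rule_data.rego
  # https://conforma.dev/docs/policy/packages/release_hermetic_task.html
  # If more build or run-script tasks are created they should be added to this list
  required_hermetic_tasks:
    - buildah
    - buildah-min
    - buildah-oci-ta
    - buildah-remote
    - buildah-remote-oci-ta
    - build-paketo-builder-oci-ta
    - run-script-oci-ta
    - sast-coverity-check
    - sast-coverity-check-oci-ta
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__deprecated_labels
  # Each entry names a label that must no longer be used and the label that replaces it.
  deprecated_labels:
    - name: INSTALL
      replacement: install
    - name: Architecture
      replacement: architecture
    - name: BZComponent
      replacement: com.redhat.component
    - name: Name
      replacement: name
    - name: RUN
      replacement: run
    - name: Release
      replacement: release
    - name: UNINSTALL
      replacement: uninstall
    - name: Version
      replacement: version
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__required_labels
  # `effective_on` values are RFC 3339 timestamps and are kept quoted; see the Conforma docs for
  # how effective_on gates enforcement of an entry.
  required_labels:
    - name: com.redhat.component
      description: The Bugzilla component name where bugs against this container should be reported by users.
    - name: description
      description: Detailed description of the image.
    - name: distribution-scope
      description: >-
        Scope of intended distribution of the image.
        (private/authoritative-source-only/restricted/public).
    - name: io.k8s.description
      description: Description of the container displayed in Kubernetes.
    - name: name
      description: Name of the Image or Container.
    - name: release
      description: Release Number for this version.
    - name: url
      description: A URL where the user can find more information about the image.
    - name: vcs-ref
      description: >-
        A 'reference' within the version control repository;
        e.g. a git commit, or a subversion branch.
    - name: vcs-type
      description: >-
        The type of version control used by the container source.
        Generally one of git, hg, svn, bzr, cvs
    - name: vendor
      description: Name of the vendor.
      values:
        - 'Red Hat, Inc.'
    - name: version
      description: Version of the image.
    - name: org.opencontainers.image.created
      description: >-
        The creation timestamp of the image. This label must always be set by the Konflux build task for on-prem product releases. The policy must also support reproducible builds by allowing users to override the timestamp using the SOURCE_DATE_EPOCH environment variable.
      effective_on: "2026-06-07T00:00:00Z"
    - name: cpe
      description: >-
        The CPE (Common Platform Enumeration) identifier for the product, e.g., cpe:/a:redhat:openshift_gitops:1.16::el8. This label is required for on-prem product releases.
      effective_on: "2026-06-07T00:00:00Z"
  # https://enterprisecontract.dev/docs/ec-policies/release_policy.html#labels__optional_labels
  optional_labels:
    - name: maintainer
      description: >-
        The name and email of the maintainer (usually the submitter).
        Should contain `@redhat.com` or `Red Hat`.
    - name: summary
      description: A short description of the image.
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__disallowed_inherited_labels
  # Labels that must be set on the image itself rather than inherited from its base image.
  disallowed_inherited_labels:
    - name: description
    - name: io.k8s.description
    - name: io.k8s.display-name
    - name: io.openshift.tags
    - name: summary
    - name: name
      effective_on: "2024-04-13T00:00:00Z"
    - name: com.redhat.component
      effective_on: "2024-04-13T00:00:00Z"
  # File-based-catalog (FBC) images get their own, currently empty, label lists. The empty
  # sequences are written explicitly (`[]`) so the keys are present rather than null.
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__required_labels
  fbc_required_labels: []
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__optional_labels
  fbc_optional_labels: []
  # https://conforma.dev/docs/policy/packages/release_labels.html#labels__disallowed_inherited_labels
  fbc_disallowed_inherited_labels: []
  # https://conforma.dev/docs/policy/packages/release_test.html
  # Test tasks treated as informative (presumably reported without failing the policy on their
  # own -- see the linked docs for the exact semantics).
  informative_tests:
    - ecosystem-cert-preflight-checks
    - fips-operator-bundle-check
    - fips-operator-bundle-check-oci-ta
    - coverity-availability-check
    - coverity-availability-check-oci-ta
    - sast-coverity-check
    - sast-coverity-check-oci-ta
    - sast-shell-check
    - sast-shell-check-oci-ta
    - sast-snyk-check
    - sast-snyk-check-oci-ta
    - sast-unicode-check
    - sast-unicode-check-oci-ta
  # Packages (by purl) that must not appear in the SBOM. `min` is the first version at which the
  # package's license changed (see each linked LICENSE); `format: semverv` means versions are
  # compared as semver with a leading `v`. `exceptions.subpath` exempts submodules that keep a
  # different license.
  disallowed_packages:
    # Disallow hashicorp packages with restrictive licenses.
    - purl: pkg:golang/github.com/hashicorp/terraform
      format: semverv
      # https://github.com/hashicorp/terraform/blob/91488b334e230398765438dce7e90b7db9af0dac/LICENSE#L7
      min: v1.6.0
    - purl: pkg:golang/github.com/hashicorp/consul
      format: semverv
      # https://github.com/hashicorp/consul/blob/3a78446114577cb14b2af5039ef4b3e61218404e/LICENSE#L7
      min: v1.17.0
      exceptions:
        # The api submodule has a different license.
        - subpath: api
    - purl: pkg:golang/github.com/hashicorp/vault
      format: semverv
      # https://github.com/hashicorp/vault/blob/8a46bee76887523a006410d1e865f5365e709851/LICENSE#L7
      min: v1.15.0
      exceptions:
        # The api and sdk submodules have a different license.
        - subpath: api
        - subpath: sdk
    - purl: pkg:golang/github.com/hashicorp/vagrant
      format: semverv
      # https://github.com/hashicorp/vagrant/blob/ac6374cd11a51b6992a5dc981bf617db74b4ca7d/LICENSE#L7
      # Actually 2.4.1.dev but that's not a valid semver. This could be interpreted as the pre-release
      # version of 2.4.1. In an abundance of caution, restrict starting at the previous patch release.
      min: v2.4.0
    - purl: pkg:golang/github.com/hashicorp/nomad
      format: semverv
      # https://github.com/hashicorp/nomad/blob/340c9ebd4755c0ab2325aa92c243b344d7956db3/LICENSE#L7
      min: v1.7.0
    - purl: pkg:golang/github.com/hashicorp/packer
      format: semverv
      # https://github.com/hashicorp/packer/blob/2241b1fba7253732fdb59284c57b376ae8ad0dff/LICENSE#L7
      min: v1.10.0
    - purl: pkg:golang/github.com/hashicorp/waypoint
      format: semverv
      # https://github.com/hashicorp/waypoint/blob/b81cf848b44f57b95cb2e9766839582cc625d9c2/LICENSE#L7C40-L7C46
      min: v0.12.0
    - purl: pkg:golang/github.com/hashicorp/boundary
      format: semverv
      # https://github.com/hashicorp/boundary/blob/99529108280ffd55ceefa3f6375a2e57ebeb6a33/LICENSE#L7
      min: v0.14.0
    - purl: pkg:golang/github.com/hashicorp/vault-csi-provider
      format: semverv
      # https://github.com/hashicorp/vault-csi-provider/blob/d1c8c8c5b29e2e15ecf66fb9d2823b9fe84051b4/LICENSE#L7C56-L7C56
      min: v1.4.1
    - purl: pkg:golang/github.com/hashicorp/vault-secrets-operator
      format: semverv
      # https://github.com/hashicorp/vault-secrets-operator/blob/d462e563feeefbf10dc0637834f08e82e1d3f0c1/LICENSE#L7
      min: v0.2.0
  # No binary python/ruby deps
  # https://conforma.dev/docs/policy/packages/release_sbom_cyclonedx.html#sbom_cyclonedx__disallowed_package_attributes
  # `value` is the string "true" (quoted), not a YAML boolean, because SBOM properties are
  # strings. Both the legacy cachi2 and the current hermeto property names are covered.
  disallowed_attributes:
    - name: cachi2:bundler:package:binary
      value: "true"
    - name: cachi2:pip:package:binary
      value: "true"
    - name: hermeto:bundler:package:binary
      value: "true"
    - name: hermeto:pip:package:binary
      value: "true"
  # No releases on Fridays and weekends
  # https://conforma.dev/docs/policy/packages/release_schedule.html#schedule__weekday_restriction
  # NOTE(review): confirm which timezone the schedule rule evaluates "today" in; near midnight a
  # UTC-vs-local difference decides whether a release falls on a disallowed day.
  disallowed_weekdays:
    - friday
    - saturday
    - sunday
  # No releases during year-end shutdown
  # https://conforma.dev/docs/policy/packages/release_schedule.html#schedule__date_restriction
  # Todo: It would be better if the applicable Conforma check could match any year, so we wouldn't
  # need to add each year's dates here.
  # Dates are quoted so every YAML loader hands the rule a YYYY-MM-DD string (an unquoted
  # ISO date is typed as a date object by some loaders). Past years are pruned from this list.
  disallowed_dates:
    # EOY 2028
    - "2028-12-23"
    - "2028-12-24"
    - "2028-12-25"
    - "2028-12-26"
    - "2028-12-27"
    - "2028-12-28"
    - "2028-12-29"
    - "2028-12-30"
    - "2028-12-31"
    - "2029-01-01"
    # EOY 2027
    - "2027-12-23"
    - "2027-12-24"
    - "2027-12-25"
    - "2027-12-26"
    - "2027-12-27"
    - "2027-12-28"
    - "2027-12-29"
    - "2027-12-30"
    - "2027-12-31"
    - "2028-01-01"
    # EOY 2026
    - "2026-12-23"
    - "2026-12-24"
    - "2026-12-25"
    - "2026-12-26"
    - "2026-12-27"
    - "2026-12-28"
    - "2026-12-29"
    - "2026-12-30"
    - "2026-12-31"
    - "2027-01-01"
  # Usage: https://conforma.dev/docs/policy/packages/release_olm.html#olm__required_olm_features_annotations_provided
  required_olm_features_annotations:
    - features.operators.openshift.io/disconnected
    - features.operators.openshift.io/fips-compliant
    - features.operators.openshift.io/proxy-aware
    - features.operators.openshift.io/tls-profiles
    - features.operators.openshift.io/token-auth-aws
    - features.operators.openshift.io/token-auth-azure
    - features.operators.openshift.io/token-auth-gcp
  # Presumably regular expressions (the `.*` wildcards suggest so); `.*root.*` rejects any
  # platform whose name contains "root" anywhere.
  disallowed_platform_patterns:
    - .*root.*
  # List of keys: https://access.redhat.com/security/team/key
  # Entries are 64-bit (16 hex digit) key IDs. They are quoted defensively: a key ID made up of
  # decimal digits only would otherwise be parsed as an integer.
  # NOTE(review): a short key ID identifies a key but does not authenticate it; confirm that the
  # verifier consuming this list checks RPM signatures against pinned key material rather than
  # treating ID equality alone as proof.
  allowed_rpm_signature_keys:
    # release key 2
    - "199e2f91fd431d51"
  # Thresholds are one day shorter than the time periods for grade C in:
  # https://access.redhat.com/articles/2803031
  # Days a CVE of the given severity may stay unaddressed before the check fails. Only critical
  # and high are configured here; other severities fall back to the rule's own defaults (see the
  # IMPORTANT note at the top of this file).
  cve_leeway:
    critical: 6
    high: 29
  # Pipeline names recognised as legitimate RPM build pipelines.
  allowed_rpm_build_pipelines:
    - build-rpm-package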