Confirm all rpms in sboms have a known repo id #1135
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1135 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 115 117 +2
Lines 5894 6010 +116
==========================================
+ Hits 5894 6010 +116
|
simonbaird
force-pushed
the
repoid-checks
branch
4 times, most recently
from
35a11a7 to
4e28682
Compare
|
I might tinker with the annotations a little more, but I think it's ready for review. |
|
I'll make a few changes. Moving to draft for a bit. |
policy/release/repo_ids.rego
Outdated
| # Checks that all RPMs listed in the SBOM have a valid and known | ||
| # repository id. | ||
| # | ||
| package policy.release.repo_ids |
There was a problem hiding this comment.
I wonder if this should be rpm_repo_ids since the repository terminology is very ambiguous.
Also not sure if ids need to be in the name. I can imagine this package doing something with rpm repos which is not necessarily related to their ids.
There was a problem hiding this comment.
Revised in latest version. See if you like it.
policy/release/repo_ids.rego
Outdated
| # description: >- | ||
| # A list of valid and known repository ids should be available in the data. | ||
| # custom: | ||
| # short_name: rpm_repo_ids_list_provided |
There was a problem hiding this comment.
The juxtaposition of package name and short name make this repetitive, repo_ids.rpm_repo_ids_list_provided. With my previous comment in mind, consider something like this rpm_repo.known_ids_list_provided.
policy/release/repo_ids.rego
Outdated
| # solution: >- | ||
| # Ensure every rpm is from a known and accepted repository and that the data in the SBOM | ||
| # correctly records that. | ||
| # # Todo: Until the sbom generation is upated, this will always fail, |
There was a problem hiding this comment.
We should enable this when that change is released and there's a new Task users can upgrade to. Let's use effective_on to give users ~30 days to make the upgrade.
There was a problem hiding this comment.
Will do in a future PR.
policy/release/repo_ids.rego
Outdated
| import data.lib | ||
|
|
||
| # METADATA | ||
| # title: Known repo id list provided |
There was a problem hiding this comment.
This can probably be merged with rpm_repo_ids_valid.
There was a problem hiding this comment.
Still open to persuasion, but I think I preferred them separate.
policy/release/repo_ids.rego
Outdated
| } | ||
|
|
||
| # Avoid including thousands of bad purls in the violation reason | ||
| max_bad_purls := 10 |
There was a problem hiding this comment.
This seems oddly specific. Let all the failures show up so users can tackle them as needed.
There was a problem hiding this comment.
Are you worried about showing (say) 5000 violations?
There was a problem hiding this comment.
Because every purl is malformed? That seems like a bigger problem.
There was a problem hiding this comment.
My thinking is: if you do have this problem, it's better if we don't add a 9000 screen EC task log on top of problem pile. 😁
simonbaird
force-pushed
the
repoid-checks
branch
from
4e28682 to
cd28756
Compare
|
Still draft, but nearly there. |
simonbaird
force-pushed
the
repoid-checks
branch
from
cd28756 to
883f4e7
Compare
The one exception is coverage, since the coverage numbers only make sence if you run all the tests. I also changed the ordering of targets for the sake of tidiness. Quality-of-life tweak while doing some TDD for... Ref: https://issues.redhat.com/browse/EC-742
I want to use this in the next commit. (As mentioned in the comments, I think it can make some code a little more readable in some cases.)
simonbaird
force-pushed
the
repoid-checks
branch
from
883f4e7 to
ed2aef0
Compare
|
The latest version has a different way of limiting the number of violations, as discussed post standup today. |
|
Moved out of draft. |
simonbaird
force-pushed
the
repoid-checks
branch
2 times, most recently
from
10574f9 to
7e78f51
Compare
For all components in all sboms that are rpms, require they have a repository_id value in their purl, and require that the repository_id value is in in the big list of known repository_ids. Includes a bit of extra work to limit the number of violations produced, since I'm expecting there to be either none of many hundreds. As mentioned in a Todo in the comments, this is not yet added to the redhat collection, but it will be added soon in an upcoming PR. Ref: https://issues.redhat.com/browse/EC-848
simonbaird
force-pushed
the
repoid-checks
branch
from
7e78f51 to
7ccc545
Compare
|
Things not in this PR:
|
Note that we can't enable this now, since the sboms that Konflux creates don't yet have repo ids, so I didn't add the one relevant check to the
redhatcollection in this PR.Ref: EC-848