Merge pull request #1257 from lcarva/EC-1059

Allow list of RPM repo IDs to be extended

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -1008,14 +1008,14 @@ Each RPM package listed in an SBOM must specify the repository id that it comes
 * FAILURE message: `RPM repo id check failed: %s`
 * Code: `rpm_repos.ids_known`
 * Effective from: `2024-11-10T00:00:00Z`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rpm_repos/rpm_repos.rego#L34[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rpm_repos/rpm_repos.rego#L36[Source, window="_blank"]
 
 [#rpm_repos__rule_data_provided]
 === link:#rpm_repos__rule_data_provided[Known repo id list provided]
 
 A list of known and permitted repository ids should be available in the rule data.
 
-*Solution*: Include a data source that provides a list of known repository ids under the 'known_rpm_repositories' key under the top level 'rule_data' key.
+*Solution*: Include a data source that provides a list of known repository ids under the 'known_rpm_repositories' key under the top level 'rule_data' key. This list can extended with the 'extra_rpm_repositories' rule data key. The contents of both lists are combined.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Rule data '%s' has unexpected format: %s`

policy/release/rpm_repos/rpm_repos.rego

@@ -21,7 +21,9 @@ import data.lib.json as j
 #   failure_msg: "Rule data '%s' has unexpected format: %s"
 #   solution: >-
 #     Include a data source that provides a list of known repository ids under the
-#     'known_rpm_repositories' key under the top level 'rule_data' key.
+#     'known_rpm_repositories' key under the top level 'rule_data' key. This list can
+#     extended with the 'extra_rpm_repositories' rule data key. The contents of both
+#     lists are combined.
 #   collections:
 #   - redhat
 #   - policy_data
@@ -62,7 +64,9 @@ _rule_data_errors contains error if {
 			"$schema": "http://json-schema.org/draft-07/schema#",
 			"type": "array",
 			"items": {"type": "string"},
-			"uniqueItems": true,
+			# The list of repo IDs is a combination of two different lists which are often managed
+			# by different people. It's ok if those overlap.
+			"uniqueItems": false,
 			"minItems": 1,
 		},
 	)
@@ -181,10 +185,18 @@ _is_rpmish(purl) if {
 	startswith(purl, "pkg:rpmmod/")
 }
 
-_known_repo_ids := lib.rule_data(_rule_data_key)
+_known_repo_ids := combined if {
+	extra := lib.rule_data(_rule_data_extras_key)
+	known := lib.rule_data(_rule_data_key)
+	combined := array.concat(extra, known)
+} else := known if {
+	known := lib.rule_data(_rule_data_key)
+}
 
 _rule_data_key := "known_rpm_repositories"
 
+_rule_data_extras_key := "extra_rpm_repositories"
+
 # Converts a list of purl objects, as returned by
 # all_purls_with_repo_ids, back into a list of purl strings
 _plain_purls(purl_objs) := {purl_obj.purl | some purl_obj in purl_objs}

policy/release/rpm_repos/rpm_repos_test.rego

@@ -74,6 +74,22 @@ test_repo_id_all_known if {
 	) with lib.sbom.all_sboms as fake_spdx_sboms with data.rule_data.known_rpm_repositories as fake_repo_id_list
 }
 
+test_repo_id_all_known_with_extras if {
+	rule_data := {
+		"known_rpm_repositories": array.slice(fake_repo_id_list, 1, count(fake_repo_id_list)),
+		"extra_rpm_repositories": array.slice(fake_repo_id_list, 0, 1),
+	}
+	lib.assert_equal(
+		{p1, p2, p7},
+		rpm_repos._plain_purls(rpm_repos.all_c2_purls_with_known_repo_ids),
+	) with lib.sbom.all_sboms as fake_cyclonedx_sboms with data.rule_data as rule_data
+
+	lib.assert_equal(
+		{p1, p2, p7},
+		rpm_repos._plain_purls(rpm_repos.all_c2_purls_with_known_repo_ids),
+	) with lib.sbom.all_sboms as fake_spdx_sboms with data.rule_data as rule_data
+}
+
 test_repo_id_purls_missing_repo_ids if {
 	expected := {
 		{