Merge pull request #1202 from lcarva/EC-930

Ignore SBOM URLs for other images

policy/lib/sbom/sbom.rego

@@ -1,6 +1,7 @@
 package lib.sbom
 
 import data.lib
+import data.lib.image
 import data.lib.tekton
 import rego.v1
 
@@ -65,6 +66,12 @@ _fetch_oci_sbom := [sbom |
 	some attestation in lib.pipelinerun_attestations
 	some task in tekton.build_tasks(attestation)
 
+	# For multi-platform images, the same SLSA Provenance may describe all the platform specific
+	# images. Each will have its own SBOM. Only select the SBOM for the image being evaluated.
+	expected_image_digest := image.parse(input.image.ref).digest
+	image_digest := tekton.task_result(task, "IMAGE_DIGEST")
+	expected_image_digest == image_digest
+
 	blob_ref := tekton.task_result(task, "SBOM_BLOB_URL")
 	blob := ec.oci.blob(blob_ref)
 	sbom := json.unmarshal(blob)

policy/lib/sbom/sbom_test.rego

@@ -28,12 +28,12 @@ test_cyclonedx_sboms if {
 				{
 					"name": "IMAGE_DIGEST",
 					"type": "string",
-					"value": "sha256:f0cacc1a",
+					"value": "sha256:284e3029",
 				},
 				{
 					"name": "IMAGE_URL",
 					"type": "string",
-					"value": "registry.io/repository/image@sha256:baadf00d",
+					"value": "registry.io/repository/image:latest",
 				},
 				{
 					"name": "SBOM_BLOB_URL",
@@ -66,12 +66,12 @@ test_spdx_sboms if {
 				{
 					"name": "IMAGE_DIGEST",
 					"type": "string",
-					"value": "sha256:f0cacc1a",
+					"value": "sha256:284e3029",
 				},
 				{
 					"name": "IMAGE_URL",
 					"type": "string",
-					"value": "registry.io/repository/image@sha256:baadf00d",
+					"value": "registry.io/repository/image:latest",
 				},
 				{
 					"name": "SBOM_BLOB_URL",
@@ -118,7 +118,7 @@ test_cyclonedx_sboms_fallback_live_fetch if {
 		with ec.oci.image_files as mock_ec_oci_image_files(sbom._sbom_cyclonedx_image_path)
 }
 
-test_spdx_sboms_fallback__no_live_fetch if {
+test_spdx_sboms_fallback_no_live_fetch if {
 	image := json.remove(_spdx_image, ["files"])
 	expected := []
 	lib.assert_equal(sbom.spdx_sboms, expected) with input.attestations as []
@@ -127,6 +127,55 @@ test_spdx_sboms_fallback__no_live_fetch if {
 		with ec.oci.image_files as mock_ec_oci_image_files(sbom._sbom_spdx_image_path)
 }
 
+test_ignore_unrelated_sboms if {
+	attestations := [
+		{"statement": {"predicate": {
+			"buildType": lib.tekton_pipeline_run,
+			"buildConfig": {"tasks": [{"results": [
+				{
+					"name": "IMAGE_DIGEST",
+					"type": "string",
+					"value": "sha256:0000000",
+				},
+				{
+					"name": "IMAGE_URL",
+					"type": "string",
+					"value": "registry.io/repository/image:latest",
+				},
+				{
+					"name": "SBOM_BLOB_URL",
+					"type": "string",
+					"value": "registry.io/repository/image@sha256:f0cacc1a",
+				},
+			]}]},
+		}}},
+		{"statement": {"predicate": {
+			"buildType": lib.tekton_pipeline_run,
+			"buildConfig": {"tasks": [{"results": [
+				{
+					"name": "IMAGE_DIGEST",
+					"type": "string",
+					"value": "sha256:1111111",
+				},
+				{
+					"name": "IMAGE_URL",
+					"type": "string",
+					"value": "registry.io/repository/image:latest",
+				},
+				{
+					"name": "SBOM_BLOB_URL",
+					"type": "string",
+					"value": "registry.io/repository/image@sha256:f0cacc1b",
+				},
+			]}]},
+		}}},
+	]
+
+	lib.assert_equal(sbom.all_sboms, []) with input.attestations as attestations
+		with input.image as {"ref": "registry.io/repository/image@sha256:284e3029"}
+		with ec.oci.blob as ""
+}
+
 mock_ec_oci_cyclonedx_blob := `{"sbom": "from oci blob", "bomFormat": "CycloneDX"}`
 
 mock_ec_oci_spdx_blob := `{"sbom": "from oci blob", "SPDXID": "SPDXRef-DOCUMENT"}`