diff --git a/policy/lib/sbom/sbom.rego b/policy/lib/sbom/sbom.rego index 6ec2afaf..26173951 100644 --- a/policy/lib/sbom/sbom.rego +++ b/policy/lib/sbom/sbom.rego @@ -1,6 +1,7 @@ package lib.sbom import data.lib +import data.lib.image import data.lib.tekton import rego.v1 @@ -65,6 +66,12 @@ _fetch_oci_sbom := [sbom | some attestation in lib.pipelinerun_attestations some task in tekton.build_tasks(attestation) + # For multi-platform images, the same SLSA Provenance may describe all the platform specific + # images. Each will have its own SBOM. Only select the SBOM for the image being evaluated. + expected_image_digest := image.parse(input.image.ref).digest + image_digest := tekton.task_result(task, "IMAGE_DIGEST") + expected_image_digest == image_digest + blob_ref := tekton.task_result(task, "SBOM_BLOB_URL") blob := ec.oci.blob(blob_ref) sbom := json.unmarshal(blob) diff --git a/policy/lib/sbom/sbom_test.rego b/policy/lib/sbom/sbom_test.rego index dcdd972a..fe1f67d7 100644 --- a/policy/lib/sbom/sbom_test.rego +++ b/policy/lib/sbom/sbom_test.rego @@ -28,12 +28,12 @@ test_cyclonedx_sboms if { { "name": "IMAGE_DIGEST", "type": "string", - "value": "sha256:f0cacc1a", + "value": "sha256:284e3029", }, { "name": "IMAGE_URL", "type": "string", - "value": "registry.io/repository/image@sha256:baadf00d", + "value": "registry.io/repository/image:latest", }, { "name": "SBOM_BLOB_URL", @@ -66,12 +66,12 @@ test_spdx_sboms if { { "name": "IMAGE_DIGEST", "type": "string", - "value": "sha256:f0cacc1a", + "value": "sha256:284e3029", }, { "name": "IMAGE_URL", "type": "string", - "value": "registry.io/repository/image@sha256:baadf00d", + "value": "registry.io/repository/image:latest", }, { "name": "SBOM_BLOB_URL", @@ -118,7 +118,7 @@ test_cyclonedx_sboms_fallback_live_fetch if { with ec.oci.image_files as mock_ec_oci_image_files(sbom._sbom_cyclonedx_image_path) } -test_spdx_sboms_fallback__no_live_fetch if { +test_spdx_sboms_fallback_no_live_fetch if { image := json.remove(_spdx_image, ["files"]) expected := [] lib.assert_equal(sbom.spdx_sboms, expected) with input.attestations as [] @@ -127,6 +127,55 @@ test_spdx_sboms_fallback__no_live_fetch if { with ec.oci.image_files as mock_ec_oci_image_files(sbom._sbom_spdx_image_path) } +test_ignore_unrelated_sboms if { + attestations := [ + {"statement": {"predicate": { + "buildType": lib.tekton_pipeline_run, + "buildConfig": {"tasks": [{"results": [ + { + "name": "IMAGE_DIGEST", + "type": "string", + "value": "sha256:0000000", + }, + { + "name": "IMAGE_URL", + "type": "string", + "value": "registry.io/repository/image:latest", + }, + { + "name": "SBOM_BLOB_URL", + "type": "string", + "value": "registry.io/repository/image@sha256:f0cacc1a", + }, + ]}]}, + }}}, + {"statement": {"predicate": { + "buildType": lib.tekton_pipeline_run, + "buildConfig": {"tasks": [{"results": [ + { + "name": "IMAGE_DIGEST", + "type": "string", + "value": "sha256:1111111", + }, + { + "name": "IMAGE_URL", + "type": "string", + "value": "registry.io/repository/image:latest", + }, + { + "name": "SBOM_BLOB_URL", + "type": "string", + "value": "registry.io/repository/image@sha256:f0cacc1b", + }, + ]}]}, + }}}, + ] + + lib.assert_equal(sbom.all_sboms, []) with input.attestations as attestations + with input.image as {"ref": "registry.io/repository/image@sha256:284e3029"} + with ec.oci.blob as "" +} + mock_ec_oci_cyclonedx_blob := `{"sbom": "from oci blob", "bomFormat": "CycloneDX"}` mock_ec_oci_spdx_blob := `{"sbom": "from oci blob", "SPDXID": "SPDXRef-DOCUMENT"}`