Add the rpm repo id check to the redhat collection
Because this check will fail for an image that was not built with the
latest version of cachi2, the effective on date was set 30 days out.
Hopefully most people would have their Konflux Tekton task bundle
refs updated by then.

See also:
- https://github.com/containerbuildsystem/cachi2/releases/tag/0.11.0
- konflux-ci/build-definitions@ef11db2

Ref: https://issues.redhat.com/browse/EC-876
simonbaird committed Oct 10, 2024
1 parent ce24a1d commit 568b152
Showing 2 changed files with 5 additions and 4 deletions.
2 changes: 2 additions & 0 deletions antora/docs/modules/ROOT/pages/release_policy.adoc
Expand Up @@ -144,6 +144,7 @@ Rules included:
* xref:release_policy.adoc#provenance_materials__git_clone_source_matches_provenance[Provenance Materials: Git clone source matches materials provenance]
* xref:release_policy.adoc#provenance_materials__git_clone_task_found[Provenance Materials: Git clone task found]
* xref:release_policy.adoc#quay_expiration__expires_label[Quay expiration: Expires label]
* xref:release_policy.adoc#rpm_repos__ids_known[RPM Repos: All rpms have known repo ids]
* xref:release_policy.adoc#rpm_repos__rule_data_provided[RPM Repos: Known repo id list provided]
* xref:release_policy.adoc#rpm_signature__allowed[RPM Signature: Allowed RPM signature key]
* xref:release_policy.adoc#rpm_signature__result_format[RPM Signature: Result format]
Expand Down Expand Up @@ -1040,6 +1041,7 @@ Each RPM package listed in an SBOM must specify the repository id that it comes
* Rule type: [rule-type-indicator failure]#FAILURE#
* FAILURE message: `RPM repo id check failed: %s`
* Code: `rpm_repos.ids_known`
* Effective from: `2024-11-10T00:00:00Z`
* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rpm_repos.rego#L33[Source, window="_blank"]

[#rpm_repos__rule_data_provided]
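
Review bot: the new `Effective from: 2024-11-10T00:00:00Z` line is 31 days after the Oct 10, 2024 commit date, while the commit message says the date was set 30 days out; harmless, but worth confirming which date was intended. The same timestamp also appears as `effective_on` in policy/release/rpm_repos.rego, so if this page is edited by hand rather than generated from the annotations, the two values have to be changed together or the documentation will misstate when the rule starts failing builds.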
7 changes: 3 additions & 4 deletions policy/release/rpm_repos.rego
Expand Up @@ -41,10 +41,9 @@ deny contains result if {
# solution: >-
# Ensure every rpm comes from a known and permitted repository, and that the data in the
# SBOM correctly records that.
# # Todo: Until the sbom generation is upated this will always fail, so don't include it
# # in the redhat collection yet. See https://issues.redhat.com/browse/STONEBLD-2638
# #collections:
# #- redhat
# collections:
# - redhat
# effective_on: "2024-11-10T00:00:00Z"
#
deny contains result if {
# Don't bother with this unless we have valid rule data
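
Review bot: the `solution:` text above the new `collections:` and `effective_on:` lines still only tells the user to ensure every rpm comes from a known and permitted repository, but the commit message says the expected failure is an image not built with the latest cachi2. Consider adding that remediation (update the Konflux task bundle refs so the SBOM is produced by the cachi2 release linked in the commit message) to the solution, and a one-line comment beside `effective_on: "2024-11-10T00:00:00Z"` saying why enforcement is deferred, since the removed Todo was the only in-file record of the SBOM dependency. Separately, the rule body opens with "Don't bother with this unless we have valid rule data", so now that it is in the `redhat` collection its enforcement depends on `rpm_repos.rule_data_provided` remaining in the same collection; a short note in the annotations would keep that coupling visible.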