Merge pull request #1127 from lcarva/EC-822
Tweaks to fetching CycloneDX SBOM
lcarva authored Sep 6, 2024
2 parents b94bd21 + f80804c commit 7b17eb7
Showing 2 changed files with 55 additions and 14 deletions.
29 changes: 20 additions & 9 deletions policy/lib/sbom.rego
Expand Up @@ -4,15 +4,24 @@ import data.lib
import data.lib.tkn
import rego.v1

cyclonedx_sboms := array.concat(
array.concat(_cyclonedx_sboms_from_image, _cyclonedx_sboms_from_attestations),
_cyclonedx_sboms_from_oci,
)

_cyclonedx_sboms_from_image := [sbom |
some path in ["root/buildinfo/content_manifests/sbom-cyclonedx.json"]
sbom := input.image.files[path]
]
# cyclonedx_sboms returns a list of SBOMs associated with the image being validated. It will first
# try to find them as references in the SLSA Provenance attestation and as an SBOM attestation. If
# an SBOM is not found in those locations, then it will attempt to retrieve the SBOM from within the
# image's filesystem. This fallback exists for legacy purposes and support for it will be removed
# soon.
default cyclonedx_sboms := []

cyclonedx_sboms := sboms if {
sboms := array.concat(_cyclonedx_sboms_from_attestations, _cyclonedx_sboms_from_oci)
count(sboms) > 0
} else := _cyclonedx_sboms_from_image

_cyclonedx_sboms_from_image := [sbom] if {
sbom := input.image.files[_sbom_image_path]
} else := [sbom] if {
input.image.config.Labels.vendor == "Red Hat, Inc."
sbom := ec.oci.image_files(input.image.ref, [_sbom_image_path])[_sbom_image_path]
}

_cyclonedx_sboms_from_attestations := [sbom |
some att in input.attestations
Expand All @@ -32,3 +41,5 @@ _cyclonedx_sboms_from_oci := [sbom |

sbom := json.unmarshal(blob)
]

_sbom_image_path := "root/buildinfo/content_manifests/sbom-cyclonedx.json"
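Review bot: The live-fetch branch of `_cyclonedx_sboms_from_image` keys both a registry pull and the acceptance of an unattested SBOM on `input.image.config.Labels.vendor == "Red Hat, Inc."`, a label any image author can set, so the comparison limits which images trigger the fetch but says nothing about who built the image. The header comment on `cyclonedx_sboms` calls this a legacy fallback, but neither it nor the rule states that an SBOM read from the image filesystem (prefetched via `input.image.files` or pulled via `ec.oci.image_files`) has no signature or provenance binding, unlike the attestation-derived SBOMs that take precedence. I would say so where the check lives: `# The vendor label is self-asserted by the image and only selects which images get a live fetch; it does not authenticate the image, and an SBOM taken from the filesystem is unattested either way.` Separately, the prefetched branch returns `input.image.files[_sbom_image_path]` as-is while `_cyclonedx_sboms_from_oci` runs `json.unmarshal` on the blob, so consumers may get a raw string from one source and a parsed object from another — the test fixtures show both shapes, so this may be intentional, but it is worth confirming or documenting.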
40 changes: 35 additions & 5 deletions policy/lib/sbom_test.rego
Expand Up @@ -36,14 +36,44 @@ test_cyclonedx_sboms if {
]}]},
}}},
]
image := {"files": {
"root/buildinfo/content_manifests/sbom-cyclonedx.json": "sbom from image",
"root/foo": "not an sbom",
}}
expected := ["sbom from image", "sbom from attestation", {"sbom": "from oci blob"}]
expected := ["sbom from attestation", {"sbom": "from oci blob"}]
lib.assert_equal(sbom.cyclonedx_sboms, expected) with input.attestations as attestations
with input.image as _image
with ec.oci.blob as mock_ec_oci_blob
}

test_cyclonedx_sboms_fallback_prefetched if {
attestations := [{"statement": {
"predicateType": "https://example.org/boom",
"predicate": "not an sbom",
}}]
expected := ["sbom from image"]
lib.assert_equal(sbom.cyclonedx_sboms, expected) with input.attestations as attestations
with input.image as _image
with ec.oci.blob as mock_ec_oci_blob
}

test_cyclonedx_sboms_fallback_live_fetch if {
image := json.remove(_image, ["files"])
expected := [{"sbom": "from live image"}]
lib.assert_equal(sbom.cyclonedx_sboms, expected) with input.attestations as []
with input.image as image
with ec.oci.blob as mock_ec_oci_blob
with ec.oci.image_files as mock_ec_oci_image_files
}

mock_ec_oci_blob("registry.io/repository/image@sha256:f0cacc1a") := `{"sbom": "from oci blob"}`

mock_ec_oci_image_files(
"registry.io/repository/image@sha256:284e3029",
["root/buildinfo/content_manifests/sbom-cyclonedx.json"],
) := {sbom._sbom_image_path: {"sbom": "from live image"}}

_image := {
"ref": "registry.io/repository/image@sha256:284e3029",
"files": {
"root/buildinfo/content_manifests/sbom-cyclonedx.json": "sbom from image",
"root/foo": "not an sbom",
},
"config": {"Labels": {"vendor": "Red Hat, Inc."}},
}
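Review bot: Nothing in the new tests pins the vendor-label gate on the live-fetch branch: every fixture uses `_image` with `"vendor": "Red Hat, Inc."`, so dropping the label comparison from `_cyclonedx_sboms_from_image` would leave `test_cyclonedx_sboms_fallback_live_fetch` and the other cases passing. A negative case that keeps the same `ref` (so `mock_ec_oci_image_files` would answer if it were called) but changes the vendor and expects the `[]` default would cover it. `test_cyclonedx_sboms` begins above the hunk, so its full fixture setup is not visible here.
```rego
test_cyclonedx_sboms_no_fallback_for_other_vendor if {
	image := object.union(
		json.remove(_image, ["files"]),
		{"config": {"Labels": {"vendor": "Example Corp"}}},
	)
	lib.assert_equal(sbom.cyclonedx_sboms, []) with input.attestations as []
		with input.image as image
		with ec.oci.image_files as mock_ec_oci_image_files
}
```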
