diff --git a/acceptance/examples/redhat_manifests.rego b/acceptance/examples/redhat_manifests.rego
deleted file mode 100644
index 639272183..000000000
--- a/acceptance/examples/redhat_manifests.rego
+++ /dev/null
@@ -1,25 +0,0 @@
-package main
-
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-# METADATA
-# title: Red Hat manifests exist
-# custom:
-# short_name: redhat_manifests
-# failure_msg: Missing Red Hat manifests
-deny contains err(rego.metadata.rule()) if {
- wanted := {
- "root/buildinfo/content_manifests/sbom-purl.json",
- "root/buildinfo/content_manifests/sbom-cyclonedx.json",
- }
- found := {name | some name, content in input.image.files}
- missing := wanted - found
- count(missing) > 0
-}
-
-err(meta) := {
- "code": sprintf("main.%s", [meta.custom.short_name]),
- "msg": meta.custom.failure_msg,
-}
diff --git a/acceptance/examples/redhat_sbom_cyclonedx.json b/acceptance/examples/redhat_sbom_cyclonedx.json
deleted file mode 100644
index 52ab23b9c..000000000
--- a/acceptance/examples/redhat_sbom_cyclonedx.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.4", - "serialNumber": "urn:uuid:00c4ffbc-0010-41d5-894a-c0404f691594", - "version": 1, - "metadata": { - "timestamp": "2023-07-14T18:44:55Z", - "tools": [ - { - "vendor": "anchore", - "name": "syft", - "version": "0.47.0" - } - ], - "component": { - "bom-ref": "7ec463778bb0fefe", - "type": "file", - "name": "/var/lib/containers/storage/vfs/dir/d698970a5f3bc0524df49e6ccb4c6845e5183b8ccb95a1a77b43284752de9e19" - } - }, - "components": [ - { - "bom-ref": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch&upstream=elfutils-0.186-1.el8.src.rpm&distro=rhel-8.6&package-id=c064acc6509932eb", - "type": "library", - "publisher": "Red Hat, Inc.", - "name": "elfutils-default-yama-scope", - "version": "0.186-1.el8", - "cpe": "cpe:2.3:a:elfutils-default-yama-scope:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*", - "purl": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch&upstream=elfutils-0.186-1.el8.src.rpm&distro=rhel-8.6", - "properties": [ - { - "name": "syft:package:foundBy", - "value": "rpmdb-cataloger" - }, - { - "name": "syft:package:metadataType", - "value": "RpmdbMetadata" - }, - { - "name": "syft:package:type", - "value": "rpm" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama-scope:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama_scope:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama_scope:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": 
"cpe:2.3:a:elfutils_default_yama:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:redhat:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:redhat:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:location:0:path", - "value": "var/lib/rpm/Packages" - }, - { - "name": "syft:metadata:release", - "value": "1.el8" - }, - { - "name": "syft:metadata:size", - "value": "1810" - }, - { - "name": "syft:metadata:sourceRpm", - "value": "elfutils-0.186-1.el8.src.rpm" - } - ] - } - ] - } \ No newline at end of file diff --git a/acceptance/examples/redhat_sbom_purl.json b/acceptance/examples/redhat_sbom_purl.json deleted file mode 100644 index fb8852e89..000000000 --- a/acceptance/examples/redhat_sbom_purl.json +++ /dev/null 
@@ -1,12 +0,0 @@
-{
- "image_contents": {
- "dependencies": [
- {
- "purl": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch&upstream=elfutils-0.186-1.el8.src.rpm&distro=rhel-8.6"
- },
- {
- "purl": "pkg:rpm/rhel/gdb-gdbserver@8.2-18.el8?arch=x86_64&upstream=gdb-8.2-18.el8.src.rpm&distro=rhel-8.6"
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/features/__snapshots__/validate_image.snap b/features/__snapshots__/validate_image.snap
index 6028c975f..31c81575e 100755
--- a/features/__snapshots__/validate_image.snap
+++ b/features/__snapshots__/validate_image.snap
@@ -3107,281 +3107,6 @@ Error: success criteria not met } --- -[Red Hat manifests:stdout - 1] -{ - "success": true, - "components": [ - { - "name": "Unnamed", - "containerImage": "${REGISTRY}/acceptance/image@sha256:${REGISTRY_acceptance/image:latest_DIGEST}", - "source": {}, - "successes": [ - { - "msg": "Pass", - "metadata": { - "code": "builtin.attestation.signature_check" - } - }, - { - "msg": "Pass", - "metadata": { - "code": "builtin.attestation.syntax_check" - } - }, - { - "msg": "Pass", - "metadata": { - "code": "builtin.image.signature_check" - } - }, - { - "msg": "Pass", - "metadata": { - "code": "main.redhat_manifests" - } - } - ], - "success": true, - "signatures": [ - { - "keyid": "", - "sig": "${IMAGE_SIGNATURE_acceptance/image}" - } - ], - "attestations": [ - { - "type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2", - "signatures": [ - { - "keyid": "", - "sig": "${ATTESTATION_SIGNATURE_acceptance/image}" - } - ] - } - ] - } - ], - "key": "${known_PUBLIC_KEY_JSON}", - "policy": { - "sources": [ - { - "policy": [ - "git::https://${GITHOST}/git/redhat-manifests.git" - ] - } - ], - "publicKey": "${known_PUBLIC_KEY}" - }, - "ec-version": "${EC_VERSION}", - "effective-time": "${TIMESTAMP}" -} ---- - -[Red Hat manifests:stderr - 1] - ---- - -[Red Hat manifests:${TMPDIR}/input.json - 1] -{ - "attestations": [ - { - "statement": { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "acceptance/image", - "digest": { - "sha256": "${REGISTRY_acceptance/image:latest_DIGEST}" - } - } - ], - "predicate": { - "builder": { - "id": "https://tekton.dev/chains/v2" - }, - "buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2", - "invocation": { - "configSource": {} - } - } - }, - "signatures": [ - { - "keyid": "", - "sig": 
"${ATTESTATION_SIGNATURE_acceptance/image}" - } - ] - } - ], - "image": { - "ref": "${REGISTRY}/acceptance/image@sha256:${REGISTRY_acceptance/image:latest_DIGEST}", - "signatures": [ - { - "keyid": "", - "sig": "${IMAGE_SIGNATURE_acceptance/image}" - } - ], - "config": { - "Labels": { - "org.opencontainers.image.title": "acceptance/image", - "vendor": "Red Hat, Inc." - } - }, - "files": { - "root/buildinfo/content_manifests/sbom-cyclonedx.json": { - "bomFormat": "CycloneDX", - "components": [ - { - "bom-ref": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch\u0026upstream=elfutils-0.186-1.el8.src.rpm\u0026distro=rhel-8.6\u0026package-id=c064acc6509932eb", - "cpe": "cpe:2.3:a:elfutils-default-yama-scope:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*", - "name": "elfutils-default-yama-scope", - "properties": [ - { - "name": "syft:package:foundBy", - "value": "rpmdb-cataloger" - }, - { - "name": "syft:package:metadataType", - "value": "RpmdbMetadata" - }, - { - "name": "syft:package:type", - "value": "rpm" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama-scope:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama_scope:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama_scope:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default-yama:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default_yama:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - 
"name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils-default:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils_default:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:elfutils:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:redhat:elfutils-default-yama-scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:cpe23", - "value": "cpe:2.3:a:redhat:elfutils_default_yama_scope:0.186-1.el8:*:*:*:*:*:*:*" - }, - { - "name": "syft:location:0:path", - "value": "var/lib/rpm/Packages" - }, - { - "name": "syft:metadata:release", - "value": "1.el8" - }, - { - "name": "syft:metadata:size", - "value": "1810" - }, - { - "name": "syft:metadata:sourceRpm", - "value": "elfutils-0.186-1.el8.src.rpm" - } - ], - "publisher": "Red Hat, Inc.", - "purl": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch\u0026upstream=elfutils-0.186-1.el8.src.rpm\u0026distro=rhel-8.6", - "type": "library", - "version": "0.186-1.el8" - } - ], - "metadata": { - "component": { - "bom-ref": "7ec463778bb0fefe", - "name": "/var/lib/containers/storage/vfs/dir/d698970a5f3bc0524df49e6ccb4c6845e5183b8ccb95a1a77b43284752de9e19", - "type": "file" - }, - "timestamp": "${TIMESTAMP}", - "tools": [ - { - "name": "syft", - "vendor": "anchore", - "version": "0.47.0" - } - ] - }, - "serialNumber": "urn:uuid:00c4ffbc-0010-41d5-894a-c0404f691594", - "specVersion": "1.4", - "version": 1 - }, - "root/buildinfo/content_manifests/sbom-purl.json": { - 
"image_contents": { - "dependencies": [ - { - "purl": "pkg:rpm/rhel/elfutils-default-yama-scope@0.186-1.el8?arch=noarch\u0026upstream=elfutils-0.186-1.el8.src.rpm\u0026distro=rhel-8.6" - }, - { - "purl": "pkg:rpm/rhel/gdb-gdbserver@8.2-18.el8?arch=x86_64\u0026upstream=gdb-8.2-18.el8.src.rpm\u0026distro=rhel-8.6" - } - ] - } - } - }, - "source": {} - }, - "snapshot": { - "application": "", - "components": [ - { - "name": "Unnamed", - "containerImage": "${REGISTRY}/acceptance/image", - "source": {} - } - ], - "artifacts": {} - } -} ---- - [Unsupported policies:stdout - 1] --- diff --git a/features/validate_image.feature b/features/validate_image.feature index 3ed0acb30..8f7d3380b 100644 --- a/features/validate_image.feature +++ b/features/validate_image.feature 
@@ -924,26 +924,6 @@ Feature: evaluate enterprise contract
 And the output should match the snapshot
 And the "${TMPDIR}/input.json" file should match the snapshot
 
- Scenario: Red Hat manifests
- Given a key pair named "known"
- And an image named "acceptance/image" containing a layer with:
- | root/buildinfo/content_manifests/sbom-cyclonedx.json | examples/redhat_sbom_cyclonedx.json |
- | root/buildinfo/content_manifests/sbom-purl.json | examples/redhat_sbom_purl.json |
- And the image "acceptance/image" has labels:
- | vendor | Red Hat, Inc. |
- And a valid image signature of "acceptance/image" image signed by the "known" key
- And a valid attestation of "acceptance/image" signed by the "known" key
- And a git repository named "redhat-manifests" with
- | main.rego | examples/redhat_manifests.rego |
- And policy configuration named "policy" with specification
- """
- {"sources": [{"policy": ["git::https://${GITHOST}/git/redhat-manifests.git"]}]}
- """
- When ec command is run with "validate image --image ${REGISTRY}/acceptance/image --policy acceptance/policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --show-successes --output=json --output=policy-input=${TMPDIR}/input.json"
- Then the exit status should be 0
- And the output should match the snapshot
- And the "${TMPDIR}/input.json" file should match the snapshot
-
 Scenario: Unsupported policies
 Given a key pair named "known"
 Given an image named "acceptance/image"
diff --git a/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go b/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go
index 5cc67c79a..3a5e58e66 100644
--- a/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go
+++ b/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go
@@ -132,10 +132,7 @@ func (a *ApplicationSnapshotImage) FetchParentImageConfig(ctx context.Context) e func (a *ApplicationSnapshotImage) FetchImageFiles(ctx context.Context) error { var err error - extractors := []files.Extractor{ - files.OLMManifest{}, - files.RedHatManifest{}, - } + extractors := []files.Extractor{files.OLMManifest{}} a.files, err = files.ImageFiles(ctx, a.reference, extractors) return err } diff --git a/internal/fetchers/oci/files/files_test.go b/internal/fetchers/oci/files/files_test.go index 4063b14fc..208e1d80d 100644 --- a/internal/fetchers/oci/files/files_test.go +++ b/internal/fetchers/oci/files/files_test.go @@ -60,7 +60,7 @@ func TestImageManifests(t *testing.T) { ctx := oci.WithClient(context.Background(), &client) - extractors := []Extractor{OLMManifest{}, RedHatManifest{}} + extractors := []Extractor{OLMManifest{}} files, err := ImageFiles(ctx, ref, extractors) assert.NoError(t, err) @@ -86,7 +86,7 @@ func TestDoesntFetchLayersForUnsupported(t *testing.T) { ctx := oci.WithClient(context.Background(), &client) - extractors := []Extractor{OLMManifest{}, RedHatManifest{}} + extractors := []Extractor{OLMManifest{}} files, err := ImageFiles(ctx, ref, extractors) assert.NoError(t, err) diff --git a/internal/fetchers/oci/files/rhmanifest.go b/internal/fetchers/oci/files/rhmanifest.go deleted file mode 100644 index 1764fca48..000000000 --- a/internal/fetchers/oci/files/rhmanifest.go +++ /dev/null 
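Review bot: Dropping `files.RedHatManifest{}` from `extractors` in FetchImageFiles silently shrinks the policy input: `a.files` no longer carries `root/buildinfo/content_manifests/*` for images labelled `vendor: Red Hat, Inc.`, so a rule like the deleted `redhat_manifests.rego` (which denies when those paths are absent from `input.image.files`) now fails closed, while a rule written as "validate the SBOM only if the file is present" would stop checking without any signal, unless another extractor still supplies those paths. Nothing in the function or the hunk records that the `image.files` contract changed. I would add a doc comment above the function, `// FetchImageFiles populates a.files from the image layers; only OLM manifests are extracted, so Red Hat content manifests under root/buildinfo/content_manifests are no longer exposed via input.image.files.`, and call the removal out as a breaking change to the policy-input schema in the release notes so policy authors re-check rules keyed on those paths.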
@@ -1,47 +0,0 @@
-// Copyright The Enterprise Contract Contributors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package files
-
-import (
- v1 "github.com/google/go-containerregistry/pkg/v1"
-)
-
-const (
- redHatVendorLabelName = "vendor"
- redHatVendorLabelValue = "Red Hat, Inc."
- redHatManifestPath = "root/buildinfo/content_manifests"
-)
-
-type RedHatManifest struct{}
-
-func (RedHatManifest) Matcher(img v1.Image) (Matcher, error) {
- if img == nil {
- return nil, nil
- }
-
- config, err := img.ConfigFile()
- if err != nil {
- return nil, err
- }
-
- if vendor := config.Config.Labels[redHatVendorLabelName]; vendor == redHatVendorLabelValue {
- matcher := PathMatcher{redHatManifestPath}
- return matcher.Match, nil
- }
-
- return nil, nil
-}
diff --git a/internal/fetchers/oci/files/rhmanifest_test.go b/internal/fetchers/oci/files/rhmanifest_test.go
deleted file mode 100644
index e3533773b..000000000
--- a/internal/fetchers/oci/files/rhmanifest_test.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// Copyright The Enterprise Contract Contributors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build unit
-
-package files
-
-import (
- "archive/tar"
- "errors"
- "fmt"
- "testing"
-
- v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/empty"
- "github.com/google/go-containerregistry/pkg/v1/fake"
- "github.com/google/go-containerregistry/pkg/v1/mutate"
- "github.com/stretchr/testify/require"
-)
-
-func TestRedHatManifest(t *testing.T) {
- malformedImage := fake.FakeImage{}
- kaboom := errors.New("kaboom!")
- malformedImage.ConfigFileReturns(nil, kaboom)
-
- matchingPaths := []string{
- fmt.Sprintf("%s/sbom-purl.json", redHatManifestPath),
- fmt.Sprintf("%s/sbom-cyclonedx.json", redHatManifestPath),
- }
-
- allPaths := append(matchingPaths,
- "path/sbom-purl.json",
- fmt.Sprintf("nested/%s/sbom-cyclonedx.json", redHatManifestPath),
- fmt.Sprintf("%ssbom.json", redHatManifestPath),
- )
-
- cases := []struct {
- name string
- img v1.Image
- err error
- expected []string
- }{
- {name: "nil"},
- {name: "empty image", img: empty.Image},
- {name: "empty config", img: mustCreateImage(v1.Config{})},
- {name: "missing vendor label", img: mustCreateImage(v1.Config{
- Labels: map[string]string{"x": "y"},
- })},
- {name: "Red Hat image", img: mustCreateImage(v1.Config{
- Labels: map[string]string{redHatVendorLabelName: redHatVendorLabelValue},
- }), expected: matchingPaths},
- {name: "Non Red Hat image", img: mustCreateImage(v1.Config{
- Labels: map[string]string{redHatVendorLabelName: "Pink Scarf, Inc."},
- })},
- {name: "malformed image", img: &malformedImage, err: kaboom},
- }
-
- for _, c := range cases {
- t.Run(c.name, func(t *testing.T) {
- matcher, err := RedHatManifest{}.Matcher(c.img)
- if c.err != nil {
- require.Equal(t, c.err, err)
- require.Nil(t, matcher)
- } else {
- require.NoError(t, err)
- }
- if len(c.expected) == 0 {
- require.Nil(t, matcher)
- return
- }
-
- var actual []string
- for _, p := range allPaths {
- if matcher(&tar.Header{Name: p}) {
- actual = append(actual, p)
- }
- }
- require.Equal(t, c.expected, actual)
- })
- }
-}
-
-func mustCreateImage(cfg v1.Config) v1.Image {
- image, err := mutate.Config(empty.Image, cfg)
- if err != nil {
- panic(err)
- }
- return image
-}