diff --git a/policy/release/rpm_repos.rego b/policy/release/rpm_repos.rego
index b20361aa4..0005182f7 100644
--- a/policy/release/rpm_repos.rego
+++ b/policy/release/rpm_repos.rego
@@ -106,7 +106,9 @@ all_rpm_purls contains purl if {
 some component in sbom.components
 purl := component.purl
- # I'm assuming this is faster than parsing it and checking the type
+ # I'm assuming this is faster than parsing it and checking the type.
+ # It would be more correct to match exactly "pkg:rpm/" and "pkg:rpmmod/"
+ # but I think this is good enough.
 startswith(purl, "pkg:rpm")
 }
diff --git a/policy/release/rpm_repos_test.rego b/policy/release/rpm_repos_test.rego
index 795a27aca..9f711b8e7 100644
--- a/policy/release/rpm_repos_test.rego
+++ b/policy/release/rpm_repos_test.rego
@@ -74,7 +74,7 @@ test_repo_id_purls_missing_repo_ids if {
 },
 }
- lib.assert_equal_results(expected, rpm_repos.deny) with rpm_repos._all_sboms as [fake_sbom({p1, p2, p4, p5, p6})]
+ lib.assert_equal_results(expected, rpm_repos.deny) with rpm_repos._all_sboms as [fake_sbom({p1, p2, p4, p5, p6, p7})]
 with data.rule_data.known_rpm_repositories as fake_repo_id_list
 }
@@ -140,7 +140,11 @@ fake_sboms := [fake_sbom({p1, p2, p3, p4, p5, p6})]
 fake_sbom(fake_purls) := {"components": [{"purl": p} | some p in fake_purls]}
-fake_repo_id_list := ["rhel-23-for-spam-9-rpms", "rhel-42-for-bacon-12-rpms"]
+fake_repo_id_list := [
+ "rhel-23-for-spam-9-rpms",
+ "rhel-42-for-bacon-12-rpms",
+ "rhel-8-for-x86_64-appstream-eus-rpms__8_DOT_6",
+]
 p1 := "pkg:rpm/redhat/spam@1.2.3?arch=amd64&repository_id=rhel-23-for-spam-9-rpms"
@@ -153,3 +157,6 @@ p4 := "pkg:rpm/redhat/spam@1.2.3?arch=amd64&pastry_id=puff"
 p5 := "pkg:rpm_borken"
 p6 := "pkg:golang/gitplanet.com/bacon@1.2.3?arch=amd64"
+
+ # regal ignore:line-length
p7 := "pkg:rpmmod/redhat/squid@4%3A8040020210420090912%3A522a0ee4?arch=ppc64le&repository_id=rhel-8-for-x86_64-appstream-eus-rpms__8_DOT_6"
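Review bot: `startswith(purl, "pkg:rpm")` still admits any purl type that merely begins with "rpm" (the test fixture `pkg:rpm_borken` is one such value) and, being a case-sensitive prefix test, would skip a type written as `pkg:RPM/...` if an SBOM producer ever emitted non-canonical casing; the reworded comment records the first gap rather than closing it. The exact match the comment itself describes is one line, `regex.match("^pkg:rpm(mod)?/", purl)`, with a leading `(?i)` if non-lowercase types should be caught too, and the cost difference against startswith is unlikely to matter for SBOM-sized inputs. Because this rule decides which components are subject to the repository checks at all, under-matching is the direction that lets a package escape review, so I would favour the stricter form over "good enough". The `all_rpm_purls` rule begins before this hunk; only its closing lines are shown.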
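Review bot: p7 is added only to this test's ad-hoc SBOM, where its repository_id is present in `fake_repo_id_list` and `expected` is left unchanged, so rpmmod purls are exercised only on the accepting path; nothing asserts that a `pkg:rpmmod/` purl with an unknown or missing repository_id ends up in `rpm_repos.deny`. I would add a sibling fixture such as `p8 := "pkg:rpmmod/redhat/squid@4?arch=ppc64le&repository_id=not-a-known-repo"` and extend `expected` with the matching deny entry, mirroring whatever the existing p2/p4 entries assert (`expected` is built above this hunk and is not visible here). The shared `fake_sboms` fixture, visible only as the next hunk's context line, also still omits p7, so the remaining tests in this file never see an rpmmod purl. The `test_repo_id_purls_missing_repo_ids` rule starts before this hunk.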
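Review bot: the new fixture p7 pairs `arch=ppc64le` with a repository id that names `x86_64`, and the updated test above expects no deny for it, which suggests the rule checks repository_id membership only and does not cross-check arch. If that mismatch is deliberate (copied from real data), a short comment would stop the next reader from "fixing" it and would document the non-check: `# arch intentionally differs from the repository's arch; the rule only checks repository_id membership`, placed above the `# regal ignore:line-length` line. If it is accidental, align the arch with the repository so the fixture does not silently encode an unreviewed assumption.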