Add allowed package sources policy #1212
Conversation
Signed-off-by: Jan Koscielniak <[email protected]>
kosciCZ
force-pushed
the
add-allowed-package-sources
branch
from
e55ca4a
to
b68cef6
Compare
|
@ralphbean could I get your eyes on this as general concept as well as the |
| @@ -266,3 +266,5 @@ rule_data_attributes_key := "disallowed_attributes" | |||
| rule_data_allowed_external_references_key := "allowed_external_references" | |||
|
|
|||
| rule_data_disallowed_external_references_key := "disallowed_external_references" | |||
|
|
|||
| rule_data_allowed_package_sources_key := "allowed_package_sources" | |||
There was a problem hiding this comment.
See the rule_data_errors rules above. Let's add a new one that verifies the consistency of this new rule data key. This helps us determine if the rule data provided has any problems.
| # METADATA | ||
| # title: Allowed package sources | ||
| # description: >- | ||
| # Confirm the CycloneDX SBOM packages fetched by Cachi2 that define externalReferences |
There was a problem hiding this comment.
This is a bit hard to read. Let's try to make it nicer since it's user-facing, consider:
For each of the components fetched by Cachi2 which define
externalReferencesof typedistribution, verify they are allowed based on theallowed_package_sourcesrule data key. By default,allowed_package_sourcesis empty which means no components with such references are allowed.
(We should call them components, not packages, as per the CycloneDX spec.)
| # of type `distribution` | ||
| properties.name == "cachi2:found_by" | ||
| properties.value == "cachi2" | ||
| reference.type == "distribution" |
There was a problem hiding this comment.
This should probably go right after some reference in .... There's no need to iterate over properties if the reference type has an unexpected value.
| some reference in component.externalReferences | ||
| some properties in component.properties | ||
|
|
||
| parsed_purl := ec.purl.parse(component.purl) |
There was a problem hiding this comment.
Let's do this after the filtering below to avoid having to parse PURLs unnecessarily.
| patterns := _get_purl_allowed_patterns(parsed_purl.type, allowed_data) | ||
|
|
||
| distribution_url := object.get(reference, "url", "") | ||
| matches := _url_matches_any_pattern(distribution_url, patterns) |
There was a problem hiding this comment.
Let's remove the else from _url_matches_any_pattern and change this line to:
not _url_matches_any_pattern(distribution_url, patterns)which means we can also remove matches == false
| # only progress past this point if no matches were found | ||
| matches == false | ||
|
|
||
| id := component.purl |
There was a problem hiding this comment.
We learned the other day that purl is actually an optional attribute. I think it's ok to do this here because you have already accessed earlier on in the rule, and presumably if there isn't a purl defined, this rule doesn't make sense for that component.
To make things safer(?) for the future, consider purl := component.purl earlier in rule and just use purl throughout.
| # collections: | ||
| # - redhat | ||
| # - policy_data | ||
| # effective_on: 2024-11-30T00:00:00Z |
There was a problem hiding this comment.
Let's set this to a month from now.
|
|
||
| parsed_purl := ec.purl.parse(component.purl) | ||
|
|
||
| # only look at components fetched by cachi2 that define an externalReferences |
There was a problem hiding this comment.
I do wonder if this rule can be a bit more data driven. For example, what if we allowed the rule data to be something like this:
- type: maven
properties:
- name: cachi2:found_by
value: cachi2
reference:
type: distribution
allowed_references:
- ".*apache.org.*"
- ".*example.com.*"Or some variation of that. WDYT?
| @@ -148,6 +148,63 @@ deny contains result if { | |||
| result := lib.result_helper_with_term(rego.metadata.chain(), [id, reference.url, reference.type, msg], id) | |||
| } | |||
|
|
|||
| # METADATA | |||
There was a problem hiding this comment.
We also need corresponding changes in sbom_spdx.rego 😭
This adds a new
allowed_package_sourcespolicy that can gate content fetched by cachi2. This rule take a lot from theallowed_external_references, but makes it specific to content fetched by cachi2, because it is not uncommon for dependencies fetched by other means to define externalReferences of typedistribution. Cachi2 currently produces the mentioned external reference only for packages fetched with the generic fetcher (docs WIP) that always produces apkg:genericpurl, but it is possible it will be extended to other package managers supported by cachi2 as well.The rule data for this policy are structured as a list of regex patterns for a given purl type. Examples in tests.
Finally, this is my first contribution to EC (and rego) so please excuse any antipatterns I might have invented, feedback very much welcomed.
Resolves ISV-5342