feat(docs): Some SBOM policies (#1125)

jiparis · web-flow · commit 5dc73d6a98d7 · 2024-07-29T22:10:07.000+02:00
Signed-off-by: Jose I. Paris &lt;jiparis@chainloop.dev&gt;
diff --git a/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024 The Chainloop Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: workflowcontract.chainloop.dev/v1
+kind: Policy
+metadata:
+  name: cyclonedx-banned-licenses
+  description: Checks that components don't have banned licenses
+  annotations:
+    category: sbom
+spec:
+  type: SBOM_CYCLONEDX_JSON
+  embedded: |
+    package main
+    
+    import rego.v1
+  
+    banned_licenses := ["GPL-2.0", "GPL-3.0"]
+    
+    deny contains ref if {
+      some i
+      comp := input.components[i]
+      some j
+      license := comp.licenses[j].license
+      license.name == banned_licenses[_]
+      ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]])
+    }
diff --git a/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml b/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml
@@ -0,0 +1,55 @@
+# Copyright 2024 The Chainloop Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: workflowcontract.chainloop.dev/v1
+kind: Policy
+metadata:
+  name: cyclonedx-banned-packages
+  description: Checks that there are no banned packages in the SBOM.
+  annotations:
+    category: sbom
+spec:
+  type: SBOM_CYCLONEDX_JSON
+  embedded: |
+    package main
+    
+    import rego.v1
+    
+    # It supports packages with version. When specified, requires it to be semver, and would also fail when version is lower
+    banned_packages := ["log4j@2.14.1"]
+
+    # deny all versions
+    deny contains ref if {
+      some i
+      comp := input.components[i]
+      some j
+      banned := banned_packages[j]
+      nv := split(banned, "@")
+      not nv[1]
+      comp.name == nv[0]
+      ref := sprintf("Banned package: %v", [comp.name])
+    }
+
+    # deny specific versions
+    deny contains ref if {
+      some i
+      comp := input.components[i]
+      some j
+      banned := banned_packages[j]
+      nv := split(banned, "@")
+      comp.name == nv[0]
+      result := semver.compare(comp.version, nv[1])
+      result <= 0
+      ref := sprintf("Banned package: %v %v", [comp.name, comp.version])
+    }
diff --git a/docs/examples/policies/sbom/cyclonedx-freshness.yaml b/docs/examples/policies/sbom/cyclonedx-freshness.yaml
@@ -0,0 +1,42 @@
+# Copyright 2024 The Chainloop Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: workflowcontract.chainloop.dev/v1
+kind: Policy
+metadata:
+  name: cyclonedx-required-packages
+  description: Checks that SBOM has a maximum of 30 days old
+  annotations:
+    category: sbom
+spec:
+  type: SBOM_CYCLONEDX_JSON
+  embedded: |
+    package main
+    
+    import rego.v1
+  
+    limit := 30
+    
+    nanosecs_per_second = (1000 * 1000) * 1000
+    
+    nanosecs_per_day = ((24 * 60) * 60) * nanosecs_per_second
+    
+    maximum_age = limit * nanosecs_per_day
+    
+    deny contains msg if {
+      sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp)
+      exceeding = time.now_ns() - (sbom_ns + maximum_age)
+      exceeding > 0
+      msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit])
+    }
diff --git a/docs/examples/policies/sbom/cyclonedx-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-licenses.yaml
@@ -12,23 +12,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Checks that all components have a license
 apiVersion: workflowcontract.chainloop.dev/v1
 kind: Policy
 metadata:
   name: cyclonedx-licenses
+  description: Checks for components without licenses
+  annotations:
+    category: sbom
 spec:
   type: SBOM_CYCLONEDX_JSON
   embedded: |
     package main
     
-    deny[msg] {
-      count(without_license) > 0
-      msg := "SBOM has components without licenses"
-    }
-      
-    without_license = {comp.purl |
+    import rego.v1
+
+    deny contains ref if {
       some i
       comp := input.components[i]
       not comp.licenses
+      # log name and bom-ref fields
+      ref := sprintf("Missing licenses for %v (%v)", [comp.name, comp["bom-ref"]])
     }
diff --git a/docs/examples/policies/sbom/cyclonedx-required-packages.yaml b/docs/examples/policies/sbom/cyclonedx-required-packages.yaml
@@ -0,0 +1,43 @@
+# Copyright 2024 The Chainloop Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: workflowcontract.chainloop.dev/v1
+kind: Policy
+metadata:
+  name: cyclonedx-required-packages
+  description: Checks that SBOM contains required packages
+  annotations:
+    category: sbom
+spec:
+  type: SBOM_CYCLONEDX_JSON
+  embedded: |
+    package main
+    
+    import rego.v1
+    
+    required_packages := {"glibc", "libcrypto3"}
+      
+    deny contains msg if {
+      count(all_matches) != count(required_packages)
+      missing := required_packages - all_matches
+      some i
+      msg := sprintf("missing package: %v", [missing[i]])
+    }
+      
+    all_matches contains name if {
+      some i
+      comp := input.components[i]
+      comp.name == required_packages[_]
+      name := comp.name
+    }
diff --git a/docs/examples/policies/sbom/sbom-present.yaml b/docs/examples/policies/sbom/sbom-present.yaml
@@ -16,6 +16,9 @@ apiVersion: workflowcontract.chainloop.dev/v1
 kind: Policy
 metadata:
   name: sbom-present
+  description: Checks a SBOM is present in the attestation materials
+  annotations:
+    category: sbom
 spec:
   type: ATTESTATION
   embedded: |
diff --git a/docs/examples/policies/sbom/spdx-sbom-syft.yaml b/docs/examples/policies/sbom/spdx-sbom-syft.yaml
@@ -16,14 +16,15 @@ apiVersion: workflowcontract.chainloop.dev/v1
 kind: Policy
 metadata:
   name: made-with-syft
+  description: Verifies that the SPDX was created with Syft
+  annotations:
+    category: sbom
 spec:
   type: SBOM_SPDX_JSON
   embedded: |
     package main
 
     import future.keywords.in
-
-    # Verifies that the SPDX was created with Syft
     
     deny[msg] {
       not made_with_syft
