Support multiple repository URLs per Maven package

Update the Maven SBOM library to process all repository URLs found in
a component's external references instead of only the first match.
This aligns with SPDX and CycloneDX schemas which allow 0..N
external references per package.

Author: cmarulas

antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc

@@ -11,21 +11,22 @@ Each Maven package listed in an SBOM must specify the repository URL that it com
 [#maven_repos__deny_unpermitted_urls]
 === link:#maven_repos__deny_unpermitted_urls[Known Repository URLs]
 
-
+Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `maven_repos.deny_unpermitted_urls`
 * Effective from: `2026-05-10T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L34[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L40[Source, window="_blank"]
 
 [#maven_repos__policy_data_missing]
-=== link:#maven_repos__policy_data_missing[Missing Policy Data]
+=== link:#maven_repos__policy_data_missing[Policy data validation]
 
+Ensures the required allowed_maven_repositories list is provided.
 
+*Solution*: Ensure that 'allowed_maven_repositories' is defined in the rule_data provided to the policy, and that it contains a list of authorized repository URLs.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `Policy data is missing the required %q list`
+* FAILURE message: `Policy data is missing the required "%s" list`
 * Code: `maven_repos.policy_data_missing`
-* Effective from: `2026-05-10T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L22[Source, window="_blank"]

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -71,6 +71,7 @@ a| Include policy rules responsible for validating rule data.
 
 Rules included:
 
+* xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[All maven artifacts have known repository URLs: Policy data validation]        
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_types_provided[Attestation type: Known attestation types provided]        
 * xref:packages/release_base_image_registries.adoc#base_image_registries__allowed_registries_provided[Base image checks: Allowed base image registry prefixes list was provided]        
 * xref:packages/release_buildah_build_task.adoc#buildah_build_task__disallowed_platform_patterns_pattern[Buildah build task: disallowed_platform_patterns format]        

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -11,7 +11,7 @@
 ** Release Rules
 *** xref:packages/release_maven_repos.adoc[All maven artifacts have known repository URLs]
 **** xref:packages/release_maven_repos.adoc#maven_repos__deny_unpermitted_urls[Known Repository URLs]
-**** xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[Missing Policy Data]
+**** xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[Policy data validation]
 *** xref:packages/release_attestation_type.adoc[Attestation type]
 **** xref:packages/release_attestation_type.adoc#attestation_type__deprecated_policy_attestation_format[Deprecated policy attestation format]
 **** xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_type[Known attestation type found]

policy/lib/sbom/maven.rego

@@ -1,58 +1,66 @@
-package lib.sbom.maven
+# METADATA
+# title: Maven Package Extraction
+# description: >-
+#   Extracts Maven packages and their repository URLs from both CycloneDX
+#   and SPDX SBOM formats.
+package lib.sbom
 
 import future.keywords.contains
 import future.keywords.if
 import future.keywords.in
 
-import data.lib.cyclonedx
-import data.lib.spdx
-
-# All Maven packages found in the SBOM, regardless of format.
-# Each package contains at least: 'purl', 'name', and 'repository_url'.
+# This rule merges with 'packages' defined in other files
+# under the same package (e.g., rpm.rego)
 packages contains pkg if {
-	some p in _cyclonedx_maven_packages
-	pkg := p
+	some pkg in _cyclonedx_maven_packages
 }
 
 packages contains pkg if {
-	some p in _spdx_maven_packages
-	pkg := p
+	some pkg in _spdx_maven_packages
 }
 
 _cyclonedx_maven_packages contains pkg if {
-	some component in cyclonedx.packages
+	some s in cyclonedx_sboms
+	some component in s.components
+
 	startswith(component.purl, "pkg:maven/")
 
+	repos := {ref.url |
+		some ref in component.externalRefs
+		ref.type in ["distribution", "artifact-repository"]
+	}
+
+	final_repos := _empty_to_default(repos)
+
+	some repo_url in final_repos
 	pkg := {
 		"purl": component.purl,
 		"name": component.name,
-		"repository_url": _extract_cdx_repo(component),
+		"repository_url": repo_url,
 	}
 }
 
-_extract_cdx_repo(component) := url if {
-	some ref in component.externalRefs
-	ref.type in ["distribution", "artifact-repository"]
-	url := ref.url
-}
-
-else := ""
-
 _spdx_maven_packages contains pkg if {
-	some item in spdx.packages
+	some s in spdx_sboms
+	some item in s.packages
+
 	startswith(item.purl, "pkg:maven/")
 
+	repos := {ref.referenceLocator |
+		some ref in item.externalRefs
+		ref.referenceType in ["distribution", "repository"]
+	}
+
+	final_repos := _empty_to_default(repos)
+
+	some repo_url in final_repos
 	pkg := {
 		"purl": item.purl,
 		"name": item.name,
-		"repository_url": _extract_spdx_repo(item),
+		"repository_url": repo_url,
 	}
 }
 
-_extract_spdx_repo(item) := url if {
-	some ref in item.externalRefs
-	ref.referenceType in ["distribution", "repository"]
-	url := ref.referenceLocator
-}
-
-else := ""
+_empty_to_default(repo_set) := repo_set if {
+	count(repo_set) > 0
+} else := {""}

policy/lib/sbom/maven_test.rego

@@ -1,14 +1,17 @@
-package lib.sbom.maven_test
+package lib.sbom_test
 
+import data.lib.sbom
 import future.keywords.if
 import future.keywords.in
 
-import data.lib.sbom.maven
-
 test_cyclonedx_maven_extraction if {
-	mock_cdx := [{"name": "auth-lib", "purl": "pkg:maven/org.example/auth@1.0", "externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}]}]
+	mock_components := [{
+		"name": "auth-lib",
+		"purl": "pkg:maven/org.example/auth@1.0",
+		"externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
+	}]
 
-	res := maven.packages with data.lib.cyclonedx.packages as mock_cdx
+	res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
 	res == {{
 		"name": "auth-lib",
@@ -18,21 +21,28 @@ test_cyclonedx_maven_extraction if {
 }
 
 test_cyclonedx_ignores_non_maven if {
-	mock_cdx := [{"name": "react", "purl": "pkg:npm/react@18.2.0"}]
-	res := maven.packages with data.lib.cyclonedx.packages as mock_cdx
+	mock_components := [{"name": "react", "purl": "pkg:npm/react@18.2.0"}]
+
+	res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+
 	count(res) == 0
 }
 
 test_cyclonedx_empty_repo_url if {
-	mock_cdx := [{"name": "no-repo", "purl": "pkg:maven/org.example/no-repo@1.0", "externalRefs": []}]
-	res := maven.packages with data.lib.cyclonedx.packages as mock_cdx
+	mock_components := [{
+		"name": "no-repo",
+		"purl": "pkg:maven/org.example/no-repo@1.0",
+		"externalRefs": [],
+	}]
+
+	res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
 	some pkg in res
 	pkg.repository_url == ""
 }
 
 test_spdx_maven_extraction if {
-	mock_spdx := [{
+	mock_packages := [{
 		"name": "data-service",
 		"purl": "pkg:maven/org.example/data@2.5",
 		"externalRefs": [{
@@ -41,7 +51,7 @@ test_spdx_maven_extraction if {
 		}],
 	}]
 
-	res := maven.packages with data.lib.spdx.packages as mock_spdx
+	res := sbom.packages with sbom.spdx_sboms as [_spdx_sbom(mock_packages)]
 
 	res == {{
 		"name": "data-service",
@@ -50,25 +60,45 @@ test_spdx_maven_extraction if {
 	}}
 }
 
-test_spdx_empty_repo_url if {
+test_combined_sources if {
+	mock_cdx := [{
+		"name": "cdx-pkg",
+		"purl": "pkg:maven/cdx/pkg@1",
+		"externalRefs": [{"type": "distribution", "url": "url1"}],
+	}]
+
 	mock_spdx := [{
-		"name": "no-ref",
-		"purl": "pkg:maven/org.example/no-ref@1.0",
-		"externalRefs": [{"referenceType": "other", "referenceLocator": "ignore-me"}],
+		"name": "spdx-pkg",
+		"purl": "pkg:maven/spdx/pkg@1",
+		"externalRefs": [{
+			"referenceType": "repository",
+			"referenceLocator": "url2",
+		}],
 	}]
 
-	res := maven.packages with data.lib.spdx.packages as mock_spdx
+	res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_cdx)]
+		with sbom.spdx_sboms as [_spdx_sbom(mock_spdx)]
 
-	some pkg in res
-	pkg.repository_url == ""
+	count(res) == 2
 }
 
-test_combined_sources if {
-	mock_cdx := [{"name": "cdx-pkg", "purl": "pkg:maven/cdx/pkg@1"}]
-	mock_spdx := [{"name": "spdx-pkg", "purl": "pkg:maven/spdx/pkg@1"}]
+test_cyclonedx_multiple_repo_capture if {
+	mock_components := [{
+		"name": "multi-repo-lib",
+		"purl": "pkg:maven/org.example/multi@1.0",
+		"externalRefs": [
+			{"type": "distribution", "url": "https://repo-a.com"},
+			{"type": "artifact-repository", "url": "https://repo-b.com"},
+		],
+	}]
 
-	res := maven.packages with data.lib.cyclonedx.packages as mock_cdx
-		with data.lib.spdx.packages as mock_spdx
+	pkg_list := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-	count(res) == 2
+	count(pkg_list) == 2
+	urls := {p.repository_url | some p in pkg_list}
+	urls == {"https://repo-a.com", "https://repo-b.com"}
 }
+
+_cyclonedx_sbom(components) := {"components": components}
+
+_spdx_sbom(packages) := {"packages": packages}

policy/release/maven_repos/maven_repos.rego

@@ -17,22 +17,33 @@ import future.keywords.if
 import future.keywords.in
 
 import data.lib
-import data.lib.sbom.maven
+import data.lib.sbom
 
 # METADATA
-# title: Missing Policy Data
-# scope: rule
+# title: Policy data validation
+# description: Ensures the required allowed_maven_repositories list is provided.
 # custom:
-#    short_name: policy_data_missing
-#    failure_msg: 'Policy data is missing the required %q list'
-#    effective_on: 2026-05-10T00:00:00Z
+#   short_name: policy_data_missing
+#   failure_msg: Policy data is missing the required "%s" list
+#   solution: >-
+#     Ensure that 'allowed_maven_repositories' is defined in the rule_data
+#     provided to the policy, and that it contains a list of authorized
+#     repository URLs.
+#   collections:
+#     - policy_data
+#   severity: failure
 deny contains result if {
 	some key in _rule_data_errors
 	result := lib.result_helper(rego.metadata.chain(), [key])
 }
 
 # METADATA
 # title: Known Repository URLs
+# description: >-
+#   Each Maven package listed in an SBOM must specify the repository URL that it
+#   comes from, and that URL must be present in the list of known and permitted
+#   Maven repositories. If no URL is specified, the package is assumed to come
+#   from Maven Central.
 # scope: rule
 # custom:
 #    short_name: deny_unpermitted_urls
@@ -45,7 +56,7 @@ deny contains result if {
 }
 
 _repo_url_errors[purl] := msg if {
-	some pkg in maven.packages
+	some pkg in sbom.packages
 	purl := pkg.purl
 	source := _get_effective_url(pkg.repository_url)
 	not _url_is_permitted(source)