Merge pull request #1700 from simonbaird/ec1708-remove-rpm-checks

simonbaird · web-flow · commit 6ddb8f6c239e · 2026-03-20T14:12:05.000-04:00
Remove cve &amp; test checks from redhat_rpms
diff --git a/antora/docs/modules/ROOT/pages/packages/release_cve.adoc b/antora/docs/modules/ROOT/pages/packages/release_cve.adoc
@@ -41,7 +41,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Found %q vulnerability of %s security level`
 * Code: `cve.cve_blockers`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L114[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L113[Source, window="_blank"]
 
 [#cve__unpatched_cve_blockers]
 === link:#cve__unpatched_cve_blockers[Blocking unpatched CVE check]
@@ -53,7 +53,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Found %q unpatched vulnerability of %s security level`
 * Code: `cve.unpatched_cve_blockers`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L148[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L147[Source, window="_blank"]
 
 [#cve__cve_results_found]
 === link:#cve__cve_results_found[CVE scan results found]
@@ -65,7 +65,7 @@ Confirm that clair-scan task results are present in the SLSA Provenance attestat
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Clair CVE scan results were not found`
 * Code: `cve.cve_results_found`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L185[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L183[Source, window="_blank"]
 
 [#cve__cve_warnings]
 === link:#cve__cve_warnings[Non-blocking CVE check]
@@ -89,7 +89,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d
 * Rule type: [rule-type-indicator warning]#WARNING#
 * WARNING message: `Found %q non-blocking unpatched vulnerability of %s security level`
 * Code: `cve.unpatched_cve_warnings`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L86[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L85[Source, window="_blank"]
 
 [#cve__rule_data_provided]
 === link:#cve__rule_data_provided[Rule data provided]
@@ -101,4 +101,4 @@ Confirm the expected rule data keys have been provided in the expected format. T
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `cve.rule_data_provided`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L212[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L209[Source, window="_blank"]
diff --git a/antora/docs/modules/ROOT/pages/packages/release_test.adoc b/antora/docs/modules/ROOT/pages/packages/release_test.adoc
@@ -19,7 +19,7 @@ Ensure that task producing the IMAGES_PROCESSED result contains the digests of t
 * FAILURE message: `Test '%s' did not process image with digest '%s'.`
 * Code: `test.test_all_images`
 * Effective from: `2024-05-29T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L240[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L233[Source, window="_blank"]
 
 [#test__no_failed_informative_tests]
 === link:#test__no_failed_informative_tests[No informative tests failed]
@@ -43,7 +43,7 @@ Produce a violation if any tests have their result set to "ERROR". The result ty
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The Task %q from the build Pipeline reports a test erred`
 * Code: `test.no_erred_tests`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L170[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L166[Source, window="_blank"]
 
 [#test__no_failed_tests]
 === link:#test__no_failed_tests[No tests failed]
@@ -55,7 +55,7 @@ Produce a violation if any non-informative tests have their result set to "FAILE
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The Task %q from the build Pipeline reports a failed test`
 * Code: `test.no_failed_tests`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L145[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L142[Source, window="_blank"]
 
 [#test__no_test_warnings]
 === link:#test__no_test_warnings[No tests produced warnings]
@@ -80,7 +80,7 @@ Produce a violation if any tests have their result set to "SKIPPED". A skipped r
 * FAILURE message: `The Task %q from the build Pipeline reports a test was skipped`
 * Code: `test.no_skipped_tests`
 * Effective from: `2023-12-08T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L193[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L188[Source, window="_blank"]
 
 [#test__test_results_known]
 === link:#test__test_results_known[No unsupported test result values found]
@@ -92,7 +92,7 @@ Ensure all test data result values are in the set of known/supported result valu
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The Task %q from the build Pipeline has an unsupported test result %q`
 * Code: `test.test_results_known`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L112[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L110[Source, window="_blank"]
 
 [#test__rule_data_provided]
 === link:#test__rule_data_provided[Rule data provided]
@@ -104,7 +104,7 @@ Confirm the expected rule data keys have been provided in the expected format. T
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `test.rule_data_provided`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L220[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L214[Source, window="_blank"]
 
 [#test__test_data_found]
 === link:#test__test_data_found[Test data found in task results]
@@ -128,4 +128,4 @@ Each test result is expected to have a `results` key. Verify that the `results`
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Found tests without results`
 * Code: `test.test_results_found`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L89[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L88[Source, window="_blank"]
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -242,10 +242,6 @@ Rules included:
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_type[Attestation type: Known attestation type found]        
 * xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_types_provided[Attestation type: Known attestation types provided]        
 * xref:packages/release_attestation_type.adoc#attestation_type__pipelinerun_attestation_found[Attestation type: PipelineRun attestation found]        
-* xref:packages/release_cve.adoc#cve__unpatched_cve_blockers[CVE checks: Blocking unpatched CVE check]        
-* xref:packages/release_cve.adoc#cve__cve_results_found[CVE checks: CVE scan results found]        
-* xref:packages/release_cve.adoc#cve__cve_warnings[CVE checks: Non-blocking CVE check]        
-* xref:packages/release_cve.adoc#cve__rule_data_provided[CVE checks: Rule data provided]        
 * xref:packages/release_git_branch.adoc#git_branch__git_branch[Git branch checks: Builds have a trusted target branch]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_source_matches_provenance[Provenance Materials: Git clone source matches materials provenance]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_task_found[Provenance Materials: Git clone task found]        
@@ -292,14 +288,6 @@ Rules included:
 * xref:packages/release_tasks.adoc#tasks__required_tasks_list_provided[Tasks: Required tasks list was provided]        
 * xref:packages/release_tasks.adoc#tasks__successful_pipeline_tasks[Tasks: Successful pipeline tasks]        
 * xref:packages/release_tasks.adoc#tasks__unsupported[Tasks: Task version unsupported]        
-* xref:packages/release_test.adoc#test__test_all_images[Test: Image digest is present in IMAGES_PROCESSED result]        
-* xref:packages/release_test.adoc#test__no_erred_tests[Test: No tests erred]        
-* xref:packages/release_test.adoc#test__no_failed_tests[Test: No tests failed]        
-* xref:packages/release_test.adoc#test__no_skipped_tests[Test: No tests were skipped]        
-* xref:packages/release_test.adoc#test__test_results_known[Test: No unsupported test result values found]        
-* xref:packages/release_test.adoc#test__rule_data_provided[Test: Rule data provided]        
-* xref:packages/release_test.adoc#test__test_data_found[Test: Test data found in task results]        
-* xref:packages/release_test.adoc#test__test_results_found[Test: Test data includes results key]        
 * xref:packages/release_trusted_task.adoc#trusted_task__data_format[Trusted Task checks: Data format]        
 * xref:packages/release_trusted_task.adoc#trusted_task__pinned[Trusted Task checks: Task references are pinned]        
 * xref:packages/release_trusted_task.adoc#trusted_task__tagged[Trusted Task checks: Task references are tagged]        
diff --git a/policy/release/cve/cve.rego b/policy/release/cve/cve.rego
@@ -71,7 +71,6 @@ import data.lib.json as j
 #   collections:
 #   - minimal
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - cve.cve_results_found
 #
@@ -165,7 +164,6 @@ deny contains result if {
 #   collections:
 #   - minimal
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - cve.cve_results_found
 #
@@ -196,7 +194,6 @@ deny contains result if {
 #   collections:
 #   - minimal
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - attestation_type.known_attestation_type
 #
@@ -222,7 +219,6 @@ deny contains result if {
 #   collections:
 #   - minimal
 #   - redhat
-#   - redhat_rpms
 #   - policy_data
 #
 deny contains result if {
diff --git a/policy/release/test/test.rego b/policy/release/test/test.rego
@@ -74,7 +74,6 @@ warn contains result if {
 #     Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - attestation_type.known_attestation_type
 #
@@ -99,7 +98,6 @@ deny contains result if {
 #     named 'result'. For a TEST_OUTPUT result to be valid, this key must exist.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - test.test_data_found
 #
@@ -121,7 +119,6 @@ deny contains result if {
 #     xref:cli:ROOT:configuration.adoc#_data_sources[data source].
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - test.test_data_found
 #
@@ -157,7 +154,6 @@ deny contains result if {
 #     should be available in the logs for the build Pipeline.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - test.test_data_found
 #
@@ -181,7 +177,6 @@ deny contains result if {
 #     should be available in the logs for the build Pipeline.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - test.test_data_found
 #
@@ -207,7 +202,6 @@ deny contains result if {
 #     information about the test should be available in the logs for the build Pipeline.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   depends_on:
 #   - test.test_data_found
 #   effective_on: 2023-12-08T00:00:00Z
@@ -229,7 +223,6 @@ deny contains result if {
 #   solution: If provided, ensure the rule data is in the expected format.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   - policy_data
 #
 deny contains result if {
@@ -251,7 +244,6 @@ deny contains result if {
 #     `IMAGES_PROCESSED` result.
 #   collections:
 #   - redhat
-#   - redhat_rpms
 #   effective_on: 2024-05-29T00:00:00Z
 #
 deny contains result if {
