
Commit 6eeaf71

committed
Discover SBOMs attached to images via OCI referrers and tags
Use the new ec.oci.image_referrers and ec.oci.image_tag_refs builtins to discover SBOMs attached directly to the image being validated. Referrers with recognized SBOM artifact types (CycloneDX, SPDX) and legacy cosign .sbom tag references are fetched and parsed alongside the existing SLSA Provenance-based discovery. Convert SBOM collection rules from arrays to sets for natural deduplication when the same SBOM is discovered via multiple methods. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Ref: https://redhat.atlassian.net/browse/EC-1655
1 parent 61ec982 commit 6eeaf71

4 files changed

+257
-1519
lines changed


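--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/conforma/policy
 go 1.25.5
 
 require (
-	github.com/conforma/cli v0.8.108
+	github.com/conforma/cli v0.9.2
 	github.com/google/addlicense v1.2.0
 	github.com/open-policy-agent/conftest v0.66.0
 	github.com/open-policy-agent/regal v0.37.0
@@ -14,15 +14,14 @@ require (
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.121.6 // indirect
-	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth v0.18.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
-	cloud.google.com/go/firestore v1.18.0 // indirect
+	cloud.google.com/go/firestore v1.20.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
 	cloud.google.com/go/kms v1.23.2 // indirect
-	cloud.google.com/go/longrunning v0.6.7 // indirect
-	cloud.google.com/go/monitoring v1.24.2 // indirect
-	cloud.google.com/go/spanner v1.86.1 // indirect
+	cloud.google.com/go/longrunning v0.7.0 // indirect
+	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/storage v1.57.1 // indirect
 	contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
@@ -48,7 +47,6 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.9.3 // indirect
-	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 // indirect
@@ -81,7 +79,6 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/arl/statsviz v0.7.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/avast/retry-go/v4 v4.7.0 // indirect
 	github.com/aws/aws-sdk-go v1.55.8 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 // indirect
@@ -121,6 +118,7 @@ require (
 	github.com/chainguard-dev/git-urls v1.0.2 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/clipperhouse/displaywidth v0.6.0 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
@@ -171,28 +169,25 @@ require (
 	github.com/gdamore/encoding v1.0.1 // indirect
 	github.com/gdamore/tcell v1.4.0 // indirect
 	github.com/gdamore/tcell/v2 v2.9.0 // indirect
-	github.com/globocom/go-buffer v1.2.2 // indirect
 	github.com/go-akka/configuration v0.0.0-20200606091224-a002c0330665 // indirect
-	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.4 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.16.5 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.24.1 // indirect
-	github.com/go-openapi/errors v0.22.5 // indirect
+	github.com/go-openapi/errors v0.22.6 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
 	github.com/go-openapi/loads v0.23.2 // indirect
 	github.com/go-openapi/runtime v0.29.2 // indirect
-	github.com/go-openapi/spec v0.22.2 // indirect
+	github.com/go-openapi/spec v0.22.3 // indirect
 	github.com/go-openapi/strfmt v0.25.0 // indirect
 	github.com/go-openapi/swag v0.25.4 // indirect
 	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
@@ -235,8 +230,8 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/grafeas/grafeas v0.2.3 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -278,7 +273,6 @@ require (
 	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jstemmer/go-junit-report v1.0.0 // indirect
 	github.com/jstemmer/go-junit-report/v2 v2.1.0 // indirect
@@ -303,7 +297,6 @@ require (
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.19 // indirect
@@ -332,12 +325,11 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.1.0 // indirect
-	github.com/olekukonko/ll v0.1.2 // indirect
-	github.com/olekukonko/tablewriter v1.1.0 // indirect
+	github.com/olekukonko/ll v0.1.3 // indirect
+	github.com/olekukonko/tablewriter v1.1.2 // indirect
 	github.com/open-policy-agent/opa v1.12.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/owenrumney/go-sarif/v2 v2.3.3 // indirect
 	github.com/package-url/packageurl-go v0.1.3 // indirect
 	github.com/pdevine/go-asciisprite v0.1.6 // indirect
@@ -359,14 +351,12 @@ require (
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect
 	github.com/qri-io/jsonpointer v0.1.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sagikazarmark/locafero v0.12.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
-	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
@@ -375,20 +365,17 @@ require (
 	github.com/sigstore/cosign/v3 v3.0.4 // indirect
 	github.com/sigstore/fulcio v1.8.4 // indirect
 	github.com/sigstore/protobuf-specs v0.5.0 // indirect
-	github.com/sigstore/rekor v1.4.3 // indirect
-	github.com/sigstore/rekor-tiles v0.1.11 // indirect
+	github.com/sigstore/rekor v1.5.0 // indirect
 	github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
 	github.com/sigstore/sigstore v1.10.4 // indirect
 	github.com/sigstore/sigstore-go v1.1.4 // indirect
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 // indirect
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 // indirect
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3 // indirect
 	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.3 // indirect
-	github.com/sigstore/timestamp-authority v1.2.9 // indirect
 	github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect
-	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/skeema/knownhosts v1.3.2 // indirect
-	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/sourcegraph/jsonrpc2 v0.2.1 // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
@@ -417,7 +404,6 @@ require (
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect
 	github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
-	github.com/transparency-dev/tessera v1.0.1-0.20251104110637-ba6c65c4ae73 // indirect
 	github.com/tzrikka/xdg v1.3.2 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
@@ -473,16 +459,16 @@ require (
 	golang.org/x/tools v0.40.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/api v0.258.0 // indirect
-	google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect
+	google.golang.org/api v0.260.0 // indirect
+	google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/evanphx/json-patch.v5 v5.9.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/ini.v1 v1.67.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -502,7 +488,7 @@ require (
 	sigs.k8s.io/kustomize/api v0.16.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/release-utils v0.12.2 // indirect
+	sigs.k8s.io/release-utils v0.12.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )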
