Merge pull request #1557 from brunoapimentel/rebrand-cachi2

Rebrand cachi2 in the 'Allowed package sources' rego

Author: simonbaird

antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc

@@ -35,12 +35,12 @@ Confirm the CycloneDX SBOM contains only packages with explicitly allowed extern
 [#sbom_cyclonedx__allowed_package_sources]
 === link:#sbom_cyclonedx__allowed_package_sources[Allowed package sources]
 
-For each of the components fetched by Cachi2 which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.
+For each of the components fetched by Hermeto which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.
 
 *Solution*: Update the image to not use a package from a disallowed source.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `Package %s fetched by cachi2 was sourced from %q which is not allowed`
+* FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed`
 * Code: `sbom_cyclonedx.allowed_package_sources`
 * Effective from: `2024-12-15T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L154[Source, window="_blank"]

antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc

@@ -35,12 +35,12 @@ Confirm the SPDX SBOM contains only packages with explicitly allowed external re
 [#sbom_spdx__allowed_package_sources]
 === link:#sbom_spdx__allowed_package_sources[Allowed package sources]
 
-For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.
+For each of the packages fetched by Hermeto which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.
 
 *Solution*: Update the image to not use a package from a disallowed source.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `Package %s fetched by cachi2 was sourced from %q which is not allowed`
+* FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed`
 * Code: `sbom_spdx.allowed_package_sources`
 * Effective from: `2025-02-17T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L170[Source, window="_blank"]
@@ -80,7 +80,7 @@ Confirm the SPDX SBOM contains only packages without disallowed attributes. By d
 * FAILURE message: `Package %s has the attribute %q set%s`
 * Code: `sbom_spdx.disallowed_package_attributes`
 * Effective from: `2025-02-04T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L215[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L216[Source, window="_blank"]
 
 [#sbom_spdx__disallowed_package_external_references]
 === link:#sbom_spdx__disallowed_package_external_references[Disallowed package external references]

policy/release/sbom_cyclonedx/sbom_cyclonedx.rego

@@ -154,13 +154,13 @@ deny contains result if {
 # METADATA
 # title: Allowed package sources
 # description: >-
-#   For each of the components fetched by Cachi2 which define externalReferences of type
+#   For each of the components fetched by Hermeto which define externalReferences of type
 #   distribution, verify they are allowed based on the allowed_package_sources rule data
 #   key. By default, allowed_package_sources is empty, which means no components with such
 #   references are allowed.
 # custom:
 #   short_name: allowed_package_sources
-#   failure_msg: Package %s fetched by cachi2 was sourced from %q which is not allowed
+#   failure_msg: Package %s fetched by Hermeto was sourced from %q which is not allowed
 #   solution: Update the image to not use a package from a disallowed source.
 #   collections:
 #   - redhat
@@ -175,10 +175,11 @@ deny contains result if {
 	some reference in component.externalReferences
 	reference.type == "distribution"
 
-	# only look at components fetched by cachi2
+	# only look at components fetched by Hermeto
+	# cachi2 is kept here for backwards compatibility
 	some properties in component.properties
-	properties.name == "cachi2:found_by"
-	properties.value == "cachi2"
+	properties.name in {"hermeto:found_by", "cachi2:found_by"}
+	properties.value in {"hermeto", "cachi2"}
 
 	purl := component.purl
 	parsed_purl := ec.purl.parse(purl)

policy/release/sbom_cyclonedx/sbom_cyclonedx_test.rego

@@ -193,7 +193,7 @@ test_allowed_package_sources if {
 		"code": "sbom_cyclonedx.allowed_package_sources",
 		"term": "pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz",
 		# regal ignore:line-length
-		"msg": `Package pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz fetched by cachi2 was sourced from "https://openssl.org/source/openssl-1.1.0g.tar.gz" which is not allowed`,
+		"msg": `Package pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz fetched by Hermeto was sourced from "https://openssl.org/source/openssl-1.1.0g.tar.gz" which is not allowed`,
 	}}
 
 	att := json.patch(_sbom_attestation, [
@@ -205,8 +205,8 @@ test_allowed_package_sources if {
 				"name": "openssl",
 				"purl": "pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz",
 				"properties": [{
-					"name": "cachi2:found_by",
-					"value": "cachi2",
+					"name": "hermeto:found_by",
+					"value": "hermeto",
 				}],
 				"externalReferences": [{"type": "distribution", "url": "https://openssl.org/source/openssl-1.1.0g.tar.gz"}],
 			},
@@ -219,8 +219,8 @@ test_allowed_package_sources if {
 				"name": "batik-anim",
 				"purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom",
 				"properties": [{
-					"name": "cachi2:found_by",
-					"value": "cachi2",
+					"name": "hermeto:found_by",
+					"value": "hermeto",
 				}],
 				# regal ignore:line-length
 				"externalReferences": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom"}],
@@ -256,7 +256,7 @@ test_allowed_package_sources_no_rule_defined if {
 		"code": "sbom_cyclonedx.allowed_package_sources",
 		"term": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom",
 		# regal ignore:line-length
-		"msg": `Package pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom fetched by cachi2 was sourced from "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom" which is not allowed`,
+		"msg": `Package pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom fetched by Hermeto was sourced from "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom" which is not allowed`,
 	}}
 
 	att := json.patch(_sbom_attestation, [{
@@ -267,8 +267,8 @@ test_allowed_package_sources_no_rule_defined if {
 			"name": "batik-anim",
 			"purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom",
 			"properties": [{
-				"name": "cachi2:found_by",
-				"value": "cachi2",
+				"name": "hermeto:found_by",
+				"value": "hermeto",
 			}],
 			# regal ignore:line-length
 			"externalReferences": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom"}],

policy/release/sbom_spdx/sbom_spdx.rego

@@ -170,13 +170,13 @@ deny contains result if {
 # METADATA
 # title: Allowed package sources
 # description: >-
-#   For each of the packages fetched by Cachi2 which define externalReferences,
+#   For each of the packages fetched by Hermeto which define externalReferences,
 #   verify they are allowed based on the allowed_package_sources rule data
 #   key. By default, allowed_package_sources is empty, which means no components with such
 #   references are allowed.
 # custom:
 #   short_name: allowed_package_sources
-#   failure_msg: Package %s fetched by cachi2 was sourced from %q which is not allowed
+#   failure_msg: Package %s fetched by Hermeto was sourced from %q which is not allowed
 #   solution: Update the image to not use a package from a disallowed source.
 #   collections:
 #   - redhat
@@ -187,11 +187,12 @@ deny contains result if {
 	some s in sbom.spdx_sboms
 	some pkg in s.packages
 
-	# only look at components fetched by cachi2
+	# only look at components fetched by Hermeto
+	# cachi2 is kept here for backwards compatibility
 	some annotation in pkg.annotations
 	properties := json.unmarshal(annotation.comment)
-	properties.name == "cachi2:found_by"
-	properties.value == "cachi2"
+	properties.name in {"hermeto:found_by", "cachi2:found_by"}
+	properties.value in {"hermeto", "cachi2"}
 
 	some externalref in pkg.externalRefs
 

policy/release/sbom_spdx/sbom_spdx_test.rego

@@ -158,7 +158,7 @@ test_allowed_package_sources if {
 		"code": "sbom_spdx.allowed_package_sources",
 		"term": "pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz",
 		# regal ignore:line-length
-		"msg": `Package pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz fetched by cachi2 was sourced from "https://openssl.org/source/openssl-1.1.0g.tar.gz" which is not allowed`,
+		"msg": `Package pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz fetched by Hermeto was sourced from "https://openssl.org/source/openssl-1.1.0g.tar.gz" which is not allowed`,
 	}}
 
 	att := json.patch(_sbom_attestation, [
@@ -175,8 +175,8 @@ test_allowed_package_sources if {
 					"referenceLocator": "pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz",
 				}],
 				"annotations": [{
-					"annotator": "Tool: cachi2:jsonencoded",
-					"comment": "{\"name\":\"cachi2:found_by\",\"value\":\"cachi2\"}",
+					"annotator": "Tool: hermeto:jsonencoded",
+					"comment": "{\"name\":\"hermeto:found_by\",\"value\":\"hermeto\"}",
 					"annotationDate": "2024-12-09T12:00:00Z",
 					"annotationType": "OTHER",
 				}],
@@ -197,8 +197,8 @@ test_allowed_package_sources if {
 					"referenceLocator": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom&download_url=https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom",
 				}],
 				"annotations": [{
-					"annotator": "Tool: cachi2:jsonencoded",
-					"comment": "{\"name\":\"cachi2:found_by\",\"value\":\"cachi2\"}",
+					"annotator": "Tool: hermeto:jsonencoded",
+					"comment": "{\"name\":\"hermeto:found_by\",\"value\":\"hermeto\"}",
 					"annotationDate": "2024-12-09T12:00:00Z",
 					"annotationType": "OTHER",
 				}],
@@ -218,7 +218,7 @@ test_allowed_package_sources if {
 					"referenceLocator": "pkg:generic/unrelated?download_url=https://irrelevant.org",
 				}],
 				"annotations": [{
-					"annotator": "Tool: cachi2:jsonencoded",
+					"annotator": "Tool: hermeto:jsonencoded",
 					"comment": "{\"name\":\"irrelevant\",\"value\":\"im-irrelevant\"}",
 					"annotationDate": "2024-12-09T12:00:00Z",
 					"annotationType": "OTHER",