Merge pull request #1508 from simonbaird/fix-sbom-match

simonbaird · web-flow · commit a2a6acd24e5a · 2025-09-08T15:16:37.000-04:00
Fix sbom purl matching for rpms (again)
diff --git a/policy/lib/sbom/rpm.rego b/policy/lib/sbom/rpm.rego
@@ -25,7 +25,7 @@ rpms_from_sbom(s) := entities if {
 		some pkg in s.packages
 		some ref in pkg.externalRefs
 		ref.referenceType == "purl"
-		ref.referenceCategory == "PACKAGE-MANAGER"
+		ref.referenceCategory in {"PACKAGE_MANAGER", "PACKAGE-MANAGER"}
 		purl := ref.referenceLocator
 		_is_rpmish(purl)
 		entity := {
diff --git a/policy/lib/sbom/rpm_test.rego b/policy/lib/sbom/rpm_test.rego
@@ -103,7 +103,7 @@ _spdx_package(purl, annotations) := {
 	"annotations": annotations,
 	"externalRefs": [{
 		"referenceType": "purl",
-		"referenceCategory": "PACKAGE-MANAGER",
+		"referenceCategory": "PACKAGE_MANAGER",
 		"referenceLocator": purl,
 	}],
 }
diff --git a/policy/release/pre_build_script_task/pre_build_script_task.rego b/policy/release/pre_build_script_task/pre_build_script_task.rego
@@ -152,7 +152,7 @@ _purls_from_sbom(s) := purls if {
 		some pkg in s.packages
 		some ref in pkg.externalRefs
 		ref.referenceType == "purl"
-		ref.referenceCategory in {"PACKAGE-MANAGER", "PACKAGE_MANAGER"}
+		ref.referenceCategory in {"PACKAGE_MANAGER", "PACKAGE-MANAGER"}
 	}
 	count(purls) > 0
 }
diff --git a/policy/release/rpm_packages/rpm_packages_test.rego b/policy/release/rpm_packages/rpm_packages_test.rego
@@ -120,16 +120,17 @@ _mock_blob(`"registry.local/cyclonedx-2@sha256:cyclonedx-2-digest"`) := json.mar
 _mock_blob(`"registry.local/spdx-1@sha256:spdx-1-digest"`) := json.marshal({"packages": [
 	{"externalRefs": [{
 		"referenceType": "purl",
-		"referenceCategory": "PACKAGE-MANAGER",
+		"referenceCategory": "PACKAGE_MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/spam@1.0.0-1",
 	}]},
 	{"externalRefs": [{
 		"referenceType": "purl",
-		"referenceCategory": "PACKAGE-MANAGER",
+		"referenceCategory": "PACKAGE_MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/bacon@1.0.0-2",
 	}]},
 	{"externalRefs": [{
 		"referenceType": "purl",
+		# Intentionally different since we match both PACKAGE_MANAGER and PACKAGE-MANAGER
 		"referenceCategory": "PACKAGE-MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/ham@4.2.0-0",
 	}]},
@@ -138,16 +139,17 @@ _mock_blob(`"registry.local/spdx-1@sha256:spdx-1-digest"`) := json.marshal({"pac
 _mock_blob(`"registry.local/spdx-2@sha256:spdx-2-digest"`) := json.marshal({"packages": [
 	{"externalRefs": [{
 		"referenceType": "purl",
-		"referenceCategory": "PACKAGE-MANAGER",
+		"referenceCategory": "PACKAGE_MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/spam@1.0.0-2",
 	}]},
 	{"externalRefs": [{
 		"referenceType": "purl",
-		"referenceCategory": "PACKAGE-MANAGER",
+		"referenceCategory": "PACKAGE_MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/bacon@1.0.0-2",
 	}]},
 	{"externalRefs": [{
 		"referenceType": "purl",
+		# Intentionally different since we match both PACKAGE_MANAGER and PACKAGE-MANAGER
 		"referenceCategory": "PACKAGE-MANAGER",
 		"referenceLocator": "pkg:rpm/redhat/eggs@4.2.0-0",
 	}]},

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ _spdx_package(purl, annotations) := {`
`103`	`103`	`"annotations": annotations,`
`104`	`104`	`"externalRefs": [{`
`105`	`105`	`"referenceType": "purl",`
`106`		`- "referenceCategory": "PACKAGE-MANAGER",`
	`106`	`+ "referenceCategory": "PACKAGE_MANAGER",`
`107`	`107`	`"referenceLocator": purl,`
`108`	`108`	`}],`
`109`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ _purls_from_sbom(s) := purls if {`
`152`	`152`	`some pkg in s.packages`
`153`	`153`	`some ref in pkg.externalRefs`
`154`	`154`	`ref.referenceType == "purl"`
`155`		`- ref.referenceCategory in {"PACKAGE-MANAGER", "PACKAGE_MANAGER"}`
	`155`	`+ ref.referenceCategory in {"PACKAGE_MANAGER", "PACKAGE-MANAGER"}`
`156`	`156`	`}`
`157`	`157`	`count(purls) > 0`
`158`	`158`	`}`