Merge pull request #1469 from st3penta/missing-parent-manifest

st3penta · web-flow · commit d0710d372e38 · 2025-08-18T10:27:20.000+02:00
Make 'inaccessible_parent_*' rules logic clearer
diff --git a/antora/docs/modules/ROOT/pages/packages/release_labels.adoc b/antora/docs/modules/ROOT/pages/packages/release_labels.adoc
@@ -66,7 +66,7 @@ The parent image config is not accessible.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Image config of the image %q, parent of image %q is inaccessible`
 * Code: `labels.inaccessible_parent_config`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L199[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L200[Source, window="_blank"]
 
 [#labels__inaccessible_parent_manifest]
 === link:#labels__inaccessible_parent_manifest[Inaccessible parent image manifest]
diff --git a/policy/release/labels/labels.rego b/policy/release/labels/labels.rego
@@ -192,6 +192,7 @@ deny contains result if {
 #   - redhat
 #
 deny contains result if {
+	_has_parent
 	is_null(_parent.manifest)
 	result := lib.result_helper(rego.metadata.chain(), [_parent.ref, input.image.ref])
 }
@@ -210,6 +211,7 @@ deny contains result if {
 #   - redhat
 #
 deny contains result if {
+	_has_parent
 	parent_ref := image.parse(_parent.ref)
 	is_null(_config(parent_ref.repo, _parent.manifest))
 	result := lib.result_helper(rego.metadata.chain(), [_parent.ref, input.image.ref])
@@ -235,11 +237,24 @@ _image_labels := labels if {
 	}
 }
 
+_has_parent if {
+	image_manifest := ec.oci.image_manifest(input.image.ref)
+
+	raw_name := image_manifest.annotations["org.opencontainers.image.base.name"]
+	raw_name != ""
+
+	digest := image_manifest.annotations["org.opencontainers.image.base.digest"]
+	digest != ""
+}
+
 _parent := {"ref": ref, "manifest": manifest, "config": config} if {
 	image_manifest := ec.oci.image_manifest(input.image.ref)
 
 	raw_name := image_manifest.annotations["org.opencontainers.image.base.name"]
+	raw_name != ""
+
 	digest := image_manifest.annotations["org.opencontainers.image.base.digest"]
+	digest != ""
 
 	# Sometimes the name annotation is a ref including a digest, likely the
 	# digest of the image index. Make sure that digest gets removed.
diff --git a/policy/release/labels/labels_test.rego b/policy/release/labels/labels_test.rego
@@ -403,7 +403,7 @@ test_parent_image_manifest_inaccessible if {
 	ref := _test_ref_patches(array.concat(
 		_add_annotations({
 			"org.opencontainers.image.base.name": "fail",
-			"org.opencontainers.image.base.digest": "",
+			"org.opencontainers.image.base.digest": "fake_digest",
 		}),
 		[_config(_add_labels({
 			"name": "test-image",
@@ -415,7 +415,7 @@ test_parent_image_manifest_inaccessible if {
 
 	expected := {{
 		"code": "labels.inaccessible_parent_manifest",
-		"msg": sprintf(`Manifest of the image "fail@", parent of image %q is inaccessible`, [ref]),
+		"msg": sprintf(`Manifest of the image "fail@fake_digest", parent of image %q is inaccessible`, [ref]),
 	}}
 
 	lib.assert_equal_results(labels.deny, expected) with input.image.ref as ref
