Merge pull request #277 from smith-xyz/gh-272

fix: skipped os scan errors for certified distributions

Author: openshift-merge-bot[bot]

config.toml

@@ -1,4 +1,16 @@
-certified_distributions = []
+certified_distributions = [
+  "Red Hat Enterprise Linux release 8.4 (Ootpa)",
+  "Red Hat Enterprise Linux release 8.5 (Ootpa)",
+  "Red Hat Enterprise Linux release 8.6 (Ootpa)",
+  "Red Hat Enterprise Linux release 8.7 (Ootpa)",
+  "Red Hat Enterprise Linux release 8.9 (Ootpa)",
+  "Red Hat Enterprise Linux release 8.10 (Ootpa)",
+  "Red Hat Enterprise Linux release 9.0 (Plow)",
+  "Red Hat Enterprise Linux release 9.2 (Plow)",
+  "Red Hat Enterprise Linux release 9.4 (Plow)",
+  "Red Hat Enterprise Linux release 9.5 (Plow)",
+  "Red Hat Enterprise Linux release 9.6 (Plow)",
+]
 
 # List of directories to ignore. This is a prefix match,
 # i.e. everything under a matched directory is ignored.
@@ -132,16 +144,16 @@ files = ["/usr/lib/dracut/modules.d/30ignition/ignition"]
 [[rpm.valgrind.ignore]]
 error = "ErrNotDynLinked"
 files = [
-    "/usr/libexec/valgrind/cachegrind-amd64-linux",
-    "/usr/libexec/valgrind/callgrind-amd64-linux",
-    "/usr/libexec/valgrind/dhat-amd64-linux",
-    "/usr/libexec/valgrind/drd-amd64-linux",
-    "/usr/libexec/valgrind/exp-bbv-amd64-linux",
-    "/usr/libexec/valgrind/helgrind-amd64-linux",
-    "/usr/libexec/valgrind/lackey-amd64-linux",
-    "/usr/libexec/valgrind/massif-amd64-linux",
-    "/usr/libexec/valgrind/memcheck-amd64-linux",
-    "/usr/libexec/valgrind/none-amd64-linux"
+  "/usr/libexec/valgrind/cachegrind-amd64-linux",
+  "/usr/libexec/valgrind/callgrind-amd64-linux",
+  "/usr/libexec/valgrind/dhat-amd64-linux",
+  "/usr/libexec/valgrind/drd-amd64-linux",
+  "/usr/libexec/valgrind/exp-bbv-amd64-linux",
+  "/usr/libexec/valgrind/helgrind-amd64-linux",
+  "/usr/libexec/valgrind/lackey-amd64-linux",
+  "/usr/libexec/valgrind/massif-amd64-linux",
+  "/usr/libexec/valgrind/memcheck-amd64-linux",
+  "/usr/libexec/valgrind/none-amd64-linux",
 ]
 
 [[payload.openshift-enterprise-pod-container.ignore]]

dist/releases/4.12/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.openshift-enterprise-operator-sdk-container.ignore]]
 error = "ErrGoMissingSymbols"
 files = ["/usr/lib/golang/pkg/tool/linux_amd64/cgo"]

dist/releases/4.13/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = [

dist/releases/4.14/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = ["/bondcni/bond", "/bondcni/rhel9/bond"]

dist/releases/4.15/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = ["/bondcni/bond", "/bondcni/rhel9/bond"]

dist/releases/4.16/config.toml

@@ -1,14 +1,16 @@
-certified_distributions = [
-  "Red Hat Enterprise Linux release 9.2 (Plow)",
-  "Red Hat Enterprise Linux release 9.4 (Plow)",
-  "Red Hat Enterprise Linux release 9.6 (Plow)",
-  "Red Hat Enterprise Linux release 8.10 (Ootpa)",
-]
-
 [[payload.ubi9-container.ignore]]
 error = "ErrOSNotCertified"
 tags = ["rhel-coreos-extensions"]
 
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = ["/bondcni/bond", "/bondcni/rhel9/bond"]

dist/releases/4.17/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = ["/bondcni/bond", "/bondcni/rhel9/bond"]

dist/releases/4.18/config.toml

@@ -1,3 +1,12 @@
+# RHCOS transport image - ignore OS certification check
+# The rhel-coreos tag is used to transport the base OS image that OpenShift nodes run on.
+# This image doesn't have typical component metadata and isn't a layered product.
+# The RHCOS team uses OpenShift releases as a transport mechanism for this base OS.
+# This issue was resolved in OpenShift 4.19+ but affects earlier versions.
+[[tag.rhel-coreos.ignore]]
+error = "ErrOSNotCertified"
+tags = ["rhel-coreos"]
+
 [[payload.ose-network-interface-bond-cni-container.ignore]]
 error = "ErrLibcryptoSoMissing"
 files = ["/bondcni/bond", "/bondcni/rhel9/bond"]

internal/scan/scan.go

@@ -370,23 +370,14 @@ func walkDirScan(ctx context.Context, cfg *types.Config, tag *v1.TagReference, c
 	results := types.NewScanResults()
 
 	certifiedDistributions := cfg.GetCertifiedDistributions()
-	if len(certifiedDistributions) > 0 {
+
+	if len(certifiedDistributions) > 0 && !cfg.ShouldIgnoreOSValidation(tag, component, types.ErrOSNotCertified) {
 		// Check the operating system release against a known list of certified
 		// distributions. Here we're primarily concerned about warning against
 		// operating systems that haven't been certified, yet.
 		osInfo := validations.ValidateOS(cfg, mountPath)
 		osScanResult := types.NewScanResult().SetOS(osInfo).SetComponent(component).SetTag(tag)
-		if component != nil && osScanResult.Error != nil {
-			if i, ok := cfg.PayloadIgnores[component.Component]; ok {
-				if tag != nil {
-					if !i.ErrIgnores.IgnoreTag(tag.Name, osScanResult.Error.Error) {
-						results.Append(osScanResult)
-					}
-				}
-			}
-		} else {
-			results.Append(osScanResult)
-		}
+		results.Append(osScanResult)
 	}
 
 	// does the image contain openssl