Merge pull request #1170 from lcarva/EC-892

Drop support for BASE_IMAGES_DIGESTS results

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -311,7 +311,7 @@ Confirm the `allowed_registry_prefixes` rule data was provided, since it's requi
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `base_image_registries.allowed_registries_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries.rego#L76[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries.rego#L71[Source, window="_blank"]
 
 [#base_image_registries__base_image_permitted]
 === link:#base_image_registries__base_image_permitted[Base image comes from permitted registry]
@@ -328,9 +328,9 @@ Verify that the base images used when building a container image come from a kno
 [#base_image_registries__base_image_info_found]
 === link:#base_image_registries__base_image_info_found[Base images provided]
 
-Verify the expected information was provided about which base images were used during the build process.The list of base images is a combination of two sources. One is extracted from the SLSA Provenance in the form of Tekton Task result called BASE_IMAGES_DIGESTS. The other comes from the components in the `formulation` attribute of any associated CycloneDX SBOMs.
+Verify the expected information was provided about which base images were used during the build process.The list of base images comes from the components in the `formulation` attribute of any associated CycloneDX SBOMs.
 
-*Solution*: Either a Tekton task must exist that emits a result named BASE_IMAGES_DIGESTS, or a CycloneDX SBOM must be associated with the image.
+*Solution*: Ensure a CycloneDX SBOM is associated with the image.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Base images information is missing`

policy/release/base_image_registries.rego

@@ -46,16 +46,13 @@ deny contains result if {
 # title: Base images provided
 # description: >-
 #   Verify the expected information was provided about which base images were used during
-#   the build process.The list of base images is a combination of two sources. One is
-#   extracted from the SLSA Provenance in the form of Tekton Task result called
-#   BASE_IMAGES_DIGESTS. The other comes from the components in the `formulation` attribute
-#   of any associated CycloneDX SBOMs.
+#   the build process.The list of base images comes from the components in the `formulation`
+#   attribute of any associated CycloneDX SBOMs.
 # custom:
 #   short_name: base_image_info_found
 #   failure_msg: Base images information is missing
 #   solution: >-
-#     Either a Tekton task must exist that emits a result named BASE_IMAGES_DIGESTS, or a
-#     CycloneDX SBOM must be associated with the image.
+#     Ensure a CycloneDX SBOM is associated with the image.
 #   collections:
 #   - minimal
 #   - redhat
@@ -64,10 +61,8 @@ deny contains result if {
 #
 deny contains result if {
 	# Some images are built "from scratch" and not have any base images, e.g. UBI.
-	# This check distinguishes such images by simply ensuring that either the expected
-	# Task result exists regardless of its value, or at least one SBOM is attached to
-	# the image.
-	count(lib.results_named(lib.build_base_images_digests_result_name)) == 0
+	# This check distinguishes such images by simply ensuring that at least one SBOM
+	# is attached to the image.
 	count(sbom.cyclonedx_sboms) == 0
 
 	result := lib.result_helper(rego.metadata.chain(), [])
@@ -106,12 +101,6 @@ _image_ref_permitted(image_ref) if {
 	image.parse(image_ref).digest in allowed_digests
 }
 
-_base_images contains name if {
-	some _, image in lib.results_named(lib.build_base_images_digests_result_name)
-	some name in split(image.value, "\n")
-	name != ""
-}
-
 _base_images contains base_image if {
 	some s in sbom.cyclonedx_sboms
 	some formulation in s.formulation

policy/release/base_image_registries_test.rego

@@ -3,39 +3,9 @@ package policy.release.base_image_registries_test
 import rego.v1
 
 import data.lib
-import data.lib.tkn_test
-import data.lib_test
 import data.policy.release.base_image_registries
 
-mock_bundle := "registry.img/spam@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"
-
 test_allowed_base_images if {
-	slsav1_task_with_result := tkn_test.slsav1_task_result(
-		"buildah-task-1",
-		[{
-			"name": lib.build_base_images_digests_result_name,
-			"type": "string",
-			"value": concat("\n", [
-				"registry.redhat.io/ubi7:latest@sha256:abc",
-				"docker.io/library/registry:latest@sha256:bcd",
-				"", # Verify trailing new line is ignored
-			]),
-		}],
-	)
-	attestations := [
-		lib_test.att_mock_helper_ref_plain_result(
-			lib.build_base_images_digests_result_name,
-			concat("\n", [
-				"registry.redhat.io/ubi7:latest@sha256:abc",
-				"docker.io/library/registry:latest@sha256:bcd",
-				"", # Verify trailing new line is ignored
-			]),
-			"buildah-task-1",
-			mock_bundle,
-		),
-		lib_test.mock_slsav1_attestation_with_tasks([tkn_test.slsav1_task_bundle(slsav1_task_with_result, mock_bundle)]),
-	]
-
 	sboms := [{"formulation": [
 		{"components": [{
 			"name": "registry.redhat.io/ubi7:latest@sha256:abc",
@@ -55,8 +25,7 @@ test_allowed_base_images if {
 		}]},
 	]}]
 
-	lib.assert_empty(base_image_registries.deny) with input.attestations as attestations
-		with lib.sbom.cyclonedx_sboms as sboms
+	lib.assert_empty(base_image_registries.deny) with lib.sbom.cyclonedx_sboms as sboms
 }
 
 test_allowed_base_images_from_snapshot if {
@@ -90,54 +59,10 @@ test_allowed_base_images_from_snapshot if {
 }
 
 test_empty_base_images_result if {
-	slsav1_task_with_result := tkn_test.slsav1_task_result(
-		"buildah-task-1",
-		[{
-			"name": lib.build_base_images_digests_result_name,
-			"type": "string",
-			"value": "",
-		}],
-	)
-
-	attestations := [
-		lib_test.att_mock_helper_ref_plain_result(
-			lib.build_base_images_digests_result_name,
-			"",
-			"buildah-task-1",
-			mock_bundle,
-		),
-		lib_test.mock_slsav1_attestation_with_tasks([tkn_test.slsav1_task_bundle(slsav1_task_with_result, mock_bundle)]),
-	]
-	lib.assert_empty(base_image_registries.deny) with input.attestations as attestations
+	lib.assert_empty(base_image_registries.deny) with lib.sbom.cyclonedx_sboms as [{}]
 }
 
 test_disallowed_base_images if {
-	slsav1_task_with_result := tkn_test.slsav1_task_result(
-		"buildah-task-1",
-		[{
-			"name": lib.build_base_images_digests_result_name,
-			"type": "string",
-			"value": concat("\n", [
-				"registry.redhat.io/ubi7:latest@sha256:abc1",
-				"dockery.io/busybox:latest@sha256:bcd1",
-				"registry.redhat.ioo/spam:latest@sha256:def1",
-			]),
-		}],
-	)
-	attestations := [
-		lib_test.att_mock_helper_ref_plain_result(
-			lib.build_base_images_digests_result_name,
-			concat("\n", [
-				"registry.redhat.io/ubi7:latest@sha256:abc2",
-				"dockery.io/busybox:latest@sha256:bcd2",
-				"registry.redhat.ioo/spam:latest@sha256:def2",
-			]),
-			"buildah-task-1",
-			mock_bundle,
-		),
-		lib_test.mock_slsav1_attestation_with_tasks([tkn_test.slsav1_task_bundle(slsav1_task_with_result, mock_bundle)]),
-	]
-
 	sboms := [{"formulation": [
 		{"components": [{
 			"name": "registry.redhat.yo/ubi7/3",
@@ -166,22 +91,6 @@ test_disallowed_base_images if {
 	]}]
 
 	expected := {
-		{
-			"code": "base_image_registries.base_image_permitted",
-			"msg": "Base image \"dockery.io/busybox:latest@sha256:bcd1\" is from a disallowed registry",
-		},
-		{
-			"code": "base_image_registries.base_image_permitted",
-			"msg": "Base image \"registry.redhat.ioo/spam:latest@sha256:def1\" is from a disallowed registry",
-		},
-		{
-			"code": "base_image_registries.base_image_permitted",
-			"msg": "Base image \"dockery.io/busybox:latest@sha256:bcd2\" is from a disallowed registry",
-		},
-		{
-			"code": "base_image_registries.base_image_permitted",
-			"msg": "Base image \"registry.redhat.ioo/spam:latest@sha256:def2\" is from a disallowed registry",
-		},
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"registry.redhat.yo/ubi7/3\" is from a disallowed registry",
@@ -195,8 +104,7 @@ test_disallowed_base_images if {
 			"msg": "Base image \"dockery.io/busybox/3\" is from a disallowed registry",
 		},
 	}
-	lib.assert_equal_results(base_image_registries.deny, expected) with input.attestations as attestations
-		with lib.sbom.cyclonedx_sboms as sboms
+	lib.assert_equal_results(base_image_registries.deny, expected) with lib.sbom.cyclonedx_sboms as sboms
 }
 
 test_disallowed_base_images_with_snapshot if {
@@ -302,32 +210,11 @@ test_sbom_base_image_selection if {
 }
 
 test_missing_result if {
-	slsav1_task_with_result := tkn_test.slsav1_task_bundle(
-		tkn_test.slsav1_task_result(
-			"buildah-task-1",
-			[{
-				"name": "SPAM_SPAM_SPAM",
-				"type": "string",
-				"value": "registry.redhat.io/ubi7:latest@sha256:abc",
-			}],
-		),
-		"registry.img/unacceptable@sha256:012",
-	)
-
-	attestations := [
-		lib_test.att_mock_helper_ref_plain_result(
-			"SPAM_SPAM_SPAM",
-			"registry.redhat.io/ubi7:latest@sha256:abc",
-			"buildah-task-1",
-			"registry.img/unacceptable@sha256:012",
-		),
-		lib_test.mock_slsav1_attestation_with_tasks([slsav1_task_with_result]),
-	]
 	expected := {{
 		"code": "base_image_registries.base_image_info_found",
 		"msg": "Base images information is missing",
 	}}
-	lib.assert_equal_results(base_image_registries.deny, expected) with input.attestations as attestations
+	lib.assert_equal_results(base_image_registries.deny, expected)
 }
 
 test_allowed_registries_provided if {

policy/release/lib/attestations.rego

@@ -39,8 +39,6 @@ task_test_image_result_name := "IMAGES_PROCESSED"
 
 java_sbom_component_count_result_name := "SBOM_JAVA_COMPONENTS_COUNT"
 
-build_base_images_digests_result_name := "BASE_IMAGES_DIGESTS"
-
 slsa_provenance_attestations := [att |
 	some att in input.attestations
 	att.statement.predicateType in {slsa_provenance_predicate_type_v1, slsa_provenance_predicate_type_v02}