fix: ignore gpg-pubkey package (#312)

This rpm is never signed. It delivers the public key used to validate all other packages. It is present in the sbom, but the container catalog gets confused when it is present. As an unsigned rpm, it displays it as "excluded" from security scans. Rather than claim that it is signed, let's exclude it from the manifest uploaded to pyxis. Signed-off-by: Ralph Bean <[email protected]>
konflux-ci · Nov 18, 2024 · 1fed977 · 1fed977
1 parent 45f7d5f
commit 1fed977
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 0 deletions.
diff --git a/pyxis/test_upload_rpm_data.py b/pyxis/test_upload_rpm_data.py
@@ -102,6 +102,14 @@
             }
         ]
     },
+    {  # with redhat namespace, but special gpg-pubkey rpm
+        "externalRefs": [
+            {
+                "referenceType": "purl",
+                "referenceLocator": "pkg:rpm/redhat/gpg-pubkey@abcd-efgh?arch=noarch",
+            }
+        ]
+    },
 ]
 
 

diff --git a/pyxis/test_upload_rpm_data_cyclonedx.py b/pyxis/test_upload_rpm_data_cyclonedx.py
@@ -51,6 +51,9 @@
     {  # with redhat namespace, but no publisher
         "purl": "pkg:rpm/redhat/[email protected]?arch=noarch",
     },
+    {  # with redhat namespace, but special gpg-pubkey rpm
+        "purl": "pkg:rpm/redhat/gpg-pubkey@abcd-efgh?arch=noarch",
+    },
 ]
 
 

diff --git a/pyxis/upload_rpm_data.py b/pyxis/upload_rpm_data.py
@@ -32,6 +32,7 @@
 import pyxis
 
 LOGGER = logging.getLogger("upload_rpm_data")
+IGNORED_PACKAGES = ["gpg-pubkey"]
 
 
 def upload_container_rpm_data_with_retry(
@@ -237,6 +238,8 @@ def construct_rpm_items_and_content_sets(
             purl_dict = PackageURL.from_string(externalRef["referenceLocator"]).to_dict()
             if purl_dict["type"] != "rpm":
                 continue
+            if purl_dict["name"] in IGNORED_PACKAGES:
+                continue
             rpm_item = {
                 "name": purl_dict["name"],
                 "summary": purl_dict["name"],

diff --git a/pyxis/upload_rpm_data_cyclonedx.py b/pyxis/upload_rpm_data_cyclonedx.py
@@ -32,6 +32,7 @@
 import pyxis
 
 LOGGER = logging.getLogger("upload_rpm_data")
+IGNORED_PACKAGES = ["gpg-pubkey"]
 
 
 def upload_container_rpm_data_with_retry(
@@ -258,6 +259,8 @@ def construct_rpm_items_and_content_sets(
         if "purl" in component:
             purl_dict = PackageURL.from_string(component["purl"]).to_dict()
             if purl_dict["type"] == "rpm":
+                if purl_dict["name"] in IGNORED_PACKAGES:
+                    continue
                 rpm_item = {
                     "name": purl_dict["name"],
                     "summary": purl_dict["name"],