package blobby
import future.keywords.contains
import future.keywords.if
import future.keywords.in
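# Exact purls the image is not allowed to ship. Matching below is plain string
# equality on the whole purl (type, namespace, name and version), so another
# version of the same artifact is NOT caught unless it is listed here too.
_denied_purls := {
	"pkg:maven/org.jboss.spec.javax.xml.bind/jboss-jaxb-api_2.3_spec@2.0.0.Final",
}

# METADATA
# title: Fetch Blob
# description: >-
#   Fetches the image SBOM named by the build-container task's IMAGE_SBOM_URL
#   result and denies when any SBOM component carries a purl in _denied_purls.
#   Fail-open by construction: if the SBOM cannot be located, fetched or parsed,
#   or has no top-level "components" array (the SBOM is read as CycloneDX-shaped,
#   components[].purl; presumably an SPDX document would match nothing), _sbom()
#   is undefined, `found` is empty and this rule does not fire. Pair it with a
#   rule that requires an SBOM to be present if that matters to you.
# custom:
#   short_name: fetch_blob
#   failure_msg: failure is %q
deny contains result if {
	# All matching purls, in SBOM order and with duplicates kept, so the
	# failure message names every offending entry.
	found := [purl |
		some component in _sbom().components
		purl := component.purl
		purl in _denied_purls
	]
	count(found) > 0
	result := {
		"code": "blobby.fetch_blob",
		"msg": sprintf("failure is %q", [concat(", ", found)]),
	}
}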
# _sbom returns the parsed image SBOM for the build under evaluation.
#
# Lookup path: walk input.attestations, take the buildConfig task named
# "build-container", read its IMAGE_SBOM_URL result, fetch that reference with
# ec.fetch_oci_blob and JSON-decode the blob.
#
# The function is undefined — not an error — when no such task or result
# exists, the fetch produces no value, or the blob is not valid JSON; callers
# that merely iterate over its fields then evaluate to nothing (fail-open).
# NOTE(review): a function must not yield two different values for the same
# call; several attestations carrying different SBOMs would surface as an
# evaluation conflict rather than a deny.
# NOTE(review): nothing here verifies that the reference is digest-pinned —
# confirm ec.fetch_oci_blob (or the producing task) guarantees that, otherwise
# the fetched content is not bound to the attestation being evaluated.
_sbom() := json.unmarshal(raw) if {
	some attestation in input.attestations
	some task in attestation.statement.predicate.buildConfig.tasks
	task.name == "build-container"
	some task_result in task.results
	task_result.name == "IMAGE_SBOM_URL"
	raw := ec.fetch_oci_blob(task_result.value)
	json.is_valid(raw)
}