From 011e1993c1f508f3803c16ac3ea3ae85d6c1d67f Mon Sep 17 00:00:00 2001 
From: Simon Baird Date: Tue, 24 Mar 2026 15:17:23 -0400 Subject: [PATCH] Increase regal line length lint limit to 200 Previous (default) limit was 120 iiuc. Co-authored-by: Claude Code --- .regal/config.yaml | 1 + .../ROOT/pages/packages/release_olm.adoc | 6 +- .../pages/packages/release_sbom_spdx.adoc | 10 +- checks/annotations_test.rego | 3 - .../build_labels/build_labels_test.rego | 1 - policy/lib/sbom/sbom.rego | 2 - policy/lib/sbom/sbom_test.rego | 5 +- policy/lib/tekton/pipeline_test.rego | 2 - policy/lib/tekton/recorded_att_test.rego | 17 ---- policy/lib/tekton/refs_test.rego | 15 --- policy/lib/tekton/task_results_test.rego | 5 - policy/lib/tekton/task_test.rego | 5 - policy/lib/tekton/trusted.rego | 2 - policy/lib/tekton/trusted_test.rego | 98 ------------------- policy/lib/volatile_config_test.rego | 1 - .../task_bundle/task_bundle_test.rego | 16 --- .../base_image_registries_test.rego | 19 ---- .../buildah_build_task_test.rego | 3 - policy/release/cve/cve_test.rego | 38 ++----- .../external_parameters_test.rego | 3 - .../release/git_branch/git_branch_test.rego | 1 - .../github_certificate_test.rego | 4 - .../hermetic_task/hermetic_task_test.rego | 9 -- policy/release/labels/labels_test.rego | 6 -- policy/release/lib/attestations_test.rego | 3 - policy/release/olm/olm.rego | 2 - policy/release/olm/olm_test.rego | 44 +-------- .../pre_build_script_task_test.rego | 63 +++--------- .../provenance_materials_test.rego | 4 - .../rpm_ostree_task/rpm_ostree_task_test.rego | 12 --- .../rpm_packages/rpm_packages_test.rego | 13 --- policy/release/rpm_repos/rpm_repos_test.rego | 2 - policy/release/sbom/sbom_test.rego | 8 -- .../sbom_cyclonedx/sbom_cyclonedx_test.rego | 17 ---- policy/release/sbom_spdx/sbom_spdx.rego | 2 - policy/release/sbom_spdx/sbom_spdx_test.rego | 12 --- .../slsa_build_scripted_build_test.rego | 6 -- .../slsa_source_correlated_test.rego | 2 - .../source_image/source_image_test.rego | 2 - policy/release/tasks/tasks_test.rego | 8 -- 
policy/release/test/test_test.rego | 16 --- policy/release/trusted_task/trusted_task.rego | 4 - .../trusted_task/trusted_task_test.rego | 39 -------- .../volatile_config/volatile_config_test.rego | 4 +- .../stepaction_image_test.rego | 3 - policy/task/annotations/annotations_test.rego | 1 - policy/task/results/results_test.rego | 2 - .../step_image_registries_test.rego | 11 --- 48 files changed, 37 insertions(+), 515 deletions(-) diff --git a/.regal/config.yaml b/.regal/config.yaml index f115fdcfa..eff66a40b 100644 --- a/.regal/config.yaml +++ b/.regal/config.yaml @@ -45,6 +45,7 @@ rules: # schemas can be quite large. - "*_schema.rego" line-length: + max-line-length: 200 ignore: files: # schemas can have very long attribute values, e.g. description. diff --git a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc index 6a0dc56e5..fb04068a8 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc @@ -43,7 +43,7 @@ Each image referenced by the OLM bundle should match an entry in the list of pre * FAILURE message: `The %q CSV image reference is not from an allowed registry.` * Code: `olm.allowed_registries` * Effective from: `2024-09-01T00:00:00Z` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L304[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L303[Source, window="_blank"] [#olm__allowed_resource_kinds] === link:#olm__allowed_resource_kinds[OLM bundle image manifests contain only allowed resource kinds] 
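Review bot: The added `max-line-length: 200` under `line-length:` in .regal/config.yaml has no comment explaining the value, and it applies to every Rego file Regal lints, not only the tests. The diffstat shows rule files such as policy/lib/tekton/trusted.rego and policy/release/trusted_task/trusted_task.rego losing their per-line ignores too. A comment above the setting would record the intent, for example `# raised from the 120 default so long image refs and digests need no per-line ignore`. Most of the un-ignored lines visible here are long because of one unbreakable token (a pinned bundle reference or sha256 digest), so Regal's `non-breakable-word-threshold` option for this rule may cover them without loosening the limit for policy logic; check this against the Regal version in use. A few trailing `# regal ignore:line-length` comments remain as context in the policy/lib/tekton/trusted_test.rego hunk and look redundant under the new limit; the `rules:` block around this setting starts and ends outside the hunk.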
@@ -55,7 +55,7 @@ Every manifest in an OLM bundle must be of an allowed resource kind, as defined * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q manifest kind is not in the list of OLM allowed resource kinds.` * Code: `olm.allowed_resource_kinds` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L359[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L358[Source, window="_blank"] [#olm__olm_bundle_multi_arch] === link:#olm__olm_bundle_multi_arch[OLM bundle images are not multi-arch] @@ -68,7 +68,7 @@ OLM bundle images should be built for a single architecture. They should not be * FAILURE message: `The %q bundle image is a multi-arch reference.` * Code: `olm.olm_bundle_multi_arch` * Effective from: `2025-05-01T00:00:00Z` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L337[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L336[Source, window="_blank"] [#olm__allowed_registries_related] === link:#olm__allowed_registries_related[Related images references are from allowed registries] diff --git a/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc b/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc index ebbab94d3..7d470fadd 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc 
@@ -43,7 +43,7 @@ For each of the packages fetched by Hermeto which define externalReferences, ver * FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed` * Code: `sbom_spdx.allowed_package_sources` * Effective from: `2025-02-17T00:00:00Z` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L170[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L168[Source, window="_blank"] [#sbom_spdx__contains_files] === link:#sbom_spdx__contains_files[Contains files] @@ -55,7 +55,7 @@ Check the list of files in the SPDX SBOM is not empty. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The list of files is empty` * Code: `sbom_spdx.contains_files` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L137[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L135[Source, window="_blank"] [#sbom_spdx__contains_packages] === link:#sbom_spdx__contains_packages[Contains packages] @@ -80,7 +80,7 @@ Confirm the SPDX SBOM contains only packages without disallowed attributes. By d * FAILURE message: `Package %s has the attribute %q set%s` * Code: `sbom_spdx.disallowed_package_attributes` * Effective from: `2025-02-04T00:00:00Z` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L216[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L214[Source, window="_blank"] [#sbom_spdx__disallowed_package_external_references] === link:#sbom_spdx__disallowed_package_external_references[Disallowed package external references] 
@@ -93,7 +93,7 @@ Confirm the SPDX SBOM contains only packages without disallowed external referen * FAILURE message: `Package %s has reference %q of type %q which is disallowed%s` * Code: `sbom_spdx.disallowed_package_external_references` * Effective from: `2024-07-31T00:00:00Z` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L105[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L104[Source, window="_blank"] [#sbom_spdx__matches_image] === link:#sbom_spdx__matches_image[Matches image] @@ -105,7 +105,7 @@ Check the SPDX SBOM targets the image being validated. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image digest in the SBOM, %q, is not as expected, %q` * Code: `sbom_spdx.matches_image` -* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L152[Source, window="_blank"] +* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L150[Source, window="_blank"] [#sbom_spdx__valid] === link:#sbom_spdx__valid[Valid] diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego index fb479132f..4d55aca40 100644 --- a/checks/annotations_test.rego +++ b/checks/annotations_test.rego 
@@ -208,16 +208,13 @@ test_required_annotations_invalid if { } test_missing_dependency_invalid if { - # regal ignore:line-length err = `ERROR: Missing dependency rule "data.attestation_type.known_attestation_type" at policy/release/attestation_task_bundle.rego:71` lib.assert_equal({err}, checks.violation) with input as opa_inspect_missing_dependency } test_duplicate_rules if { - # regal ignore:line-length err1 = `ERROR: Found non-unique code "data.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:30` - # regal ignore:line-length err2 = `ERROR: Found non-unique code "data.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:50` lib.assert_equal({err1, err2}, checks.violation) with input as opa_inspect_duplicate } diff --git a/policy/build_task/build_labels/build_labels_test.rego b/policy/build_task/build_labels/build_labels_test.rego index 816f4e41e..1473f2c33 100644 --- a/policy/build_task/build_labels/build_labels_test.rego +++ b/policy/build_task/build_labels/build_labels_test.rego @@ -6,7 +6,6 @@ import data.build_labels import data.lib test_build_label_found if { - # regal ignore:line-length lib.assert_empty(build_labels.deny) with input as {"metadata": {"labels": {"build.appstudio.redhat.com/build_type": "docker"}}} } diff --git a/policy/lib/sbom/sbom.rego b/policy/lib/sbom/sbom.rego index 1a69d285b..6f21bb439 100644 --- a/policy/lib/sbom/sbom.rego +++ b/policy/lib/sbom/sbom.rego @@ -263,7 +263,6 @@ rule_data_errors contains error if { }) error := { - # regal ignore:line-length "message": sprintf("Rule data %s has unexpected format: %s", [rule_data_disallowed_external_references_key, e.message]), "severity": e.severity, } @@ -295,7 +294,6 @@ rule_data_errors contains error if { ) error := { - # regal ignore:line-length "message": sprintf("Rule data %s has unexpected format: %s", [rule_data_allowed_package_sources_key, e.message]), "severity": e.severity, } 
diff --git a/policy/lib/sbom/sbom_test.rego b/policy/lib/sbom/sbom_test.rego index 4f3c33870..a47edd69f 100644 --- a/policy/lib/sbom/sbom_test.rego +++ b/policy/lib/sbom/sbom_test.rego @@ -140,17 +140,14 @@ test_ignore_unrelated_sboms if { ] lib.assert_equal(sbom.all_sboms, []) with input.attestations as attestations - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} with ec.oci.blob as "" with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} } test_image_ref_from_purl if { - # regal ignore:line-length purl := "pkg:oci/ubi-minimal@sha256:92b1d5747a93608b6adb64dfd54515c3c5a360802db4706765ff3d8470df6290?repository_url=registry.access.redhat.com/ubi9/ubi-minimal" - # regal ignore:line-length image_ref := "registry.access.redhat.com/ubi9/ubi-minimal@sha256:92b1d5747a93608b6adb64dfd54515c3c5a360802db4706765ff3d8470df6290" lib.assert_equal(sbom.image_ref_from_purl(purl), image_ref) } diff --git a/policy/lib/tekton/pipeline_test.rego b/policy/lib/tekton/pipeline_test.rego index 014932210..f40778b9c 100644 --- a/policy/lib/tekton/pipeline_test.rego +++ b/policy/lib/tekton/pipeline_test.rego @@ -30,7 +30,6 @@ test_pipeline_label_selector_build_task_slsa_v0_2 if { "ref": {"name": "build-container", "kind": "Task"}, "results": [ {"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"}, - # regal ignore:line-length {"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, ], "invocation": {"environment": {"labels": {tekton.task_label: "generic"}}}, 
@@ -65,7 +64,6 @@ test_pipeline_label_selector_pipeline_run_slsa_v0_2 if { "ref": {"name": "build-container", "kind": "Task"}, "results": [ {"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"}, - # regal ignore:line-length {"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, ], } diff --git a/policy/lib/tekton/recorded_att_test.rego b/policy/lib/tekton/recorded_att_test.rego index 539954beb..b20e7bd4c 100644 --- a/policy/lib/tekton/recorded_att_test.rego +++ b/policy/lib/tekton/recorded_att_test.rego @@ -15,7 +15,6 @@ test_slsa_v02_task_extraction if { {"name": "mock-av-scanner"}, {"name": ""}, { - # regal ignore:line-length "bundle": "quay.io/lucarval/test-policies-chains@sha256:ae5952d5aac1664fbeae9191d9445244051792af903d28d3e0084e9d9b7cce61", "name": "mock-build", }, 
@@ -32,82 +31,66 @@ test_slsa_v1_task_extraction if { expected := [ { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:916781b75e5f42a2e0b578b3ab3418e8bcc305168b2cd26ff41c8057e5c9ec28", "name": "buildah-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e", "name": "ecosystem-cert-preflight-checks", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:ea64f5b99202621e78ed3d74b00df5750cbf572c391e6da1956396f5945e4e11", "name": "git-clone-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:3fa0204a481044b21f0e784ce39cbd25e8fb49c664a5458f3eef351fff1c906e", "name": "prefetch-dependencies-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:4072de81ade0a75ad1eaa5449a7ff02bba84757064549a81b48c28fab3aeca59", "name": "init", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:5623e48314ffd583e9cab383011dc0763b6c92b09c4f427b8bfcca885394a21c", "name": "coverity-availability-check", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:f59175d9a0a60411738228dfe568af4684af4aa5e7e05c832927cb917801d489", "name": "deprecated-image-check", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:803ae1ecf35bc5d22be9882819e942e4b699cb17655055afc6bb6b02d34cfab8", "name": "build-image-index", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08bba4a659ecd48f871bef00b80af58954e5a09fcbb28a1783ddd640c4f6535e", "name": 
"push-dockerfile-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:13cf619a8c24e5a565f1b3f20f6998273d3108a2866e04076b6f0dd967251af3", "name": "rpms-signature-scan", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:60f2dac41844d222086ff7f477e51f3563716b183d87db89f603d6f604c21760", "name": "sast-snyk-check-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1f0fcba24ebc447d9f8a2ea2e8f262fa435d6c523ca6b0346cd67261551fc9ed", "name": "sast-shell-check-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:f3d2d179cddcc07d0228d9f52959a233037a3afa2619d0a8b2effbb467db80c3", "name": "clamav-scan", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:ee558db6af779ab162163ec88f288a5c1b2d5f70c3361f3690a474866e3bdc74", "name": "clair-scan", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:1833c618170ab9deb8455667f220df8e88d16ccd630a2361366f594e2bdcb712", "name": "sast-unicode-check-oci-ta", }, { - # regal ignore:line-length "bundle": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:a61d8a6d0ba804869e8fe57a9289161817afad379ef2d7433d75ae40a148e2ec", "name": "apply-tags", }, diff --git a/policy/lib/tekton/refs_test.rego b/policy/lib/tekton/refs_test.rego index c7197004f..1dc851ba4 100644 --- a/policy/lib/tekton/refs_test.rego +++ b/policy/lib/tekton/refs_test.rego 
@@ -28,13 +28,11 @@ _git_key := "git+https://git.local/repo.git//tasks/test.yaml" test_bundle_in_definition if { lib.assert_equal( tekton.task_ref({"taskRef": {"bundle": _image, "name": "test", "kind": "Task"}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) lib.assert_equal( tekton.task_ref({"taskRef": {"bundle": _unpinned_image, "name": "test", "kind": "Task"}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } @@ -42,13 +40,11 @@ test_bundle_in_definition if { test_bundle_in_slsa_v1_0 if { lib.assert_equal( tekton.task_ref({"spec": {"taskRef": {"name": "test", "kind": "Task", "bundle": _image}}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) lib.assert_equal( tekton.task_ref({"spec": {"taskRef": {"name": "test", "kind": "Task", "bundle": _unpinned_image}}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } @@ -56,13 +52,11 @@ test_bundle_in_slsa_v1_0 if { test_bundle_in_slsa_v0_2 if { lib.assert_equal( tekton.task_ref({"ref": {"name": "test", "kind": "Task", "bundle": _image}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) lib.assert_equal( tekton.task_ref({"ref": {"name": "test", "kind": "Task", "bundle": _unpinned_image}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } 
@@ -74,7 +68,6 @@ test_bundles_resolver_in_definition if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) @@ -84,7 +77,6 @@ test_bundles_resolver_in_definition if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } @@ -96,7 +88,6 @@ test_bundles_resolver_in_slsa_v1_0 if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) @@ -106,7 +97,6 @@ test_bundles_resolver_in_slsa_v1_0 if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } @@ -118,7 +108,6 @@ test_bundles_resolver_in_slsa_v0_2 if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) @@ -128,7 +117,6 @@ test_bundles_resolver_in_slsa_v0_2 if { {"name": "name", "value": "test"}, {"name": "kind", "value": "task"}, ]}}), - # regal ignore:line-length {"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key}, ) } 
@@ -284,7 +272,6 @@ test_git_resolver_canonical_key if { ) lib.assert_equal( - # regal ignore:line-length tekton.task_ref(json.patch(task, [{"op": "add", "path": "/ref/params/0/value", "value": "git+git.local/repo.git"}])).key, expected, ) @@ -335,7 +322,6 @@ test_local_task_in_slsa_v0_2 if { test_bundle_with_defaults if { lib.assert_equal( tekton.task_ref({"ref": {"bundle": _image}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": tekton._no_task_name, "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) } @@ -343,7 +329,6 @@ test_bundle_with_defaults if { test_bundle_resolver_with_defaults if { lib.assert_equal( tekton.task_ref({"ref": {"resolver": "bundles", "params": [{"name": "bundle", "value": _image}]}}), - # regal ignore:line-length {"bundle": _image, "kind": "task", "name": tekton._no_task_name, "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key}, ) } diff --git a/policy/lib/tekton/task_results_test.rego b/policy/lib/tekton/task_results_test.rego index 3ddb3e468..829009822 100644 --- a/policy/lib/tekton/task_results_test.rego +++ b/policy/lib/tekton/task_results_test.rego @@ -54,12 +54,10 @@ test_artifact_result if { test_images_result if { results := [{ "name": "IMAGES", - # regal ignore:line-length "value": "img1@sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701, img2@sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702\n", }] lib.assert_equal(["img1", "img2"], tekton.task_result_artifact_url(resolved_slsav1_task("task1", [], results))) lib.assert_equal( - # regal ignore:line-length ["sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701", "sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702"], tekton.task_result_artifact_digest(resolved_slsav1_task("task1", [], results)), ) 
@@ -155,7 +153,6 @@ test_mixed_results if { }, { "name": "IMAGES", - # regal ignore:line-length "value": "images-1@sha256:4567000000000000000000000000000000000000000000000000000000004567,images-2@sha256:5678000000000000000000000000000000000000000000000000000000005678", }, { @@ -176,12 +173,10 @@ test_mixed_results if { }, { "name": "image1_ARTIFACT_OUTPUTS", - # regal ignore:line-length "value": {"uri": "artifact-outputs-img1", "digest": "sha256:1234000000000000000000000000000000000000000000000000000000001234"}, }, { "name": "image2_ARTIFACT_OUTPUTS", - # regal ignore:line-length "value": {"uri": "artifact-outputs-img2", "digest": "sha256:9801000000000000000000000000000000000000000000000000000000009801"}, }, ] diff --git a/policy/lib/tekton/task_test.rego b/policy/lib/tekton/task_test.rego index 195569285..900394111 100644 --- a/policy/lib/tekton/task_test.rego +++ b/policy/lib/tekton/task_test.rego @@ -234,7 +234,6 @@ test_build_task_with_images if { { "op": "replace", "path": "/statement/predicate/buildConfig/tasks/0/results/0/value", - # regal ignore:line-length "value": "img1@sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701, img2@sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702", }, { @@ -505,12 +504,10 @@ test_missing_required_tasks_data if { test_task_step_image_ref if { lib.assert_equal( "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b", - # regal ignore:line-length tekton.task_step_image_ref({"name": "mystep", "imageID": "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b"}), ) lib.assert_equal( "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b", - # regal ignore:line-length tekton.task_step_image_ref({"environment": {"image": "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b"}}), ) } 
@@ -736,7 +733,6 @@ with_params(task, task_params) := json.patch( ) # Helper to set results on an existing task -# regal ignore:line-length # Usage: with_results(slsav1_task("build"), [{"name": "IMAGE_DIGEST", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}]) with_results(task, task_results) := json.patch( task, @@ -768,7 +764,6 @@ with_annotations(task, annotations) := json.patch( ) # Helper to set the bundle reference on an existing task -# regal ignore:line-length # Usage: with_bundle(slsav1_task("build"), "quay.io/konflux/task-buildah:0.1@sha256:abc0000000000000000000000000000000000000000000000000000000000abc") with_bundle(task, bundle) := json.patch( task, diff --git a/policy/lib/tekton/trusted.rego b/policy/lib/tekton/trusted.rego index d60b545b3..252d6555a 100644 --- a/policy/lib/tekton/trusted.rego +++ b/policy/lib/tekton/trusted.rego @@ -420,7 +420,6 @@ _trusted_task_rules_schema := { "effective_on": { "type": "string", "format": "date", - # regal ignore:line-length "description": "Date when this rule becomes effective (e.g., '2025-02-01'). Rules with future effective_on dates are not considered. If omitted, rule is effective immediately.", }, "versions": { @@ -456,7 +455,6 @@ _trusted_task_rules_schema := { "effective_on": { "type": "string", "format": "date", - # regal ignore:line-length "description": "Date when this rule becomes effective (e.g., '2025-11-15'). Rules with future effective_on dates are not considered. If omitted, rule is effective immediately.", }, "message": { diff --git a/policy/lib/tekton/trusted_test.rego b/policy/lib/tekton/trusted_test.rego index d2aa520e4..5a8eb7698 100644 --- a/policy/lib/tekton/trusted_test.rego +++ b/policy/lib/tekton/trusted_test.rego 
@@ -25,7 +25,6 @@ import data.lib.time as time_lib # Helper to create a mock bundle_manifests map for testing # bundle_ref: the bundle reference (e.g., "registry.local/trusty:1.0@sha256:digest") # version: the version annotation value (e.g., "1.0") -# regal ignore:line-length _mock_bundle_manifests(bundle_ref, version) := {bundle_ref: {"annotations": {"org.opencontainers.image.version": version}}} # Empty bundle_manifests for tests that don't need version checking 
@@ -75,36 +74,29 @@ test_task_expiry_warnings_after if { test_expiry_of if { # defaults - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(same_date_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks not tekton.expiry_of(newest_trusted_bundle_task) with data.trusted_tasks as trusted_tasks - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks not tekton.expiry_of(newest_trusted_git_task) with data.trusted_tasks as trusted_tasks - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_git_task))) with data.trusted_tasks as trusted_tasks # when running far in the future without the grace period - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(same_date_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") not tekton.expiry_of(newest_trusted_bundle_task) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") not tekton.expiry_of(newest_trusted_git_task) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_git_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") # when running far in the future within the grace period - # regal 
ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(same_date_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") with data.rule_data.task_expiry_warning_days as 6 @@ -112,7 +104,6 @@ test_expiry_of if { with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") with data.rule_data.task_expiry_warning_days as 6 - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_bundle_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") with data.rule_data.task_expiry_warning_days as 6 @@ -120,7 +111,6 @@ test_expiry_of if { with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") with data.rule_data.task_expiry_warning_days as 6 - # regal ignore:line-length lib.assert_equal("2099-01-01T00:00:00Z", time.format(tekton.expiry_of(outdated_trusted_git_task))) with data.trusted_tasks as trusted_tasks with data.config.policy.when_ns as time.parse_rfc3339_ns("2098-12-25T00:00:00Z") with data.rule_data.task_expiry_warning_days as 6 @@ -160,7 +150,6 @@ test_untrusted_task_refs if { expected := {untrusted_bundle_task, expired_trusted_bundle_task, untrusted_git_task, expired_trusted_git_task} - # regal ignore:line-length lib.assert_equal(expected, tekton.untrusted_task_refs(tasks, _empty_bundle_manifests)) with data.trusted_tasks as trusted_tasks } @@ -177,7 +166,6 @@ test_untrusted_task_refs_routes_to_rules if { # untrusted_bundle_task should be untrusted (doesn't match allow pattern) expected := {untrusted_bundle_task} - # regal ignore:line-length lib.assert_equal(expected, tekton.untrusted_task_refs(tasks, _empty_bundle_manifests)) with data.rule_data.trusted_task_rules as task_rules } 
@@ -189,7 +177,6 @@ test_is_trusted_task if { not tekton.is_trusted_task(untrusted_git_task, _empty_bundle_manifests) with data.trusted_tasks as trusted_tasks not tekton.is_trusted_task(expired_trusted_git_task, _empty_bundle_manifests) with data.trusted_tasks as trusted_tasks - # regal ignore:line-length not tekton.is_trusted_task(expired_trusted_bundle_task, _empty_bundle_manifests) with data.trusted_tasks as trusted_tasks } 
@@ -231,163 +218,133 @@ test_is_trusted_task_with_rules if { # Task that matches allow rule should be trusted allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-something:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-something"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length allowed_task_manifests := _mock_bundle_manifests( "quay.io/konflux-ci/tekton-catalog/task-something:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700", # regal ignore:line-length "0.4", ) - # regal ignore:line-length tekton.is_trusted_task(allowed_task, allowed_task_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task that matches deny rule should not be trusted (deny takes precedence) denied_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length denied_task_manifests := _mock_bundle_manifests( "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:digest", # regal ignore:line-length "0.3", ) - # regal ignore:line-length not tekton.is_trusted_task(denied_task, denied_task_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task that matches allow pattern (registry.local) should be trusted # Note: The key format is oci://registry.local/trusty:1.0 (with tag), so pattern oci://registry.local/* matches registry_local_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length 
{"name": "bundle", "value": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length registry_local_manifests := _mock_bundle_manifests("registry.local/trusty:1.0@sha256:digest", "1.0") - # regal ignore:line-length tekton.is_trusted_task(registry_local_task, registry_local_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task that doesn't match any allow rule should not be trusted # Note: This task uses a different path (untrusted) that doesn't match the pattern not_allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "other-registry.io/untrusted:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "untrusted"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length not_allowed_manifests := _mock_bundle_manifests("other-registry.io/untrusted:1.0@sha256:digest", "1.0") - # regal ignore:line-length not tekton.is_trusted_task(not_allowed_task, not_allowed_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Tasks satisfying at least one deny rule version constraints should be denied deny_constrained_task_denied_version := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/deny-task-constrained:1.5@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length deny_constrained_denied_manifests := _mock_bundle_manifests("quay.io/konflux-ci/tekton-catalog/deny-task-constrained:1.5@sha256:digest", "1.5") - # regal 
ignore:line-length not tekton.is_trusted_task(deny_constrained_task_denied_version, deny_constrained_denied_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task not satisfying any deny rule version constraints should not be denied deny_constrained_task_valid_version := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/deny-task-constrained:1.2.3@sha256:digest"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length deny_constrained_valid_manifests := _mock_bundle_manifests("quay.io/konflux-ci/tekton-catalog/deny-task-constrained:1.2.3@sha256:digest", "1.2.3") - # regal ignore:line-length tekton.is_trusted_task(deny_constrained_task_valid_version, deny_constrained_valid_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Tasks satisfying all the allow-rule version constraints should be allowed allow_constrained_task_valid_version := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/another-catalog/allow-task-constrained:1.5@sha256:digest"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length allow_constrained_valid_manifests := _mock_bundle_manifests("quay.io/konflux-ci/another-catalog/allow-task-constrained:1.5@sha256:digest", "1.5") - # regal ignore:line-length tekton.is_trusted_task(allow_constrained_task_valid_version, allow_constrained_valid_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Tasks *NOT* satisfying all the allow-rule version constraints should be denied allow_constrained_task_denied_version := {"spec": {"taskRef": {"resolver": 
"bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/another-catalog/allow-task-constrained:1.2.3@sha256:digest"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length allow_constrained_denied_manifests := _mock_bundle_manifests("quay.io/konflux-ci/another-catalog/allow-task-constrained:1.2.3@sha256:digest", "1.2.3") - # regal ignore:line-length not tekton.is_trusted_task(allow_constrained_task_denied_version, allow_constrained_denied_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task with mismatching versions between ref and manifest annotations. # Only the manifest annotation is taken into consideration allow_constrained_task_denied_version_mismatching_1 := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/another-catalog/allow-task-constrained:1.5@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} # Manifest has 1.2.3 even though ref has 1.5 - manifest version is used - # regal ignore:line-length mismatch_manifests_1 := _mock_bundle_manifests("quay.io/konflux-ci/another-catalog/allow-task-constrained:1.5@sha256:digest", "1.2.3") - # regal ignore:line-length not tekton.is_trusted_task(allow_constrained_task_denied_version_mismatching_1, mismatch_manifests_1) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task with mismatching versions between ref and manifest annotations. 
# Only the manifest annotation is taken into consideration allow_constrained_task_denied_version_mismatching_2 := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/another-catalog/allow-task-constrained:1.2.3@sha256:digest"}, {"name": "name", "value": "constrained"}, {"name": "kind", "value": "task"}, ]}}} # Manifest has 1.5 even though ref has 1.2.3 - manifest version is used - # regal ignore:line-length mismatch_manifests_2 := _mock_bundle_manifests("quay.io/konflux-ci/another-catalog/allow-task-constrained:1.2.3@sha256:digest", "1.5") - # regal ignore:line-length tekton.is_trusted_task(allow_constrained_task_denied_version_mismatching_2, mismatch_manifests_2) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests } @@ -415,7 +372,6 @@ test_unexpired_records if { 3: "sha256:01de5700000000000000000000000000000000000000000000000000001de570", } - # regal ignore:line-length sorted_tasks := tekton.trusted_task_records("oci://registry.local/trusty:1.0") with data.trusted_tasks as unsorted_trusted_task every index, ref in expected_refs_by_index { lib.assert_equal(ref, sorted_tasks[index].ref) @@ -439,7 +395,6 @@ test_data_trusted_task_rules_extraction if { # Task matching allow from data.trusted_task_rules should be trusted allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, 
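Review bot: In `test_is_trusted_task_with_rules`, several mock manifests are keyed on a different ref than the task they are paired with. For example `allow_constrained_task_denied_version_mismatching_1` carries the full `...:1.5@sha256:d19e5700…` bundle value, while `mismatch_manifests_1` is built for `...:1.5@sha256:digest`. If the manifest is looked up by the bundle string, as the `_version_satisfies_all_rule_constraints` cases later in this file suggest, the annotation is never found. The `not tekton.is_trusted_task(...)` assertion would then pass on the missing-annotation path rather than because manifest version 1.2.3 was used. The same mismatch appears for `denied_task`, `registry_local_task`, `not_allowed_task` and `deny_constrained_task_denied_version`, so it is worth confirming how the lookup normalises refs. If it does not normalise them, bind the ref once (`ref := "<bundle ref>"`) and pass it to both the task param and `_mock_bundle_manifests`. The test body starts before this hunk, so any setup above it is not visible here.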
@@ -455,7 +410,6 @@ test_data_trusted_task_rules_extraction if { # Task matching deny from data.trusted_task_rules should not be trusted denied_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/crook:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "crook"}, {"name": "kind", "value": "task"}, @@ -485,7 +439,6 @@ test_rule_data_trusted_task_rules_extraction if { # Task matching allow from rule_data should be trusted allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-something:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-something"}, {"name": "kind", "value": "task"}, @@ -494,13 +447,11 @@ test_rule_data_trusted_task_rules_extraction if { # Task matching deny from rule_data should not be trusted denied_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length not tekton.is_trusted_task(denied_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as rule_data_rules # Test when lib_rule_data returns [] (not an object) - covers default cases @@ -525,9 +476,7 @@ test_data_errors if { ], # this is allowed "duplicated-entries": [ - # regal ignore:line-length {"ref": "sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700", "expires_on": "2099-01-01T00:00:00Z"}, - # regal ignore:line-length {"ref": "sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700", "expires_on": "2099-01-01T00:00:00Z"}, ], } 
@@ -546,7 +495,6 @@ test_data_errors if { "severity": "failure", }, { - # regal ignore:line-length "message": "trusted_tasks data has unexpected format: additional-properties.0: Additional property spam is not allowed", "severity": "warning", }, @@ -589,27 +537,23 @@ test_denying_pattern if { # Create a task that matches the deny rule denied_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, ]}}} # Should return a list with the pattern that denied it - # regal ignore:line-length patterns := tekton.denying_pattern(denied_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests lib.assert_equal(["oci://quay.io/konflux-ci/tekton-catalog/task-buildah*"], patterns) # Task that doesn't match any deny rule should return empty list non_matching_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length patterns_empty := tekton.denying_pattern(non_matching_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests lib.assert_equal([], patterns_empty) 
@@ -633,13 +577,11 @@ test_denying_pattern_multiple_rules if { # Should match both patterns (both rules match this task) buildah_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length patterns_multi := tekton.denying_pattern(buildah_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as multiple_deny_rules # Should contain both patterns (order may vary) @@ -668,13 +610,11 @@ test_denial_reason if { # Case 1: Matches a deny rule (even though it also matches allow) denied_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length reason_deny := tekton.denial_reason(denied_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests lib.assert_equal("deny_rule", reason_deny.type) 
@@ -683,13 +623,11 @@ test_denial_reason if { # Case 2: Doesn't match any allow rule and isn't in legacy not_allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/untrusted:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "untrusted"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length reason_not_allowed := tekton.denial_reason(not_allowed_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests lib.assert_equal("not_allowed", reason_not_allowed.type) @@ -698,19 +636,16 @@ test_denial_reason if { # Task that matches allow rule should return nothing (it's trusted) allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-something:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-something"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length not tekton.denial_reason(allowed_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests # Task in legacy trusted_tasks but doesn't match allow rules should return "not_allowed" # (denial_reason only works with trusted_task_rules, not legacy) - # regal ignore:line-length reason_legacy := tekton.denial_reason(trusted_bundle_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as trusted_task_rules with ec.oci.image_manifests as _mock_image_manifests with data.trusted_tasks as trusted_tasks 
@@ -729,13 +664,11 @@ test_denial_reason_no_allow_rules if { # Task not in legacy should return nothing (we fall back to legacy, which is empty, but denial_reason # only applies when allow rules exist) untrusted_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/untrusted:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "untrusted"}, {"name": "kind", "value": "task"}, ]}}} - # regal ignore:line-length not tekton.denial_reason(untrusted_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as rules_no_allow } @@ -787,7 +720,6 @@ test_trusted_task_rules_data_errors if { "effective_on": "not-a-date", }]} expected_date := {{ - # regal ignore:line-length "message": "trusted_task_rules data has unexpected format: allow.0.effective_on: Does not match format 'date'", "severity": "failure", }} @@ -826,7 +758,6 @@ test_denying_pattern_invalid_task if { } # Should return empty list (else branch) since task_ref fails - # regal ignore:line-length patterns := tekton.denying_pattern(invalid_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as rules lib.assert_equal([], patterns) } @@ -845,7 +776,6 @@ test_denying_rules_info_empty if { # Task that matches allow rule - denial_reason should be empty allowed_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "task-buildah"}, {"name": "kind", "value": "task"}, 
@@ -855,13 +785,11 @@ test_denying_rules_info_empty if { not tekton.denial_reason(allowed_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as rules_no_deny # denying_pattern should also return empty list (covers line 337) - # regal ignore:line-length patterns := tekton.denying_pattern(allowed_task, _empty_bundle_manifests) with data.rule_data.trusted_task_rules as rules_no_deny lib.assert_equal([], patterns) } trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, @@ -870,21 +798,18 @@ trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ newest_trusted_bundle_task := trusted_bundle_task same_date_trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:5a4eda7e00000000000000000000000000000000000000000000000005a4eda7e"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, ]}}} outdated_trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:007da7edd19e5700000000000000000000000000000000007da7edd19e57"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, ]}}} expired_trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:e001edd19e5700000000000000000000000000000000000000e001edd19e57"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, 
@@ -897,7 +822,6 @@ unpinned_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ ]}}} untrusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/crook:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "crook"}, {"name": "kind", "value": "task"}, 
@@ -1015,99 +939,77 @@ test_version_satisfies_all_rule_constraints if { # Has version constraints and valid semver manifests_1_2_3 := _mock_bundle_manifests("example.com/task:1.0", "1.2.3") - # regal ignore:line-length tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=1.1", "<3"]}, manifests_1_2_3) manifests_1_1_0 := _mock_bundle_manifests("example.com/task:1.0", "1.1.0") - # regal ignore:line-length tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=1.1", "<3"]}, manifests_1_1_0) manifests_1_1_1 := _mock_bundle_manifests("example.com/task:1.0", "v1.1.1") - # regal ignore:line-length tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_1_1_1) manifests_3_0_0 := _mock_bundle_manifests("example.com/task:1.0", "v3.0.0") - # regal ignore:line-length tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<=3"]}, manifests_3_0_0) # Version doesn't match all the constraints manifests_1_5_0 := _mock_bundle_manifests("example.com/task:1.0", "v1.5.0") - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_1_5_0) manifests_v1_1_0 := _mock_bundle_manifests("example.com/task:1.0", "v1.1.0") - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_v1_1_0) manifests_v3_0_0 := _mock_bundle_manifests("example.com/task:1.0", "v3.0.0") - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_v3_0_0) - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": ["<2", ">=1.5.1"]}, manifests_1_5_0) # Invalid inputs - 
should fail manifests_empty := {"example.com/task:1.0": {"annotations": {}}} - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_empty) manifests_invalid := _mock_bundle_manifests("example.com/task:1.0", "invalid") - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_invalid) } test_version_satisfies_any_rule_constraints if { # No version constraints in rule - should always pass - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.2.3"}, {}, _empty_bundle_manifests) # Has version constraints and valid semver manifests_v1_2_3 := _mock_bundle_manifests("example.com/task:1.0", "v1.2.3") - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=1.1", "<3"]}, manifests_v1_2_3) manifests_v1_1_0 := _mock_bundle_manifests("example.com/task:1.0", "v1.1.0") - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=1.1", "<3"]}, manifests_v1_1_0) manifests_v1_1_1 := _mock_bundle_manifests("example.com/task:1.0", "v1.1.1") - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_v1_1_1) manifests_v3_0_0 := _mock_bundle_manifests("example.com/task:1.0", "v3.0.0") - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<=3"]}, manifests_v3_0_0) # Version doesn't match all the constraints, but still passes - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_v1_1_0) - # regal ignore:line-length 
tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">1.1", "<3"]}, manifests_v3_0_0) # Version doesn't match any constraint manifests_v1_5_0 := _mock_bundle_manifests("example.com/task:1.0", "v1.5.0") - # regal ignore:line-length not tekton._version_satisfies_all_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_v1_5_0) - # regal ignore:line-length not tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": ["<1", ">=1.5.1"]}, manifests_v1_5_0) # Missing or invalid version annotation - should return true (deny by default for security) manifests_empty := {"example.com/task:1.0": {"annotations": {}}} - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_empty) manifests_invalid := _mock_bundle_manifests("example.com/task:1.0", "invalid") - # regal ignore:line-length tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": [">=2"]}, manifests_invalid) - # regal ignore:line-length not tekton._version_satisfies_any_rule_constraints({"bundle": "example.com/task:1.0"}, {"versions": ["<1", ">=1.5.1"]}, manifests_v1_5_0) } diff --git a/policy/lib/volatile_config_test.rego b/policy/lib/volatile_config_test.rego index c01d0eff0..5c741ce85 100644 --- a/policy/lib/volatile_config_test.rego +++ b/policy/lib/volatile_config_test.rego @@ -33,7 +33,6 @@ test_warning_threshold_days_default if { } test_warning_threshold_days_custom if { - # regal ignore:line-length lib.assert_equal(lib.warning_threshold_days, 14) with data.rule_data__configuration__.volatile_config_warning_threshold_days as 14 } diff --git a/policy/pipeline/task_bundle/task_bundle_test.rego b/policy/pipeline/task_bundle/task_bundle_test.rego index fff129bb8..0c3eeadfc 100644 --- a/policy/pipeline/task_bundle/task_bundle_test.rego 
+++ b/policy/pipeline/task_bundle/task_bundle_test.rego @@ -57,7 +57,6 @@ test_bundle_reference_valid if { # All good when the most recent bundle is used. test_trusted_bundle_up_to_date if { - # regal ignore:line-length tasks := [{"name": "my-task", "taskRef": {"bundle": "reg.com/repo:v2@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}}] lib.assert_empty(task_bundle.warn) with input.spec.tasks as tasks @@ -71,7 +70,6 @@ test_trusted_bundle_up_to_date if { # All good when the most recent bundle is used for a version that is still maintained test_trusted_bundle_up_to_date_maintained_version if { - # regal ignore:line-length tasks := [{"name": "my-task", "taskRef": {"bundle": "reg.com/repo:v3@sha256:0000000000000000000000000000000000000000000000000000000000000901"}}] lib.assert_empty(task_bundle.warn) with input.spec.tasks as tasks @@ -85,7 +83,6 @@ test_trusted_bundle_up_to_date_maintained_version if { # Warn about out of date bundles that are still trusted. test_trusted_bundle_out_of_date_past if { - # regal ignore:line-length tasks := [{"name": "my-task-1", "taskRef": {"bundle": "reg.com/repo:v2@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd"}}] lib.assert_equal_results(task_bundle.warn, {{ @@ -105,7 +102,6 @@ test_trusted_bundle_out_of_date_past if { # Deny bundles that are no longer active. test_trusted_bundle_expired if { - # regal ignore:line-length tasks := [{"name": "my-task", "taskRef": {"bundle": "reg.com/repo@sha256:def0000000000000000000000000000000000000000000000000000000000def"}}] lib.assert_empty(task_bundle.warn) with input.spec.tasks as tasks 
@@ -114,7 +110,6 @@ test_trusted_bundle_expired if { lib.assert_equal_results(task_bundle.deny, {{ "code": "task_bundle.untrusted_task_bundle", - # regal ignore:line-length "msg": "Pipeline task 'my-task' uses an untrusted task bundle 'reg.com/repo@sha256:def0000000000000000000000000000000000000000000000000000000000def'", }}) with input.spec.tasks as tasks with data.trusted_tasks as trusted_tasks @@ -124,21 +119,15 @@ test_trusted_bundle_expired if { test_ec316 if { tasks := [{ "name": "my-task", - # regal ignore:line-length "taskRef": {"bundle": "registry.io/repository/image:0.3@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, }] trusted_tasks := { - # regal ignore:line-length "oci://registry.io/repository/image:0.1": [{"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2024-02-02T00:00:00Z"}], - # regal ignore:line-length "oci://registry.io/repository/image:0.2": [{"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2024-02-02T00:00:00Z"}], "oci://registry.io/repository/image:0.3": [ - # regal ignore:line-length {"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2024-02-02T00:00:00Z"}, - # regal ignore:line-length {"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2024-01-21T00:00:00Z"}, - # regal ignore:line-length {"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2024-01-21T00:00:00Z"}, ], } 
@@ -161,22 +150,17 @@ test_missing_required_data if { } trusted_tasks := { - # regal ignore:line-length "oci://reg.com/repo:v3": [{"ref": "sha256:0000000000000000000000000000000000000000000000000000000000000901", "effective_on": "2022-04-11T00:00:00Z"}], "oci://reg.com/repo:v2": [ # Latest v2 - # regal ignore:line-length {"ref": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "effective_on": "2022-04-11T00:00:00Z"}, # Older v2 - # regal ignore:line-length {"ref": "sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd", "effective_on": "2022-03-11T00:00:00Z", "expires_on": "2022-04-11T00:00:00Z"}, ], "oci://reg.com/repo:v1": [ # Latest v1 - # regal ignore:line-length {"ref": "sha256:cde0000000000000000000000000000000000000000000000000000000000cde", "effective_on": "2022-02-01T00:00:00Z"}, # Older v1 - # regal ignore:line-length {"ref": "sha256:def0000000000000000000000000000000000000000000000000000000000def", "effective_on": "2021-01-01T00:00:00Z", "expires_on": "2022-02-01T00:00:00Z"}, ], } diff --git a/policy/release/base_image_registries/base_image_registries_test.rego b/policy/release/base_image_registries/base_image_registries_test.rego index 67dc13320..8d466b26c 100644 --- a/policy/release/base_image_registries/base_image_registries_test.rego +++ b/policy/release/base_image_registries/base_image_registries_test.rego @@ -20,7 +20,6 @@ test_allowed_base_images if { "name": "konflux:container:is_base_image", "value": "true", }], - # regal ignore:line-length "purl": "pkg:oci/ubi@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=registry.redhat.io/ubi7", }]}, {"components": [{ @@ -30,7 +29,6 @@ test_allowed_base_images if { "name": "konflux:container:is_builder_image:for_stage", "value": "0", }], - # regal ignore:line-length "purl": "pkg:oci/registry@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=docker.io/library/registry", }]}, ]}] 
@@ -48,7 +46,6 @@ test_allowed_base_images_from_snapshot if { "name": "konflux:container:is_base_image", "value": "true", }], - # regal ignore:line-length "purl": "pkg:oci/ubi@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=registry.redhat.io/ubi7", }]}, {"components": [{ @@ -58,14 +55,12 @@ test_allowed_base_images_from_snapshot if { "name": "konflux:container:is_builder_image:for_stage", "value": "0", }], - # regal ignore:line-length "purl": "pkg:oci/registry@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=docker.io/library/registry", }]}, ]}] snapshot := {"components": [ {"containerImage": "ignored.io/ignore@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, - # regal ignore:line-length {"containerImage": "ignored.dev/ignore:ignore@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd"}, ]} @@ -114,7 +109,6 @@ test_disallowed_base_images if { # Tweak the repository_url so they're no longer allowed # regal ignore:line-length {"op": "replace", "path": "/0/packages/0/externalRefs/0/referenceLocator", "value": "pkg:oci/ignored@sha256:1230000000000000000000000000000000000000000000000000000000000123?repository_url=registry.redhat.blah/ubi7/3"}, - # regal ignore:line-length {"op": "replace", "path": "/0/packages/1/externalRefs/0/referenceLocator", "value": "pkg:oci/ignored@sha256:456?repository_url=registry.redhat.whatever/ubi7/3"}, # Actually these two won't matter, but let's change them anyhow so the name and repository_url are consistent {"op": "replace", "path": "/0/packages/0/name", "value": "registry.redhat.blah/ubi7/3"}, 
@@ -139,7 +133,6 @@ test_disallowed_base_images if { }, { "code": "base_image_registries.base_image_permitted", - # regal ignore:line-length "msg": "Base image \"registry.redhat.blah/ubi7/3@sha256:1230000000000000000000000000000000000000000000000000000000000123\" is from a disallowed registry", "term": "registry.redhat.blah/ubi7/3", }, @@ -162,7 +155,6 @@ test_disallowed_base_images_with_snapshot if { "name": "konflux:container:is_base_image", "value": "true", }], - # regal ignore:line-length "purl": "pkg:oci/ubi@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=registry.redhat.io/ubi7", }]}, {"components": [{ @@ -172,7 +164,6 @@ test_disallowed_base_images_with_snapshot if { "name": "konflux:container:is_builder_image:for_stage", "value": "0", }], - # regal ignore:line-length "purl": "pkg:oci/registry@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=docker.io/library/registry", }]}, ]}] 
@@ -190,32 +181,27 @@ test_disallowed_base_images_with_snapshot if { snapshot := {"components": [ {"containerImage": "ignored.io/ignore@sha256:cba0000000000000000000000000000000000000000000000000000000000cba"}, - # regal ignore:line-length {"containerImage": "ignored.dev/ignore:ignore@sha256:dcb0000000000000000000000000000000000000000000000000000000000dcb"}, ]} expected := { { "code": "base_image_registries.base_image_permitted", - # regal ignore:line-length "msg": "Base image \"docker.io/library/registry@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd\" is from a disallowed registry", "term": "docker.io/library/registry", }, { "code": "base_image_registries.base_image_permitted", - # regal ignore:line-length "msg": "Base image \"registry.redhat.io/ubi7@sha256:abc0000000000000000000000000000000000000000000000000000000000abc\" is from a disallowed registry", "term": "registry.redhat.io/ubi7", }, { "code": "base_image_registries.base_image_permitted", - # regal ignore:line-length "msg": "Base image \"registry.redhat.blah/ubi7/3@sha256:ccc0000000000000000000000000000000000000000000000000000000000ccc\" is from a disallowed registry", "term": "registry.redhat.blah/ubi7/3", }, { "code": "base_image_registries.base_image_permitted", - # regal ignore:line-length "msg": "Base image \"registry.redhat.whatever/ubi7/3@sha256:ddd0000000000000000000000000000000000000000000000000000000000ddd\" is from a disallowed registry", "term": "registry.redhat.whatever/ubi7/3", }, @@ -367,7 +353,6 @@ test_rule_data_validation if { }, { "code": "base_image_registries.allowed_registries_provided", - # regal ignore:line-length "msg": "Rule data allowed_registry_prefixes has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, 
@@ -380,14 +365,12 @@ test_rule_data_validation if { _spdx_sbom := [{"packages": [ { - # regal ignore:line-length "SPDXID": "SPDXRef-image-registry.redhat.io/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", "name": "single-container-app", "downloadLocation": "NOASSERTION", "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/single-container-app@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=registry.redhat.io/single-container-app", }], "annotations": [{ @@ -398,14 +381,12 @@ _spdx_sbom := [{"packages": [ }], }, { - # regal ignore:line-length "SPDXID": "SPDXRef-image-docker.io/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", "name": "single-container-app", "downloadLocation": "NOASSERTION", "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/single-container-app@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=docker.io/single-container-app", }], "annotations": [{ diff --git a/policy/release/buildah_build_task/buildah_build_task_test.rego b/policy/release/buildah_build_task/buildah_build_task_test.rego index 536c84593..917bbb7a9 100644 --- a/policy/release/buildah_build_task/buildah_build_task_test.rego +++ b/policy/release/buildah_build_task/buildah_build_task_test.rego @@ -291,7 +291,6 @@ test_platform_param_disallowed if { ) task2 = tekton_test.with_results(_task2_w_params, _results) - # regal ignore:line-length lib.assert_equal_results(expected, buildah_build_task.deny) with input.attestations as [tekton_test.slsav1_attestation([task1])] with data.rule_data.disallowed_platform_patterns as [".*root.*"] 
@@ -313,7 +312,6 @@ test_plat_patterns_rule_data_validation if { expected := { { "code": "buildah_build_task.disallowed_platform_patterns_pattern", - # regal ignore:line-length "msg": "Rule data disallowed_platform_patterns has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, @@ -454,7 +452,6 @@ _results := [ }, { "name": "IMAGE_URL", - # regal ignore:line-length "value": "quay.io/jstuart/hacbs-docker-build:tag@sha256:0a50000000000000000000000000000000000000000000000000000000000a50", }, ] diff --git a/policy/release/cve/cve_test.rego b/policy/release/cve/cve_test.rego index 607a74c47..c32eeaf4c 100644 --- a/policy/release/cve/cve_test.rego +++ b/policy/release/cve/cve_test.rego @@ -10,16 +10,14 @@ import data.lib_test test_success if { lib.assert_empty(cve.deny | cve.warn) with input.attestations as _no_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob } test_success_with_rule_data if { lib.assert_empty(cve.deny | cve.warn) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data.restrict_cve_security_levels as [] 
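Review bot: The re-indented `with input.image.ref as "registry.io/repository/image@sha256:…"` clause in cve_test.rego repeats the same long literal in every test, starting in this hunk (-10) and recurring at -51, -102, -142, -187, -224, -295, -360 and -423; olm_test.rego does the same at -419 and -438. Defining it once at file scope, `_image_ref := "<the existing literal>"`, and writing `with input.image.ref as _image_ref` keeps these lines short without depending on the raised lint limit. It also gives one place to change the value; `_no_vuln_attestations` and `_with_vuln_attestations` are keyed by the same digest, so it could be shared with them to stop the copies drifting apart. The test bodies continue outside these hunks.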
@@ -51,8 +49,7 @@ test_failure if { } lib.assert_equal_results(cve.deny, expected_deny) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob } @@ -102,8 +99,7 @@ test_failure_with_rule_data if { } lib.assert_equal_results(cve.deny, expected) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data.restrict_cve_security_levels as ["unknown", "low"] @@ -142,8 +138,7 @@ test_failure_with_leeway if { # Violations are updated with an effective_on in the future. lib.assert_equal_results_no_collections(cve.deny, expected_deny) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data.cve_leeway as {"critical": 3} 
@@ -187,8 +182,7 @@ test_failure_with_missing_leeway_data if { # Violations are updated with an effective_on in the future. lib.assert_equal_results_no_collections(cve.deny, expected_deny) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data.cve_leeway as {} @@ -224,8 +218,7 @@ test_warn if { } lib.assert_equal_results(cve.warn, expected) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob } @@ -295,8 +288,7 @@ test_warn_with_rule_data if { } lib.assert_equal_results(cve.warn, expected) with input.attestations as _with_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data.warn_cve_security_levels as ["medium", "low", "unknown"] 
@@ -360,33 +352,28 @@ test_rule_data_provided if { }, { "code": "cve.rule_data_provided", - # regal ignore:line-length "msg": "Rule data restrict_cve_security_levels has unexpected format: 0: 0 must be one of the following: \"critical\", \"high\", \"medium\", \"low\", \"unknown\"", "severity": "failure", }, { "code": "cve.rule_data_provided", - # regal ignore:line-length "msg": "Rule data restrict_unpatched_cve_security_levels has unexpected format: 0: 0 must be one of the following: \"critical\", \"high\", \"medium\", \"low\", \"unknown\"", "severity": "failure", }, { "code": "cve.rule_data_provided", - # regal ignore:line-length "msg": "Rule data warn_cve_security_levels has unexpected format: 0: 0 must be one of the following: \"critical\", \"high\", \"medium\", \"low\", \"unknown\"", "severity": "failure", }, { "code": "cve.rule_data_provided", - # regal ignore:line-length "msg": "Rule data warn_unpatched_cve_security_levels has unexpected format: 0: 0 must be one of the following: \"critical\", \"high\", \"medium\", \"low\", \"unknown\"", "severity": "failure", }, } lib.assert_equal_results(cve.deny, expected) with input.attestations as _no_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data as d 
@@ -423,8 +410,7 @@ test_leeway_rule_data_check if { } lib.assert_equal_results(cve.deny, expected) with input.attestations as _no_vuln_attestations - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_manifest with ec.oci.blob as _mock_blob with data.rule_data as d @@ -488,9 +474,7 @@ _manifests := { } _blobs := { - # regal ignore:line-length "registry.io/repository/image@sha256:4e007b10bd19e5700000000000000000000000004e007b10bd19e57": json.marshal(_clair_report), - # regal ignore:line-length "registry.io/repository/image@sha256:00001e4ab10bd19e5700000000000001e4ab10bd19e57": json.marshal({"vulnerabilities": {}}), } @@ -500,10 +484,8 @@ _mock_blob(ref) := _blobs[ref] _bundle := "registry.img/spam@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb" -# regal ignore:line-length _no_vuln_attestations := _attestations_with_reports({"sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57": "sha256:00001e4a0007d19e5700000000000000000001e4a0007d19e57"}) -# regal ignore:line-length _with_vuln_attestations := _attestations_with_reports({"sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57": "sha256:4e007d19e570000000000000000000000000000000004e007d19e57"}) _attestations_with_reports(reports) := attestations if { diff --git a/policy/release/external_parameters/external_parameters_test.rego b/policy/release/external_parameters/external_parameters_test.rego index c83a2071a..a3a8a51d7 100644 --- a/policy/release/external_parameters/external_parameters_test.rego +++ b/policy/release/external_parameters/external_parameters_test.rego 
@@ -10,11 +10,9 @@ test_success if { } test_pipeline_run_params_missing_params if { - # regal ignore:line-length provenance := json.remove(good_provenance, ["/statement/predicate/buildDefinition/externalParameters/runSpec/params/0"]) expected := {{ "code": "external_parameters.pipeline_run_params", - # regal ignore:line-length "msg": `PipelineRun params, {"git-revision", "output-image"}, do not match expectation, {"git-repo", "git-revision", "output-image"}.`, }} lib.assert_equal_results(external_parameters.deny, expected) with input.attestations as [provenance] @@ -28,7 +26,6 @@ test_pipeline_run_params_empty_values if { }]) expected := {{ "code": "external_parameters.pipeline_run_params", - # regal ignore:line-length "msg": `PipelineRun params, {"git-revision", "output-image"}, do not match expectation, {"git-repo", "git-revision", "output-image"}.`, }} lib.assert_equal_results(external_parameters.deny, expected) with input.attestations as [provenance] diff --git a/policy/release/git_branch/git_branch_test.rego b/policy/release/git_branch/git_branch_test.rego index a96db3d50..526766aca 100644 --- a/policy/release/git_branch/git_branch_test.rego +++ b/policy/release/git_branch/git_branch_test.rego @@ -5,7 +5,6 @@ import data.lib import rego.v1 single_test_case(branch, expected_results) if { - # regal ignore:line-length mock_input := {"attestations": [{"statement": {"predicate": {"buildConfig": {"tasks": [{"invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/target_branch": branch}}}}]}}}}]} mock_rule_data := [ diff --git a/policy/release/github_certificate/github_certificate_test.rego b/policy/release/github_certificate/github_certificate_test.rego index a2e47a69f..39de7f5b1 100644 --- a/policy/release/github_certificate/github_certificate_test.rego +++ b/policy/release/github_certificate/github_certificate_test.rego 
@@ -138,25 +138,21 @@ test_rule_data_provided if { }, { "code": "github_certificate.rule_data_provided", - # regal ignore:line-length "msg": "Rule data allowed_gh_workflow_repos has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "github_certificate.rule_data_provided", - # regal ignore:line-length "msg": "Rule data allowed_gh_workflow_refs has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "github_certificate.rule_data_provided", - # regal ignore:line-length "msg": "Rule data allowed_gh_workflow_names has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "github_certificate.rule_data_provided", - # regal ignore:line-length "msg": "Rule data allowed_gh_workflow_triggers has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, diff --git a/policy/release/hermetic_task/hermetic_task_test.rego b/policy/release/hermetic_task/hermetic_task_test.rego index 1e3146df6..09d95a770 100644 --- a/policy/release/hermetic_task/hermetic_task_test.rego +++ b/policy/release/hermetic_task/hermetic_task_test.rego @@ -38,7 +38,6 @@ test_not_hermetic_task if { lib.assert_equal_results(expected, hermetic_task.deny) with input.attestations as [hermetic_not_true] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] - # regal ignore:line-length hermetic_missing := json.remove(_good_attestation, ["/statement/predicate/buildConfig/tasks/0/invocation/parameters/HERMETIC"]) lib.assert_equal_results(expected, hermetic_task.deny) with input.attestations as [hermetic_missing] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] 
@@ -68,7 +67,6 @@ test_many_hermetic_tasks if { {"name": "IMAGE_URL", "value": "registry/repo"}, {"name": "IMAGE_DIGEST", "value": "digest"}, ], - # regal ignore:line-length "ref": {"kind": "Task", "name": "buildah", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": {"HERMETIC": "true"}}, } @@ -78,7 +76,6 @@ test_many_hermetic_tasks if { {"name": "IMAGE_URL", "value": "registry/repo"}, {"name": "IMAGE_DIGEST", "value": "digest"}, ], - # regal ignore:line-length "ref": {"kind": "Task", "name": "run-script-oci-ta", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": {"HERMETIC": "true"}}, } @@ -134,7 +131,6 @@ test_many_hermetic_tasks if { "msg": "Task 'buildah' was not invoked with the hermetic parameter set", }} - # regal ignore:line-length lib.assert_equal_results(expected_mixed_hermetic_1, hermetic_task.deny) with input.attestations as [attestation_mixed_hermetic_1] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] @@ -157,7 +153,6 @@ test_many_hermetic_tasks if { "msg": "Task 'run-script-oci-ta' was not invoked with the hermetic parameter set", }} - # regal ignore:line-length lib.assert_equal_results(expected_mixed_hermetic_2, hermetic_task.deny) with input.attestations as [attestation_mixed_hermetic_2] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] @@ -181,7 +176,6 @@ test_many_hermetic_tasks if { slsav1_attestation_mixed_hermetic := tekton_test.slsav1_attestation([slsav1_task1_mixed, slsav1_task2_mixed]) - # regal ignore:line-length lib.assert_equal_results(expected_mixed_hermetic_2, hermetic_task.deny) with input.attestations as [slsav1_attestation_mixed_hermetic] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] 
@@ -217,7 +211,6 @@ test_many_hermetic_tasks if { }, } - # regal ignore:line-length lib.assert_equal_results(expected_non_hermetic, hermetic_task.deny) with input.attestations as [attestation_non_hermetic] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] @@ -244,7 +237,6 @@ test_many_hermetic_tasks if { slsav1_task2_non_hermetic, ]) - # regal ignore:line-length lib.assert_equal_results(expected_non_hermetic, hermetic_task.deny) with input.attestations as [slsav1_attestation_non_hermetic] with data.rule_data.required_hermetic_tasks as ["buildah", "run-script-oci-ta"] } @@ -276,7 +268,6 @@ _good_attestation := {"statement": { {"name": "IMAGE_URL", "value": "registry/repo"}, {"name": "IMAGE_DIGEST", "value": "digest"}, ], - # regal ignore:line-length "ref": {"kind": "Task", "name": "buildah", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": {"HERMETIC": "true"}}, }]}, diff --git a/policy/release/labels/labels_test.rego b/policy/release/labels/labels_test.rego index fb69b967e..58f003928 100644 --- a/policy/release/labels/labels_test.rego +++ b/policy/release/labels/labels_test.rego @@ -11,7 +11,6 @@ import data.lib # mock implementations: _mock_image_manifest and _mock_blob return the data the # test requires the image reference is constructed such that it contains a # serialized array of JSON patches following the # sign in the image reference, -# regal ignore:line-length # e.g.: registry.io/repository/image@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700#[{"op": ...}]. # There are several helper functions to allow for readability and somewhat for # maintainability of the tests: 
@@ -146,7 +145,6 @@ test_required_image_labels_with_values if { test_fbc_required_image_labels_with_values if { expected := {{ "code": "labels.required_labels", - # regal ignore:line-length "msg": "The \"fbc.vendor\" label has an unexpected \"DeVille, Inc.\" value. Must be one of: Acme, Inc., Goodfellas, Inc.", "term": "fbc.vendor", }} @@ -516,7 +514,6 @@ test_rule_data_provided if { }, { "code": "labels.rule_data_provided", - # regal ignore:line-length "msg": "Rule data disallowed_inherited_labels has unexpected format: 0: Invalid type. Expected: object, given: integer", "severity": "failure", }, @@ -527,7 +524,6 @@ test_rule_data_provided if { }, { "code": "labels.rule_data_provided", - # regal ignore:line-length "msg": "Rule data fbc_disallowed_inherited_labels has unexpected format: 0: Invalid type. Expected: object, given: integer", "severity": "failure", }, @@ -584,7 +580,6 @@ test_strip_digest if { lib.assert_equal("foo", labels._strip_digest("foo@bar")) lib.assert_equal("foo:latest", labels._strip_digest("foo:latest@bar")) - # regal ignore:line-length lib.assert_equal("registry.io/registry/image", labels._strip_digest("registry.io/registry/image@sha256:ace0fba5e0000000000000000000000000000000000000000000000ace0fba5e")) } @@ -635,7 +630,6 @@ _test_ref_patches(patches) := sprintf("%s@%s", [ _test_digest(patches), ]) -# regal ignore:line-length _test_digest(patches) := sprintf("sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57#%s", [json.marshal(patches)]) _config(patches) := { diff --git a/policy/release/lib/attestations_test.rego b/policy/release/lib/attestations_test.rego index adca16176..1995b3502 100644 --- a/policy/release/lib/attestations_test.rego +++ b/policy/release/lib/attestations_test.rego 
@@ -483,7 +483,6 @@ test_pipelinerun_attestations_multiple_v1_missing_timestamp if { _task_base, [ {"name": "IMAGE_URL", "type": "string", "value": "quay.io/test/image:tag"}, - # regal ignore:line-length {"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc1230000000000000000000000000000000000000000000000000000abc123"}, ], ) @@ -506,7 +505,6 @@ test_pipelinerun_attestations_mixed_formats if { _task_base, [ {"name": "IMAGE_URL", "type": "string", "value": "quay.io/test/image:tag"}, - # regal ignore:line-length {"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc1230000000000000000000000000000000000000000000000000000abc123"}, ], ) @@ -563,7 +561,6 @@ test_pipelinerun_attestations_v1_single_no_timestamp if { _task_base, [ {"name": "IMAGE_URL", "type": "string", "value": "quay.io/test/image:tag"}, - # regal ignore:line-length {"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc1230000000000000000000000000000000000000000000000000000abc123"}, ], ) diff --git a/policy/release/olm/olm.rego b/policy/release/olm/olm.rego index 265191fa0..276ae1946 100644 --- a/policy/release/olm/olm.rego +++ b/policy/release/olm/olm.rego @@ -297,7 +297,6 @@ deny contains result if { some unmatched_image in unmatched_image_refs not ec.oci.image_manifest(image.str(unmatched_image.ref)) - # regal ignore:line-length result := lib.result_helper_with_term(rego.metadata.chain(), [image.str(unmatched_image.ref)], image.str(unmatched_image.ref)) } @@ -427,7 +426,6 @@ _related_images(tested_image) := [e | # Finds all image references and their locations (paths). Returns all image # references (parsed into components) found in locations as specified by: -# regal ignore:line-length # https://github.com/containerbuildsystem/operator-manifest/blob/f24cd9374f5ad9fed04f47701acffa16837d940e/README.md#pull-specifications # and https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations all_image_ref(manifest) := [e | 
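Review bot: In the olm.rego `deny` rule at -297, `image.str(unmatched_image.ref)` is written three times: once in the `not ec.oci.image_manifest(...)` check and twice in the `result` line that previously carried the line-length ignore. Binding it once before the check, `ref_str := image.str(unmatched_image.ref)`, and then using `result := lib.result_helper_with_term(rego.metadata.chain(), [ref_str], ref_str)` shortens the line and makes it explicit that the reference reported is the one that was checked. The rule's head and earlier body lines are outside the hunk.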
diff --git a/policy/release/olm/olm_test.rego b/policy/release/olm/olm_test.rego index ab18c068f..565410bf9 100644 --- a/policy/release/olm/olm_test.rego +++ b/policy/release/olm/olm_test.rego @@ -19,10 +19,8 @@ pinned2 := "registry.io/repository/image2@sha256:7ea0000000000000000000000000000 pinned3 := "registry.io/repository/image3@sha256:c0ffee0000000000000000000000000000000000000000000000000000c0ffee" -# regal ignore:line-length pinned_ref := {"digest": "sha256:cafe000000000000000000000000000000000000000000000000000000cafe00", "repo": "registry.io/repository/image", "tag": ""} -# regal ignore:line-length pinned_ref2 := {"digest": "sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0", "repo": "registry.io/repository/image2", "tag": ""} component0 := { @@ -70,7 +68,6 @@ manifest := { "features.operators.openshift.io/token-auth-gcp": "false", "operators.openshift.io/valid-subscription": `["spam"]`, "alm-examples": `"endpoint": "http://example:4317" spam`, - # regal ignore:line-length "features.operators.image": `{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"openshift-workload-availability","annotations":{"openshift.io/node-selector":""}}}`, }}, "spec": { @@ -130,17 +127,14 @@ test_all_image_ref if { "ref": pinned_ref, }, { - # regal ignore:line-length "path": `spec.install.spec.deployments[0 ("unnamed")].spec.template.spec.initContainers[0 ("i1")].image`, "ref": pinned_ref, }, { - # regal ignore:line-length "path": `spec.install.spec.deployments[0 ("unnamed")].spec.template.spec.containers[0 ("c1")].env["RELATED_IMAGE_C1"]`, "ref": pinned_ref, }, { - # regal ignore:line-length "path": `spec.install.spec.deployments[0 ("unnamed")].spec.template.spec.initContainers[0 ("i1")].env["RELATED_IMAGE_E1"]`, "ref": pinned_ref, }, 
@@ -172,7 +166,6 @@ test_related_img_unpinned if { expected = {{ "code": "olm.unpinned_references", - # regal ignore:line-length "msg": `The "registry.io/repository:tag" image reference is not pinned at spec.install.spec.deployments[0 ("unnamed")].spec.template.spec.containers[0 ("c1")].env["RELATED_IMAGE_C1"].`, "term": "registry.io/repository:tag", }} @@ -194,13 +187,11 @@ test_feature_annotations_format if { expected := { { "code": "olm.feature_annotations_format", - # regal ignore:line-length "msg": "The annotation \"features.operators.openshift.io/disconnected\" is either missing or has an unexpected value", "term": "features.operators.openshift.io/disconnected", }, { "code": "olm.feature_annotations_format", - # regal ignore:line-length "msg": "The annotation \"features.operators.openshift.io/fips-compliant\" is either missing or has an unexpected value", "term": "features.operators.openshift.io/fips-compliant", }, @@ -211,7 +202,6 @@ test_feature_annotations_format if { }, { "code": "olm.feature_annotations_format", - # regal ignore:line-length "msg": "The annotation \"features.operators.openshift.io/tls-profiles\" is either missing or has an unexpected value", "term": "features.operators.openshift.io/tls-profiles", }, @@ -244,7 +234,6 @@ test_feature_annotations_format_custom_rule_data if { test_required_olm_features_annotations_provided if { expected_empty := {{ "code": "olm.required_olm_features_annotations_provided", - # regal ignore:line-length "msg": "Rule data required_olm_features_annotations has unexpected format: (Root): Array must have at least 1 items", "severity": "failure", }} @@ -280,7 +269,6 @@ test_required_olm_features_annotations_provided if { }, { "code": "olm.required_olm_features_annotations_provided", - # regal ignore:line-length "msg": "Rule data required_olm_features_annotations has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, 
@@ -344,19 +332,16 @@ test_subscriptions_annotation_format if { }, { "code": "olm.subscriptions_annotation_format", - # regal ignore:line-length "msg": "Value of operators.openshift.io/valid-subscription annotation is invalid: (Root): Array must have at least 1 items", "severity": "failure", }, { "code": "olm.subscriptions_annotation_format", - # regal ignore:line-length "msg": "Value of operators.openshift.io/valid-subscription annotation is invalid: (Root): array items[0,1] must be unique", "severity": "failure", }, { "code": "olm.subscriptions_annotation_format", - # regal ignore:line-length "msg": "Value of operators.openshift.io/valid-subscription annotation is invalid: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, @@ -377,8 +362,7 @@ test_unpinned_snapshot_references_operator if { lib.assert_equal_results(olm.deny, expected) with input.snapshot.components as [unpinned_component, component1] with data.rule_data.pipeline_intention as "release" with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"] - # regal ignore:line-length -with ec.oci.image_manifest as `{"config": {"digest": "sha256:90a7000000000000000000000000000000000000000000000000000000090a70"}}` + with ec.oci.image_manifest as `{"config": {"digest": "sha256:90a7000000000000000000000000000000000000000000000000000000090a70"}}` with input.image.ref as unpinned_component.containerImage with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"] } 
@@ -387,15 +371,13 @@ test_unpinned_snapshot_references_different_input if { lib.assert_empty(olm.deny) with input.snapshot.components as [unpinned_component] with data.rule_data.pipeline_intention as "release" with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"] - # regal ignore:line-length -with ec.oci.image_manifest as `{"config": {"digest": "sha256:90a7000000000000000000000000000000000000000000000000000000090a70"}}` + with ec.oci.image_manifest as `{"config": {"digest": "sha256:90a7000000000000000000000000000000000000000000000000000000090a70"}}` with input.image.ref as pinned2 } test_unmapped_references_in_operator if { expected := {{ "code": "olm.unmapped_references", - # regal ignore:line-length "msg": "The \"registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0\" CSV image reference is not in the snapshot or accessible.", "term": "registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0", }} @@ -419,8 +401,7 @@ test_unpinned_related_images if { with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"] with input.snapshot.components as [component0] with input.attestations as _with_related_images - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_unpinned_image_partial with ec.oci.blob as _mock_unpinned_blob with ec.oci.descriptor as mock_ec_oci_image_descriptor 
@@ -429,7 +410,6 @@ with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e57000000 test_inaccessible_related_images if { expected_deny := {{ "code": "olm.inaccessible_related_images", - # regal ignore:line-length "msg": "The \"registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0\" related image reference is not accessible.", "term": "registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0", }} @@ -438,8 +418,7 @@ test_inaccessible_related_images if { with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"] with input.snapshot.components as [component1] with input.attestations as _with_related_images - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_partial with ec.oci.blob as _mock_blob with ec.oci.descriptor as mock_ec_oci_image_descriptor 
@@ -451,14 +430,12 @@ mock_ec_oci_image_descriptor("registry.io/repository/image@sha256:cafe0000000000 # regal ignore:line-length mock_ec_oci_image_descriptor("registry.io/repository/image3@sha256:c0ffee0000000000000000000000000000000000000000000000000000c0ffee") := `{"config": {"digest": "sha256:c0ffee0000000000000000000000000000000000000000000000000000c0ffee"}}` -# regal ignore:line-length mock_ec_oci_image_descriptor("registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0") := false mock_ec_oci_image_descriptor("registry.io/repo/msd:latest") := `{"config": {"digest": ""}}` test_olm_ci_pipeline if { # Make sure no violations are thrown if it isn't a release pipeline - # regal ignore:line-length lib.assert_equal(false, lib.pipeline_intention_match(rego.metadata.chain())) with data.rule_data as {"pipeline_intention": null} } @@ -466,7 +443,6 @@ test_mock_cafe_descriptor if { # Test case that uses the mock_ec_oci_image_descriptor for cafe image expected := `{"config": {"digest": "sha256:cafe000000000000000000000000000000000000000000000000000000cafe00"}}` - # regal ignore:line-length lib.assert_equal(mock_ec_oci_image_descriptor("registry.io/repository/image@sha256:cafe000000000000000000000000000000000000000000000000000000cafe00"), expected) } @@ -492,7 +468,6 @@ test_bundle_image_index if { expected_deny := {{ "code": "olm.olm_bundle_multi_arch", - # regal ignore:line-length "msg": "The \"registry.io/repository/image@sha256:cafe000000000000000000000000000000000000000000000000000000cafe00\" bundle image is a multi-arch reference.", "term": "registry.io/repository/image@sha256:cafe000000000000000000000000000000000000000000000000000000cafe00", }} 
@@ -510,13 +485,11 @@ test_unallowed_registries if { expected := { { "code": "olm.allowed_registries", - # regal ignore:line-length "msg": "The \"registry.io/repository/image@sha256:cafe000000000000000000000000000000000000000000000000000000cafe00\" CSV image reference is not from an allowed registry.", "term": "registry.io/repository/image", }, { "code": "olm.allowed_registries", - # regal ignore:line-length "msg": "The \"registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0\" CSV image reference is not from an allowed registry.", "term": "registry.io/repository/image2", }, @@ -534,19 +507,16 @@ test_allowed_registries_related if { expected_deny := { { "code": "olm.allowed_registries_related", - # regal ignore:line-length "msg": "The \"registry.io/repository/image@sha256:cafe000000000000000000000000000000000000000000000000000000cafe00\" related image reference is not from an allowed registry.", "term": "registry.io/repository/image", }, { "code": "olm.allowed_registries_related", - # regal ignore:line-length "msg": "The \"registry.io/repository/image2@sha256:7ea0000000000000000000000000000000000000000000000000000000007ea0\" related image reference is not from an allowed registry.", "term": "registry.io/repository/image2", }, { "code": "olm.allowed_registries_related", - # regal ignore:line-length "msg": "The \"registry.io/repository/image3@sha256:c0ffee0000000000000000000000000000000000000000000000000000c0ffee\" related image reference is not from an allowed registry.", "term": "registry.io/repository/image3", }, 
@@ -556,8 +526,7 @@ test_allowed_registries_related if { with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.access.redhat.com", "registry.redhat.io"] with input.snapshot.components as [component1, component2, component3] with input.attestations as _with_related_images - # regal ignore:line-length -with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" + with input.image.ref as "registry.io/repository/image@sha256:14a9ed19e570000000000000000000000000000000000000000014a9ed19e57" with ec.oci.image_manifest as _mock_image_all with ec.oci.blob as _mock_blob with ec.oci.descriptor as mock_ec_oci_image_descriptor @@ -598,7 +567,6 @@ _manifests_unpinned := { "registry.io/repository/image@sha256:d05a000000000000000000000000000000000000000000000000000000d05a00": {"config": {"digest": "sha256:d05a000000000000000000000000000000000000000000000000000000d05a00"}}, } -# regal ignore:line-length _blobs := {"registry.io/repository/image@sha256:4e1a7edb10bd19e57000000000000000000000004e1a7edb10bd19e57": json.marshal(_related_images)} unpinned_blob_key := "registry.io/repository/image@sha256:4e1a7ed00100b10bd19e57000000004e1a7ed00100b10bd19e57" @@ -617,7 +585,6 @@ _mock_unpinned_blob(ref) := _unpinned_blobs[ref] _bundle := "registry.img/spam@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb" -# regal ignore:line-length _with_related_images := _attestations_with_attachment("sha256:4e1a7edd19e5700000000000000000000000000000004e1a7edd19e57") _attestations_with_attachment(attachment) := attestations if { 
@@ -644,7 +611,6 @@ _attestations_with_attachment(attachment) := attestations if { } test_image_ref_with_digest if { - # regal ignore:line-length img := {"repo": "registry.io/repo", "digest": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc", "tag": "latest"} expected := "registry.io/repo@sha256:abc0000000000000000000000000000000000000000000000000000000000abc" lib.assert_equal(olm._image_ref(img), expected) diff --git a/policy/release/pre_build_script_task/pre_build_script_task_test.rego b/policy/release/pre_build_script_task/pre_build_script_task_test.rego index 7c2514984..af7c1c7ff 100644 --- a/policy/release/pre_build_script_task/pre_build_script_task_test.rego +++ b/policy/release/pre_build_script_task/pre_build_script_task_test.rego 
@@ -6,44 +6,36 @@ import data.lib import data.pre_build_script_task test_good_pre_build_script_tasks if { - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [_good_attestation, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} good_attestation_with_image_index := json.patch(_good_attestation, [{ "op": "add", "path": "/statement/predicate/buildConfig/tasks/2", "value": { "name": "run-script-oci-ta-3", - # regal ignore:line-length "ref": {"kind": "Task", "name": "run-script-oci-ta", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": { "SCRIPT": "/some-other-script.sh", - # regal ignore:line-length "SCRIPT_RUNNER_IMAGE": "quay.io/konflux-ci/bazel6-ubi9@sha256:007105b04000000000000000000000000000000000000000007105b04000", }}, - # regal ignore:line-length "results": [{"name": "SCRIPT_RUNNER_IMAGE_REFERENCE", "value": "quay.io/konflux-ci/bazel6-ubi9@sha256:007105b04000000000000000000000000000000000000000007105b04000"}], }, }]) image_manifest := {"mediaType": "application/vnd.oci.image.index.v1+json"} - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [good_attestation_with_image_index, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as image_manifest - # regal ignore:line-length -with input.image as {"ref": 
"registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } test_disallowed_script_task_runner_image if { expected := {{ "code": "pre_build_script_task.pre_build_script_task_runner_image_allowed", - # regal ignore:line-length "msg": "Pre-Build-Script task runner image \"malicious.io/img:latest@sha256:abc0000000000000000000000000000000000000000000000000000000000abc\" is from a disallowed registry", "term": "malicious.io/img", }} @@ -54,12 +46,10 @@ test_disallowed_script_task_runner_image if { "value": "malicious.io/img:latest@sha256:abc0000000000000000000000000000000000000000000000000000000000abc", }]) - # regal ignore:line-length lib.assert_equal_results(expected, pre_build_script_task.deny) with input.attestations as [disallowed_image, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } test_pre_build_image_not_in_task_result if { 
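Review bot: The re-indented `with input.image as {"ref": "registry.io/repository/image@sha256:284e3029…"}` line repeats the same object literal in `test_good_pre_build_script_tasks` and `test_disallowed_script_task_runner_image`, and again in the later hunks of this file through `test_pre_build_image_reference_is_not_valid`. Defining it once at file level, e.g. `_image := {"ref": "<existing image ref>"}`, and writing `with input.image as _image` would shorten every call site. It would also guarantee that all tests evaluate the policy against the same subject image, so a later edit to one copy cannot silently diverge from the rest.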
@@ -73,28 +63,22 @@ test_pre_build_image_not_in_task_result if { "path": "/statement/predicate/buildConfig/tasks/0/results/0", }]) - # regal ignore:line-length lib.assert_equal_results(expected, pre_build_script_task.deny) with input.attestations as [attestation_missing_task_result, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } test_pre_build_image_in_sbom if { - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [_good_attestation, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [_good_attestation, _spdx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } 
test_pre_build_image_in_sbom_ignoring_tag if { @@ -108,30 +92,24 @@ test_pre_build_image_in_sbom_ignoring_tag if { { "op": "replace", "path": "/statement/predicate/buildConfig/tasks/1/results/0/value", - # regal ignore:line-length "value": "quay.io/konflux-ci/bazel6-ubi9:latest@sha256:def0000000000000000000000000000000000000000000000000000000000def", }, ]) - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [good_attestation_with_tag_in_image_ref, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} - # regal ignore:line-length lib.assert_empty(pre_build_script_task.deny) with input.attestations as [good_attestation_with_tag_in_image_ref, _spdx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } test_pre_build_image_not_in_sbom if { expected := {{ "code": "pre_build_script_task.pre_build_script_task_runner_image_in_sbom", - # regal ignore:line-length "msg": "Pre-Build-Script task runner image \"registry.redhat.io/ubi7@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd\" is not in the SBOM", }} 
@@ -140,30 +118,25 @@ test_pre_build_image_not_in_sbom if { "path": "/statement/predicate/components/1", }]) - # regal ignore:line-length lib.assert_equal_results(expected, pre_build_script_task.deny) with input.attestations as [_good_attestation, incomplete_cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} incomplete_spdx_sbom_attestation := json.patch(_spdx_sbom_attestation, [{ "op": "remove", "path": "/statement/predicate/packages/0/externalRefs/1", }]) - # regal ignore:line-length lib.assert_equal_results(expected, pre_build_script_task.deny) with input.attestations as [_good_attestation, incomplete_spdx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } test_pre_build_image_reference_is_not_valid if { expected := {{ "code": "pre_build_script_task.valid_pre_build_script_task_runner_image_ref", - # regal ignore:line-length "msg": "Pre-Build-Script task runner image \"not-a-valid-image-ref\" is not a valid image reference", }} 
@@ -173,12 +146,10 @@ test_pre_build_image_reference_is_not_valid if { "value": "not-a-valid-image-ref", }]) - # regal ignore:line-length lib.assert_equal_results(expected, pre_build_script_task.deny) with input.attestations as [invalid_prebuild_img_attestation, _cyclonedx_sbom_attestation] with data.rule_data.allowed_registry_prefixes as _allowed_registries with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"} - # regal ignore:line-length -with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} + with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"} } _good_attestation := {"statement": { 
@@ -188,26 +159,20 @@ _good_attestation := {"statement": { "buildConfig": {"tasks": [ { "name": "run-script-oci-ta-1", - # regal ignore:line-length "ref": {"kind": "Task", "name": "run-script-oci-ta", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": { "SCRIPT": "/some-script.sh", - # regal ignore:line-length "SCRIPT_RUNNER_IMAGE": "registry.redhat.io/ubi7@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd", }}, - # regal ignore:line-length "results": [{"name": "SCRIPT_RUNNER_IMAGE_REFERENCE", "value": "registry.redhat.io/ubi7@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd"}], }, { "name": "run-script-oci-ta-2", - # regal ignore:line-length "ref": {"kind": "Task", "name": "run-script-oci-ta", "bundle": "reg.img/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}, "invocation": {"parameters": { "SCRIPT": "/some-other-script.sh", - # regal ignore:line-length "SCRIPT_RUNNER_IMAGE": "quay.io/konflux-ci/bazel6-ubi9@sha256:def0000000000000000000000000000000000000000000000000000000000def", }}, - # regal ignore:line-length "results": [{"name": "SCRIPT_RUNNER_IMAGE_REFERENCE", "value": "quay.io/konflux-ci/bazel6-ubi9@sha256:def0000000000000000000000000000000000000000000000000000000000def"}], }, ]}, 
@@ -222,20 +187,17 @@ _spdx_sbom_attestation := {"statement": { { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=example.com/org/spam", }, { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/ubi7@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=registry.redhat.io/ubi7", }, { # Intentionally different referenceCategory here "referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/bazel6-ubi9@sha256:def0000000000000000000000000000000000000000000000000000000000def?repository_url=quay.io/konflux-ci/bazel6-ubi9", }, ]}]}, @@ -244,11 +206,8 @@ _spdx_sbom_attestation := {"statement": { _cyclonedx_sbom_attestation := {"statement": { "predicateType": "https://cyclonedx.org/bom", "predicate": {"components": [ - # regal ignore:line-length {"purl": "pkg:oci/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc?repository_url=example.com/org/spam"}, - # regal ignore:line-length {"purl": "pkg:oci/ubi7@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd?repository_url=registry.redhat.io/ubi7"}, - # regal ignore:line-length {"purl": "pkg:oci/bazel6-ubi9@sha256:def0000000000000000000000000000000000000000000000000000000000def?repository_url=quay.io/konflux-ci/bazel6-ubi9"}, ]}, }} diff --git a/policy/release/provenance_materials/provenance_materials_test.rego b/policy/release/provenance_materials/provenance_materials_test.rego index 52f503561..a9ef85d57 100644 --- a/policy/release/provenance_materials/provenance_materials_test.rego +++ b/policy/release/provenance_materials/provenance_materials_test.rego 
@@ -121,7 +121,6 @@ test_commit_mismatch if { expected := {{ "code": "provenance_materials.git_clone_source_matches_provenance", - # regal ignore:line-length "msg": `Entry in materials for the git repo "git+https://gitforge/repo.git" and commit "b10a8c637a91f427576eb0a4f39f1766c7987385" not found`, }} lib.assert_equal_results(expected, provenance_materials.deny) with input.attestations as [_mock_attestation_v02(tasks)] @@ -166,7 +165,6 @@ test_commit_and_url_mismatch if { expected := {{ "code": "provenance_materials.git_clone_source_matches_provenance", - # regal ignore:line-length "msg": `Entry in materials for the git repo "git+https://shady/repo.git" and commit "b10a8c637a91f427576eb0a4f39f1766c7987385" not found`, }} lib.assert_equal_results(expected, provenance_materials.deny) with input.attestations as [_mock_attestation_v02(tasks)] @@ -206,12 +204,10 @@ test_provenance_many_git_clone_tasks if { # one task's cloned digest doesn't match expected := {{ "code": "provenance_materials.git_clone_source_matches_provenance", - # regal ignore:line-length "msg": `Entry in materials for the git repo "git+https://gitforge/repo.git" and commit "big-bada-boom" not found`, }} # v0.2: patch buildConfig/tasks - # regal ignore:line-length lib.assert_equal_results(expected, provenance_materials.deny) with input.attestations as [json.patch(attestation_v02, [{ "op": "replace", "path": "/statement/predicate/buildConfig/tasks/0/results/1/value", diff --git a/policy/release/rpm_ostree_task/rpm_ostree_task_test.rego b/policy/release/rpm_ostree_task/rpm_ostree_task_test.rego index c8dd55905..f8f0402bf 100644 --- a/policy/release/rpm_ostree_task/rpm_ostree_task_test.rego +++ b/policy/release/rpm_ostree_task/rpm_ostree_task_test.rego 
@@ -14,7 +14,6 @@ test_success if { "buildConfig": {"tasks": [{ "name": "rpm-ostree-p", "ref": {"kind": "Task", "name": "rpm-ostree"}, - # regal ignore:line-length "invocation": {"parameters": {"BUILDER_IMAGE": "registry.local/builder:v0.2@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}}, }]}, }, @@ -52,7 +51,6 @@ test_builder_image_param_failures if { { "name": "rpm-ostree-2", "ref": {"kind": "Task", "name": "rpm-ostree"}, - # regal ignore:line-length "invocation": {"parameters": {"BUILDER_IMAGE": "registry.local/deprecated:v0.2@sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}}, }, ]}, @@ -101,13 +99,11 @@ test_builder_image_param_failures if { # Prefix not allowed { "code": "rpm_ostree_task.builder_image_param", - # regal ignore:line-length "msg": "BUILDER_IMAGE \"registry.local/spam:v0.2\" does not start with a pre-approved prefix: registry.local/builder, registry.local/deprecated", "effective_on": "2024-03-20T00:00:00Z", }, { "code": "rpm_ostree_task.builder_image_param", - # regal ignore:line-length "msg": "BUILDER_IMAGE \"registry.local/spam:v1.0\" does not start with a pre-approved prefix: registry.local/builder, registry.local/deprecated", "effective_on": "2024-03-20T00:00:00Z", }, @@ -148,13 +144,11 @@ test_rule_data_failures if { expected := { { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 0: Invalid type. Expected: object, given: array", "severity": "failure", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 0: Must validate at least one schema (anyOf)", "severity": "failure", }, 
@@ -165,37 +159,31 @@ test_rule_data_failures if { }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 1: Must validate at least one schema (anyOf)", "severity": "failure", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 2: Additional property spam is not allowed", "severity": "warning", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 2: Must validate at least one schema (anyOf)", "severity": "failure", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 3.expires_on: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 3.value: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "rpm_ostree_task.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_rpm_ostree_builder_image_prefixes has unexpected format: 3: Must validate at least one schema (anyOf)", "severity": "failure", }, diff --git a/policy/release/rpm_packages/rpm_packages_test.rego b/policy/release/rpm_packages/rpm_packages_test.rego index cec66ebe1..0244850cd 100644 --- a/policy/release/rpm_packages/rpm_packages_test.rego +++ b/policy/release/rpm_packages/rpm_packages_test.rego 
@@ -161,14 +161,12 @@ test_mismatch_detected_with_lockfile_noise if { } # CycloneDX mock blobs - purls must have distro= qualifier to be considered installed -# regal ignore:line-length _mock_blob(`registry.local/cyclonedx-1@sha256:c0c101e01d19e5700000000000000000000000c0c101e01d19e57`) := json.marshal({"components": [ {"purl": "pkg:rpm/redhat/spam@1.0.0-1?distro=rhel-10.0"}, {"purl": "pkg:rpm/redhat/bacon@1.0.0-2?distro=rhel-10.0"}, {"purl": "pkg:rpm/redhat/ham@4.2.0-0?distro=rhel-10.0"}, ]}) -# regal ignore:line-length _mock_blob(`registry.local/cyclonedx-2@sha256:c0c102e02d19e5700000000000000000000000c0c102e02d19e57`) := json.marshal({"components": [ {"purl": "pkg:rpm/redhat/spam@1.0.0-2?distro=rhel-10.0"}, {"purl": "pkg:rpm/redhat/bacon@1.0.0-2?distro=rhel-10.0"}, @@ -176,7 +174,6 @@ _mock_blob(`registry.local/cyclonedx-2@sha256:c0c102e02d19e570000000000000000000 ]}) # SPDX mock blobs - purls must have distro= qualifier to be considered installed -# regal ignore:line-length _mock_blob(`registry.local/spdx-1@sha256:50d01d19e57000000000000000000000000000000000000050d01d19e57`) := json.marshal({"packages": [ {"externalRefs": [{ "referenceType": "purl", @@ -196,7 +193,6 @@ _mock_blob(`registry.local/spdx-1@sha256:50d01d19e570000000000000000000000000000 }]}, ]}) -# regal ignore:line-length _mock_blob(`registry.local/spdx-2@sha256:50d02d19e57000000000000000000000000000000000000050d02d19e57`) := json.marshal({"packages": [ {"externalRefs": [{ "referenceType": "purl", @@ -217,7 +213,6 @@ _mock_blob(`registry.local/spdx-2@sha256:50d02d19e570000000000000000000000000000 ]}) # Mock blob with multiple versions of spam (both 1.0.0-1 and 1.0.0-2) -# regal ignore:line-length _mock_blob(`registry.local/multi-spam@sha256:4017150a4d19e5700000000000000000000000004017150a4d19e57`) := json.marshal({"packages": [ {"externalRefs": [{ "referenceType": "purl", 
@@ -237,7 +232,6 @@ _mock_blob(`registry.local/multi-spam@sha256:4017150a4d19e5700000000000000000000 ]}) # Mock blob with only one version of spam (1.0.0-1) - for mismatch testing -# regal ignore:line-length _mock_blob(`registry.local/single-spam@sha256:5109150a4d19e5700000000000000000000000005109150a4d19e57`) := json.marshal({"packages": [ {"externalRefs": [{ "referenceType": "purl", @@ -252,7 +246,6 @@ _mock_blob(`registry.local/single-spam@sha256:5109150a4d19e570000000000000000000 ]}) # Mock blob with spam version 1.0.0-3 - for grouping test -# regal ignore:line-length _mock_blob(`registry.local/spam-v3@sha256:50a43d19e57000000000000000000000000000000000050a43d19e57`) := json.marshal({"packages": [ {"externalRefs": [{ "referenceType": "purl", @@ -269,7 +262,6 @@ _mock_blob(`registry.local/spam-v3@sha256:50a43d19e57000000000000000000000000000 # Mock blob simulating amd64 SBOM with lockfile entries for all arches # The installed package (with distro=) is spam-1.0.0-1 # Lockfile entries (with repository_id=) show spam-1.0.0-2 for arm64 - should be ignored -# regal ignore:line-length _mock_blob(`registry.local/sbom-lockfile-amd64@sha256:5b0410cfa4d64d19e5700000000000005b0410cfa4d64d19e57`) := json.marshal({"packages": [ # Installed package on this platform {"externalRefs": [{ @@ -286,7 +278,6 @@ _mock_blob(`registry.local/sbom-lockfile-amd64@sha256:5b0410cfa4d64d19e570000000 ]}) # Mock blob simulating arm64 SBOM with lockfile entries - installed version matches amd64 -# regal ignore:line-length _mock_blob(`registry.local/sbom-lockfile-arm64@sha256:5b0410cfa4464d19e5700000000000005b0410cfa4464d19e57`) := json.marshal({"packages": [ # Installed package on this platform - same version as amd64 {"externalRefs": [{ 
@@ -303,7 +294,6 @@ _mock_blob(`registry.local/sbom-lockfile-arm64@sha256:5b0410cfa4464d19e570000000 ]}) # Mock blob simulating arm64 SBOM with different installed version than amd64 -# regal ignore:line-length _mock_blob(`registry.local/sbom-lockfile-arm64-diff@sha256:5b0410cfa46d1ffd19e570005b0410cfa46d1ffd19e57`) := json.marshal({"packages": [ # Installed package on this platform - DIFFERENT version than amd64 {"externalRefs": [{ @@ -319,13 +309,10 @@ _mock_blob(`registry.local/sbom-lockfile-arm64-diff@sha256:5b0410cfa46d1ffd19e57 }]}, ]}) -# regal ignore:line-length _sbom_with_lockfile_amd64 := "registry.local/sbom-lockfile-amd64@sha256:5b0410cfa4d64d19e5700000000000005b0410cfa4d64d19e57" -# regal ignore:line-length _sbom_with_lockfile_arm64 := "registry.local/sbom-lockfile-arm64@sha256:5b0410cfa4464d19e5700000000000005b0410cfa4464d19e57" -# regal ignore:line-length _sbom_with_lockfile_arm64_different := "registry.local/sbom-lockfile-arm64-diff@sha256:5b0410cfa46d1ffd19e570005b0410cfa46d1ffd19e57" _cyclonedx_url_1 := "registry.local/cyclonedx-1@sha256:c0c101e01d19e5700000000000000000000000c0c101e01d19e57" diff --git a/policy/release/rpm_repos/rpm_repos_test.rego b/policy/release/rpm_repos/rpm_repos_test.rego index 13f3a9d23..f85110653 100644 --- a/policy/release/rpm_repos/rpm_repos_test.rego +++ b/policy/release/rpm_repos/rpm_repos_test.rego @@ -123,7 +123,6 @@ test_repo_id_purls_missing_repo_ids if { test_repo_id_purls_missing_repo_ids_truncated if { expected := {{ "code": "rpm_repos.ids_known", - # regal ignore:line-length "msg": "RPM repo id check failed: An RPM component in the SBOM did not specify a repository_id value in its purl: pkg:rpm/borken (1 additional similar violations not separately listed)", "term": "pkg:rpm/borken", }} 
@@ -279,5 +278,4 @@ p5 := "pkg:rpm/borken" p6 := "pkg:golang/gitplanet.com/bacon@1.2.3?arch=amd64" -# regal ignore:line-length p7 := "pkg:rpmmod/redhat/squid@4%3A8040020210420090912%3A522a0ee4?arch=ppc64le&repository_id=rhel-8-for-x86_64-appstream-eus-rpms__8_DOT_6" diff --git a/policy/release/sbom/sbom_test.rego b/policy/release/sbom/sbom_test.rego index 7f6dcbc1e..843315846 100644 --- a/policy/release/sbom/sbom_test.rego +++ b/policy/release/sbom/sbom_test.rego @@ -115,7 +115,6 @@ test_rule_data_validation if { }, { "code": "sbom.disallowed_packages_provided", - # regal ignore:line-length "msg": "Rule data disallowed_packages has unexpected format: 2.format: 2.format must be one of the following: \"semver\", \"semverv\"", "severity": "failure", }, @@ -166,13 +165,11 @@ test_rule_data_validation if { }, { "code": "sbom.disallowed_packages_provided", - # regal ignore:line-length "msg": "Rule data disallowed_attributes has unexpected format: 4.name: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "sbom.disallowed_packages_provided", - # regal ignore:line-length "msg": "Rule data disallowed_attributes has unexpected format: 4.value: Invalid type. Expected: string, given: integer", "severity": "failure", }, @@ -223,7 +220,6 @@ test_rule_data_validation if { }, { "code": "sbom.disallowed_packages_provided", - # regal ignore:line-length "msg": "Rule data disallowed_external_references has unexpected format: 1: Additional property invalid is not allowed", "severity": "warning", }, @@ -239,7 +235,6 @@ test_rule_data_validation if { }, { "code": "sbom.disallowed_packages_provided", - # regal ignore:line-length "msg": "Rule data disallowed_packages has unexpected format: 2.exceptions.0.subpath: Invalid type. Expected: string, given: integer", "severity": "failure", }, 
@@ -283,7 +278,6 @@ _spdx_sbom_attestation := {"statement": { "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", }], "checksums": [{ @@ -324,7 +318,6 @@ _cyclonedx_sbom_attestation := {"statement": { }, }, "components": [{ - # regal ignore:line-length "bom-ref": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3&package-id=f4f4e3cc2a6d9c37", "type": "library", "publisher": "Red Hat, Inc.", @@ -332,7 +325,6 @@ _cyclonedx_sbom_attestation := {"statement": { "version": "8.32-34.el9", "licenses": [{"license": {"name": "GPLv3+"}}], "cpe": "cpe:2.3:a:coreutils-single:coreutils-single:8.32-34.el9:*:*:*:*:*:*:*", - # regal ignore:line-length "purl": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", "properties": [ {"name": "attr1"}, diff --git a/policy/release/sbom_cyclonedx/sbom_cyclonedx_test.rego b/policy/release/sbom_cyclonedx/sbom_cyclonedx_test.rego index b0d529bda..bc328414b 100644 --- a/policy/release/sbom_cyclonedx/sbom_cyclonedx_test.rego +++ b/policy/release/sbom_cyclonedx/sbom_cyclonedx_test.rego @@ -109,9 +109,7 @@ test_attributes_not_allowed_all_good if { test_attributes_not_allowed_pair if { expected := {{ "code": "sbom_cyclonedx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", - # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has the attribute "attr1" set`, }} 
@@ -123,9 +121,7 @@ test_attributes_not_allowed_pair if { test_attributes_not_allowed_value if { expected := {{ "code": "sbom_cyclonedx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", - # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has the attribute "attr2" set to "value2"`, }} @@ -138,17 +134,13 @@ test_attributes_not_allowed_effective_on if { expected := { { "code": "sbom_cyclonedx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", - # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has the attribute "attr1" set`, "effective_on": "2025-01-01T00:00:00Z", }, { "code": "sbom_cyclonedx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", - # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has the attribute "attr2" set to "value2"`, "effective_on": "2024-07-31T00:00:00Z", }, @@ -173,7 +165,6 @@ test_attributes_not_allowed_value_no_purl if { expected := {{ "code": "sbom_cyclonedx.disallowed_package_attributes", "term": "rhel", - # regal ignore:line-length "msg": `Package rhel has the attribute "syft:distro:id" set to "rhel"`, }} 
@@ -192,7 +183,6 @@ test_external_references_allowed_regex_with_no_rules_is_allowed if { test_external_references_allowed_regex if { expected := {{ "code": "sbom_cyclonedx.allowed_package_external_references", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has reference "https://example.com/file.txt" of type "distribution" which is not explicitly allowed by pattern ".*allowed.net.*"`, @@ -210,7 +200,6 @@ test_external_references_allowed_no_purl if { expected := {{ "code": "sbom_cyclonedx.allowed_package_external_references", "term": "rhel", - # regal ignore:line-length "msg": `Package rhel has reference "https://www.redhat.com/" of type "website" which is not explicitly allowed by pattern ".*example.com.*"`, }} @@ -225,7 +214,6 @@ test_external_references_allowed_no_purl if { test_external_references_disallowed_regex if { expected := {{ "code": "sbom_cyclonedx.disallowed_package_external_references", - # regal ignore:line-length "term": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", # regal ignore:line-length "msg": `Package pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3 has reference "https://example.com/file.txt" of type "distribution" which is disallowed by pattern ".*example.com.*"`, @@ -243,7 +231,6 @@ test_external_references_disallowed_no_purl if { expected := {{ "code": "sbom_cyclonedx.disallowed_package_external_references", "term": "rhel", - # regal ignore:line-length "msg": `Package rhel has reference "https://www.redhat.com/" of type "website" which is disallowed by pattern ".*redhat.com.*"`, }} 
@@ -289,7 +276,6 @@ test_allowed_package_sources if { "name": "hermeto:found_by", "value": "hermeto", }], - # regal ignore:line-length "externalReferences": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom"}], }, }, @@ -337,7 +323,6 @@ test_allowed_package_sources_no_rule_defined if { "name": "hermeto:found_by", "value": "hermeto", }], - # regal ignore:line-length "externalReferences": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom"}], }, }]) @@ -517,7 +502,6 @@ _sbom_1_5_attestation := {"statement": { }, "components": [ { - # regal ignore:line-length "bom-ref": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3&package-id=f4f4e3cc2a6d9c37", "type": "library", "publisher": "Red Hat, Inc.", @@ -525,7 +509,6 @@ _sbom_1_5_attestation := {"statement": { "version": "8.32-34.el9", "licenses": [{"license": {"name": "GPLv3+"}}], "cpe": "cpe:2.3:a:coreutils-single:coreutils-single:8.32-34.el9:*:*:*:*:*:*:*", - # regal ignore:line-length "purl": "pkg:rpm/rhel/coreutils-single@8.32-34.el9?arch=x86_64&upstream=coreutils-8.32-34.el9.src.rpm&distro=rhel-9.3", "properties": [ {"name": "attr1"}, diff --git a/policy/release/sbom_spdx/sbom_spdx.rego b/policy/release/sbom_spdx/sbom_spdx.rego index d7fffd41e..3e6705c4a 100644 --- a/policy/release/sbom_spdx/sbom_spdx.rego +++ b/policy/release/sbom_spdx/sbom_spdx.rego @@ -98,7 +98,6 @@ deny contains result if { msg := regex.replace(object.get(allowed, "url", ""), `(.+)`, ` by pattern "$1"`) - # regal ignore:line-length result := lib.result_helper(rego.metadata.chain(), [pkg.name, reference.referenceLocator, reference.referenceType, msg]) } 
@@ -130,7 +129,6 @@ deny contains result if { msg := regex.replace(object.get(disallowed, "url", ""), `(.+)`, ` by pattern "$1"`) - # regal ignore:line-length result := lib.result_helper(rego.metadata.chain(), [pkg.name, reference.referenceLocator, reference.referenceType, msg]) } diff --git a/policy/release/sbom_spdx/sbom_spdx_test.rego b/policy/release/sbom_spdx/sbom_spdx_test.rego index 9a8f4d6ac..67c40ee5f 100644 --- a/policy/release/sbom_spdx/sbom_spdx_test.rego +++ b/policy/release/sbom_spdx/sbom_spdx_test.rego @@ -196,7 +196,6 @@ test_allowed_package_sources if { "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom&download_url=https://repo.maven.apache.org/maven2/org/apache/xmlgraphics/batik-anim/1.9.1/batik-anim-1.9.1.pom", }], "annotations": [{ @@ -247,9 +246,7 @@ test_allowed_package_sources if { test_attributes_not_allowed_pair if { expected := {{ "code": "sbom_spdx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", - # regal ignore:line-length "msg": `Package pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98 has the attribute "attr1" set`, }} @@ -261,9 +258,7 @@ test_attributes_not_allowed_pair if { test_attributes_not_allowed_value if { expected := {{ "code": "sbom_spdx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", - # regal ignore:line-length "msg": `Package pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98 has the attribute "attr2" set to "value2"`, }} 
@@ -276,17 +271,13 @@ test_attributes_not_allowed_effective_on if { expected := { { "code": "sbom_spdx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", - # regal ignore:line-length "msg": `Package pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98 has the attribute "attr1" set`, "effective_on": "2025-01-01T00:00:00Z", }, { "code": "sbom_spdx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", - # regal ignore:line-length "msg": `Package pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98 has the attribute "attr2" set to "value2"`, "effective_on": "2025-02-04T00:00:00Z", }, @@ -326,9 +317,7 @@ test_attributes_multiple_external_refs if { }, { "code": "sbom_spdx.disallowed_package_attributes", - # regal ignore:line-length "term": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", - # regal ignore:line-length "msg": `Package pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98 has the attribute "attr2" set to "value2"`, }, } @@ -360,7 +349,6 @@ _sbom_attestation := {"statement": { "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - # regal ignore:line-length "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256%3Ad845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98", }], "annotations": [ 
diff --git a/policy/release/slsa_build_scripted_build/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build/slsa_build_scripted_build_test.rego index 4ea8bf0cf..93c78f731 100644 --- a/policy/release/slsa_build_scripted_build/slsa_build_scripted_build_test.rego +++ b/policy/release/slsa_build_scripted_build/slsa_build_scripted_build_test.rego @@ -155,7 +155,6 @@ test_build_script_used_many_build_tasks if { # none of the build tasks produced the expected results expected_results := {{ "code": "slsa_build_scripted_build.subject_build_task_matches", - # regal ignore:line-length "msg": `The attestation subject, "some.image/foo:bar@sha256:1230000000000000000000000000000000000000000000000000000000000123", does not match any of the images built`, }} lib.assert_equal_results( @@ -276,7 +275,6 @@ test_subject_mismatch if { expected := {{ "code": "slsa_build_scripted_build.subject_build_task_matches", - # regal ignore:line-length "msg": `The attestation subject, "some.image/foo:bar@sha256:1230000000000000000000000000000000000000000000000000000000000123", does not match any of the images built`, }} @@ -346,7 +344,6 @@ test_subject_with_tag_and_digest_mismatch_digest_fails if { expected := {{ "code": "slsa_build_scripted_build.subject_build_task_matches", - # regal ignore:line-length "msg": `The attestation subject, "registry.io/repository/image@sha256:00e0ec7ed000000000000000000000000000000000000000000000e0ec7ed0", does not match any of the images built`, }} @@ -385,7 +382,6 @@ test_image_built_by_trusted_task_no_build_task if { expected := {{ "code": "slsa_build_scripted_build.image_built_by_trusted_task", - # regal ignore:line-length "msg": "Image \"some.image/foo:bar@sha256:1230000000000000000000000000000000000000000000000000000000000123\" not built by a trusted task: No Pipeline Tasks built the image", }} 
@@ -415,7 +411,6 @@ test_image_built_by_trusted_task_not_trusted if { expected := {{ "code": "slsa_build_scripted_build.image_built_by_trusted_task", - # regal ignore:line-length "msg": `Image "some.image/foo:bar@sha256:1230000000000000000000000000000000000000000000000000000000000123" not built by a trusted task: Build Task(s) "buildah" are not trusted`, }} @@ -462,7 +457,6 @@ test_image_built_by_multiple_not_trusted_tasks if { expected := {{ "code": "slsa_build_scripted_build.image_built_by_trusted_task", - # regal ignore:line-length "msg": `Image "some.image/foo:bar@sha256:1230000000000000000000000000000000000000000000000000000000000123" not built by a trusted task: Build Task(s) "buildah-1,buildah-2" are not trusted`, }} diff --git a/policy/release/slsa_source_correlated/slsa_source_correlated_test.rego b/policy/release/slsa_source_correlated/slsa_source_correlated_test.rego index 89ee42c44..8bf192120 100644 --- a/policy/release/slsa_source_correlated/slsa_source_correlated_test.rego +++ b/policy/release/slsa_source_correlated/slsa_source_correlated_test.rego @@ -339,7 +339,6 @@ test_slsa_v02_source_references if { lib.assert_empty(slsa_source_correlated._source_references) with input.attestations as [att3] # no uri - # regal ignore:line-length att4 = _material_attestation([{"digest": {"sha256": "cafe000000000000000000000000000000000000000000000000000000cafe00"}}]) lib.assert_empty(slsa_source_correlated._source_references) with input.attestations as [att4] lib.assert_equal( @@ -374,7 +373,6 @@ test_slsa_v10_source_references if { lib.assert_empty(slsa_source_correlated._source_references) with input.attestations as [att4] # no uri - # regal ignore:line-length att5 = _resolved_dependencies_attestation([{"digest": {"sha256": "cafe000000000000000000000000000000000000000000000000000000cafe00"}}]) lib.assert_empty(slsa_source_correlated._source_references) with input.attestations as [att5] lib.assert_equal( 
diff --git a/policy/release/source_image/source_image_test.rego b/policy/release/source_image/source_image_test.rego index 12924660f..3741b07f5 100644 --- a/policy/release/source_image/source_image_test.rego +++ b/policy/release/source_image/source_image_test.rego @@ -212,13 +212,11 @@ test_missing_signature if { expected := { { "code": "source_image.signed", - # regal ignore:line-length "msg": "Image signature verification failed for registry.local/repo:v0.2@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb: kaboom!", }, { "code": "source_image.signed", "effective_on": "2022-01-01T00:00:00Z", - # regal ignore:line-length "msg": "Image signature verification failed for registry.local/repo:v1.0@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb: kaboom!", }, } diff --git a/policy/release/tasks/tasks_test.rego b/policy/release/tasks/tasks_test.rego index 3eca620b8..210c19fc9 100644 --- a/policy/release/tasks/tasks_test.rego +++ b/policy/release/tasks/tasks_test.rego @@ -261,7 +261,6 @@ test_extra_tasks_ignored if { {}, )] - # regal ignore:line-length lib.assert_empty(tasks.deny) with data["pipeline-required-tasks"] as _required_pipeline_tasks with data.trusted_tasks as _trusted_tasks with ec.oci.image_manifests as _mock_image_manifests @@ -751,7 +750,6 @@ test_deprecated_slsa_v0_2 if { expected := {{ "code": "tasks.unsupported", - # regal ignore:line-length "msg": `Task "task" is used by pipeline task "task" is or will be unsupported as of 2200-01-01T00:00:00Z. Upgrade to a newer version of the Task.`, "term": "task", }} @@ -769,7 +767,6 @@ test_expired_slsa_v0_2 if { expected := {{ "code": "tasks.unsupported", - # regal ignore:line-length "msg": `Task "task" is used by pipeline task "task" is or will be unsupported as of 2000-01-01T00:00:00Z. Upgrade to a newer version of the Task.`, "term": "task", }} 
@@ -792,7 +789,6 @@ test_deprecated_slsa_v1 if { expected := {{ "code": "tasks.unsupported", - # regal ignore:line-length "msg": `Task "task" is used by pipeline task "task" is or will be unsupported as of 2200-01-01T00:00:00Z. Upgrade to a newer version of the Task.`, "term": "task", }} @@ -815,7 +811,6 @@ test_expired_slsa_v1 if { expected := {{ "code": "tasks.unsupported", - # regal ignore:line-length "msg": `Task "task" is used by pipeline task "task" is or will be unsupported as of 2000-01-01T00:00:00Z. Upgrade to a newer version of the Task.`, "term": "task", }} @@ -841,7 +836,6 @@ test_expired_with_custom_message if { expected := {{ "code": "tasks.unsupported", - # regal ignore:line-length "msg": `Task "task" is used by pipeline task "task" is or will be unsupported as of 2000-01-01T00:00:00Z. The Task has been discontinued.`, "term": "task", }} @@ -984,7 +978,6 @@ test_data_errors_on_pipeline_required_tasks if { }, { "code": "tasks.data_provided", - # regal ignore:line-length "msg": `pipeline-required-tasks.spam[0].effective_on is not valid RFC3339 format: "bad-datetime-format"`, "severity": "failure", }, @@ -1250,7 +1243,6 @@ _time_based_required_tasks := [ _bundle := "registry.img/spam:0.1@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb" -# regal ignore:line-length _untrusted_bundle := "registry.io/repository/unacceptable:0.1@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb" _trusted_tasks := {"oci://registry.img/spam:0.1": [{ diff --git a/policy/release/test/test_test.rego b/policy/release/test/test_test.rego index 351dd5c86..d4d29dadf 100644 --- a/policy/release/test/test_test.rego +++ b/policy/release/test/test_test.rego 
@@ -362,26 +362,19 @@ test_mixed_statuses if { v02_att_error_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "ERROR"}, "error_1", _bundle) - # regal ignore:line-length v02_att_success_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "success_1", _bundle) - # regal ignore:line-length v02_att_failure_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "FAILURE"}, "failure_1", _bundle) - # regal ignore:line-length v02_att_skipped_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SKIPPED"}, "skipped_1", _bundle) - # regal ignore:line-length v02_att_failure_2 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "FAILURE"}, "failure_2", _bundle) - # regal ignore:line-length v02_att_skipped_2 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SKIPPED"}, "skipped_2", _bundle) - # regal ignore:line-length v02_att_warning_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "WARNING"}, "warning_1", _bundle) v02_att_error_2 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "ERROR"}, "error_2", _bundle) - # regal ignore:line-length v02_att_warning_2 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "WARNING"}, "warning_2", _bundle) v02_tasks := [ @@ -478,11 +471,9 @@ test_mixed_statuses if { test_unsupported_test_result if { v02_att_error_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "EROR"}, "error_1", _bundle) - # regal ignore:line-length v02_att_success_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCESS"}, "success_1", _bundle) v02_att_failure_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "FAIL"}, "failure_1", _bundle) - # regal ignore:line-length v02_att_skipped_1 := lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SKIPED"}, "skipped_1", _bundle) v02_tasks := [ 
@@ -578,7 +569,6 @@ test_wrong_attestation_type if { } test_all_image_processed if { - # regal ignore:line-length digests_processed := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}} pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle) attestations := [ @@ -608,7 +598,6 @@ test_all_images_not_processed if { lib.assert_equal_results(test.deny, {{ "code": "test.test_all_images", - # regal ignore:line-length "msg": "Test 'success_23' did not process image with digest 'sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb'.", "term": "success_23", }}) with input.attestations as [attestation] @@ -659,13 +648,11 @@ test_rule_data_provided if { expected := { { "code": "test.rule_data_provided", - # regal ignore:line-length "msg": `Rule data erred_tests_results has unexpected format: 0: 0 must be one of the following: "SUCCESS", "FAILURE", "WARNING", "SKIPPED", "ERROR"`, "severity": "failure", }, { "code": "test.rule_data_provided", - # regal ignore:line-length "msg": `Rule data failed_tests_results has unexpected format: 0: 0 must be one of the following: "SUCCESS", "FAILURE", "WARNING", "SKIPPED", "ERROR"`, "severity": "failure", }, @@ -681,7 +668,6 @@ test_rule_data_provided if { }, { "code": "test.rule_data_provided", - # regal ignore:line-length "msg": `Rule data skipped_tests_results has unexpected format: 0: 0 must be one of the following: "SUCCESS", "FAILURE", "WARNING", "SKIPPED", "ERROR"`, "severity": "failure", }, 
@@ -692,13 +678,11 @@ test_rule_data_provided if { }, { "code": "test.rule_data_provided", - # regal ignore:line-length "msg": `Rule data supported_tests_results has unexpected format: 0: 0 must be one of the following: "SUCCESS", "FAILURE", "WARNING", "SKIPPED", "ERROR"`, "severity": "failure", }, { "code": "test.rule_data_provided", - # regal ignore:line-length "msg": `Rule data warned_tests_results has unexpected format: 0: 0 must be one of the following: "SUCCESS", "FAILURE", "WARNING", "SKIPPED", "ERROR"`, "severity": "failure", }, diff --git a/policy/release/trusted_task/trusted_task.rego b/policy/release/trusted_task/trusted_task.rego index c78d39467..81c6f561e 100644 --- a/policy/release/trusted_task/trusted_task.rego +++ b/policy/release/trusted_task/trusted_task.rego @@ -466,7 +466,6 @@ _format_trust_error_rules_ta(task, dependency_chain) := error if { error := { "msg": sprintf( - # regal ignore:line-length "Untrusted version of PipelineTask %q (Task %q) was included in build chain comprised of: %s. The denial reason is: %s", [untrusted_pipeline_task_name, untrusted_task_name, concat(", ", dependency_chain), reason_msg], ), @@ -485,7 +484,6 @@ _format_trust_error_rules(task) := error if { error := { "msg": sprintf( - # regal ignore:line-length "PipelineTask %q uses an untrusted task reference: %s. The denial reason is: %s", [untrusted_pipeline_task_name, untrusted_task_info, reason_msg], ), @@ -536,7 +534,6 @@ _format_trust_error_legacy_ta(task, dependency_chain) := error if { error := { "msg": sprintf( - # regal ignore:line-length "Untrusted version of PipelineTask %q (Task %q) was included in build chain comprised of: %s. Please upgrade the task version to: %s", [untrusted_pipeline_task_name, untrusted_task_name, concat(", ", dependency_chain), latest_trusted_ref], ), 
@@ -564,7 +561,6 @@ _format_trust_error_legacy(task) := error if { error := { "msg": sprintf( - # regal ignore:line-length "PipelineTask %q uses an untrusted task reference: %s. Please upgrade the task version to: %s", [untrusted_pipeline_task_name, untrusted_task_info, latest_trusted_ref], ), diff --git a/policy/release/trusted_task/trusted_task_test.rego b/policy/release/trusted_task/trusted_task_test.rego index 3f4f76c2e..0586c720d 100644 --- a/policy/release/trusted_task/trusted_task_test.rego +++ b/policy/release/trusted_task/trusted_task_test.rego @@ -38,12 +38,10 @@ test_pinned_warning if { expected := { { "code": "trusted_task.pinned", - # regal ignore:line-length "msg": `Pipeline task "unpinned-honest-abe-p" uses an unpinned task reference, git+git.local/repo.git//tasks/honest-abe.yaml@`, "term": "honest-abe", }, { "code": "trusted_task.pinned", - # regal ignore:line-length "msg": `Pipeline task "unpinned-trusty-p" uses an unpinned task reference, oci://registry.local/trusty:1.0@`, "term": "trusty", }, } @@ -66,7 +64,6 @@ test_tagged_warning if { expected := {{ "code": "trusted_task.tagged", - # regal ignore:line-length "msg": "Pipeline task \"untagged-trusty-p\" uses an untagged task reference, oci://registry.local/trusty@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700", "term": "trusty", }} @@ -130,7 +127,6 @@ test_trusted_violation if { expected := { { "code": "trusted_task.trusted", - # regal ignore:line-length "msg": `PipelineTask "crook-p" uses an untrusted task reference: oci://registry.local/crook:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700`, "term": "crook", }, 
@@ -147,13 +143,11 @@ test_trusted_violation if { "term": "trusty", }, { - # regal ignore:line-length "code": "trusted_task.trusted", "msg": `PipelineTask "inlined-p" uses an untrusted task reference: @`, "term": "", }, { "code": "trusted_task.trusted", - # regal ignore:line-length "msg": `PipelineTask "untrusted-lawless-p" uses an untrusted task reference: git+git.local/repo.git//tasks/lawless.yaml@37ef630394794f28142224295851a45eea5c63ae`, "term": "lawless", }, @@ -173,13 +167,11 @@ test_trusted_artifact_tampering if { expected := { { "code": "trusted_task.trusted", - # regal ignore:line-length "msg": `Code tampering detected, untrusted PipelineTask "task_b" (Task "TaskB") was included in build chain comprised of: task_a, task_b, task_c`, "term": "TaskB", }, { "code": "trusted_task.trusted", - # regal ignore:line-length "msg": `Code tampering detected, untrusted PipelineTask "task_b" (Task "TaskB") was included in build chain comprised of: task_b, task_c, task_test_a`, "term": "TaskB", }, @@ -279,7 +271,6 @@ test_trusted_artifact_denied_by_rules if { }, { "code": "trusted_task.trusted_parameters", - # regal ignore:line-length "msg": "The \"image\" parameter of the \"task_image_index\" PipelineTask includes an untrusted digest: sha256:49a6fd43239ae41643426daefc5239857a1cc1a6f2c1595f88965d7de88efcb9", }, } @@ -312,7 +303,6 @@ test_future_deny_rule_warning if { expected := {{ "code": "trusted_task.future_deny_rule", - # regal ignore:line-length "msg": `Task "trusty-p" will be denied by rule pattern "oci://registry.local/trusty:1.0*" starting on 2099-01-01.`, "term": "trusty", }} @@ -389,7 +379,6 @@ test_trusted_artifact_inputs_from_parameters if { "param1": "value1", "SOME_ARTIFACT": "value2", "SOURCE_ARTIFACT": artifact_a, - # regal ignore:line-length "UNEXPECTED_ARTIFACT": "oci:registry.io/repository/image@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", }}} 
@@ -440,13 +429,11 @@ test_trusted_parameters if { lib.assert_equal_results(trusted_task.deny, {{ "code": "trusted_task.trusted_parameters", - # regal ignore:line-length "msg": `The "image" parameter of the "task_image_index" PipelineTask includes an untrusted digest: sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`, }}) with data.trusted_tasks as trusted_tasks_data with input.attestations as [evil_attestation] with ec.oci.image_manifests as _mock_image_manifests - # regal ignore:line-length fake_component := {"containerImage": "registry.io/repository/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"} # If that same digest was found in the snapshot then we assume that it's not actually evil and therefore permit it @@ -501,7 +488,6 @@ test_trusted_build_digests_from_run_script_result if { # A digest from the SCRIPT_RUNNER_IMAGE_REFERENCE task result in the run-script-oci-ta # task appears in _trusted_build_digests if the task is considered a trusted task attestation := _mock_att_with_task({ - # regal ignore:line-length "ref": {"name": "run-script-oci-ta", "bundle": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, "results": [_mock_run_script_result], }) @@ -515,7 +501,6 @@ test_trusted_build_digests_from_run_script_untrusted if { # A digest from the SCRIPT_RUNNER_IMAGE_REFERENCE task result in the run-script-oci-ta # task does not appear in _trusted_build_digests if the task is not considered a trusted task attestation := _mock_att_with_task({ - # regal ignore:line-length "ref": {"name": "run-script-oci-ta", "bundle": "registry.local/unknown:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, "results": [_mock_run_script_result], }) 
@@ -529,7 +514,6 @@ test_trusted_build_digests_from_run_script_no_result if { # in _trusted_build_digests even if the task is not considered a trusted task results := json.patch(_mock_run_script_result, [{"op": "add", "path": "/name", "value": "SOME_OTHER_NAME"}]) attestation := _mock_att_with_task({ - # regal ignore:line-length "ref": {"name": "run-script-oci-ta", "bundle": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, "results": [results], }) @@ -542,11 +526,9 @@ test_trusted_build_digests_from_build_task_results if { # A digest from the the IMAGE_DIGEST build task result appears in _trusted_build_digests # if the build task is considered a trusted task attestation := _mock_att_with_task({ - # regal ignore:line-length "ref": {"name": "some-task", "bundle": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, "results": [ {"name": "SOME_IMAGE_URL", "value": "registry.io/whatever/image", "type": "string"}, - # regal ignore:line-length {"name": "SOME_IMAGE_DIGEST", "value": "sha256:2222222222222222222222222222222222222222222222222222222222222222", "type": "string"}, ], }) @@ -559,9 +541,7 @@ test_trusted_build_digests_from_build_task_results if { test_trusted_build_digests_from_snapshot_components if { # Digests present in the snapshot components should appear in _trusted_build_digests components := [ - # regal ignore:line-length {"containerImage": "registry.io/repository/image1@sha256:3333333333333333333333333333333333333333333333333333333333333333"}, - # regal ignore:line-length {"containerImage": "registry.io/repository/image2@sha256:4444444444444444444444444444444444444444444444444444444444444444"}, ] expected := { 
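Review bot: The context comment at the top of the `-529,7 +514,6` hunk, in `test_trusted_build_digests_from_run_script_no_result`, says the digest is left out "even if the task is not considered a trusted task", but the attestation below it uses the `registry.local/trusty:1.0` bundle. That is the same reference the `test_trusted_build_digests_from_run_script_result` test treats as trusted, so this looks like a copy-paste slip from the `_untrusted` test. Because the comment documents a trust decision, it would read correctly as `# in _trusted_build_digests even if the task is considered a trusted task`. The first line of the comment and the trusted-task data are outside the hunk, so this should be confirmed against the full file. The comment in the following hunk (`-542,11 +526,9`) also has a doubled word, "from the the IMAGE_DIGEST".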
@@ -578,7 +558,6 @@ test_trusted_build_digests_from_snapshot_components if { trusted_bundle_pipeline_task := { "name": "trusty-p", "ref": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, @@ -590,7 +569,6 @@ newest_bundle_pipeline_task := trusted_bundle_pipeline_task outdated_bundle_pipeline_task := { "name": "outdated-trusty-p", "ref": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:007da7edd19e5700000000000000000000000000000000007da7edd19e57"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, @@ -600,7 +578,6 @@ outdated_bundle_pipeline_task := { expired_bundle_pipeline_task := { "name": "expired-trusty-p", "ref": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty:1.0@sha256:e001edd19e5700000000000000000000000000000000000000e001edd19e57"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, @@ -619,7 +596,6 @@ unpinned_bundle_pipeline_task := { untagged_bundle_pipeline_task := { "name": "untagged-trusty-p", "ref": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/trusty@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "trusty"}, {"name": "kind", "value": "task"}, @@ -629,7 +605,6 @@ untagged_bundle_pipeline_task := { unknown_bundle_pipeline_task := { "name": "crook-p", "ref": {"resolver": "bundles", "params": [ - # regal ignore:line-length {"name": "bundle", "value": "registry.local/crook:1.0@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"}, {"name": "name", "value": "crook"}, {"name": "kind", "value": "task"}, 
@@ -858,7 +833,6 @@ trusted_tasks_data := { # A1 — On trusted_tasks, no rules → trusted # Task is in trusted_tasks, trusted_task_rules is empty → should be trusted via legacy fallback test_on_trusted_tasks_no_rules_trusted if { - # regal ignore:line-length rules_trusted_tasks_data := {"oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.4": [{"ref": "sha256:abc1230000000000000000000000000000000000000000000000000000abc123"}]} trusted_task_rules_data := { @@ -868,7 +842,6 @@ test_on_trusted_tasks_no_rules_trusted if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -894,7 +867,6 @@ test_on_trusted_tasks_expired_untrusted if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -957,7 +929,6 @@ test_allow_by_location if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1023,7 +994,6 @@ test_deny_takes_precedence_over_allow if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1060,7 +1030,6 @@ test_allow_rule_not_yet_effective if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) 
@@ -1093,7 +1062,6 @@ test_allow_rule_effective_trusted if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1123,7 +1091,6 @@ test_deny_rule_not_yet_effective if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1153,7 +1120,6 @@ test_deny_rule_becomes_effective if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1195,7 +1161,6 @@ test_multiple_allow_rules if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1229,7 +1194,6 @@ test_deny_with_message if { att := _rules_make_attestation([_rules_make_task( "manifest-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:1.0@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-build-image-manifest", )]) @@ -1272,7 +1236,6 @@ test_rules_allow_trusted_tasks_expiry_ignored if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) 
@@ -1303,7 +1266,6 @@ test_unknown_fields_ignored if { att := _rules_make_attestation([_rules_make_task( "buildah-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", )]) @@ -1334,7 +1296,6 @@ test_mixed_trusted_and_untrusted_tasks if { att := _rules_make_attestation([ _rules_make_task( "trusted-task", - # regal ignore:line-length "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:abc1230000000000000000000000000000000000000000000000000000abc123", "task-buildah", ), diff --git a/policy/release/volatile_config/volatile_config_test.rego b/policy/release/volatile_config/volatile_config_test.rego index 426358a81..7540d0e47 100644 --- a/policy/release/volatile_config/volatile_config_test.rego +++ b/policy/release/volatile_config/volatile_config_test.rego @@ -191,7 +191,6 @@ test_warn_invalid_config_effective_on if { expected := {{ "code": "volatile_config.invalid_config", - # regal ignore:line-length "msg": "Volatile include rule 'broken.rule' has invalid date configuration (effectiveOn: not-a-date, effectiveUntil: )", }} @@ -452,8 +451,7 @@ test_warn_with_malformed_image_ref_multiple_at if { # Global rules apply with malformed image ref containing multiple @ symbols # This tests the case where split("@") doesn't produce exactly 2 parts lib.assert_equal_results(volatile_config.warn, expected) with input.policy_spec as policy_spec - # regal ignore:line-length -with input.image.ref as "quay.io/repo/image@sha256:abc123@sha256:def4560000000000000000000000000000000000000000000000000000def456" + with input.image.ref as "quay.io/repo/image@sha256:abc123@sha256:def4560000000000000000000000000000000000000000000000000000def456" with input.component_name as _component_name with time_lib.effective_current_time_ns as _now_ns } 
diff --git a/policy/stepaction/stepaction_image/stepaction_image_test.rego b/policy/stepaction/stepaction_image/stepaction_image_test.rego index 164929c2c..35b75a71e 100644 --- a/policy/stepaction/stepaction_image/stepaction_image_test.rego +++ b/policy/stepaction/stepaction_image/stepaction_image_test.rego @@ -55,7 +55,6 @@ test_image_not_permitted if { test_rule_data_list_empty if { expected := {{ "code": "stepaction_image.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: (Root): Array must have at least 1 items", "severity": "failure", }} @@ -75,13 +74,11 @@ test_rule_data_list_format if { expected := { { "code": "stepaction_image.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "stepaction_image.rule_data", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: (Root): array items[1,2] must be unique", "severity": "failure", }, diff --git a/policy/task/annotations/annotations_test.rego b/policy/task/annotations/annotations_test.rego index 3d6471c45..d2a7ab15e 100644 --- a/policy/task/annotations/annotations_test.rego +++ b/policy/task/annotations/annotations_test.rego @@ -6,7 +6,6 @@ import data.annotations import data.lib test_valid_expiry_dates if { - # regal ignore:line-length lib.assert_empty(annotations.deny) with input.metadata.annotations as {annotations._expires_on_annotation: "2000-01-02T03:04:05Z"} } diff --git a/policy/task/results/results_test.rego b/policy/task/results/results_test.rego index 446f5f7cf..733f6e4c4 100644 --- a/policy/task/results/results_test.rego +++ b/policy/task/results/results_test.rego 
@@ -131,13 +131,11 @@ test_rule_data_provided if { }, { "code": "results.rule_data_provided", - # regal ignore:line-length "msg": "Rule data required_task_results has unexpected format: 4.task: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "results.rule_data_provided", - # regal ignore:line-length "msg": "Rule data required_task_results has unexpected format: 5.result: Invalid type. Expected: string, given: integer", "severity": "failure", }, diff --git a/policy/task/step_image_registries/step_image_registries_test.rego b/policy/task/step_image_registries/step_image_registries_test.rego index 9e21350c7..a65b97d6d 100644 --- a/policy/task/step_image_registries/step_image_registries_test.rego +++ b/policy/task/step_image_registries/step_image_registries_test.rego @@ -5,10 +5,8 @@ import rego.v1 import data.lib import data.step_image_registries -# regal ignore:line-length good_image := "registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b" -# regal ignore:line-length bad_image := "hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b" test_step_images_permitted_success if { @@ -30,13 +28,11 @@ test_step_images_permitted_failure if { expected := { { "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 0 uses disallowed image ref 'hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "git-clone/1.0", }, { "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 2 uses disallowed image ref 'hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "git-clone/1.0", }, 
@@ -54,7 +50,6 @@ test_step_images_missing_name_version if { lib.assert_equal_results(step_image_registries.deny, {{ "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 0 uses disallowed image ref 'hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "noname/1.0", }}) with input as task_no_name @@ -67,7 +62,6 @@ test_step_images_missing_name_version if { lib.assert_equal_results(step_image_registries.deny, {{ "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 0 uses disallowed image ref 'hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "git-clone/noversion", }}) with input as task_no_version @@ -79,7 +73,6 @@ test_step_images_missing_name_version if { lib.assert_equal_results(step_image_registries.deny, {{ "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 0 uses disallowed image ref 'hackz.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "noname/noversion", }}) with input as task_no_name_no_version @@ -104,13 +97,11 @@ test_step_images_permitted_prefix_list_empty if { expected := { { "code": "step_image_registries.step_image_registry_prefix_list_provided", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: (Root): Array must have at least 1 items", "severity": "failure", }, { "code": "step_image_registries.step_images_permitted", - # regal ignore:line-length "msg": "Step 0 uses disallowed image ref 'registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b'", "term": "git-clone/1.0", }, 
@@ -132,13 +123,11 @@ test_step_image_registry_prefix_list_format if { expected := { { "code": "step_image_registries.step_image_registry_prefix_list_provided", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: 0: Invalid type. Expected: string, given: integer", "severity": "failure", }, { "code": "step_image_registries.step_image_registry_prefix_list_provided", - # regal ignore:line-length "msg": "Rule data allowed_step_image_registry_prefixes has unexpected format: (Root): array items[1,2] must be unique", "severity": "failure", },