1 | 1 | apiVersion: workflowcontract.chainloop.dev/v1 |
2 | 2 | kind: Policy |
3 | 3 | metadata: |
4 | | - name: cdx-fresh |
5 | | - description: Checks that SBOM is maximum of 30 days old |
6 | | - annotations: |
7 | | - category: quickstart |
| 4 | + name: cdx-fresh |
| 5 | + description: Checks that SBOM is maximum of 30 days old |
| 6 | + annotations: |
| 7 | + category: quickstart |
8 | 8 | spec: |
9 | | - policies: |
10 | | - - embedded: | |
11 | | - package main |
12 | | -
|
13 | | - import rego.v1 |
14 | | -
|
15 | | - ################################ |
16 | | - # Common section do NOT change # |
17 | | - ################################ |
18 | | -
|
19 | | - result := { |
20 | | - "skipped": skipped, |
21 | | - "violations": violations, |
22 | | - "skip_reason": skip_reason, |
23 | | - "ignore": ignore, |
24 | | - } |
25 | | -
|
26 | | - default skip_reason := "" |
27 | | -
|
28 | | - skip_reason := m if { |
29 | | - not valid_input |
30 | | - m := "invalid input" |
31 | | - } |
32 | | -
|
33 | | - default skipped := true |
34 | | -
|
35 | | - skipped := false if valid_input |
36 | | -
|
37 | | - default ignore := false |
38 | | -
|
39 | | - ######################################## |
40 | | - # EO Common section, custom code below # |
41 | | - ######################################## |
42 | | - # Validates if the input is valid and can be understood by this policy |
43 | | - valid_input := true |
44 | | -
|
45 | | - limit := 30 |
46 | | - nanosecs_per_second := (1000 * 1000) * 1000 |
47 | | - nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second |
48 | | - maximum_age := limit * nanosecs_per_day |
49 | | -
|
50 | | - # If the input is valid, check for any policy violation here |
51 | | - violations contains msg if { |
52 | | - sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) |
53 | | - exceeding = time.now_ns() - (sbom_ns + maximum_age) |
54 | | - exceeding > 0 |
55 | | - msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) |
56 | | - } |
57 | | - kind: SBOM_CYCLONEDX_JSON |
| 9 | + policies: |
| 10 | + - embedded: | |
| 11 | + package main |
| 12 | +
|
| 13 | + import rego.v1 |
| 14 | +
|
| 15 | + ################################ |
| 16 | + # Common section do NOT change # |
| 17 | + ################################ |
| 18 | +
|
| 19 | + result := { |
| 20 | + "skipped": skipped, |
| 21 | + "violations": violations, |
| 22 | + "skip_reason": skip_reason, |
| 23 | + "ignore": ignore, |
| 24 | + } |
| 25 | +
|
| 26 | + default skip_reason := "" |
| 27 | +
|
| 28 | + skip_reason := m if { |
| 29 | + not valid_input |
| 30 | + m := "invalid input" |
| 31 | + } |
| 32 | +
|
| 33 | + default skipped := true |
| 34 | +
|
| 35 | + skipped := false if valid_input |
| 36 | +
|
| 37 | + default ignore := false |
| 38 | +
|
| 39 | + ######################################## |
| 40 | + # EO Common section, custom code below # |
| 41 | + ######################################## |
| 42 | + # Validates if the input is valid and can be understood by this policy |
| 43 | + valid_input := true |
| 44 | +
|
| 45 | + limit := 30 |
| 46 | + nanosecs_per_second := (1000 * 1000) * 1000 |
| 47 | + nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second |
| 48 | + maximum_age := limit * nanosecs_per_day |
| 49 | +
|
| 50 | + # If the input is valid, check for any policy violation here |
| 51 | + violations contains msg if { |
| 52 | + sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) |
| 53 | + exceeding = time.now_ns() - (sbom_ns + maximum_age) |
| 54 | + exceeding > 0 |
| 55 | + msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) |
| 56 | + } |
| 57 | + kind: SBOM_CYCLONEDX_JSON |