From 9cbda220568a57b8766473f8e958c18805db10b0 Mon Sep 17 00:00:00 2001
From: Sylwester Piskozub
Date: Mon, 11 Aug 2025 13:47:37 +0200
Subject: [PATCH 1/3] fail if no execution path found
Signed-off-by: Sylwester Piskozub
---
 app/cli/cmd/policy_develop_eval.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/app/cli/cmd/policy_develop_eval.go b/app/cli/cmd/policy_develop_eval.go
index 4e5409942..f57444c4b 100644
--- a/app/cli/cmd/policy_develop_eval.go
+++ b/app/cli/cmd/policy_develop_eval.go
@@ -63,6 +63,13 @@ evaluates the policy against the provided material or attestation.`,
 return newGracefulError(err)
 }
+ // Check if any result was ignored
+ for _, res := range result {
+ if res.Ignored {
+ return fmt.Errorf("policy evaluation failed: no execution branch matched")
+ }
+ }
+
 return encodeJSON(result)
 },
 }
From 2ca1363bd317b8d44ecaa6f8b5e534d99c9d5b6d Mon Sep 17 00:00:00 2001
From: Sylwester Piskozub
Date: Mon, 11 Aug 2025 15:52:54 +0200
Subject: [PATCH 2/3] update error handling
Signed-off-by: Sylwester Piskozub
---
 app/cli/cmd/policy_develop_eval.go | 9 +--------
 app/cli/internal/policydevel/eval.go | 13 +++---------
 2 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/app/cli/cmd/policy_develop_eval.go b/app/cli/cmd/policy_develop_eval.go
index f57444c4b..1da7dd1ba 100644
--- a/app/cli/cmd/policy_develop_eval.go
+++ b/app/cli/cmd/policy_develop_eval.go
@@ -60,14 +60,7 @@ evaluates the policy against the provided material or attestation.`,
 result, err := policyEval.Run()
 if err != nil {
- return newGracefulError(err)
- }
-
- // Check if any result was ignored
- for _, res := range result {
- if res.Ignored {
- return fmt.Errorf("policy evaluation failed: no execution branch matched")
- }
+ return err
 }
 return encodeJSON(result)
diff --git a/app/cli/internal/policydevel/eval.go b/app/cli/internal/policydevel/eval.go
index eb7393888..ccb997347 100644
--- a/app/cli/internal/policydevel/eval.go
+++ b/app/cli/internal/policydevel/eval.go
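Review bot: Replacing `return newGracefulError(err)` with `return err` in the `if err != nil` branch changes how every error coming out of policyEval.Run() is reported, not only the new no-branch-matched case; newGracefulError's definition is not in this patch, so whether this drops a friendlier rendering or also alters the exit status cannot be confirmed here. If the wrapper only affects how the error is displayed, keeping `return newGracefulError(err)` lets the new error follow the same path as the other evaluation failures; if the plain return is intentional, a one-line comment above it stating the reason would stop the next reader from reinstating the wrapper. The RunE closure this hunk modifies starts and ends outside the hunk.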
@@ -48,13 +48,13 @@ func Evaluate(opts *EvalOptions, logger zerolog.Logger) ([]*EvalResult, error) {
 // 1. Create crafting schema
 schema, err := createCraftingSchema(opts.PolicyPath, opts.Inputs)
 if err != nil {
- return nil, fmt.Errorf("creating crafting schema: %w", err)
+ return nil, err
 }
 // 2. Craft material with annotations
 material, err := craftMaterial(opts.MaterialPath, opts.MaterialKind, &logger)
 if err != nil {
- return nil, fmt.Errorf("material crafting: %w", err)
+ return nil, err
 }
 material.Annotations = opts.Annotations
@@ -95,14 +95,7 @@ func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Materia
 // no evaluations were returned
 if len(policyEvs) == 0 {
- return []*EvalResult{
- {
- Ignored: true,
- Skipped: false,
- SkipReasons: []string{},
- Violations: []string{},
- },
- }, nil
+ return nil, fmt.Errorf("no execution branch matched for kind %s", material.MaterialType.String())
 }
 results := make([]*EvalResult, 0, len(policyEvs))
From da3e3cc48240a9983f8fe830fe8aa2f93b454a85 Mon Sep 17 00:00:00 2001
From: Sylwester Piskozub
Date: Mon, 11 Aug 2025 15:58:52 +0200
Subject: [PATCH 3/3] fix test
Signed-off-by: Sylwester Piskozub
---
 app/cli/internal/policydevel/eval_test.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/app/cli/internal/policydevel/eval_test.go b/app/cli/internal/policydevel/eval_test.go
index 140144374..587d63253 100644
--- a/app/cli/internal/policydevel/eval_test.go
+++ b/app/cli/internal/policydevel/eval_test.go
@@ -41,9 +41,8 @@ func TestEvaluate(t *testing.T) {
 }
 results, err := Evaluate(opts, logger)
- require.NoError(t, err)
- require.NotEmpty(t, results)
- assert.NotNil(t, results[0])
+ require.Error(t, err)
+ assert.Empty(t, results)
 })
 t.Run("evaluation with auto-detected SBOM CYCLONEDX kind", func(t *testing.T) {
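Review bot: Both early returns in Evaluate now hand back the bare err, so a failure inside createCraftingSchema and a failure inside craftMaterial reach the caller with no indication of which step produced them; the `%w` wrapping that was removed carried that context while still letting errors.Is and errors.As match the underlying error. Unless the unwrapping is meant to avoid a prefix being duplicated further up the call chain (not visible in this patch), keeping `return nil, fmt.Errorf("creating crafting schema: %w", err)` and `return nil, fmt.Errorf("material crafting: %w", err)` loses nothing. Evaluate's body continues past the end of this hunk.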
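Review bot: The new error in verifyMaterial is built from a plain format string, so the CLI and the tests can only recognise the no-execution-branch condition by matching its text; a sentinel would let callers separate "the policy does not apply to this material kind" from a genuine evaluation failure with errors.Is. For example `var ErrNoExecutionBranch = errors.New("no execution branch matched")` at package level and `return nil, fmt.Errorf("%w for kind %s", ErrNoExecutionBranch, material.MaterialType)` here (importing errors if the file does not already); `%s` already calls String() on a fmt.Stringer, so the explicit `.String()` is redundant. Failing here rather than returning an Ignored result is the safer default, since the old path produced a result with no violations that was distinguishable only by the Ignored flag. verifyMaterial's body continues outside the hunk.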
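Review bot: `require.Error(t, err)` only asserts that Evaluate failed, so this subtest would also pass if the fixture path or the crafting schema were broken; the assertion should pin the condition the previous patch introduced, e.g. `require.ErrorContains(t, err, "no execution branch matched")`, or errors.Is against a sentinel if one is added. `assert.Empty(t, results)` is fine as written, since the new path returns a nil slice. The subtest's name and setup sit above the hunk, and TestEvaluate continues after it.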