RPM Repos Package
This package defines rules to confirm that all RPM packages listed in SBOMs specify a known and permitted repository id.
Rules Included
All rpms have known repo ids
Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. Currently this rule is enforced only for SBOM components created by cachi2.
Solution: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.
- Rule type: FAILURE
- FAILURE message: RPM repo id check failed: %s
- Code: rpm_repos.ids_known
- Effective from: 2024-11-10T00:00:00Z
Known repo id list provided
A list of known and permitted repository ids should be available in the rule data.
Solution: Include a data source that provides a list of known repository ids under the 'known_rpm_repositories' key under the top level 'rule_data' key. This list can be extended with the 'extra_rpm_repositories' rule data key. The contents of both lists are combined.
- Rule type: FAILURE
- FAILURE message: Rule data '%s' has unexpected format: %s
- Code: rpm_repos.rule_data_provided
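As an added illustration (not Conforma's own Rego policy code), the following Python models the two rules above: the rule data format check, the combining of the two lists, and the per-RPM repository id lookup. It assumes, which the page does not state, that components are CycloneDX-style dicts with a `purl` and that the repository id travels as a `repository_id` purl qualifier; the sample rule data and components are constructed.

```python
# Added example (not Conforma's own Rego code): a Python model of the two
# rpm_repos rules, showing how the rule data lists are combined and checked.
# Assumption not stated on the page: components are CycloneDX-style dicts with
# a "purl", and the repository id travels as the purl qualifier "repository_id".
from urllib.parse import parse_qs, urlsplit

KNOWN_KEY = "known_rpm_repositories"
EXTRA_KEY = "extra_rpm_repositories"

# Constructed sample rule data and SBOM components (not from a real SBOM).
RULE_DATA = {KNOWN_KEY: ["rhel-9-baseos", "rhel-9-appstream"], EXTRA_KEY: ["internal-tools"]}
SBOM_COMPONENTS = [
    {"purl": "pkg:rpm/redhat/openssl@3.0.7-1?arch=x86_64&repository_id=rhel-9-baseos"},
    {"purl": "pkg:rpm/example/mytool@1.2?arch=noarch&repository_id=internal-tools"},
    {"purl": "pkg:rpm/example/stray@0.1?arch=x86_64&repository_id=unknown-mirror"},
    {"purl": "pkg:rpm/example/norepo@0.2?arch=x86_64"},
    {"purl": "pkg:pypi/requests@2.32.0"},  # not an RPM, out of scope for the rule
]

def rule_data_provided(rule_data):
    """Mirror rpm_repos.rule_data_provided: the known list is required, extra is optional, both must be lists of strings."""
    problems = []
    for key in (KNOWN_KEY, EXTRA_KEY):
        value = rule_data.get(key, [] if key == EXTRA_KEY else None)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"Rule data '{key}' has unexpected format: {value!r}")
    return problems

def permitted_repos(rule_data):
    """The two lists are combined into one set of permitted repository ids."""
    return set(rule_data.get(KNOWN_KEY, [])) | set(rule_data.get(EXTRA_KEY, []))

def repo_id_of(purl):
    """Return the (assumed) repository_id qualifier of an rpm purl, or None if absent."""
    return parse_qs(urlsplit(purl).query).get("repository_id", [None])[0]

def ids_known(components, rule_data):
    """Mirror rpm_repos.ids_known: every rpm must carry a repo id from the permitted set."""
    allowed = permitted_repos(rule_data)
    failures = []
    for comp in components:
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:rpm/"):
            continue  # only RPM components are subject to this rule
        repo = repo_id_of(purl)
        if repo is None:
            failures.append(f"RPM repo id check failed: {purl} has no repository id")
        elif repo not in allowed:
            failures.append(f"RPM repo id check failed: {purl} uses unknown repo {repo}")
    return failures
```

Running `ids_known(SBOM_COMPONENTS, RULE_DATA)` on the constructed data reports the unknown mirror and the component with no repository id, and leaves the non-RPM component alone.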