SPDX SBOM Package
Checks different properties of the SPDX SBOMs associated with the image being validated.
Rules Included
Allowed
Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.
Solution: Update the image to not use any disallowed package.
- Rule type: FAILURE
- FAILURE message: Package is not allowed: %s
- Code: sbom_spdx.allowed
Allowed package external references
Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed. Use the "allowed_external_references" rule data key to provide a list of type-pattern pairs that explicitly allow external references of the given type whose reference url matches the given pattern; any other external reference of that type is then forbidden.
Solution: Update the image to use only packages with explicitly allowed external references.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is not explicitly allowed%s
- Code: sbom_spdx.allowed_package_external_references
Allowed package sources
For each package fetched by Cachi2 that defines externalReferences, verify the references are allowed according to the "allowed_package_sources" rule data key. By default allowed_package_sources is empty, which means no packages with such references are allowed.
Solution: Update the image to not use a package from a disallowed source.
- Rule type: FAILURE
- FAILURE message: Package %s fetched by cachi2 was sourced from %q which is not allowed
- Code: sbom_spdx.allowed_package_sources
- Effective from: 2025-02-17T00:00:00Z
Contains files
Check the list of files in the SPDX SBOM is not empty.
Solution: Verify the SBOM is correctly identifying the files in the image.
- Rule type: FAILURE
- FAILURE message: The list of files is empty
- Code: sbom_spdx.contains_files
Contains packages
Check the list of packages in the SPDX SBOM is not empty.
Solution: Verify the SBOM is correctly identifying the packages in the image.
- Rule type: FAILURE
- FAILURE message: The list of packages is empty
- Code: sbom_spdx.contains_packages
Disallowed package attributes
Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the "disallowed_attributes" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.
Solution: Update the image to not use any disallowed package attributes.
- Rule type: FAILURE
- FAILURE message: Package %s has the attribute %q set%s
- Code: sbom_spdx.disallowed_package_attributes
- Effective from: 2025-02-04T00:00:00Z
Disallowed package external references
Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the "disallowed_external_references" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.
Solution: Update the image to not use a package with a disallowed external reference.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is disallowed%s
- Code: sbom_spdx.disallowed_package_external_references
- Effective from: 2024-07-31T00:00:00Z
Matches image
Check the SPDX SBOM targets the image being validated.
Solution: The SPDX SBOM associated with the image describes a different image. Verify the integrity of the build system.
- Rule type: FAILURE
- FAILURE message: Image digest in the SBOM, %q, is not as expected, %q
- Code: sbom_spdx.matches_image
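The following is an added example, not the sbom_spdx Rego package or any code from the Conforma project: a small stand-alone Python model of the checks described on this page (allowed packages, allowed and disallowed external references, allowed package sources, disallowed attributes, contains files, contains packages, matches image), run over a constructed SPDX 2.3 JSON document. The rule data keys are the ones named above; the shape of their values (purl prefixes, regex patterns, name/value pairs), the encoding of package attributes as cachi2-style JSON annotations, and the use of an OCI purl to carry the image digest are assumptions made for the example, and the failure messages paraphrase the ones listed on this page.

```python
import json
import re

# Constructed SPDX 2.3 SBOM standing in for the one attached to the image under
# validation. The first package describes the image itself; the other two are
# dependencies found in it.
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "documentDescribes": ["SPDXRef-image"],
    "files": [{"SPDXID": "SPDXRef-File-0", "fileName": "/usr/bin/app"}],
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "app",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:oci/app@sha256:1111"}]},  # assumed digest carrier
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:pypi/requests@2.31.0"},
             {"referenceCategory": "OTHER", "referenceType": "distribution",
              "referenceLocator": "https://pypi.example.org/simple/requests"}],
         # Assumed cachi2 convention: an attribute is an annotation whose comment is JSON.
         "annotations": [{"annotationType": "OTHER", "annotator": "Tool: cachi2:jsonencoded",
                          "comment": json.dumps({"name": "cachi2:found_by", "value": "cachi2"})}]},
        {"SPDXID": "SPDXRef-Package-left-pad", "name": "left-pad", "versionInfo": "1.3.0",
         "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:npm/left-pad@1.3.0"},
             {"referenceCategory": "OTHER", "referenceType": "distribution",
              "referenceLocator": "http://mirror.example.net/left-pad"}],
         "annotations": [{"annotationType": "OTHER", "annotator": "Tool: cachi2:jsonencoded",
                          "comment": json.dumps({"name": "cachi2:missing_hash:in_file",
                                                 "value": "package-lock.json"})}]},
    ],
}

# Constructed rule data. The keys are the ones documented on the page; the value
# layouts are assumptions for this example.
RULE_DATA = {
    "disallowed_packages": ["pkg:npm/left-pad"],                      # purl prefixes
    "disallowed_attributes": [{"name": "cachi2:missing_hash:in_file", "value": "package-lock.json"}],
    "disallowed_external_references": [{"type": "distribution", "url": r"^http://"}],
    "allowed_external_references": [{"type": "distribution", "url": r"^https://pypi\.example\.org/"}],
    "allowed_package_sources": [],                                     # default: nothing allowed
}


def purl_of(pkg):
    """Return the package's purl external reference, or '' if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref["referenceType"] == "purl":
            return ref["referenceLocator"]
    return ""


def attributes_of(pkg):
    """Decode (name, value) attribute pairs from JSON-encoded annotations (assumed layout)."""
    out = []
    for ann in pkg.get("annotations", []):
        try:
            data = json.loads(ann.get("comment", ""))
        except ValueError:
            continue  # a free-text annotation is not an attribute
        if isinstance(data, dict) and "name" in data:
            out.append((data["name"], data.get("value")))
    return out


def check_sbom(sbom, rule_data, expected_digest):
    """Run every check from this page and return the list of failure messages."""
    failures = []
    if not sbom.get("files"):
        failures.append("The list of files is empty")
    packages = sbom.get("packages", [])
    if not packages:
        failures.append("The list of packages is empty")
    # matches_image: the digest in the described package's purl must be the image's digest
    by_id = {p["SPDXID"]: p for p in packages}
    for spdx_id in sbom.get("documentDescribes", []):
        pkg = by_id.get(spdx_id)
        digest = purl_of(pkg).rpartition("@")[2] if pkg else ""
        if digest != expected_digest:
            failures.append(f'Image digest in the SBOM, "{digest}", is not as expected, "{expected_digest}"')
    for pkg in packages:
        p = purl_of(pkg)
        attrs = attributes_of(pkg)
        for bad in rule_data.get("disallowed_packages", []):       # allowed
            if p.startswith(bad):
                failures.append(f"Package is not allowed: {p}")
        for rule in rule_data.get("disallowed_attributes", []):    # disallowed_package_attributes
            if (rule["name"], rule.get("value")) in attrs:
                failures.append(f'Package {p} has the attribute "{rule["name"]}" set to "{rule["value"]}"')
        for ref in pkg.get("externalRefs", []):
            rtype, url = ref["referenceType"], ref["referenceLocator"]
            for rule in rule_data.get("disallowed_external_references", []):   # disallowed_..._references
                if rule["type"] == rtype and re.search(rule["url"], url):
                    failures.append(f'Package {p} has reference "{url}" of type "{rtype}" which is disallowed')
            allowed = [r for r in rule_data.get("allowed_external_references", []) if r["type"] == rtype]
            if allowed and not any(re.search(r["url"], url) for r in allowed):   # allowed_..._references
                failures.append(f'Package {p} has reference "{url}" of type "{rtype}" which is not explicitly allowed')
        if ("cachi2:found_by", "cachi2") in attrs:                   # allowed_package_sources
            for ref in pkg.get("externalRefs", []):
                if ref["referenceType"] == "purl":
                    continue
                url = ref["referenceLocator"]
                if not any(re.search(pat, url) for pat in rule_data.get("allowed_package_sources", [])):
                    failures.append(f'Package {p} fetched by cachi2 was sourced from "{url}" which is not allowed')
    return failures


if __name__ == "__main__":
    for line in check_sbom(SBOM, RULE_DATA, "sha256:1111"):
        print("FAILURE:", line)
```

With the constructed data the run reports five failures: the disallowed left-pad purl, its disallowed attribute, its plaintext-http distribution reference (both disallowed and not explicitly allowed), and the cachi2-fetched requests package whose source is rejected because allowed_package_sources is empty by default. Adding a pattern to allowed_package_sources clears that last one, which is the behaviour the rule description above calls out.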