OpenShift Bugs / OCPBUGS-62912

Violations of Konflux policy detected when using registry-standard tests


    • Quality / Stability / Reliability
    • Agent Sprint 278
    • 1
    • In Progress
    • Release Note Not Required

      When enabling the registry-standard suite of tests for the IntegrationTestScenario, the following violations were reported:

      Results:
      ✕ [Violation] buildah_build_task.platform_param
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: PLATFORM parameter value "linux-root/amd64" is disallowed by regex ".*root.*"
        Title: PLATFORM parameter
        Description: Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed
        patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. If empty, all values are
        allowed. To exclude this rule add "buildah_build_task.platform_param" to the `exclude` section of the policy configuration.
        Solution: Use a different PLATFORM value that is not disallowed by the policy config.
      
      ✕ [Violation] buildah_build_task.privileged_nested_param
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: setting PRIVILEGED_NESTED parameter to true is not allowed
        Title: PRIVILEGED_NESTED parameter
        Description: Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`. To exclude this rule add
        "buildah_build_task.privileged_nested_param" to the `exclude` section of the policy configuration.
        Solution: Setting PRIVILEGED_NESTED parameter to true is not allowed for most container image builds. Either set the parameter
        value to false or use a policy config that excludes this policy rule.
      
      ✕ [Violation] hermetic_task.hermetic
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: Task 'buildah-remote-oci-ta' was not invoked with the hermetic parameter set
        Title: Task called with hermetic param set
        Description: Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution
        hermetic. To exclude this rule add "hermetic_task.hermetic" to the `exclude` section of the policy configuration.
        Solution: Make sure the task has the input parameter 'HERMETIC' set to 'true'.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "com.redhat.component" label is missing. Label description: The Bugzilla component name where bugs against
        this container should be reported by users.
        Term: com.redhat.component
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:com.redhat.component" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "description" label is missing. Label description: Detailed description of the image.
        Term: description
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:description" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "distribution-scope" label is missing. Label description: Scope of intended distribution of the image.
        (private/authoritative-source-only/restricted/public).
        Term: distribution-scope
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:distribution-scope" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "io.k8s.description" label is missing. Label description: Description of the container displayed in
        Kubernetes.
        Term: io.k8s.description
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:io.k8s.description" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "name" label is missing. Label description: Name of the Image or Container.
        Term: name
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add "labels.required_labels:name"
        to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "release" label is missing. Label description: Release Number for this version.
        Term: release
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:release" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "url" label is missing. Label description: A URL where the user can find more information about the image.
        Term: url
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add "labels.required_labels:url"
        to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "vendor" label is missing. Label description: Name of the vendor.
        Term: vendor
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:vendor" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The required "version" label is missing. Label description: Version of the image.
        Term: version
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:version" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] source_image.exists
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: No source image references found
        Title: Exists
        Description: Verify the source container image exists. To exclude this rule add "source_image.exists" to the `exclude` section
        of the policy configuration.
      
      ✕ [Violation] tasks.required_tasks_found
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: Required task "clair-scan" is missing
        Term: clair-scan
        Title: All required tasks were included in the pipeline
        Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add
        "tasks.required_tasks_found:clair-scan" to the `exclude` section of the policy configuration.
        Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
        https://conforma.dev/docs/cli/configuration.html#_data_sources under the key 'required-tasks'.
      
      ✕ [Violation] tasks.required_tasks_found
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: One of "source-build", "source-build-oci-ta" tasks is missing
        Terms: source-build, source-build-oci-ta
        Title: All required tasks were included in the pipeline
        Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or
        more of "tasks.required_tasks_found:source-build", "tasks.required_tasks_found:source-build-oci-ta" to the `exclude` section of
        the policy configuration.
        Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
        https://conforma.dev/docs/cli/configuration.html#_data_sources under the key 'required-tasks'.
      
      ✕ [Violation] test.no_erred_tests
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a test erred
        Term: ecosystem-cert-preflight-checks
        Title: No tests erred
        Description: Produce a violation if any tests have their result set to "ERROR". The result type is configurable by the
        "erred_tests_results" key in the rule data. To exclude this rule add "test.no_erred_tests:ecosystem-cert-preflight-checks" to
        the `exclude` section of the policy configuration.
        Solution: There is a test that erred. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not
        err. More information about the test should be available in the logs for the build Pipeline.
      
      ✕ [Violation] test.no_skipped_tests
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:a611ad4b58c973dc4437c854da2eda506a6c15e486a13523fb4b76a920e622e8
        Reason: The Task "sast-snyk-check-oci-ta" from the build Pipeline reports a test was skipped
        Term: sast-snyk-check-oci-ta
        Title: No tests were skipped
        Description: Produce a violation if any tests have their result set to "SKIPPED". A skipped result means a pre-requirement for
        executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by
        the "skipped_tests_results" key in the rule data. To exclude this rule add "test.no_skipped_tests:sast-snyk-check-oci-ta" to the
        `exclude` section of the policy configuration.
        Solution: There is a test that was skipped. Make sure that each task with a result named 'TEST_OUTPUT' was not skipped. You can
        find which test was skipped by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be
        available in the logs for the build Pipeline.
      
      ✕ [Violation] base_image_registries.base_image_permitted
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: Base image "registry.ci.openshift.org/ocp/4.21@sha256:549aada9a03130e243c5e40c7244bdbb06319fbce5f84db50e8f5c303ef4a209"
        is from a disallowed registry
        Term: registry.ci.openshift.org/ocp/4.21
        Title: Base image comes from permitted registry
        Description: Verify that the base images used when building a container image come from a known set of trusted registries to
        reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained
        by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the
        `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed
        since EC will also validate those images individually. To exclude this rule add
        "base_image_registries.base_image_permitted:registry.ci.openshift.org/ocp/4.21" to the `exclude` section of the policy
        configuration. To exclude this rule add "base_image_registries.base_image_permitted:registry.ci.openshift.org/ocp/4.21" to the
        `exclude` section of the policy configuration.
        Solution: Make sure the image used in each task comes from a trusted registry. The list of trusted registries is a configurable
        https://conforma.dev/docs/cli/configuration.html#_data_sources.
      
      ✕ [Violation] base_image_registries.base_image_permitted
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: Base image "registry.ci.openshift.org/ocp/4.21@sha256:549aada9a03130e243c5e40c7244bdbb06319fbce5f84db50e8f5c303ef4a209"
        is from a disallowed registry
        Term: registry.ci.openshift.org/ocp/4.21
        Title: Base image comes from permitted registry
        Description: Verify that the base images used when building a container image come from a known set of trusted registries to
        reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained
        by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the
        `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed
        since EC will also validate those images individually. To exclude this rule add
        "base_image_registries.base_image_permitted:registry.ci.openshift.org/ocp/4.21" to the `exclude` section of the policy
        configuration. To exclude this rule add "base_image_registries.base_image_permitted:registry.ci.openshift.org/ocp/4.21" to the
        `exclude` section of the policy configuration.
        Solution: Make sure the image used in each task comes from a trusted registry. The list of trusted registries is a configurable
        https://conforma.dev/docs/cli/configuration.html#_data_sources.
      
      ✕ [Violation] buildah_build_task.platform_param
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: PLATFORM parameter value "linux-root/amd64" is disallowed by regex ".*root.*"
        Title: PLATFORM parameter
        Description: Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed
        patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. If empty, all values are
        allowed. To exclude this rule add "buildah_build_task.platform_param" to the `exclude` section of the policy configuration.
        Solution: Use a different PLATFORM value that is not disallowed by the policy config.
      
      ✕ [Violation] buildah_build_task.privileged_nested_param
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: setting PRIVILEGED_NESTED parameter to true is not allowed
        Title: PRIVILEGED_NESTED parameter
        Description: Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`. To exclude this rule add
        "buildah_build_task.privileged_nested_param" to the `exclude` section of the policy configuration.
        Solution: Setting PRIVILEGED_NESTED parameter to true is not allowed for most container image builds. Either set the parameter
        value to false or use a policy config that excludes this policy rule.
      
      ✕ [Violation] cve.cve_results_found
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: Clair CVE scan results were not found
        Title: CVE scan results found
        Description: Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline. To
        exclude this rule add "cve.cve_results_found" to the `exclude` section of the policy configuration.
        Solution: Make sure there is a successful task in the build pipeline that runs a Clair scan.
      
      ✕ [Violation] hermetic_task.hermetic
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: Task 'buildah-remote-oci-ta' was not invoked with the hermetic parameter set
        Title: Task called with hermetic param set
        Description: Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution
        hermetic. To exclude this rule add "hermetic_task.hermetic" to the `exclude` section of the policy configuration.
        Solution: Make sure the task has the input parameter 'HERMETIC' set to 'true'.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "com.redhat.component" label is missing. Label description: The Bugzilla component name where bugs against
        this container should be reported by users.
        Term: com.redhat.component
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:com.redhat.component" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "description" label is missing. Label description: Detailed description of the image.
        Term: description
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:description" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "distribution-scope" label is missing. Label description: Scope of intended distribution of the image.
        (private/authoritative-source-only/restricted/public).
        Term: distribution-scope
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:distribution-scope" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "io.k8s.description" label is missing. Label description: Description of the container displayed in
        Kubernetes.
        Term: io.k8s.description
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:io.k8s.description" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "name" label is missing. Label description: Name of the Image or Container.
        Term: name
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add "labels.required_labels:name"
        to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "release" label is missing. Label description: Release Number for this version.
        Term: release
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:release" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "url" label is missing. Label description: A URL where the user can find more information about the image.
        Term: url
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add "labels.required_labels:url"
        to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "vendor" label is missing. Label description: Name of the vendor.
        Term: vendor
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:vendor" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] labels.required_labels
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The required "version" label is missing. Label description: Version of the image.
        Term: version
        Title: Required labels
        Description: Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the
        list of labels to check, or the `fbc_required_labels` key for fbc images. To exclude this rule add
        "labels.required_labels:version" to the `exclude` section of the policy configuration.
        Solution: Update the image build process to set the required labels.
      
      ✕ [Violation] source_image.exists
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: No source image references found
        Title: Exists
        Description: Verify the source container image exists. To exclude this rule add "source_image.exists" to the `exclude` section
        of the policy configuration.
      
      ✕ [Violation] tasks.required_tasks_found
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: Required task "clair-scan" is missing
        Term: clair-scan
        Title: All required tasks were included in the pipeline
        Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add
        "tasks.required_tasks_found:clair-scan" to the `exclude` section of the policy configuration.
        Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
        https://conforma.dev/docs/cli/configuration.html#_data_sources under the key 'required-tasks'.
      
      ✕ [Violation] tasks.required_tasks_found
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: One of "source-build", "source-build-oci-ta" tasks is missing
        Terms: source-build, source-build-oci-ta
        Title: All required tasks were included in the pipeline
        Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or
        more of "tasks.required_tasks_found:source-build", "tasks.required_tasks_found:source-build-oci-ta" to the `exclude` section of
        the policy configuration.
        Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
        https://conforma.dev/docs/cli/configuration.html#_data_sources under the key 'required-tasks'.
      
      ✕ [Violation] test.no_erred_tests
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a test erred
        Term: ecosystem-cert-preflight-checks
        Title: No tests erred
        Description: Produce a violation if any tests have their result set to "ERROR". The result type is configurable by the
        "erred_tests_results" key in the rule data. To exclude this rule add "test.no_erred_tests:ecosystem-cert-preflight-checks" to
        the `exclude` section of the policy configuration.
        Solution: There is a test that erred. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not
        err. More information about the test should be available in the logs for the build Pipeline.
      
      ✕ [Violation] test.no_skipped_tests
        ImageRef: quay.io/redhat-user-workloads/ocp-agent-based-installer-tenant/ove-ui-iso@sha256:538f4b60df5fa3bc57ce8a74b564cd27831476238cfc2fcb43bf670b9cb13c33
        Reason: The Task "sast-snyk-check-oci-ta" from the build Pipeline reports a test was skipped
        Term: sast-snyk-check-oci-ta
        Title: No tests were skipped
        Description: Produce a violation if any tests have their result set to "SKIPPED". A skipped result means a pre-requirement for
        executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by
        the "skipped_tests_results" key in the rule data. To exclude this rule add "test.no_skipped_tests:sast-snyk-check-oci-ta" to the
        `exclude` section of the policy configuration.
        Solution: There is a test that was skipped. Make sure that each task with a result named 'TEST_OUTPUT' was not skipped. You can
        find which test was skipped by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be
        available in the logs for the build Pipeline.
      
      
      

              bfournie@redhat.com Robert Fournier
              Manoj Hans Manoj Hans