Loading...

Type: Task
Resolution: Done
Priority: Blocker
Fix Version/s: 1.6.0, 1.7.0
Affects Version/s: 1.6.0
Component/s: Build
Labels:
None

Story Points:
2
Epic Link:
RHDH Hermetic Builds
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
RHDH Core Platform 3272

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

✕ [Violation] sbom_spdx.allowed_package_sources
  Package
  pkg:generic/chromium-headless-shell-linux.zip?checksum=sha256:3536f44d07d251389a57be819cdb2ea724c5c9b6b1eb0eddd8a37c547cc05234&download_url=https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-headless-shell-linux.zip
  fetched by cachi2 was sourced from
  "https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-headless-shell-linux.zip" 
 By default, allowed_package_sources is empty, which means no components with such
  references are allowed. To exclude this rule add
  "sbom_spdx.allowed_package_sources:pkg:generic/chromium-headless-shell-linux.zip?checksum=sha256:3536f44d07d251389a57be819cdb2ea724c5c9b6b1eb0eddd8a37c547cc05234&download_url=https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-headless-shell-linux.zip"
  to the `exclude` section of the policy

✕ [Violation] sbom_spdx.allowed_package_sources
  Package
  pkg:generic/chromium-linux.zip?checksum=sha256:cadb84ee9dd3b3a5ce435175c2e39c585c90457292358534acf6e6f2f1fa248d&download_url=https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-linux.zip
  fetched by cachi2 was sourced from
  "https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-linux.zip" which is not allowed
  Title: Allowed package sources
  Description: For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the
  allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such
  references are allowed. To exclude this rule add
  "sbom_spdx.allowed_package_sources:pkg:generic/chromium-linux.zip?checksum=sha256:cadb84ee9dd3b3a5ce435175c2e39c585c90457292358534acf6e6f2f1fa248d&download_url=https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1155/chromium-linux.zip"
  to the `exclude` section of the policy

✕ [Violation] sbom_spdx.allowed_package_sources
  Package
  pkg:generic/ffmpeg-linux.zip?checksum=sha256:ebc74fc5b94830176a3c2914ae96bd8bc7f6a91f4f33890230f84a172ee61ccc&download_url=https://playwright.azureedge.net/builds/ffmpeg/1011/ffmpeg-linux.zip
  fetched by cachi2 was sourced from "https://playwright.azureedge.net/builds/ffmpeg/1011/ffmpeg-linux.zip" which is not allowed
  Title: Allowed package sources
  Description: For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the
  allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such
  references are allowed. To exclude this rule add
  "sbom_spdx.allowed_package_sources:pkg:generic/ffmpeg-linux.zip?checksum=sha256:ebc74fc5b94830176a3c2914ae96bd8bc7f6a91f4f33890230f84a172ee61ccc&download_url=https://playwright.azureedge.net/builds/ffmpeg/1011/ffmpeg-linux.zip"
  to the `exclude` section of the policy

✕ [Violation] sbom_spdx.allowed_package_sources
  Package
  pkg:generic/node-v22.13.1-headers.tar.gz?checksum=sha256:f9cde9ace585c3979f1b4ee247914f35fae6e7b7eabc6a40961f89ad39e78964&download_url=https://nodejs.org/download/release/v22.13.1/node-v22.13.1-headers.tar.gz
  fetched by cachi2 was sourced from "https://nodejs.org/download/release/v22.13.1/node-v22.13.1-headers.tar.gz" 
 By default, allowed_package_sources is empty, which means no components with such
  references are allowed. To exclude this rule add
  "sbom_spdx.allowed_package_sources:pkg:generic/node-v22.13.1-headers.tar.gz?checksum=sha256:f9cde9ace585c3979f1b4ee247914f35fae6e7b7eabc6a40961f89ad39e78964&download_url=https://nodejs.org/download/release/v22.13.1/node-v22.13.1-headers.tar.gz"
  to the `exclude` section of the policy

✕ [Violation] sbom_spdx.allowed_package_sources
  Package
  pkg:pypi/plantuml-markdown?checksum=sha256:a487c2312a53fe47a0947e8624290b2c8ea51e373140d02950531966b1db5caa&download_url=https://github.com/mikitex70/plantuml-markdown/archive/fcf62aa930708368ec1daaad8b5b5dbe1d1b2014.zip
  fetched by cachi2 was sourced from
  "https://github.com/mikitex70/plantuml-markdown/archive/fcf62aa930708368ec1daaad8b5b5dbe1d1b2014.zip" which is not allowed
  Title: Allowed package sources
  Description: For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the
  allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such
  references are allowed. To exclude this rule add
  "sbom_spdx.allowed_package_sources:pkg:pypi/plantuml-markdown?checksum=sha256:a487c2312a53fe47a0947e8624290b2c8ea51e373140d02950531966b1db5caa&download_url=https://github.com/mikitex70/plantuml-markdown/archive/fcf62aa930708368ec1daaad8b5b5dbe1d1b2014.zip"
  to the `exclude` section of the policy

clones

RHIDP-6754 handle ECP violation: unknown or disallowed repository_id

Closed

is cloned by

RHIDP-6756 handle ECP violation: binary pypi packages

Closed

links to

redhat-developer/rhdh#2728: chore: dockerfile: remove playwright browser deps we don't need downstream

redhat-developer/rhdh#2735: chore(deps): switch back to node-v22.13.1-headers which is the one in the nodejs-22 base image we're using (not yet latest 22.14.0); also add readme about how to keep things up to date (RHIDP-6755)

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide