From cdad88fb6bd7e48d7df12c93750a35b8de1ce24e Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Wed, 15 Jan 2025 15:03:44 -0500
Subject: [PATCH] Add a list of suppressed rpm repos
---
 hack/render-known-rpm-repositories.sh | 21 +++++++++++++++++++++
 hack/suppressed_rpm_repositories.yml | 7 +++++++
 hack/update-known-rpm-repositories.sh | 13 +------------
 hack/verify-data.sh | 4 +---
 4 files changed, 30 insertions(+), 15 deletions(-)
 create mode 100755 hack/render-known-rpm-repositories.sh
 create mode 100644 hack/suppressed_rpm_repositories.yml
diff --git a/hack/render-known-rpm-repositories.sh b/hack/render-known-rpm-repositories.sh
new file mode 100755
index 0000000..5988c56
--- /dev/null
+++ b/hack/render-known-rpm-repositories.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+cd "$(git rev-parse --show-toplevel)"
+
+BASE_URL='https://access.redhat.com/security/data/meta/v1/repository-to-cpe.json'
+
+export COMMENT='
+This file is automatically generated by hack/update-repository-to-cpe.sh. Do not update it directly.
+'
+
+curl -L "${BASE_URL}" | \
+ yq '.data |
+ [to_entries[].key] as $repos |
+ $repos + load("hack/extra_rpm_repositories.yml").extras | sort | unique as $repos |
+ $repos - load("hack/suppressed_rpm_repositories.yml").suppressed | sort | unique as $repos |
+ {"rule_data": {"known_rpm_repositories": $repos}} |
+ . head_comment=env(COMMENT)'
diff --git a/hack/suppressed_rpm_repositories.yml b/hack/suppressed_rpm_repositories.yml
new file mode 100644
index 0000000..9d6bdd0
--- /dev/null
+++ b/hack/suppressed_rpm_repositories.yml
@@ -0,0 +1,7 @@
+# Update this list for any repos that we be removed from the list of known repositories.
+#
+# As of KONFLUX-6218, put repositories here that we don't want people to use even though they do appear in the cpe mapping file.
+
+suppressed:
+- ubi-9-appstream-rpms
+- ubi-9-baseos-rpms
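Review bot: In hack/render-known-rpm-repositories.sh, `curl -L "${BASE_URL}"` has no `--fail`, so an HTTP error response is still piped into yq with exit status 0 and `pipefail` never sees it; because this output becomes the `known_rpm_repositories` rule data, a bad fetch should abort instead of being rendered. I would write `curl --fail --silent --show-error --location --proto '=https' "${BASE_URL}" | \` so that error statuses fail the pipeline and a redirect cannot leave HTTPS. The generated header in `COMMENT` names `hack/update-repository-to-cpe.sh`, which is not one of the scripts in this patch; pointing it at `hack/update-known-rpm-repositories.sh` would tell readers what to run. The suppressed list is subtracted after the extras are added, so suppression wins over an entry in extra_rpm_repositories.yml, and a short comment above the yq program saying so would make that ordering deliberate.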
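Review bot: The header comment in hack/suppressed_rpm_repositories.yml has a typo ("that we be removed") and does not say what happens when a name listed here matches nothing. The render script applies this list by array subtraction, so a misspelled entry suppresses nothing and the repository presumably stays in the known list without any error. I would reword the first line to `# Update this list for any repos that should be removed from the list of known repositories.` and add `# Names must match the cpe mapping keys exactly; an entry that matches nothing is silently ignored.`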
diff --git a/hack/update-known-rpm-repositories.sh b/hack/update-known-rpm-repositories.sh
index 89d31f8..663c03a 100755
--- a/hack/update-known-rpm-repositories.sh
+++ b/hack/update-known-rpm-repositories.sh
@@ -6,15 +6,4 @@ set -o nounset
 
 cd "$(git rev-parse --show-toplevel)"
 
-BASE_URL='https://access.redhat.com/security/data/meta/v1/repository-to-cpe.json'
-
-export COMMENT='
-This file is automatically generated by hack/update-repository-to-cpe.sh. Do not update it directly.
-'
-
-curl -L "${BASE_URL}" | \
- yq '.data |
- [to_entries[].key] as $repos |
- $repos + load("hack/extra_rpm_repositories.yml").extras | sort | unique as $repos |
- {"rule_data": {"known_rpm_repositories": $repos}} |
- . head_comment=env(COMMENT)' > data/known_rpm_repositories.yml
+hack/render-known-rpm-repositories.sh > data/known_rpm_repositories.yml
diff --git a/hack/verify-data.sh b/hack/verify-data.sh
index ac61e5b..ae07618 100755
--- a/hack/verify-data.sh
+++ b/hack/verify-data.sh
@@ -7,9 +7,7 @@ set -o nounset
 cd "$(git rev-parse --show-toplevel)"
 
 # Verify known_rpm_repositories.yml has been updated with entries from extra_rpm_repositories.yml.
-outdated="$(comm -13 \
- <(yq .rule_data.known_rpm_repositories "data/known_rpm_repositories.yml" | sort -u) \
- <(yq .extras "hack/extra_rpm_repositories.yml" | sort -u))"
+outdated="$(./hack/render-known-rpm-repositories.sh | diff data/known_rpm_repositories.yml - || true)"
 if [[ -n "${outdated}" && "${outdated}" != "[]" ]]; then
 echo "Out of date items found:"
 echo "${outdated}"
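Review bot: The redirection on the added line of hack/update-known-rpm-repositories.sh truncates data/known_rpm_repositories.yml before the render script has produced anything, so a failed download or yq error leaves an empty or partial list in the working tree even though `errexit` stops the script. Rendering to a temporary file and copying it into place only after the render succeeds keeps the previous data intact on failure. The script's preamble sits above the hunk and is unchanged.

```shell
# … unchanged: strict-mode options and cd to the repository root …
tmp="$(mktemp)"
trap 'rm -f -- "${tmp}"' EXIT
hack/render-known-rpm-repositories.sh > "${tmp}"
cp -- "${tmp}" data/known_rpm_repositories.yml
```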
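Review bot: The `|| true` on the added `outdated=` line in hack/verify-data.sh discards every failure in the pipeline, not only diff's exit status 1: if diff exits 2 (for example because data/known_rpm_repositories.yml cannot be read) it prints only to stderr, `outdated` stays empty and the check passes. Capturing the render first lets its failure abort under `errexit`, and only status 1 from diff should be accepted: `rendered="$(./hack/render-known-rpm-repositories.sh)"` followed by `outdated="$(diff data/known_rpm_repositories.yml - <<<"${rendered}" || [[ $? -eq 1 ]])"`. The comment above the line still describes the old extras-only comparison, and the `!= "[]"` test no longer matches anything diff prints; the comment could read `# Verify known_rpm_repositories.yml matches a fresh render (cpe mapping + extras - suppressed).`. The `if` block continues past the end of the hunk.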