From 1b329ec8ef420e7f0e0a77b3f046a71ecd8cb9e3 Mon Sep 17 00:00:00 2001
From: Yashvardhan Nanavati
Date: Wed, 18 Dec 2024 11:45:04 -0800
Subject: [PATCH 1/2] feat: add Operator FIPS Compliance checks as required tasks CVP-4373. This commit adds fbc-fips-check as a required task to the FBC pipeline and fips-operator-bundle-check as a required task in the container pipeline. The commit also adds their repective TA versions.
Signed-off-by: Yashvardhan Nanavati
---
data/required_tasks.yml | 71 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/data/required_tasks.yml b/data/required_tasks.yml
index 383c15e..10c3e65 100644
--- a/data/required_tasks.yml
+++ b/data/required_tasks.yml
@@ -2,6 +2,14 @@
# https://enterprisecontract.dev/docs/ec-policies/release_policy.html#tasks_package
pipeline-required-tasks:
fbc:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+ - deprecated-image-check
+ - [fbc-fips-check, fbc-fips-check-oci-ta]
+ - [fbc-related-image-check, validate-fbc]
+ - [git-clone, git-clone-oci-ta]
+ - init
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
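Review bot: The new `fbc` entry makes `fbc-fips-check` a hard gate — it is not in the `informative_tests` list that the second commit extends — so from 2025-03-01 an FBC fragment that fails the check, or an `fbc` pipeline that does not run it at all, is blocked by the `tasks` package rather than merely warned, and nothing in this file records why this check is enforced while the bundle-level check is advisory. I would keep the reasoning from the second commit message next to the entry: `# fbc-fips-check is enforced (not informative): at FBC level the target OCP version is known, so the exception list can be applied`. The rest of the 2024-11-01 `fbc` list is outside the hunk, and the older `fbc` entry visible as context of the next hunk ends with `inspect-image` and `summary`; since a task omitted from the newest entry silently stops being required, it is worth confirming that every task still required on 2024-11-01 was carried into this list.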
@@ -29,6 +37,19 @@ pipeline-required-tasks:
- inspect-image
- summary
docker:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+ - clair-scan
+ - clamav-scan
+ - deprecated-image-check
+ - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+ - [git-clone, git-clone-oci-ta]
+ - init
+ - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+ - rpms-signature-scan
+ - [sast-snyk-check, sast-snyk-check-oci-ta]
+ - [source-build, source-build-oci-ta]
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
@@ -65,6 +86,19 @@ pipeline-required-tasks:
- source-build
- summary
generic:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+ - clair-scan
+ - clamav-scan
+ - deprecated-image-check
+ - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+ - [git-clone, git-clone-oci-ta]
+ - init
+ - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+ - rpms-signature-scan
+ - [sast-snyk-check, sast-snyk-check-oci-ta]
+ - [source-build, source-build-oci-ta]
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
@@ -101,6 +135,19 @@ pipeline-required-tasks:
- source-build
- summary
java:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - clair-scan
+ - clamav-scan
+ - deprecated-image-check
+ - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+ - [git-clone, git-clone-oci-ta]
+ - init
+ - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+ - rpms-signature-scan
+ - s2i-java
+ - [sast-snyk-check, sast-snyk-check-oci-ta]
+ - [source-build, source-build-oci-ta]
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- clair-scan
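Review bot: `fips-operator-bundle-check` is added as a required task of every `docker` build (and, in the parallel `generic`, `java` and `nodejs` entries, of every build on those pipelines), not only of operator-bundle builds, so from 2025-03-01 any build whose pipeline does not run the task fails the `tasks` required-task check regardless of what the task itself would report. The `informative_tests` entry in the second commit only downgrades the task's result; it does not make running the task optional, so the pipeline definitions need to carry the task before the effective date. A one-line comment above the entry would stop the next reader from assuming the task is advisory: `# must run on every container build; its result is informative (see informative_tests in rule_data.yml)`. Whether the task is a no-op for images that are not operator bundles is not visible here.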
@@ -137,6 +184,19 @@ pipeline-required-tasks:
- source-build
- summary
nodejs:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - clair-scan
+ - clamav-scan
+ - deprecated-image-check
+ - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+ - [git-clone, git-clone-oci-ta]
+ - init
+ - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+ - rpms-signature-scan
+ - s2i-nodejs
+ - [sast-snyk-check, sast-snyk-check-oci-ta]
+ - [source-build, source-build-oci-ta]
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- clair-scan
@@ -175,6 +235,17 @@ pipeline-required-tasks:
# https://enterprisecontract.dev/docs/ec-policies/release_policy.html#tasks_package
required-tasks:
+ - effective_on: "2025-03-01T00:00:00Z"
+ tasks:
+ - clair-scan
+ - clamav-scan
+ - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+ - [git-clone, git-clone-oci-ta]
+ - init
+ - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+ - rpms-signature-scan
+ - [sast-snyk-check, sast-snyk-check-oci-ta]
+ - [source-build, source-build-oci-ta]
- effective_on: "2024-11-01T00:00:00Z"
tasks:
- clair-scan
From a04eff4ad3d15c1d597433370f41b3fc2548f9b1 Mon Sep 17 00:00:00 2001
From: Yashvardhan Nanavati
Date: Sun, 22 Dec 2024 03:11:52 -0800
Subject: [PATCH 2/2] feat: add FIPS operator bundle checks as informative tests with fips-operator-bundle-check and fips-operator-bundle-check-ta being added as required tasks, they may fail even if the operator bundle is FIPS compliant for a specific OCP version. This is because on a bundle level, there's no way to determine the target OCP version for it and hence, we cannot apply the appropriate exception list during the check. This can only be determined when dealing with an FBC fragment. Hence, this commit adds the operator bundle check as informative.
Signed-off-by: Yashvardhan Nanavati
---
data/rule_data.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/data/rule_data.yml b/data/rule_data.yml
index b6fb554..9493900 100644
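Review bot: The fallback `required-tasks` list gains `fips-operator-bundle-check` but not `fbc-fips-check`, while the named `fbc` pipeline entry in the first hunk gets the enforced FBC check; if this list is what applies to a pipeline whose name is not in `pipeline-required-tasks` (the linked policy docs decide that, not this file), an FBC fragment built by such a pipeline only receives the advisory bundle-level check and no blocking FIPS gate. The asymmetry is probably intentional — the FBC check only makes sense for FBC fragments — but it should be stated so that it is not later "fixed" in either direction, e.g. `# fbc-fips-check is deliberately absent here: FBC fragments are expected to use the named fbc pipeline`. The earlier entries of this list are outside the hunk.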
--- a/data/rule_data.yml
+++ b/data/rule_data.yml
@@ -120,6 +120,8 @@ rule_data:
# https://enterprisecontract.dev/docs/ec-policies/release_policy.html#test_package
informative_tests:
+ - fips-operator-bundle-check
+ - fips-operator-bundle-check-oci-ta
- sast-snyk-check
- sast-snyk-check-oci-ta
- ecosystem-cert-preflight-checks
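Review bot: Listing `fips-operator-bundle-check` under `informative_tests` means a failing bundle-level FIPS check no longer blocks release, and the file gives no reason, so the next reader will read it as a plain waiver; I would keep the justification next to the two entries: `# advisory only: a bundle does not identify its target OCP version, so the exception list cannot be applied; the enforced check is fbc-fips-check at FBC level`. Note that after this change FIPS compliance is only enforced when the bundle is later shipped through an FBC fragment whose pipeline runs `fbc-fips-check`; a bundle released without going through that path gets no blocking FIPS check, which is worth stating explicitly if it is the intended model. The commit message names the TA variant `fips-operator-bundle-check-ta`, whereas the entry added here is `fips-operator-bundle-check-oci-ta`, which is the name used in the first commit's task lists.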