UNCLASSIFIED - NO CUI

Skip to content

Resolve "Add LABEL_ALLOWLIST_REGEX to pipeline"

Closes #230 (closed)

This MR allows additional labels in the hardening_manifest.yaml on per project after approval basis. additionalProperties not used because it allows all additional properties, whereas just using PatternProperties allows. Will need to add LABEL_ALLOWLIST_REGEX to CI variables for https://repo1.dso.mil/dsop/aqua-security/enterprise before merging.

Tested locally, with the following results:

export LABEL_ALLOWLIST_REGEX='^com\.aquasec[a-zA-Z0-9_.-]*$'

hardening_manifest.yaml with incorrect labels

  org.opencontainers.image.title: "console-5.3"
  ## Human-readable description of the software packaged in the image
  org.opencontainers.image.description: "Aqua Security Enterprise - console"
  ## License(s) under which contained software is distributed
  org.opencontainers.image.licenses: "proprietary"
  ## URL to find more information on the image
  # org.opencontainers.image.url: "FIXME"
  ## Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "Aqua Security"
  org.opencontainers.image.version: "5.3.21026-ubi8"
  ## Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "FIXME"
  ## This value can be "opensource" or "commercial"
  mil.dso.ironbank.image.type: "commercial"
  ## Product the image belongs to for grouping multiple images
  # mil.dso.ironbank.product.name: "FIXME"
  mil.dso.ironbank.foo.bar: "foobar"
  test.arbitrary: "something"
  com.aquasec: "test"
  com.aquasec..builddate: "2021-01-26T09:44:48"
  com.aquasec.c ommit: "3e586a1"
  com.aquasec. component: "console"
  com.aquasec.\nrelease: "5.3.0"
  com.aquasec./version: "5.3.0"
  com.aquasec.dod.commit: "a2831d5"
  com.aquasec.dod.builddate: "2021-02-12T01:23+02:00"
  com.aquasec.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.3"

hardening_manifest.yaml with correct labels

  org.opencontainers.image.title: "console-5.3"
  ## Human-readable description of the software packaged in the image
  org.opencontainers.image.description: "Aqua Security Enterprise - console"
  ## License(s) under which contained software is distributed
  org.opencontainers.image.licenses: "proprietary"
  ## URL to find more information on the image
  # org.opencontainers.image.url: "FIXME"
  ## Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "Aqua Security"
  org.opencontainers.image.version: "5.3.21026-ubi8"
  ## Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "FIXME"
  ## This value can be "opensource" or "commercial"
  mil.dso.ironbank.image.type: "commercial"
  ## Product the image belongs to for grouping multiple images
  # mil.dso.ironbank.product.name: "FIXME"
  com.aquasec: "sdaf"
  com.aquasec.builddate: "2021-01-26T09:44:48"
  com.aquasec.commit: "3e586a1"
  com.aquasec.component: "console"
  com.aquasec.release: "5.3.0"
  com.aquasec.version: "5.3.0"
  com.aquasec.dod.commit: "a2831d5"
  com.aquasec.dod.builddate: "2021-02-12T01:23+02:00"
  com.aquasec.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.3"

All incorrect labels included

ERROR: 'com.aquasec..builddate' does not match '^[a-z0-9]([.-]?[a-z0-9]+)*$'

builddate resolved

ERROR: 'com.aquasec.c ommit' does not match '^[a-z0-9]([.-]?[a-z0-9]+)*$'

builddate, commit resolved

ERROR: 'com.aquasec. component' does not match '^[a-z0-9]([.-]?[a-z0-9]+)*$'

builddate, commit, component resolved

ERROR: 'com.aquasec.\\nrelease' does not match '^[a-z0-9]([.-]?[a-z0-9]+)*$'

builddate, commit, component, release resolved

ERROR: 'com.aquasec./version' does not match '^[a-z0-9]([.-]?[a-z0-9]+)*$'

builddate, commit, component, release, version resolved

ERROR: 'mil.dso.ironbank.foo.bar', 'test.arbitrary' do not match any of the regexes: '^com\\.aquasec[a-zA-Z0-9_.-]*$'

builddate, commit, component, release, version, and non com.aquasec labels resolved

INFO: JSON is validated
Edited by Kenneth Maguire

Merge request reports