bug: wrong evaluation when there are multiple tags set for artifact_signature #961

Closed
rdimitrov opened this issue Sep 14, 2023 · 1 comment · Fixed by #1030

@rdimitrov
Member

Describe the bug

The policy status is incorrect when we set more than 1 tag in a policy using the artifact_signature rule.

To Reproduce

Steps to reproduce the behavior:

  1. Start Mediator
  2. Register it to a repository producing signed artifacts
  3. Set and create a policy using the artifact_signature rule configured with more than 1 tag, i.e. tags: [main, latest]
  4. Build, publish, sign the image from the registry with just a single tag, i.e. main only
  5. Evaluate the policy status

Expected behavior

In the case above it should have failed; instead, it passed.

Part of the fix is to update the way we compare the tags in https://github.com/stacklok/mediator/blob/f362a4632e176613c89bc01219d8464e42f01bd4/internal/engine/ingester/artifact/artifact.go#L113 to HasAll.

Another use case where it failed (with the above-mentioned change) is:

  • build an image with the correct set of tags, i.e. [main,prod,latest]
  • have a policy configured to check for [main,prod]
  • evaluating it passes and it's okay
  • then we build and push and sign a new image containing only one of the tags, i.e. main
  • evaluating the same policy still shows as successful when it shouldn't have (main tag is now tailored to another image)


@rdimitrov rdimitrov added bug Something isn't working go Pull requests that update Go code labels Sep 14, 2023
@rdimitrov rdimitrov self-assigned this Sep 14, 2023
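The two cases in the report, reproduced as an added example (not Mediator's code). `Registry`, `push`, `snapshot` and `passes` are hypothetical names, the digests are constructed, every image is assumed signed, and the lenient any-tag comparison is an assumption about the behaviour before the `HasAll` change.

```go
package main

import "fmt"

// Registry maps each tag to the digest it currently points at. A tag points
// at one image at a time, so pushing an existing tag moves it.
type Registry map[string]string

// push publishes an image (assumed signed) under the given tags.
func push(reg Registry, digest string, tags ...string) {
	for _, t := range tags {
		reg[t] = digest
	}
}

// snapshot copies the registry state, standing in for cached tag data.
func snapshot(reg Registry) Registry {
	c := Registry{}
	for t, d := range reg {
		c[t] = d
	}
	return c
}

// passes reports whether one image satisfies the policy tags. strict=false:
// any matching tag is enough; strict=true: all tags resolve to one digest.
func passes(reg Registry, want []string, strict bool) bool {
	perDigest := map[string]int{}
	for _, t := range want {
		if d, ok := reg[t]; ok {
			perDigest[d]++
		}
	}
	for _, n := range perDigest {
		if n == len(want) || !strict {
			return true
		}
	}
	return false
}

func main() {
	reg := Registry{}
	push(reg, "sha256:aaa", "main", "prod", "latest") // constructed digests
	cached := snapshot(reg)
	push(reg, "sha256:bbb", "main") // main moves to the new image
	policy := []string{"main", "prod"}
	fmt.Println(passes(cached, policy, true), passes(reg, policy, true))
}
```

The strict check only gives the expected failure when it runs against the registry's current tag assignments; run against the earlier snapshot, it still passes after `main` has moved.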
@rdimitrov
Member Author

Related to #831
