# Sigstore policy-controller ClusterImagePolicy for the Log4Shell demo.
# Images matching the glob below are admitted only if they carry a
# keyless-signed SBOM attestation (CycloneDX / SPDX predicates listed under
# `attestations`) whose package list contains no log4j-api / log4j-core at
# one of the versions enumerated in `log4shell_versions`. Each `data: |`
# block is a CUE program that is unified with the attestation predicate; a
# unification conflict is what rejects the image.
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: log4shell-demo-policy
spec:
  images:
  # Scope: only images under this registry path are evaluated by this policy.
  - glob: "ghcr.io/chainguard-dev/log4shell-demo/*"
  authorities:
  - name: keyatt
    keyless:
      url: "https://fulcio.sigstore.dev"
      # Identity constraints on the Fulcio certificate that signed the
      # attestation. ".*" for both issuer and subject accepts any OIDC issuer
      # and any subject, i.e. any certificate Fulcio will issue. That is
      # adequate for a demo; a production policy pins the expected issuer and
      # subject (for example a specific CI workflow identity).
      identities:
      - issuerRegExp: ".*"
        subjectRegExp: ".*"
    # NOTE(review): whether the image must carry both attestations below or
    # one is sufficient follows policy-controller's semantics — confirm
    # against the version deployed.
    attestations:
    - predicateType: cyclonedx
      name: log4shellcyclonedx
      # CUE policy over a CycloneDX predicate. `components: [...{...}]`
      # constrains every element of `predicate.Data.components`; the bare
      # `name: name` / `version: version` lines appear to bring the
      # component's own fields into scope for the `if` (verify against CUE
      # reference rules). When a component's name AND version both appear in
      # the lists, the branch sets `name: err`, a second concrete value for
      # the same field, so unification fails and the joined "Error: ..."
      # text surfaces in the conflict error. Matching is exact, case-sensitive
      # string equality via list.Contains: a version spelled with a qualifier
      # or suffix, or a name carrying a group prefix, is not caught.
      # NOTE(review): a component lacking `version` presumably cannot satisfy
      # the condition and is not flagged — confirm.
      policy:
        type: cue
        data: |
          import (
            "list"
            "strings"
          )
          let log4shell_names = [
            "log4j-api", "log4j-core"
          ]
          let log4shell_versions = [
            "2.0-beta9", "2.0-rc1", "2.0-rc2", "2.0", "2.0.1",
            "2.0.2", "2.1", "2.2", "2.3", "2.4", "2.4.1", "2.5",
            "2.6", "2.6.1", "2.6.2", "2.7", "2.8", "2.8.1",
            "2.8.2", "2.9.0", "2.9.1","2.10.0", "2.11.0", "2.11.1",
            "2.11.2", "2.12.0", "2.12.1", "2.13.0", "2.13.1",
            "2.13.2", "2.13.3", "2.14.0", "2.14.1", "2.15.0"
          ]
          predicate: {
            Data: {
              components: [...{
                name: name
                version: version
                if list.Contains(log4shell_names, name) &&
                  list.Contains(log4shell_versions, version) {
                  err: strings.Join([
                    "Error: CycloneDX SBOM contains package",
                    name, "version", version, "which is",
                    "vulnerable to Log4Shell (CVE-2021-44228)"
                  ], " ")
                  name: err
                }
              }]
            }
          }
    - predicateType: spdxjson
      name: log4shellspdxjson
      # Same check as the CycloneDX policy above, applied to an SPDX JSON
      # predicate: it walks `predicate.Data.packages` and compares `name` and
      # `versionInfo` (SPDX's version field) against the same two lists, with
      # the same exact-string matching and the same `name: err` conflict used
      # to fail unification. The two name/version lists are duplicated here
      # rather than shared, so keep them in sync when either is edited.
      # NOTE(review): some SPDX generators emit package names with an
      # ecosystem or group prefix rather than the bare artifact name — verify
      # the names produced by the SBOM tool in use match `log4shell_names`.
      policy:
        type: cue
        data: |
          import (
            "list"
            "strings"
          )
          let log4shell_names = [
            "log4j-api", "log4j-core"
          ]
          let log4shell_versions = [
            "2.0-beta9", "2.0-rc1", "2.0-rc2", "2.0", "2.0.1",
            "2.0.2", "2.1", "2.2", "2.3", "2.4", "2.4.1", "2.5",
            "2.6", "2.6.1", "2.6.2", "2.7", "2.8", "2.8.1",
            "2.8.2", "2.9.0", "2.9.1","2.10.0", "2.11.0", "2.11.1",
            "2.11.2", "2.12.0", "2.12.1", "2.13.0", "2.13.1",
            "2.13.2", "2.13.3", "2.14.0", "2.14.1", "2.15.0"
          ]
          predicate: {
            Data: {
              packages: [...{
                name: name
                versionInfo: versionInfo
                if list.Contains(log4shell_names, name) &&
                  list.Contains(log4shell_versions, versionInfo) {
                  err: strings.Join([
                    "Error: SPDX SBOM contains package",
                    name, "version", versionInfo, "which is",
                    "vulnerable to Log4Shell (CVE-2021-44228)"
                  ], " ")
                  name: err
                }
              }]
            }
          }