fix: ignore gpg-pubkey package

This rpm is never signed. It delivers the public key used to validate all other packages. It is present in the sbom, but the container catalog gets confused when it is present. As an unsigned rpm, it displays it as "excluded" from security scans. Rather than claim that it is signed, let's exclude it from the manifest uploaded to pyxis. Signed-off-by: Ralph Bean <[email protected]>
konflux-ci · Nov 13, 2024 · e45fecb · e45fecb
1 parent cd8822f
commit e45fecb
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/pyxis/test_upload_rpm_data.py b/pyxis/test_upload_rpm_data.py
@@ -102,6 +102,14 @@
             }
         ]
     },
+    {  # with redhat namespace, but special gpg-pubkey rpm
+        "externalRefs": [
+            {
+                "referenceType": "purl",
+                "referenceLocator": "pkg:rpm/redhat/gpg-pubkey@abcd-efgh?arch=noarch",
+            }
+        ]
+    },
 ]
 
 

diff --git a/pyxis/upload_rpm_data.py b/pyxis/upload_rpm_data.py
@@ -32,6 +32,7 @@
 import pyxis
 
 LOGGER = logging.getLogger("upload_rpm_data")
+IGNORED_PACKAGES = ["gpg-pubkey"]
 
 
 def upload_container_rpm_data_with_retry(
@@ -237,6 +238,8 @@ def construct_rpm_items_and_content_sets(
             purl_dict = PackageURL.from_string(externalRef["referenceLocator"]).to_dict()
             if purl_dict["type"] != "rpm":
                 continue
+            if purl_dict["name"] in IGNORED_PACKAGES:
+                continue
             rpm_item = {
                 "name": purl_dict["name"],
                 "summary": purl_dict["name"],