konflux-ci · johnbieren · Feb 28, 2025 · Feb 27, 2025
@@ -13,5 +13,8 @@ OSIDB for each CVE present. If the type is not RHSA, no action will be performed
 | taskGitUrl               | The url to the git repo where the release-service-catalog tasks to be used are stored     | No       | -             |
 | taskGitRevision          | The revision in the taskGitUrl repo to be used                                            | No       | -             |
 
+## Changes in 0.1.2
+* Update the task to fail if the type is RHSA and no CVEs are provided
+
 ## Changes in 0.1.1
 * If a non RHSA type is provided, remove the severity key in case the user provided it
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: set-advisory-severity
   labels:
-    app.kubernetes.io/version: "0.1.1"
+    app.kubernetes.io/version: "0.1.2"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -46,7 +46,8 @@ spec:
             exit 1
         fi
 
-        if [[ "$(jq -r '.releaseNotes.type' "${DATA_FILE}")" != "RHSA" ]] ; then
+        advisoryType=$(jq -r '.releaseNotes.type' "${DATA_FILE}")
+        if [[ "$advisoryType" != "RHSA" ]] ; then
             echo "Advisory is not of type RHSA. Not setting severity"
             if [ "$(jq '.releaseNotes | has("severity")' "${DATA_FILE}")" == "true" ] ; then
               echo "User provided severity key for non RHSA advisory. Removing it"
@@ -55,6 +56,14 @@ spec:
             exit 0
         fi
 
+        # Ensure RHSA is only used if CVEs are provided
+        NUM_CVES=$(jq '[.releaseNotes.content.images[]?.cves.fixed // [] | length] | add' "${DATA_FILE}")
+        if [[ "$advisoryType" == "RHSA" ]] && [[ "$NUM_CVES" -eq 0 ]] ; then
+            echo "Provided advisory type is RHSA, but no fixed CVEs were listed"
+            echo "RHSA should only be used if CVEs are fixed in the advisory. Failing..."
+            exit 1
+        fi
+
         PIPELINERUN_LABEL="internal-services.appstudio.openshift.io/pipelinerun-uid"
 
         RELEASENOTESIMAGES=$(jq -c '.releaseNotes.content.images' "${DATA_FILE}")

@@ -0,0 +1,59 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: test-set-advisory-severity-rhsa-no-cves
+  annotations:
+    test/assert-task-failure: "run-task"
+spec:
+  description: |
+    Test for set-advisory-severity where the releaseNotes.type is RHSA but no cves are listed.
+    The task should fail
+  workspaces:
+    - name: tests-workspace
+  tasks:
+    - name: setup
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        workspaces:
+          - name: data
+        steps:
+          - name: setup-values
+            image: quay.io/konflux-ci/release-service-utils:0b2f257d7a5c2a881c36c23f8ae3cd5e89db593a
+            script: |
+              #!/usr/bin/env sh
+              set -eux
+
+              cat > "$(workspaces.data.path)"/data.json << EOF
+              {
+                "releaseNotes": {
+                  "type": "RHSA",
+                  "content": {
+                    "images": [
+                      {
+                        "containerImage": "foo"
+                      }
+                    ]
+                  }
+                }
+              }
+              EOF
+    - name: run-task
+      taskRef:
+        name: set-advisory-severity
+      params:
+        - name: dataPath
+          value: data.json
+        - name: pipelineRunUid
+          value: $(context.pipelineRun.uid)
+        - name: taskGitUrl
+          value: "http://localhost"
+        - name: taskGitRevision
+          value: "main"
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      runAfter:
+        - setup