add policy rule to check Hermeto permissive mode

This commit adds a new policy rule in the `prefetch_dependencies`
directory which checks the `mode` parameter to see if it is set to
`permissive`. If so, it will throw a violation. Additionally, this
policy rule is added to the `@redhat` collection.

Ref: EC-1531
Co-authored-by: Claude <[email protected]>
Signed-off-by: robnester-rh <[email protected]>

Author: robnester-rh

antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc

@@ -0,0 +1,21 @@
+= Prefetch Dependencies Task Package
+
+This package verifies that the prefetch-dependencies task is invoked with appropriate parameters to ensure secure dependency fetching.
+
+== Package Name
+
+* `prefetch_dependencies`
+
+== Rules Included
+
+[#prefetch_dependencies__mode_not_permissive]
+=== link:#prefetch_dependencies__mode_not_permissive[Prefetch dependencies mode parameter check]
+
+Verify the prefetch-dependencies task in the PipelineRun attestation was not invoked with the "permissive" mode parameter, which could compromise security.
+
+*Solution*: Change the mode parameter of the prefetch-dependencies task from 'permissive' to a more secure value. The permissive mode may allow insecure dependency fetching practices.
+
+* Rule type: [rule-type-indicator failure]#FAILURE#
+* FAILURE message: `Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'`
+* Code: `prefetch_dependencies.mode_not_permissive`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/prefetch_dependencies/prefetch_dependencies.rego#L15[Source, window="_blank"]

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -140,6 +140,7 @@ Rules included:
 * xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__valid_pre_build_script_task_runner_image_ref[Pre-build-script task checks: Script runner image is a valid image reference]        
 * xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__pre_build_script_task_runner_image_in_sbom[Pre-build-script task checks: Script runner image is included in the sbom]        
 * xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__pre_build_script_task_runner_image_in_results[Pre-build-script task checks: Script runner image is listed in the task results]        
+* xref:packages/release_prefetch_dependencies.adoc#prefetch_dependencies__mode_not_permissive[Prefetch Dependencies Task: Prefetch dependencies mode parameter check]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_source_matches_provenance[Provenance Materials: Git clone source matches materials provenance]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_task_found[Provenance Materials: Git clone task found]        
 * xref:packages/release_quay_expiration.adoc#quay_expiration__expires_label[Quay expiration: Expires label]        
@@ -381,6 +382,9 @@ a| Checks for Operator Lifecycle Manager (OLM) bundles.
 | xref:packages/release_pre_build_script_task.adoc[pre_build_script_task]
 a| This package verifies that the pre-build-script tasks in the attestation are executed in a controlled environment
 
+| xref:packages/release_prefetch_dependencies.adoc[prefetch_dependencies]
+a| This package verifies that the prefetch-dependencies task is invoked with appropriate parameters to ensure secure dependency fetching.
+
 | xref:packages/release_provenance_materials.adoc[provenance_materials]
 a| This package provides rules for verifying the contents of the materials section of the SLSA Provenance attestation.
 

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -74,6 +74,8 @@
 **** xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__valid_pre_build_script_task_runner_image_ref[Script runner image is a valid image reference]
 **** xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__pre_build_script_task_runner_image_in_sbom[Script runner image is included in the sbom]
 **** xref:packages/release_pre_build_script_task.adoc#pre_build_script_task__pre_build_script_task_runner_image_in_results[Script runner image is listed in the task results]
+*** xref:packages/release_prefetch_dependencies.adoc[Prefetch Dependencies Task]
+**** xref:packages/release_prefetch_dependencies.adoc#prefetch_dependencies__mode_not_permissive[Prefetch dependencies mode parameter check]
 *** xref:packages/release_provenance_materials.adoc[Provenance Materials]
 **** xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_source_matches_provenance[Git clone source matches materials provenance]
 **** xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_task_found[Git clone task found]

policy/release/prefetch_dependencies/prefetch_dependencies.rego

@@ -0,0 +1,40 @@
+#
+# METADATA
+# title: Prefetch Dependencies Task
+# description: >-
+#   This package verifies that the prefetch-dependencies task is invoked with
+#   appropriate parameters to ensure secure dependency fetching.
+#
+package prefetch_dependencies
+
+import rego.v1
+
+import data.lib
+import data.lib.tekton
+
+# METADATA
+# title: Prefetch dependencies mode parameter check
+# description: >-
+#   Verify the prefetch-dependencies task in the PipelineRun attestation was not
+#   invoked with the "permissive" mode parameter, which could compromise security.
+# custom:
+#   short_name: mode_not_permissive
+#   failure_msg: >-
+#     Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'
+#   solution: >-
+#     Change the mode parameter of the prefetch-dependencies task from 'permissive'
+#     to a more secure value. The permissive mode may allow insecure dependency
+#     fetching practices.
+#   collections:
+#   - redhat
+#   depends_on:
+#   - attestation_type.known_attestation_type
+#
+deny contains result if {
+	some attestation in lib.pipelinerun_attestations
+	some task in tekton.tasks(attestation)
+	some name in {"prefetch-dependencies", "prefetch-dependencies-oci-ta"}
+	name in tekton.task_names(task)
+	tekton.task_param(task, "mode") == "permissive"
+	result := lib.result_helper(rego.metadata.chain(), [])
+}

policy/release/prefetch_dependencies/prefetch_dependencies_test.rego

@@ -0,0 +1,77 @@
+package prefetch_dependencies_test
+
+import rego.v1
+
+import data.lib
+import data.prefetch_dependencies
+
+test_mode_permissive_violation if {
+	lib.assert_equal_results(prefetch_dependencies.deny, {{
+		"code": "prefetch_dependencies.mode_not_permissive",
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'",
+	}}) with input as _attestation("prefetch-dependencies", "permissive")
+}
+
+test_mode_not_permissive_pass if {
+	lib.assert_empty(prefetch_dependencies.deny) with input as _attestation("prefetch-dependencies", "strict")
+}
+
+test_missing_mode_param_pass if {
+	lib.assert_empty(prefetch_dependencies.deny) with input as _attestation_without_mode("prefetch-dependencies")
+}
+
+test_task_not_present_pass if {
+	lib.assert_empty(prefetch_dependencies.deny) with input as _attestation("some-other-task", "permissive")
+}
+
+test_oci_ta_mode_permissive_violation if {
+	lib.assert_equal_results(prefetch_dependencies.deny, {{
+		"code": "prefetch_dependencies.mode_not_permissive",
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'",
+	}}) with input as _attestation("prefetch-dependencies-oci-ta", "permissive")
+}
+
+test_oci_ta_mode_not_permissive_pass if {
+	lib.assert_empty(prefetch_dependencies.deny) with input as _attestation("prefetch-dependencies-oci-ta", "strict")
+}
+
+# Helper to create attestation with mode parameter
+_attestation(task_name, mode) := {"attestations": [{"statement": {
+	"_type": "https://in-toto.io/Statement/v0.1",
+	"subject": [{"name": "registry.redhat.io/ubi8/ubi:latest"}],
+	"predicateType": "https://slsa.dev/provenance/v0.2",
+	"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [{
+			"name": task_name,
+			"ref": {
+				"name": task_name,
+				"kind": "Task",
+			},
+			"invocation": {"parameters": {
+				"input": "$(params.prefetch-input)",
+				"mode": mode,
+			}},
+		}]},
+	},
+}}]}
+
+# Helper to create attestation without mode parameter
+_attestation_without_mode(task_name) := {"attestations": [{"statement": {
+	"_type": "https://in-toto.io/Statement/v0.1",
+	"subject": [{"name": "registry.redhat.io/ubi8/ubi:latest"}],
+	"predicateType": "https://slsa.dev/provenance/v0.2",
+	"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [{
+			"name": task_name,
+			"ref": {
+				"name": task_name,
+				"kind": "Task",
+			},
+			"invocation": {"parameters": {"input": "$(params.prefetch-input)"}},
+		}]},
+	},
+}}]}