Skip to content

Fix rpm_packages.unique_version to detect cross-arch RPM mismatches #1617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
joejstuart merged 1 commit into from
Jan 12, 2026
Merged

Fix rpm_packages.unique_version to detect cross-arch RPM mismatches #1617

joejstuart merged 1 commit into from
Jan 12, 2026
+126 −19

Conversation

@joejstuart
Copy link
Contributor

@joejstuart joejstuart commented Jan 9, 2026
edited
Loading

The unique_version rule was failing to detect RPM version differences
across architectures in multi-arch builds. The root cause was that each
arch-specific SBOM contains RPM entries for ALL architectures (from the
rpm lockfile), not just the packages actually installed on that platform.

When comparing platforms, the rule saw identical RPM sets because every
SBOM included the full lockfile. For example, the x86_64 SBOM contained
both tar-1.35-9.el10_1 (installed) and tar-1.35-7.el10 (lockfile entry
for arm64), making all platforms appear to have the same versions.

The fix filters RPMs to only include those with a "distro" qualifier,
which indicates the package is actually installed. Lockfile entries use
"repository_id" and "checksum" qualifiers instead, allowing us to
distinguish between installed packages and lockfile metadata.

Assisted-by: Claude opus 4.5

https://issues.redhat.com/browse/EC-1608

@codecov
Copy link

codecov bot commented Jan 9, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines Coverage Δ
policy/release/rpm_packages/rpm_packages.rego 100.00% <100.00%> (ø)
policy/release/rpm_packages/rpm_packages_test.rego 100.00% <100.00%> (ø)

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@simonbaird
Copy link
Member

simonbaird commented Jan 9, 2026

Jira ref?

@joejstuart
Fix rpm_packages.unique_version to detect cross-arch RPM mismatches
57f6009 
  The unique_version rule was failing to detect RPM version differences
  across architectures in multi-arch builds. The root cause was that each
  arch-specific SBOM contains RPM entries for ALL architectures (from the
  rpm lockfile), not just the packages actually installed on that platform.

  When comparing platforms, the rule saw identical RPM sets because every
  SBOM included the full lockfile. For example, the x86_64 SBOM contained
  both tar-1.35-9.el10_1 (installed) and tar-1.35-7.el10 (lockfile entry
  for arm64), making all platforms appear to have the same versions.

  The fix filters RPMs to only include those with a "distro" qualifier,
  which indicates the package is actually installed. Lockfile entries use
  "repository_id" and "checksum" qualifiers instead, allowing us to
  distinguish between installed packages and lockfile metadata.
@joejstuart
Copy link
Contributor Author

joejstuart commented Jan 9, 2026

Jira ref?

Added

@joejstuart joejstuart marked this pull request as draft January 9, 2026 19:00
@joejstuart
Copy link
Contributor Author

joejstuart commented Jan 9, 2026

Setting to draft while I find more test cases.

@joejstuart joejstuart marked this pull request as ready for review January 9, 2026 22:12
@joejstuart joejstuart merged commit 6e7faea into conforma:main Jan 12, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Acepresso Acepresso Acepresso approved these changes

Assignees

No one assigned

Labels

size: L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joejstuart @simonbaird @Acepresso