Investigate and resolve java.trusted_dependencies_source_list_provided Konflux rule policy violation #1690

@michael-valdron

/kind bug

Which area is this bug related to?

/area ci
/area registry

Bug Summary

Describe the bug:

At the time of writing, Konflux EC testing has recently started throwing a violation for the array `allowed_java_component_sources` being empty.

To Reproduce:

Run Konflux EC testing via a PR.

Expected behavior

Konflux EC testing should pass with the up-to-date patching.

Any logs, error output, screenshots etc? Provide the devfile that sees this bug, if applicable

✕ [Violation] java.trusted_dependencies_source_list_provided
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/registry-viewer-main@sha256:bfdaef3606f08e4d9a720080f7f1098fe86db10451be666184db3386d192ee24
  Reason: Rule data allowed_java_component_sources has unexpected format: (Root): Array must have at least 1 items
  Title: Trusted Java dependency source list was provided
  Description: Confirm the `allowed_java_component_sources` rule data was provided, since it's required by the policy rules in
  this package. To exclude this rule add "java.trusted_dependencies_source_list_provided" to the `exclude` section of the policy
  configuration.
  Solution: Add a data source that contains allowable source repositories for build dependencies. The source must be located under
  a key named 'allowed_java_component_sources'. More information on adding xref:ec-cli:ROOT:configuration.adoc#_data_sources[data
  sources].

✕ [Violation] java.trusted_dependencies_source_list_provided
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:4668fd9b3a1459e54fc3b0a353ae53b412683ea822cea35bd5ef2e38bd0d1425
  Reason: Rule data allowed_java_component_sources has unexpected format: (Root): Array must have at least 1 items
  Title: Trusted Java dependency source list was provided
  Description: Confirm the `allowed_java_component_sources` rule data was provided, since it's required by the policy rules in
  this package. To exclude this rule add "java.trusted_dependencies_source_list_provided" to the `exclude` section of the policy
  configuration.
  Solution: Add a data source that contains allowable source repositories for build dependencies. The source must be located under
  a key named 'allowed_java_component_sources'. More information on adding xref:ec-cli:ROOT:configuration.adoc#_data_sources[data
  sources].

Additional context

Any workaround?

None. Any violation in the EC testing will block any new devfile registry promotions to staging or production.

Suggestion on how to fix the bug

None known at this time. An investigation into what is expected here needs to be done; opening a Konflux support ticket is a good start.

Labels

area/ci
area/registry (Devfile registry for stacks and infrastructure)
kind/bug (Something isn't working)
severity/blocker (Issues that prevent developers from working)

Status

Done ✅