Skip to content

Add null guard for input.v0.osv in aliased_records rule#37

Draft
Copilot wants to merge 44 commits intomainfrom
copilot/sub-pr-15-5d84275d-5c59-4c43-85ef-feaf843b92e7
Draft

Add null guard for input.v0.osv in aliased_records rule#37
Copilot wants to merge 44 commits intomainfrom
copilot/sub-pr-15-5d84275d-5c59-4c43-85ef-feaf843b92e7

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 12, 2026
edited
Loading

Iterating input.v0.osv in aliased_records without a null check causes a type error when osv is null or absent, breaking evaluation entirely.

Changes

  • baseline/high-risk-vulnerability.rego: Added input.v0.osv != null guard before iterating in aliased_records, consistent with the pattern in malware-block.rego
aliased_records[k] := records if {
    input.v0.osv != null  # added
    some v_seed in input.v0.osv
    some k in vuln_keys(v_seed)
    records := {v | some v in input.v0.osv; k in vuln_keys(v)}
}

Existing tests test_no_match_null_osv and test_no_match_missing_osv cover both failure modes.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

ciaracarey and others added 30 commits February 18, 2026 21:49
@ciaracarey
refactor(epm): introduce baseline policies.
5b65c26
@ciaracarey
Add OPA test
b82b6e3
fix formatting opa errors
ddfb697
Improving the rego and moving test to workflows
2747c24
@ciaracarey
Update opa-lint.yml
809db09
@ciaracarey
Refactor vulnerability matching and scoring logic
cbb09cd
opa formatting fixes
f9d5338
update vulnerability policy to use osv object
8bde0eb
update vulnerability policy
9522986
@ciaracarey
Update README.md
6bfd1ac 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update .github/workflows/opa-lint.yml
c300edb 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update .github/workflows/opa-lint.yml
aebc6ce 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
fix(readme): wrap repository structure in fenced code block (#16)
d1a8e18 
* Initial plan

* fix(readme): wrap repository structure in fenced code block

Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>
@ciaracarey
Fix Americanized spelling in README (#17)
97fbe8f 
* Initial plan

* Fix spelling: "Specialised" -> "Specialized" in README.md

Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>
@ciaracarey
Remove import rego.v1 from advanced/huggingface-recipes policies (#18)
2c7cc2f 
* Initial plan

* Remove import rego.v1 from advanced/huggingface-recipes policies

Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>
@ciaracarey
change name from cooldown to pacage age
0df6c6f
Simplify vulnerability policy
a1e39c4
adding the GitOps exemption workflow
fcdb540
@ciaracarey
Change branch for exemption application workflow
9094bee
@ciaracarey
Add python:time:3.4.5 to allow.json
1b32611
@ciaracarey
Update high-risk-vulnerability.rego
783e2f6
@ciaracarey
Document GitOps workflow for policy exemptions
65fcd3c 
Added section on GitOps workflow for managing policy exemptions.
@markmcmurray
add regal step to lint rego
2d9911a
@markmcmurray
tidy rego based on regal output
ced740b
@markmcmurray
relint high-risk-vulnerability
10f6b28
@markmcmurray
fix unsafe var introduced by linting fix
275f10a
@markmcmurray
Merge pull request #22 from cloudsmith-io/rego-styling-with-ci
dfe0439 
chore: tidy rego based on regal output
@markmcmurray
remove leftover rego.v1 imports
d98b345 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@markmcmurray
add unit tests for rego
804341b
@markmcmurray
Apply suggestion from @Copilot
d934db4 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
markmcmurray and others added 13 commits March 11, 2026 11:34
@markmcmurray
Merge pull request #23 from cloudsmith-io/rego-unit-tests
08baf59 
add rego unit tests
@ciaracarey
Update baseline/license-compliance.rego
3e6137e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update exemptions/update_policy.py
c85bc8a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update README.md
191d72b 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update .github/workflows/apply-exemptions.yml
94e8c0e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update exemptions/templates/allowlist.rego.tpl
c6214bd 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ciaracarey
Update exemptions/allow.json
9349c5c 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@markmcmurray
revert back to simpler osv fix comparison with regal styling (#34)
48982eb
@markmcmurray
remove trailing comma from allow list (#35)
d3921b7
@ciaracarey
Update baseline/high-risk-vulnerability.rego
a3cd25a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@markmcmurray
only run workflows on PR to main
6b31fb5 
Co-authored-by: Mark McMurray <mmcmurray@cloudsmith.io>
@ciaracarey
Update baseline/high-risk-vulnerability_test.rego
f01d06d 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Initial plan
3c22fe6
Copilot AI mentioned this pull request Mar 12, 2026
Merged
@ciaracarey
Add null guard for input.v0.osv in aliased_records rule
8ef1390 
Co-authored-by: ciaracarey <84123925+ciaracarey@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Mar 12, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • openpolicyagent.org
    • Triggering command: /usr/bin/curl curl -L -o /tmp/opa REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] [WIP] Address feedback on Epm baseline refactor PR Add null guard for input.v0.osv in aliased_records rule Mar 12, 2026
@ciaracarey ciaracarey requested a review from Copilot March 12, 2026 12:15
Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a null guard (input.v0.osv != null) to the aliased_records rule in high-risk-vulnerability.rego to prevent type errors when osv is null or absent, matching the existing defensive pattern used in malware-block.rego.

Changes:

  • Added input.v0.osv != null guard before iterating input.v0.osv in the aliased_records rule

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ciaracarey ciaracarey force-pushed the epm-baseline-refactor branch from 3185b50 to aa38feb Compare March 12, 2026 13:35
Base automatically changed from epm-baseline-refactor to main March 12, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ciaracarey ciaracarey

Copilot code review Copilot

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ciaracarey @markmcmurray