@jiparis jiparis commented Nov 21, 2025

When the policy evaluation result is empty, it might happen that the material didn't match, or that the policy logic (Rego) has set the ignore flag to true (because of missing input parameters or any other criteria).

ERR no execution branch matched, or all of them were ignored, for kind SBOM_CYCLONEDX_JSON

@jiparis jiparis requested review from Piskoo and migmartri November 21, 2025 16:35

if len(policyEvs) == 0 || policyEvs[0] == nil {
return nil, fmt.Errorf("no execution branch matched for kind %s", material.MaterialType.String())
return nil, fmt.Errorf("no execution branch matched, or all of them were ignored, for kind %s", material.MaterialType.String())
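
Review bot: The replacement `fmt.Errorf` message still folds two different outcomes into one error: a material kind that matched no branch, and branches that matched but were all ignored. Someone who sees only the ERR line cannot tell a wrong material type from a policy that set its ignore flag, and for a policy gate that difference matters because an ignored policy means nothing was actually checked. Consider having the evaluation report whether any branch was ignored and returning a separate message for each case, or wrapping a distinct sentinel error with `%w` so callers can test for it with `errors.Is`. Separately, the guard `len(policyEvs) == 0 || policyEvs[0] == nil` inspects only the first element; if a later entry can be nil, that case is not covered here.
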
Member

Is there any better way we could do this? I mean, is there any way to distinguish them? Maybe we can add some debug logging so if you run eval with debug you get info about whether the execution path was ignored or executed?

Member Author

That would be ideal, yes. It has implications in the engine, though. Let me check them.

Member Author

The message was already there, but a bug prevented it from being shown. Check my comment in the PR.

jiparis commented Nov 24, 2025

Check the change in policy_develop_eval.go. I noticed that the debug flag in that command is overriding the global debug flag value, so by default it was disabling all CLI debug messages.
Now, the message can be clearly seen:

DBG evaluating policy sbom-banned-components against auto-detected-material
DBG policy sbom-banned-components explicitly ignored by definition <---------
ERR no execution branch matched, or all of them were ignored, for kind SBOM_CYCLONEDX_JSON

Signed-off-by: Jose I. Paris <[email protected]>
@jiparis jiparis merged commit b13f004 into chainloop-dev:main Nov 25, 2025
13 checks passed
@jiparis jiparis deleted the PFM-3981 branch November 25, 2025 12:29