From e7686c84dba7d36e14e1ef19ed5e3d74f8dca7bd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 21:57:49 +0200
Subject: [PATCH 1/6] Remove --schematron option

The option is a noop since introduction of --skip-schematron and enabled state becoming the default behavior.
---
 .../OVAL/unittests/test_xsinil_envv58_pid.sh | 2 +-
 tests/API/OVAL/validate/all.sh | 2 +-
 tests/API/XCCDF/variable_instance/all.sh | 40 +++++++++----------
 tests/CPE/all.sh | 2 +-
 tests/DS/schematron/schematron.sh | 4 +-
 tests/probes/sql57/unsupported_engine.sh | 2 +-
 ...probes_systemdunitdependency_validation.sh | 2 +-
 utils/oscap-oval.c | 2 -
 utils/oscap-xccdf.c | 2 -
 9 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/tests/API/OVAL/unittests/test_xsinil_envv58_pid.sh b/tests/API/OVAL/unittests/test_xsinil_envv58_pid.sh
index 1acb1baa64f..049412eec96 100755
--- a/tests/API/OVAL/unittests/test_xsinil_envv58_pid.sh
+++ b/tests/API/OVAL/unittests/test_xsinil_envv58_pid.sh
@@ -10,7 +10,7 @@ echo "Result file: $result"
 echo "Evaluating content."
 $OSCAP oval eval --results $result $srcdir/${name}.oval.xml
 echo "Validating results."
-$OSCAP oval validate --results --schematron $result
+$OSCAP oval validate --results $result
 echo "Testing results values."
 assert_exists 1 '/oval_results'
 assert_exists 1 '/oval_results/oval_definitions'
diff --git a/tests/API/OVAL/validate/all.sh b/tests/API/OVAL/validate/all.sh
index 0117effbd72..e34b14d5f74 100755
--- a/tests/API/OVAL/validate/all.sh
+++ b/tests/API/OVAL/validate/all.sh
@@ -30,7 +30,7 @@ function oval-schema-fail {
 }
 
 function oval-schematron-fail {
-    $OSCAP oval validate --schematron ${srcdir}/oval-schematron-fail.xml
+    $OSCAP oval validate ${srcdir}/oval-schematron-fail.xml
     ret=$?
     if [ $ret -eq 2 ]; then
         return 0
diff --git a/tests/API/XCCDF/variable_instance/all.sh b/tests/API/XCCDF/variable_instance/all.sh
index 1a8d4c7da8d..5aa64bb703e 100755
--- a/tests/API/XCCDF/variable_instance/all.sh
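Review bot: The rewritten line `$OSCAP oval validate --results $result` still expands `$result` unquoted, so a result path containing whitespace or glob characters would be word-split before it reaches oscap; since the line is being rewritten anyway, `$OSCAP oval validate --results "$result"` is the safer form (leaving `$OSCAP` bare, which presumably is intentional so it can carry wrapper arguments). The same applies to the other PATCH 1 test hunks that drop `--schematron`: `${srcdir}/oval-schematron-fail.xml` in tests/API/OVAL/validate/all.sh, every `$variables0`/`$variables1`/`$oval_result` call in tests/API/XCCDF/variable_instance/all.sh, `${top_srcdir}/cpe/openscap-cpe-oval.xml` in tests/CPE/all.sh and `$DF` in the systemdunitdependency test. This script continues outside the hunk.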
+++ b/tests/API/XCCDF/variable_instance/all.sh
@@ -40,7 +40,7 @@ function xccdf_export_1_multival() {
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
     assert_exists 1 '/oval_variables/variables/variable'
@@ -73,8 +73,8 @@ function xccdf_export_2_multiset(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -112,7 +112,7 @@ function xccdf_export_3_twice_same(){
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -142,7 +142,7 @@ function xccdf_export_4_two_same(){
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -171,7 +171,7 @@ function xccdf_export_5_multival_twice(){
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -204,8 +204,8 @@ function xccdf_export_6_multiset_multival(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -246,7 +246,7 @@ function xccdf_export_7_shuffled_multival(){
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -279,7 +279,7 @@ function xccdf_export_8_shuffled_multival(){
     [ -f $stderr ]; [ ! -s $stderr ]
     [ -f $variables0 ]
     [ ! -f $variables1 ]
-    $OSCAP oval validate --schematron $variables0
+    $OSCAP oval validate $variables0
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -313,8 +313,8 @@ function xccdf_export_9_first_subset(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -358,8 +358,8 @@ function xccdf_export_A_second_subset(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
     local result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
@@ -413,9 +413,9 @@ function xccdf_eval_2_multiset(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
-    $OSCAP oval validate --schematron $oval_result
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
+    $OSCAP oval validate $oval_result
     local result="$xccdf_result"
     assert_exists 1 '/Benchmark/TestResult'
     assert_exists 1 '/Benchmark/TestResult/profile'
@@ -574,9 +574,9 @@ function xccdf_eval_1_multiset_syschar(){
     [ -f $variables0 ]
     [ -f $variables1 ]
     [ ! -f $variables2 ]
-    $OSCAP oval validate --schematron $variables0
-    $OSCAP oval validate --schematron $variables1
-    $OSCAP oval validate --schematron $oval_result
+    $OSCAP oval validate $variables0
+    $OSCAP oval validate $variables1
+    $OSCAP oval validate $oval_result
     result="$variables0"
     assert_exists 1 '/oval_variables'
     assert_exists 1 '/oval_variables/variables'
diff --git a/tests/CPE/all.sh b/tests/CPE/all.sh
index c6de2a6e924..d34a4fe40d3 100755
--- a/tests/CPE/all.sh
+++ b/tests/CPE/all.sh
@@ -8,7 +8,7 @@ set -e -o pipefail
 . $builddir/tests/test_common.sh
 
 function test_cpe() {
-    $OSCAP oval validate --schematron ${top_srcdir}/cpe/openscap-cpe-oval.xml
+    $OSCAP oval validate ${top_srcdir}/cpe/openscap-cpe-oval.xml
     $OSCAP cpe validate ${top_srcdir}/cpe/openscap-cpe-dict.xml
 }
 
diff --git a/tests/DS/schematron/schematron.sh b/tests/DS/schematron/schematron.sh
index b51970feeef..2ef5ec43096 100755
--- a/tests/DS/schematron/schematron.sh
+++ b/tests/DS/schematron/schematron.sh
@@ -5,7 +5,7 @@ set -e -o pipefail
 
 # both XCCDF and SDS schematrons find only warnings but not errors
 output="$(mktemp)"
-$OSCAP xccdf validate --schematron "$srcdir/simple_ds.xml" >"$output"
+$OSCAP xccdf validate "$srcdir/simple_ds.xml" >"$output"
 [ $? = 0 ]
 grep -q "Schematron validation of OVAL Definition component 'test_single_rule.oval.xml': PASS" "$output"
 grep -q "Schematron validation of XCCDF Checklist component 'scap_org.open-scap_cref_test_single_rule.xccdf.xml': PASS" "$output"
@@ -16,7 +16,7 @@ rm -f "$output"
 # XCCDF schematron reports an error
 output="$(mktemp)"
 stderr="$(mktemp)"
-$OSCAP xccdf validate --schematron "$srcdir/simple_ds_xccdf_schematron_error.xml" >"$output" 2>"$stderr" || ret=$?
+$OSCAP xccdf validate "$srcdir/simple_ds_xccdf_schematron_error.xml" >"$output" 2>"$stderr" || ret=$?
 [ $ret = 2 ]
 grep -q "Error: The given @idref attribute 'xccdf_com.example.www_rule_test-pass2' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3." $output
 grep -q "Schematron validation of OVAL Definition component 'test_single_rule.oval.xml': PASS" "$output"
diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh
index b49a95cafc4..35ade42eb17 100755
--- a/tests/probes/sql57/unsupported_engine.sh
+++ b/tests/probes/sql57/unsupported_engine.sh
@@ -15,7 +15,7 @@ $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr
 sed -i -E "/^E: probe_sql57: DB engine not supported: sqlserver/d" "$stderr"
 [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
 echo "Validating results."
-#$OSCAP oval validate --results --schematron $result
+#$OSCAP oval validate --results $result
 echo "Testing results values."
 assert_exists 1 '/oval_results'
 assert_exists 1 '/oval_results/oval_definitions'
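Review bot: In the tests/probes/sql57/unsupported_engine.sh hunk the edited line is commented out, so `#$OSCAP oval validate --results $result` still never runs while the preceding `echo "Validating results."` tells the reader that it does. Either re-enable the validation now that `--schematron` is gone, or drop the dead line together with the echo and leave a comment such as `# results validation disabled: <reason/placeholder>` so the next maintainer knows why; I cannot tell from here why it was disabled. The script continues outside the hunk.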
diff --git a/tests/probes/systemdunitdependency/test_probes_systemdunitdependency_validation.sh b/tests/probes/systemdunitdependency/test_probes_systemdunitdependency_validation.sh
index a15f76567c2..bba879ca15e 100755
--- a/tests/probes/systemdunitdependency/test_probes_systemdunitdependency_validation.sh
+++ b/tests/probes/systemdunitdependency/test_probes_systemdunitdependency_validation.sh
@@ -15,7 +15,7 @@ set -e
 function oval_validation {
     DF="test_probes_systemdunitdependency_validate.xml"
     ${srcdir}/test_probes_systemdunitdependency.xml.sh "true" > $DF
-    $OSCAP oval validate --schematron $DF
+    $OSCAP oval validate $DF
 }
 
 test_run "OVAL 5.11 validation (systemdunitdependency)" oval_validation
diff --git a/utils/oscap-oval.c b/utils/oscap-oval.c
index 19b29b899e9..62e950e05a2 100644
--- a/utils/oscap-oval.c
+++ b/utils/oscap-oval.c
@@ -670,8 +670,6 @@ bool getopt_oval_validate(int argc, char **argv, struct oscap_action *action)
     { "syschar", no_argument, &action->doctype, OSCAP_DOCUMENT_OVAL_SYSCHAR },
     { "results", no_argument, &action->doctype, OSCAP_DOCUMENT_OVAL_RESULTS },
     { "directives", no_argument, &action->doctype, OSCAP_DOCUMENT_OVAL_DIRECTIVES },
-    //TODO: force schematron validation (no-op, deprecate and remove)
-    { "schematron", no_argument, &action->schematron, 1 },
     { "skip-schematron",no_argument, &action->schematron, 0 },
     // end
     { 0, 0, 0, 0 }
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index e9172c1e97c..59337c16ace 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
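Review bot: Dropping the `"schematron"` entry from the getopt_oval_validate option table turns any existing invocation that still passes `--schematron` into a hard failure rather than a no-op — presumably getopt_long rejects it as an unrecognized option and validation never runs — which is a sharper break than the commit message's "noop" suggests. A deprecation step (keep the entry for one release and print a warning to stderr when it is seen) would let scripts and automation migrate; if the removal was already announced, the commit message should say so. The diffstat shows no man-page or usage-text change, so if those still list `--schematron` they need the same edit. The same applies to the getopt_xccdf hunk in utils/oscap-xccdf.c; both option tables continue outside their hunks.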
@@ -1254,8 +1254,6 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
     {"remediate", no_argument, &action->remediate, 1},
     {"hide-profile-info", no_argument, &action->hide_profile_info, 1},
     {"export-variables", no_argument, &action->export_variables, 1},
-    //TODO: deprecate and remove
-    {"schematron", no_argument, &action->schematron, 1},
     {"skip-schematron", no_argument, &action->schematron, 0},
     {"without-syschar", no_argument, &action->without_sys_chars, 1},
     {"thin-results", no_argument, &action->thin_results, 1},

From ad26fd17d38b69c2d12688111787faf73a1c1bda Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 21:59:09 +0200
Subject: [PATCH 2/6] Don't look for AptPkg, we don't use the library at all

---
 CMakeLists.txt | 2 --
 1 file changed, 2 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index d727fa9f982..6756ff6e63a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,8 +88,6 @@ if(ACL_FOUND)
     check_include_file(sys/acl.h HAVE_SYS_ACL_H)
 endif()
 
-find_package(AptPkg)
-
 find_package(Blkid)
 if(BLKID_FOUND)
     check_library_exists("${BLKID_LIBRARY}" blkid_get_tag_value "" HAVE_BLKID_GET_TAG_VALUE)

From 13b78215d7a97585c7ccfacc3fcd5a3d370ff862 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 22:00:16 +0200
Subject: [PATCH 3/6] Disable gconf probe by default

---
 CMakeLists.txt | 2 +-
 openscap.spec | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6756ff6e63a..2453d5eddf0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -275,7 +275,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_YAMLFILECONTENT "Independent y
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF)
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF)
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H OR HAVE_SYS_EXTATTR_H" OFF)
-cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" OFF "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF)
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF)
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF)
 cmake_dependent_option(OPENSCAP_PROBE_UNIX_PROCESS "Unix process probe" ON "ENABLE_PROBES_UNIX" OFF)
diff --git a/openscap.spec b/openscap.spec
index fbc844192fc..7d111f1d0d6 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -139,7 +139,6 @@ Tool for scanning Atomic containers.
 %endif
     -DENABLE_PERL=OFF \
     -DENABLE_DOCS=ON \
-    -DOPENSCAP_PROBE_UNIX_GCONF=OFF \
     -DGCONF_LIBRARY=
 %cmake_build
 make docs

From 8e3e4aed6404aac0b8ae4303eeb514c94458a8e4 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 22:00:54 +0200
Subject: [PATCH 4/6] Python is always 3, we won't work with Python2

---
 tests/sce/CMakeLists.txt | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tests/sce/CMakeLists.txt b/tests/sce/CMakeLists.txt
index 5f2d1cd3f0a..18c65bc79e6 100644
--- a/tests/sce/CMakeLists.txt
+++ b/tests/sce/CMakeLists.txt
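Review bot: With the CMake default for OPENSCAP_PROBE_UNIX_GCONF flipped to OFF in the CMakeLists.txt hunk above, the openscap.spec hunk keeps `-DGCONF_LIBRARY=` while the comment above the `%cmake` call (visible in the PATCH 5 hunk: "gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon") still explains the override that this hunk removes. Either reword that comment so it describes what the remaining flag is for — presumably stopping CMake from picking up a gconf library it may still detect through GCONF_FOUND — or drop `-DGCONF_LIBRARY=` as well if nothing else consumes it; I cannot tell from here which applies. The `%cmake \` invocation starts outside this hunk.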
@@ -1,7 +1,5 @@
 if(ENABLE_SCE)
-    if(${PYTHON_VERSION_MAJOR} EQUAL "3")
-        add_oscap_test("test_sce.sh")
-    endif()
+    add_oscap_test("test_sce.sh")
     add_oscap_test("test_passing_vars.sh")
     add_oscap_test("test_check_engine_results.sh")
     add_oscap_test("test_sce_in_ds.sh")

From 2f5950c06bc3f427cd6bb8f51c5d2a4ec4526023 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 22:01:34 +0200
Subject: [PATCH 5/6] We work only with PCRE2 from now on

---
 openscap.spec | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/openscap.spec b/openscap.spec
index 7d111f1d0d6..50a92839e79 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -134,9 +134,6 @@ Tool for scanning Atomic containers.
 # gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon
 # as gconf is no longer part of the installation medium
 %cmake \
-%if 0%{?fedora}
-    -DWITH_PCRE2=ON \
-%endif
     -DENABLE_PERL=OFF \
     -DENABLE_DOCS=ON \
     -DGCONF_LIBRARY=

From e0436578931ee4999b444571b019345cd2b525b5 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 25 Jun 2024 22:01:56 +0200
Subject: [PATCH 6/6] Don't delete now-fixed test DS

Since the removal of compose functions from oscap utility test DSes are not generated anymore. We should not delete them.
---
 .../API/XCCDF/applicability/test_remediate_fix_processing_ds.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/API/XCCDF/applicability/test_remediate_fix_processing_ds.sh b/tests/API/XCCDF/applicability/test_remediate_fix_processing_ds.sh
index 6043a6f0cc8..8f2edb00929 100755
--- a/tests/API/XCCDF/applicability/test_remediate_fix_processing_ds.sh
+++ b/tests/API/XCCDF/applicability/test_remediate_fix_processing_ds.sh
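Review bot: In the PATCH 5 openscap.spec hunk, removing the Fedora-only `-DWITH_PCRE2=ON` leaves the regex backend entirely to the CMake default, and nothing in this series touches the CMake option or the spec's BuildRequires. If `WITH_PCRE2` still exists and defaults to OFF outside Fedora, non-Fedora builds silently fall back to PCRE1; if the option was removed elsewhere, the spec should also replace `pcre-devel` with `pcre2-devel` in BuildRequires — I can see neither side from here, so please state which in the commit message. The `%cmake \` invocation continues outside this hunk.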
@@ -87,4 +87,4 @@ assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profil
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result[text()="fixed"]'
 
-rm $resultx $arf $sds
+rm $resultx $arf
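Review bot: The rewritten cleanup line still passes `$resultx` and `$arf` unquoted and without `--`, so a path containing whitespace or beginning with `-` would be mishandled; `rm -- "$resultx" "$arf"` is the safe form and costs nothing while the line is being touched. Because this `rm` is the script's last statement, any failed assertion above it also leaves both files behind — a `trap 'rm -f -- "$resultx" "$arf"' EXIT` placed where they are created (outside this hunk) would cover that. The script ends with this hunk.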