scripts/find_invalid_waivers.py: new script to indetify invalid waivers

[matusmarhefka]

Example output using results from the latest CaC/content stabilization (v0.1.76):

$ ./find_invalid_waivers.py test_results/rhel10/results.txt.gz test_results/rhel9/results.txt.gz test_results/rhel8/results.txt.gz
2025-02-24 17:26:57 find_invalid_waivers.py:161: lib.waive.collect_waivers:149: using /home/matus/tests/contest/conf/waivers for waiving
===============================================================
The following waivers are no longer valid, they either did not
match any test results or only matched the 'pass' test results:
===============================================================

/hardening/host-os/ansible/anssi_.+/timer_logrotate_enabled
/hardening/host-os/ansible/anssi_.+/timer_dnf-automatic_enabled
    True

/per-rule/.+/directory_permissions_var_log_audit/incorrect_value_0700.fail
/per-rule/.+/tftpd_uses_secure_mode/correct.pass
/per-rule/.+/dconf_gnome_lock_screen_on_smartcard_removal/wrong_value.fail
/per-rule/.+/tftpd_uses_secure_mode/wrong.fail
/per-rule/.+/file_ownership_var_log_audit_stig/correct_value_default_file.pass
/per-rule/.+/directory_permissions_var_log_audit/correct_value_0700.pass
    rhel == 9

/per-rule/.+/package_talk_removed/package-installed.fail
    rhel == 8

/per-rule/.+/audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_open_rule_order/ordered_filter.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_open_rule_order/ordered_arch.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass
/per-rule/.+/audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass
    rhel == 10

/scanning/disa-alignment/.*/harden_sshd_ciphers_opensshserver_conf_crypto_policy
    rhel == 9

/scanning/disa-alignment/[^/]+/auditd_audispd_configure_sufficiently_large_partition
    True

/hardening/host-os/oscap/[^/]+/service_nftables_disabled
    True

/hardening/anaconda/with-gui/cis_workstation_l[12]
    status == 'error'

/hardening/image-builder/stig
    rhel == 9 and status == 'error'

/scanning/disa-alignment/.*/sysctl_kernel_core_pattern
    rhel == 8

/hardening/host-os/oscap/[^/]+/package_dnf-automatic_installed
/hardening/host-os/oscap/[^/]+/package_rsyslog-gnutls_installed
/hardening/host-os/oscap/[^/]+/timer_dnf-automatic_enabled
    True

/hardening/host-os/.*/(ospp|cui)/timer_dnf-automatic_enabled
    rhel == 8 or rhel == 9

/scanning/oscap-eval/ERROR
    rhel == 8 and note == 'E: oscap: Failed to convert OVAL state to SEXP, id: oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1.'

/static-checks/html-links/.+
    "failed: certificate has expired" in note

[comps]

I think I would prefer this being in some new tools or scripts directory, not in conf, which is supposed to be importable by tests and lib.