Merge branch 'demo-pst' into bsi-app-4.4-a8to11

.editorconfig

@@ -16,7 +16,7 @@ indent_size = unset
 tab_width = 4
 max_line_length = 99
 
-[{**.yml,**.yaml,**.jinja,**.var,**.profile}]
+[{**.yml,**.yaml,**.jinja,**.var,**.profile,**.json}]
 indent_style = space
 indent_size = 4
 

.github/workflows/compare-ds.yaml

@@ -138,3 +138,35 @@ jobs:
           type: delete
           comment_id: ${{ steps.fc.outputs.comment-id }}
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Compare Ansible playbook shell commands
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+        run: utils/ansible_shell_diff.py ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+      - name: Test if there are Ansible shell module changes
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+        run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> $GITHUB_OUTPUT
+        id: ansible_shell_diff
+      - name: Find Comment
+        uses: peter-evans/find-comment@v3
+        id: shell_diff
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: Change in Ansible 'shell' module found.
+      - name: Create comment
+        if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }}
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Change in Ansible `shell` module found.
+
+            Please consider using more suitable Ansible module than `shell` if possible.
+      - name: Delete existing comment in case new commits trigger no changes in Ansible shell module
+        if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }}
+        uses: jungwinter/comment@v1
+        with:
+          type: delete
+          comment_id: ${{ steps.shell_diff.outputs.comment-id }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/gate.yaml

@@ -90,7 +90,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Upgrade pip python
-        run: pip3 install --upgrade pip 
+        run: pip3 install --upgrade pip
       - name: Install deps python
         run: pip3 install -r requirements.txt -r test-requirements.txt --ignore-installed PyYAML
       - name: Build
@@ -180,14 +180,14 @@ jobs:
     name: Build on Windows
     runs-on: windows-latest
     env:
-      OPENSCAP_VERSION: "1.3.10"
-      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.3.10"
+      OPENSCAP_VERSION: "1.4.0"
+      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.0"
     steps:
         - name: Install Deps
           run: choco install xsltproc
         - name: Get Latest OpenSCAP
           shell: powershell
-          run: "Invoke-WebRequest -Uri https://nightly.link/OpenSCAP/openscap/workflows/build/maint-1.3/openscap-win64.zip -OutFile ${{ github.workspace }}\\openscap-win.zip"
+          run: "Invoke-WebRequest -Uri https://nightly.link/OpenSCAP/openscap/workflows/build/main/openscap-win64.zip -OutFile ${{ github.workspace }}\\openscap-win.zip"
         - name: Extract Latest OpenSCAP
           shell: powershell
           run: "Expand-Archive -LiteralPath ${{ github.workspace }}\\openscap-win.zip -DestinationPath ${{ github.workspace }}\\openscap-win -Verbose:$true"

.github/workflows/gate_fedora.yml

@@ -36,6 +36,7 @@ jobs:
                         rhel7 \
                         rhel8 \
                         rhel9 \
+                        rhel10 \
                         uos20 \
                         ocp4 \
                         eks
@@ -48,7 +49,7 @@ jobs:
                 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
             -   name: Upload coverage to Code Climate  # Requires: git package
                 if: ${{ github.repository == 'ComplianceAsCode/content' }}
-                uses: paambaati/codeclimate-action@v5.0.0
+                uses: paambaati/codeclimate-action@v6.0.0
                 env:
                     CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
                 with:

.github/workflows/gate_thin_ds.yml

@@ -0,0 +1,29 @@
+name: Gate Thin DS
+on:
+  merge_group:
+    branches: [ 'master' ]
+  push:
+    branches: ['*', '!stabilization*', '!stable*', 'master' ]
+  pull_request:
+    branches: [ 'master', 'stabilization*' ]
+concurrency:
+  group: ${{ github.workflow }}-fedora-${{ github.event.number || github.run_id }}
+  cancel-in-progress: true
+jobs:
+    build-and-test-thin-ds:
+        name: Build, Test on Fedora Latest (Container)
+        runs-on: ubuntu-latest
+        container:
+            image: fedora:latest
+        steps:
+            -   name: Install Deps
+                run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel python3-lxml python3-pytest
+            -   name: Checkout
+                uses: actions/checkout@v4
+            -   name: Install deps python
+                # pytest-xdist is used for parallel execution of thin ds test
+                run: pip install pcre2 pytest-xdist -r requirements.txt -r test-requirements.txt
+            -   name: Build
+                run: ./build_product rhel9 --thin
+            -   name: Test
+                run: python3 -m pytest -n auto tests/test_thin_ds.py

.github/workflows/gh-pages.yaml

@@ -50,7 +50,7 @@ jobs:
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: Deploy
         if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' && github.ref == 'refs/heads/master'  }}
-        uses: JamesIves/github-pages-deploy-action@v4.5.0
+        uses: JamesIves/github-pages-deploy-action@v4.6.1
         with:
           branch: main # The branch the action should deploy to.
           folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.

.github/workflows/k8s-content-pr-test.yaml

@@ -0,0 +1,53 @@
+---
+name: Gate / Kubernetes Test Content Parsing
+
+on:
+  pull_request:
+    types:
+    - opened
+    - reopened
+    - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  datastream-parsing:
+    name: XCCDF Datastream parsing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Copy XCCDF files from existing content image
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 20
+          max_attempts: 3
+          retry_wait_seconds: 300
+          retry_on: error
+          command: |
+            mkdir -p content
+            docker pull ghcr.io/complianceascode/k8scontent:${{ github.event.number }}
+            docker run --rm -v $PWD/content:/content:z ghcr.io/complianceascode/k8scontent:${{ github.event.number }} bash -c "cp *.xml /content"
+      - name: Clone compliance operator repository
+        run: |
+          git clone https://github.com/ComplianceAsCode/compliance-operator.git
+      - name: Fetch go version used in compliance-operator go.mod
+        run: |
+          cd compliance-operator
+          go mod edit -json | jq -r '.Go' > go-version
+          if [ ! -s go-version ]; then
+            echo "Failed to fetch go version from compliance-operator go.mod"
+            exit 1
+          fi
+      - name: Save go version to be used in setup-go action
+        id: save-go-version
+        run: |
+          echo "go-version=$(cat compliance-operator/go-version)" > compliance-operator/go-version
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.save-go-version.outputs.go-version }}
+      - name: Run ginkgo tests and check if each XCCDF file is parsed correctly
+        run: |
+          export DEFAULT_CONTENT_DS_FILE_PATH=$PWD/content
+          cd compliance-operator
+          make test-datastreams

.github/workflows/k8s-content-pr.yaml

@@ -57,7 +57,7 @@ jobs:
         with:
           ref: refs/pull/${{ needs.get-pr-number.outputs.pr-number }}/head
       - name: Login to ghcr.io
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/release.yaml

@@ -45,7 +45,7 @@ jobs:
         env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Release
-        uses: softprops/action-gh-release@v0.1.15
+        uses: softprops/action-gh-release@v2.0.5
         with:
           draft: True
           name: Content ${{ steps.set_version.outputs.ver }}

.github/workflows/srg-mapping-table.yaml

@@ -28,7 +28,7 @@ jobs:
         run: cmake .. -G Ninja
         working-directory: ./build
       - name: Build
-        run: ninja -j2 rhel9 ocp4
+        run: ninja -j2 rhel10 rhel9 ocp4
         working-directory: ./build
       - name: Build rule dir json
         run: python3 utils/rule_dir_json.py
@@ -52,6 +52,14 @@ jobs:
         run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
         env:
           PYTHONPATH: ${{ github.workspace }}
+      - name: Generate XLSX for RHEL10
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+      - name: Generate HTML for RHEL10
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
+        env:
+          PYTHONPATH: ${{ github.workspace }}
       - uses: actions/upload-artifact@v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
@@ -62,6 +70,17 @@ jobs:
         with:
           name: srg-mapping-rhel9.html
           path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.html
+
+      - uses: actions/upload-artifact@v4
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          name: srg-mapping-rhel10.xlsx
+          path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.xlsx
+      - uses: actions/upload-artifact@v4
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          name: srg-mapping-rhel10.html
+          path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.html
       - uses: actions/upload-artifact@v4
         if: ${{ github.event_name == 'pull_request' }}
         with:
@@ -73,14 +92,14 @@ jobs:
           name: srg-mapping-ocp4.html
           path: ${{ env.PAGES_DIR }}/srg-mapping-ocp4.html
       - name: Generate HTML pages
-        run: utils/generate_html_index_srg_mapping.sh $PAGES_DIR "rhel9 ocp4" # add more products to this list to generate their index
+        run: utils/generate_html_index_srg_mapping.sh $PAGES_DIR "rhel10 rhel9 ocp4" # add more products to this list to generate their index
         shell: bash
       - name: Configure git to trust the workspace despite the different owner
         run:
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: Deploy
         if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' }}
-        uses: JamesIves/github-pages-deploy-action@v4.5.0
+        uses: JamesIves/github-pages-deploy-action@v4.6.1
         with:
           branch: main # The branch the action should deploy to.
           folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.

.github/workflows/update-oscal.yml

@@ -45,7 +45,7 @@ jobs:
                   trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json"
               working-directory: ./shared/references/oscal
             - name: Update content
-              uses: peter-evans/[email protected].1
+              uses: peter-evans/[email protected].5
               with:
                   base: master
                   branch: "oscal-update-${{ github.run_id }}"

.packit.yaml

@@ -19,20 +19,117 @@ jobs:
   - centos-stream-8-x86_64
   - centos-stream-9-x86_64
 
-- &test
+- <<: *build
+  trigger: commit
+  branch: "gh-readonly-queue/.*"
+
+- &test-static-checks
   job: tests
   trigger: pull_request
+  fmf_path: tests/tmt-plans
+  identifier: /static-checks
+  tmt_plan: /static-checks
   targets:
-    fedora-latest-stable: { }
     epel-7:
       distros: [ centos-7 ]
-    centos-stream-8: { }
-    centos-stream-9: { }
+    centos-stream-8: {}
+    centos-stream-9: {}
 
-- <<: *test
-  trigger: commit
-  branch: "gh-readonly-queue/.*"
+# when modifying this, modify also tests/tmt-plans/
 
-- <<: *build
-  trigger: commit
-  branch: "gh-readonly-queue/.*"
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/anssi_bp28_high
+  tmt_plan: /hardening/host-os/ansible/anssi_bp28_high
+  targets:
+    centos-stream-8: {}
+    centos-stream-9: {}
+# disable for now - it seems to be broken on CentOS Stream
+#- <<: *test-static-checks
+#  identifier: /hardening/host-os/ansible/ccn_advanced
+#  tmt_plan: /hardening/host-os/ansible/ccn_advanced
+#  targets:
+#    centos-stream-9: {}
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/cis
+  tmt_plan: /hardening/host-os/ansible/cis
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/cis_server_l1
+  tmt_plan: /hardening/host-os/ansible/cis_server_l1
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/cis_workstation_l1
+  tmt_plan: /hardening/host-os/ansible/cis_workstation_l1
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/cis_workstation_l2
+  tmt_plan: /hardening/host-os/ansible/cis_workstation_l2
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/cui
+  tmt_plan: /hardening/host-os/ansible/cui
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/e8
+  tmt_plan: /hardening/host-os/ansible/e8
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/hipaa
+  tmt_plan: /hardening/host-os/ansible/hipaa
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/ism_o
+  tmt_plan: /hardening/host-os/ansible/ism_o
+  targets:
+    centos-stream-8: {}
+    centos-stream-9: {}
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/ospp
+  tmt_plan: /hardening/host-os/ansible/ospp
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/pci-dss
+  tmt_plan: /hardening/host-os/ansible/pci-dss
+- <<: *test-static-checks
+  identifier: /hardening/host-os/ansible/stig
+  tmt_plan: /hardening/host-os/ansible/stig
+
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/anssi_bp28_high
+  tmt_plan: /hardening/host-os/oscap/anssi_bp28_high
+  targets:
+    centos-stream-8: {}
+    centos-stream-9: {}
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/ccn_advanced
+  tmt_plan: /hardening/host-os/oscap/ccn_advanced
+  targets:
+    centos-stream-9: {}
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/cis
+  tmt_plan: /hardening/host-os/oscap/cis
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/cis_server_l1
+  tmt_plan: /hardening/host-os/oscap/cis_server_l1
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/cis_workstation_l1
+  tmt_plan: /hardening/host-os/oscap/cis_workstation_l1
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/cis_workstation_l2
+  tmt_plan: /hardening/host-os/oscap/cis_workstation_l2
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/cui
+  tmt_plan: /hardening/host-os/oscap/cui
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/e8
+  tmt_plan: /hardening/host-os/oscap/e8
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/hipaa
+  tmt_plan: /hardening/host-os/oscap/hipaa
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/ism_o
+  tmt_plan: /hardening/host-os/oscap/ism_o
+  targets:
+    centos-stream-8: {}
+    centos-stream-9: {}
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/ospp
+  tmt_plan: /hardening/host-os/oscap/ospp
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/pci-dss
+  tmt_plan: /hardening/host-os/oscap/pci-dss
+- <<: *test-static-checks
+  identifier: /hardening/host-os/oscap/stig
+  tmt_plan: /hardening/host-os/oscap/stig