Merge pull request #9604 from Mab879/remove_oval_5_10

Remove Support for OVAL 5.10

.github/workflows/gate.yaml

@@ -148,17 +148,6 @@ jobs:
           CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
         with:
           coverageLocations: build/tests/coverage.xml:coverage.py
-      - name: Build 5.10 (sanity only)
-        run: |-
-          ./build_product \
-              -d \
-              --oval '5.10' \
-              rhel7 \
-              rhel8 \
-              rhel9
-      - name: Validate OVAL Build 5.10
-        working-directory: ./build
-        run: ctest -j2 -R validate-ssg-rhel[0-9]+-oval.xml --output-on-failure -E unique-stigids
       - name: Validate gitmailmap
         run: egrep "\S" .mailmap | egrep -v '^#' | git check-mailmap --stdin
 

.github/workflows/release.yaml

@@ -28,17 +28,6 @@ jobs:
       - name: Build Package Source
         run: make -j2 package_source
         working-directory: ./build
-      - name: Create Build Dir (OVAL 5.10)
-        run: mkdir -p build-oval510
-      - name: Configure (OVAL 5.10)
-        run: cmake -DSSG_TARGET_OVAL_MINOR_VERSION:STRING=10 ..
-        working-directory: ./build-oval510
-      - name: Build All (OVAL 5.10)
-        run: make -j2 all
-        working-directory: ./build-oval510
-      - name: Build ZIP (OVAL 5.10)
-        run: make -j2 zipfile
-        working-directory: ./build-oval510
       - name: Set Version
         id: set_version
         run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} && echo ::set-output name=ver::${GITHUB_REF/refs\/tags\/v/}
@@ -63,7 +52,5 @@ jobs:
             build/scap-security-guide-*.tar.bz2.sha512
             build/zipfile/scap-security-guide-*.zip
             build/zipfile/scap-security-guide-*.zip.sha512
-            build-oval510/zipfile/scap-security-guide-*.zip
-            build-oval510/zipfile/scap-security-guide-*.zip.sha512
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stabilize.yaml

@@ -40,26 +40,3 @@ jobs:
         # Performs linkcheck across all build tables and html guides to ensure there are no broken references.
         run: ctest -j2 -R linkchecker --output-on-failure
         working-directory: ./build
-
-  stabilize-fedora-scapval-12:
-    name: Build and Run SCAPVal on SCAP 1.2 Content (Container)
-    runs-on: ubuntu-latest
-    container:
-      image: fedora:latest
-    steps:
-      - name: Install Deps
-        run: dnf install -y cmake ninja-build openscap-utils python3-pyyaml python3-jinja2 python3-pytest ansible expat libxslt python3-ansible-lint linkchecker java-1.8.0-openjdk unar wget python-unversioned-command
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Configure (OVAL 5.10)
-        run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DSSG_TARGET_OVAL_MINOR_VERSION:STRING=10 ..
-        working-directory: ./build
-      - name: Build All (OVAL 5.10)
-        run: make -j2 all
-        working-directory: ./build
-      - name: Get SCAPVAL
-        run: wget $SCAPVAL_URL/$SCAPVAL_FILENAME.zip
-      - name: Unpack SCAPVAL
-        run: mkdir -p /opt/scapval/ && unar $SCAPVAL_FILENAME.zip -o /opt/scapval/
-      - name: Run SCAP Validation (1.2)
-        run: $GITHUB_WORKSPACE/tests/run_scapval.py --scap-version 1.2 --scapval-path /opt/scapval/$SCAPVAL_FILENAME/$SCAPVAL_JAR --build-dir $GITHUB_WORKSPACE/build

CMakeLists.txt

@@ -38,7 +38,7 @@ set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}"
 set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.")
 
 set(SSG_TARGET_OVAL_MAJOR_VERSION "5" CACHE STRING "Which major version of OVAL are we targetting. Only 5 is supported at the moment.")
-set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Possible choices are 10 or 11.")
+set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Only 11 is supported at the moment.")
 
 set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
 
@@ -145,12 +145,8 @@ cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage
 
 find_package(OpenSCAP REQUIRED)
 
-if (SSG_TARGET_OVAL_MAJOR_VERSION EQUAL "5" AND SSG_TARGET_OVAL_VERSION_MINOR EQUAL "11" AND NOT "${OSCAP_V_OUTPUT}" MATCHES "OVAL Version: 5.11")
-    message(FATAL_ERROR "Your version of OpenSCAP does not support OVAL 5.11, please switch the OVAL target version to 5.10 or lower. $ cmake -DSSG_TARGET_OVAL_MINOR_VERSION=10 ../")
-endif()
-
-if (NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.10" AND NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    message(WARNING "You are targetting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.10 and 5.11 only!")
+if (NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
+    message(WARNING "You are targetting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
 endif()
 
 # OCP4 requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support
@@ -306,11 +302,7 @@ add_subdirectory("tests")
 
 # Targets 'stats', 'profile-stats' and 'zipfile' need to be added
 # before any product because they will receive dependencies from products added
-if(SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}")
-else()
-    ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}-oval-${SSG_TARGET_OVAL_VERSION}")
-endif()
+ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}")
 
 add_custom_target(stats)
 add_custom_target(profile-stats)
@@ -410,11 +402,8 @@ endif()
 
 # ZIP only contains source datastreams and kickstarts, people who
 # want sources to build from should get the tarball instead.
-if(SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    ssg_build_zipfile("scap-security-guide-${SSG_VERSION}")
-else()
-    ssg_build_zipfile("scap-security-guide-${SSG_VERSION}-oval-${SSG_TARGET_OVAL_VERSION}")
-endif()
+ssg_build_zipfile("scap-security-guide-${SSG_VERSION}")
+
 
 ssg_define_guide_and_table_tests()
 

README.md

@@ -3,7 +3,6 @@
 [![Docs](https://img.shields.io/readthedocs/complianceascode)](https://complianceascode.readthedocs.io/en/latest/)
 [![Release](https://img.shields.io/github/release/ComplianceAsCode/content.svg)](https://github.com/ComplianceAsCode/content/releases/latest)
 [![Nightly ZIP Status](https://github.com/ComplianceAsCode/content/actions/workflows/nightly_build.yml/badge.svg)](https://nightly.link/ComplianceAsCode/content/workflows/nightly_build/master/Nightly%20Build.zip)
-[![Nightly 5.10 ZIP Status](https://github.com/ComplianceAsCode/content/actions/workflows/nightly_build_5_10.yml/badge.svg)](https://nightly.link/ComplianceAsCode/content/workflows/nightly_build_5_10/master/Nightly%20Build%20OVAL%205.10.zip)
 [![Maintainability](https://api.codeclimate.com/v1/badges/62c1f8d8064b2163db3e/maintainability)](https://codeclimate.com/github/ComplianceAsCode/content/maintainability)
 [![Stats, Guides, Tables](https://github.com/ComplianceAsCode/content/actions/workflows/gh-pages.yaml/badge.svg)](https://complianceascode.github.io/content-pages/)
 [![Join the chat at https://gitter.im/Compliance-As-Code-The/content](https://badges.gitter.im/Compliance-As-Code-The/content.svg)](https://gitter.im/Compliance-As-Code-The/content?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

build_product

@@ -14,7 +14,7 @@
 # ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake])
 # ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL])
 # ARG_DEFAULTS_POS([])
-# ARG_TYPE_GROUP_SET([oval_ver],[VERSION],[oval],[5.10,5.11,auto])
+# ARG_TYPE_GROUP_SET([oval_ver],[VERSION],[oval],[5.11,auto])
 # ARG_TYPE_GROUP_SET([builder_type],[BUILDER],[builder],[make,ninja,auto])
 # ARG_HELP([Wipes out contents of the 'build' directory and builds only and only the given products.])
 # ARGBASH_GO()
@@ -38,12 +38,12 @@ die()
 
 oval_ver()
 {
-	local _allowed=("5.10" "5.11" "auto") _seeking="$1"
+	local _allowed=("5.11" "auto") _seeking="$1"
 	for element in "${_allowed[@]}"
 	do
 		test "$element" = "$_seeking" && echo "$element" && return 0
 	done
-	die "Value '$_seeking' (of argument '$2') doesn't match the list of allowed values: '5.10', '5.11' and 'auto'" 4
+	die "Value '$_seeking' (of argument '$2') doesn't match the list of allowed values: '5.11' and 'auto'" 4
 }
 
 
@@ -85,7 +85,7 @@ print_help()
 	printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products."
 	printf 'Usage: %s [-o|--oval <VERSION>] [-b|--builder <BUILDER>] [-j|--jobs <arg>] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [-d|--(no-)datastream-only] [-p|--(no-)profiling] [-h|--help] [<product-1>] ... [<product-n>] ...\n' "$0"
 	printf '\t%s\n' "<product>: Products to build, ALL means all products (defaults for <product>: 'ALL')"
-	printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')"
+	printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.11' or 'auto' (default: 'auto')"
 	printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')"
 	printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')"
 	printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)"

docs/manual/user_guide.adoc

@@ -93,7 +93,6 @@ If you need to use upstream content rather than what is shipped in the distribut
 The nightly builds are performed by our link:https://jenkins.complianceascode.io/view/Maintenance%20Jobs/[Jenkins instance], in the nightly jobs. Below are direct links to the latest builds:
 
 * link:https://jenkins.complianceascode.io/view/SCAP%20Security%20Guide/job/scap-security-guide-nightly-zip/lastSuccessfulBuild/artifact/scap-security-guide-nightly.zip[nightly build with OVAL 5.11]
-* link:https://jenkins.complianceascode.io/view/SCAP%20Security%20Guide/job/scap-security-guide-nightly-oval510-zip/lastSuccessfulBuild/artifact/scap-security-guide-nightly-oval-510.zip[nightly build with OVAL 5.10]
 
 If you wish to build the content yourself, please, refer to link:https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc#3-building-complianceascode[Building Compliance as Code] section, in the link:https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc[Developer Guide].
 

linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="no_host_based_files" version="1">
     {{{ oval_metadata("There should not be any shosts.equiv files on the system.") }}}
     <criteria>

linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="no_user_host_based_files" version="1">
     {{{ oval_metadata("There should not be any .shosts files on the system.") }}}
     <criteria>

linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml

@@ -1,6 +1,3 @@
-{{%- if target_oval_version == [5, 10] -%}}
-{{# there is no good alternative for symlink_test for OVAL 5.10 #}}
-{{%- else -%}}
 <def-group>
   <definition class="compliance" id="xwindows_runlevel_target" version="1">
     {{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
@@ -20,5 +17,3 @@
     <unix:canonical_path operation="pattern match">^(/usr)?/lib/systemd/system/multi-user.target$</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{%- endif -%}}
-

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml

@@ -1,6 +1,3 @@
-{{%- if target_oval_version == [5, 10] -%}}
-{{# there is no good alternative for symlink_test for OVAL 5.10 #}}
-{{%- else -%}}
 <def-group>
   <definition class="compliance" id="disable_ctrlaltdel_reboot" version="1">
     {{{ oval_metadata("By default, the system will reboot when the
@@ -21,4 +18,4 @@
     <unix:canonical_path>/dev/null</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{%- endif -%}}
+

linux_os/guide/system/accounts/enable_authselect/oval/shared.xml

@@ -5,7 +5,6 @@
     "smartcard": "smartcard-auth",
     "system": "system-auth",
 } -%}}
-{{% if target_oval_version >= [5, 11] %}}
 <def-group>
 	<definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Check that authselect is enabled") }}}
@@ -34,4 +33,3 @@
   </unix:symlink_state>
   {{% endfor %}}
 </def-group>
-{{% endif %}}

linux_os/guide/system/logging/ensure_rtc_utc_configuration/oval/shared.xml

@@ -1,4 +1,3 @@
-{{% if target_oval_version >= [5, 11] %}}
 <def-group oval_version="5.11">
   <definition class="compliance" id="ensure_rtc_utc_configuration" version="1">
    {{{ oval_metadata("Ensure RTC is using UTC as its time base") }}}
@@ -20,4 +19,3 @@
     <unix:canonical_path operation="pattern match">^(/usr)?/share/zoneinfo(/Etc)?/(GMT|UTC)$</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{% endif %}}

linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml

@@ -50,10 +50,7 @@
         <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
                    test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
       </criteria>
-
-{{% if target_oval_version >= [5, 11] %}}
       <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
-{{% endif %}}
     </criteria>
   </definition>
 

linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml

@@ -1,5 +1,3 @@
-{{%- if target_oval_version == [5, 11] -%}}
-{{# there is no good alternative for symlink_object for OVAL 5.10 #}}
 {{% set backend_krb5_config = "/etc/crypto-policies/back-ends/krb5.config" %}}
 <def-group>
   <definition class="compliance" id="configure_kerberos_crypto_policy" version="2">
@@ -49,4 +47,3 @@
   </local_variable>
 
 </def-group>
-{{%- endif -%}}

linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="mcafee_antivirus_definitions_updated" version="1">
     {{{ oval_metadata("Verify that McAfee AntiVirus definitions have been updated.") }}}
 
@@ -15,7 +15,7 @@
 
   <local_variable id="variable_mcafee_dat_files_mtime" version="1" comment="Age of file for each McAfee definition file." datatype="int">
       <time_difference format_2="seconds_since_epoch">
-        <object_component object_ref="mcafee_dat_files_mtime" item_field="m_time"/> 
+        <object_component object_ref="mcafee_dat_files_mtime" item_field="m_time"/>
       </time_difference>
   </local_variable>
 

linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="enable_fips_mode" version="1">
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">

linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="enable_fips_mode" version="1">
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">

linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="etc_system_fips_exists" version="1">
     {{{ oval_metadata("Check /etc/system-fips exists") }}}
     <criteria operator="AND">

linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="grub2_enable_fips_mode" version="1">
     {{{ oval_metadata("Ensure fips=1 is configured in the kernel line in /etc/default/grub.") }}}
     <criteria operator="AND">

linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/ubuntu.xml

@@ -1,4 +1,3 @@
-{{%- if target_oval_version == [5, 11] -%}}
 <def-group>
   <definition class="compliance" id="aide_periodic_cron_checking" version="3">
     {{{ oval_metadata("By default, AIDE does not install itself for periodic
@@ -75,4 +74,3 @@
     <linux:state state_ref="ste_aide_is_active" />
   </linux:systemdunitproperty_test>
 </def-group>
-{{% endif %}}

linux_os/guide/system/software/updating/clean_components_post_updating/oval/shared.xml

@@ -1,6 +1,6 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="clean_components_post_updating" version="1">
-    {{{ oval_metadata("The clean_requirements_on_remove option should be used to ensure that old 
+    {{{ oval_metadata("The clean_requirements_on_remove option should be used to ensure that old
       versions of software components are removed after updating.") }}}
     <criteria>
       <criterion comment="check value of clean_requirements_on_remove in {{{ pkg_manager_config_file }}}" test_ref="test_yum_clean_components_post_updating" />

linux_os/guide/system/software/updating/clean_components_post_updating/oval/sle12.xml

@@ -1,4 +1,4 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="clean_components_post_updating" version="1">
     <metadata>
       <title>Ensure Zypper Removes Previous Package Versions</title>

linux_os/guide/system/software/updating/clean_components_post_updating/oval/sle15.xml

@@ -1,11 +1,11 @@
-<def-group oval_version="5.10">
+<def-group>
   <definition class="compliance" id="clean_components_post_updating" version="1">
     <metadata>
       <title>Ensure Zypper Removes Previous Package Versions</title>
       <affected family="unix">
         <platform>SUSE Linux Enterprise 15</platform>
       </affected>
-      <description>The solver.upgradeRemoveDroppedPackages option should be used to ensure that old 
+      <description>The solver.upgradeRemoveDroppedPackages option should be used to ensure that old
       versions of software components are removed after updating.</description>
     </metadata>
     <criteria>

ssg/build_ovals.py

@@ -197,7 +197,7 @@ def append(element, newchild):
 def check_oval_version(oval_version):
     """Not necessary, but should help with typos"""
 
-    supported_versions = ["5.10", "5.11"]
+    supported_versions = ["5.11"]
     if oval_version not in supported_versions:
         supported_versions_str = ", ".join(supported_versions)
         sys.stderr.write(
@@ -245,8 +245,8 @@ def _check_oval_version_from_oval(oval_file_tree, oval_version):
     if file_oval_version is None:
         # oval_version does not exist in <def-group/>
         # which means the OVAL is supported for any version.
-        # By default, that version is 5.10
-        file_oval_version = "5.10"
+        # By default, that version is 5.11
+        file_oval_version = "5.11"
 
     if tuple(oval_version.split(".")) >= tuple(file_oval_version.split(".")):
         return True