Fix Automatus in CI

[jan-cerny]

Description:

Some rules depend on rule installed_OS_is_FIPS_certified which makes
it difficult to run test scenarios of these rules on different systems
that aren't certified by FIPS. For example, this happens when you run
test scenarios on Fedora container or CentOS container.

This situation is currently handled by a feature of Automatus using the
--add-product-to-fips-certified option which extends the OVAL in rule
installed_OS_is_FIPS_certified to make it pass on a selected platform.
Unfortunately, this depends on assumption that there exist an OVAL
definition installed_OS_is_${product}. After recent changes in build
system, it doesn't have to be true, because if this definition isn't
used by any rule, it gets removed by code that filters out unused
definitions.

This option depends on assumption that the given SCAP source data
stream contains definitions of all possible products which might
not be the case if the definiton isn't used by any rule in that
data stream. The feature is fragile

We will add a new Automatus option '--remove-fips-certified' which will
remove all <oval-def:extend_definition> elements that reference OVAL
definition for rule installed_OS_is_FIPS_certified from all other
rules. As a result, no rule will depend on
installed_OS_is_FIPS_certifed when this option will be used.

Review Hints:

python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remove-fips-certified --scenario  correct_value.pass.sh sshd_use_approved_ciphers

Check the Automatus CI jobs.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[jan-cerny]

This is a link to the output of the Automatus Fedora / Run Tests job: https://github.com/ComplianceAsCode/content/actions/runs/7707656693/job/21005286727?pr=11494. Now, I will remove the test commit so that I can make it ready for review.

[codeclimate]

Code Climate has analyzed commit 3ca2eb0 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).

View more on Code Climate.

[jan-cerny]

/packit retest-failed

[Mab879]

/packit retest-failed

[Mab879]

@mildas are aware anything else that might need adjusting with this change?

[mildas]

I don't think. Other places where AutoMatus is used doesn't use this option.