
Platforms: prevent building content when version comparison is used and platform provides remediation conditional #10040

Conversation

vojtapolasek

Description:

  • when building remediations, check if a platform which should influence the remediation by providing conditional tries to check applicability by version comparison
  • if yes, abort the build and explain the reason
  • update documentation accordingly
  • add relevant test

Rationale:

If the version comparison is used within the platform definition, the resulting OVAL check will perform the check but remediation conditionals will not. This introduces inconsistency and this should be prevented.

… cause inconsistency between OVAL and remediations

Currently, if a platform definition uses version comparison, this restriction renders in OVAL correctly.
But it does not render correctly as a remediation conditional - the conditional checks for package presence but not for its version.
@vojtapolasek vojtapolasek added Infrastructure Our content build system CPE-AL CPE Applicability Language labels Jan 10, 2023
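The inconsistency the description refers to, and the build-time guard that prevents it, as an added illustration (this is not code from the ComplianceAsCode project). The expression grammar (`package[<name>]` with an optional comparison operator and version), the installed-package table and the `rpm --quiet -q` shape of the presence check are assumptions constructed for the demo; the error text mirrors the `ValueError` shown in the traceback later in the thread:

```python
"""Why a version-comparing platform must not silently become a presence-only
remediation conditional, and the guard that aborts the build instead.

Added example, not ComplianceAsCode code. Grammar, inventory and the bash
conditional shape below are assumptions made for this illustration.
"""
import re

# Constructed sample inventory: package name -> installed version.
INSTALLED = {"audit": "15.0", "sudo": "1.9.5"}

# Assumed grammar: package[<name>] optionally followed by <op><version>.
PLATFORM_RE = re.compile(
    r"^package\[(?P<name>[A-Za-z0-9_.+-]+)\]"
    r"(?:(?P<op>==|!=|>=|<=|>|<)(?P<version>[0-9][0-9A-Za-z.~+-]*))?$"
)


def parse_platform(expr):
    """Split a platform expression into (name, operator, version)."""
    m = PLATFORM_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported platform expression: %r" % expr)
    return m.group("name"), m.group("op"), m.group("version")


def uses_version_comparison(expr):
    """True when the platform restricts on version, not only on presence."""
    _, op, _ = parse_platform(expr)
    return op is not None


def _version_key(version):
    # Naive dotted-numeric comparison; sufficient for the constructed data.
    return tuple(int(p) if p.isdigit() else p
                 for p in re.split(r"[.~+-]", version))


def oval_applies(expr, installed=INSTALLED):
    """Model of the OVAL side: honours both presence and version."""
    name, op, version = parse_platform(expr)
    if name not in installed:
        return False
    if op is None:
        return True
    have, want = _version_key(installed[name]), _version_key(version)
    return {
        "==": have == want, "!=": have != want,
        ">": have > want, ">=": have >= want,
        "<": have < want, "<=": have <= want,
    }[op]


def presence_only_applies(expr, installed=INSTALLED):
    """Model of the pre-fix remediation conditional: presence only,
    so the version part of the platform is silently dropped."""
    name, _, _ = parse_platform(expr)
    return name in installed


def remediation_conditional(expr, language="bash"):
    """Guard described in the PR: refuse to build a conditional that would
    lose the version restriction, instead of emitting a presence-only check."""
    name, op, _ = parse_platform(expr)
    if op is not None:
        raise ValueError(
            "The platform definition you are trying to use uses version "
            "comparison. Remediation conditionals for such platforms are "
            "currently not implemented for %s remediations. %s can't be used."
            % (language, expr))
    # With no version part, a presence check is a faithful conditional
    # (assumed bash shape, modelled on rpm's quiet query).
    return "rpm --quiet -q %s" % name


if __name__ == "__main__":
    expr = "package[audit]>15.4"
    # audit 15.0 is installed: OVAL says "not applicable", presence-only
    # says "applicable" - the remediation would run where the check does not.
    print("OVAL applies:", oval_applies(expr))
    print("presence-only conditional applies:", presence_only_applies(expr))
    try:
        remediation_conditional(expr)
    except ValueError as err:
        print("build aborted:", err)
    print("version-free platform:", remediation_conditional("package[audit]"))
```

Running the block shows the two evaluations disagreeing for `package[audit]>15.4` and the guard refusing to build a conditional for it, while `package[audit]` (no version) still produces a presence check.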
@jan-cerny jan-cerny self-assigned this Jan 12, 2023
@jan-cerny jan-cerny added this to the 0.1.66 milestone Jan 12, 2023
@jan-cerny jan-cerny left a comment
It looks mostly fine. Please resolve the CodeClimate problem and also check my feedback below.

ssg/build_remediations.py (review comment, outdated)
@vojtapolasek

Hello @jan-cerny, I fixed the problems which you mentioned. I must say I am not sure how to approach the CodeClimate issue. I mean... I think the function is not that complex and that fragmenting it into smaller functions would be kinda artificial. What do you think?

@jan-cerny

@vojtapolasek I usually manage to satisfy the CodeClimate bot when I extract the inside of the for loop to a new function.

@codeclimate
codeclimate bot commented Jan 12, 2023

Code Climate has analyzed commit ae32f6e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 95.2% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.8% (-0.1% change).

@vojtapolasek

@jan-cerny good advice, it worked. Thank you.

@jan-cerny jan-cerny left a comment
I'm able to successfully trigger this exception when I add a package versioned platform expression to a rule.

FAILED: rhel9/collect-remediations-rhel9 /home/jcerny/work/git/scap-security-guide/build/rhel9/collect-remediations-rhel9 
cd /home/jcerny/work/git/scap-security-guide/build/rhel9 && env PYTHONPATH=/home/jcerny/work/git/scap-security-guide /usr/bin/python3 /home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py --resolved-rules-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/rules --build-config-yaml /home/jcerny/work/git/scap-security-guide/build/build_config.yml --product-yaml /home/jcerny/work/git/scap-security-guide/products/rhel9/product.yml --remediation-type bash --remediation-type ansible --remediation-type puppet --remediation-type anaconda --remediation-type ignition --remediation-type kubernetes --remediation-type blueprint --output-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/fixes --fixes-from-templates-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/fixes_from_templates --platforms-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/platforms --cpe-items-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/cpe_items && /usr/bin/cmake -E touch /home/jcerny/work/git/scap-security-guide/build/rhel9/collect-remediations-rhel9
Traceback (most recent call last):
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 154, in <module>
    main()
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 147, in main
    collect_remediations(
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 114, in collect_remediations
    process_remediation(
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 95, in process_remediation
    fix = remediation.process(remediation_obj, env_yaml, cpe_platforms)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 209, in process
    result = remediation.parse_from_file_with_jinja(env_yaml, cpe_platforms)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 251, in parse_from_file_with_jinja
    BashRemediation, self).get_rule_specific_conditionals("bash", cpe_platforms))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 191, in get_rule_specific_conditionals
    return self.get_stripped_conditionals(language, cpe_platform_names, cpe_platforms)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 184, in get_stripped_conditionals
    maybe_stripped_conditional = self._get_stripped_conditional(language, platform)
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 164, in _get_stripped_conditional
    raise ValueError(
ValueError: The platform definition you are trying to use uses version comparison. Remediation conditionals for such platforms are currently not implemented for bash remediations. package[audit]>15.4 can't be used.
ninja: build stopped: subcommand failed.

@jan-cerny jan-cerny merged commit 1d2f469 into ComplianceAsCode:master Jan 12, 2023