Platforms: prevent building content when version comparison is used and platform provides remediation conditional #10040
Conversation
… cause inconsistency between OVAL and remediations

Currently, if a platform definition uses version comparison, this restriction renders in OVAL correctly. But it does not render correctly as a remediation conditional: the conditional checks for package presence but not for its version.
codeclimate is complaining
It looks mostly fine. Please resolve the CodeClimate problem and also check my feedback below.
Hello @jan-cerny, I fixed the problems which you mentioned. I must say I am not sure how to approach the CodeClimate issue. I mean... I think the function is not that complex and that fragmenting it into smaller functions would be kinda artificial. What do you think?
@vojtapolasek I usually manage to satisfy the CodeClimate bot when I extract the inside of the
Code Climate has analyzed commit ae32f6e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 95.2% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.8% (-0.1% change). View more on Code Climate.
@jan-cerny good advice, it worked. Thank you.
I'm able to successfully trigger this exception when I add a package versioned platform expression to a rule.
```text
FAILED: rhel9/collect-remediations-rhel9 /home/jcerny/work/git/scap-security-guide/build/rhel9/collect-remediations-rhel9
cd /home/jcerny/work/git/scap-security-guide/build/rhel9 && env PYTHONPATH=/home/jcerny/work/git/scap-security-guide /usr/bin/python3 /home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py --resolved-rules-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/rules --build-config-yaml /home/jcerny/work/git/scap-security-guide/build/build_config.yml --product-yaml /home/jcerny/work/git/scap-security-guide/products/rhel9/product.yml --remediation-type bash --remediation-type ansible --remediation-type puppet --remediation-type anaconda --remediation-type ignition --remediation-type kubernetes --remediation-type blueprint --output-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/fixes --fixes-from-templates-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/fixes_from_templates --platforms-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/platforms --cpe-items-dir /home/jcerny/work/git/scap-security-guide/build/rhel9/cpe_items && /usr/bin/cmake -E touch /home/jcerny/work/git/scap-security-guide/build/rhel9/collect-remediations-rhel9
Traceback (most recent call last):
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 154, in <module>
    main()
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 147, in main
    collect_remediations(
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 114, in collect_remediations
    process_remediation(
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/collect_remediations.py", line 95, in process_remediation
    fix = remediation.process(remediation_obj, env_yaml, cpe_platforms)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 209, in process
    result = remediation.parse_from_file_with_jinja(env_yaml, cpe_platforms)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 251, in parse_from_file_with_jinja
    BashRemediation, self).get_rule_specific_conditionals("bash", cpe_platforms))
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 191, in get_rule_specific_conditionals
    return self.get_stripped_conditionals(language, cpe_platform_names, cpe_platforms)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 184, in get_stripped_conditionals
    maybe_stripped_conditional = self._get_stripped_conditional(language, platform)
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_remediations.py", line 164, in _get_stripped_conditional
    raise ValueError(
ValueError: The platform definition you are trying to use uses version comparison. Remediation conditionals for such platforms are currently not implemented for bash remediations. package[audit]>15.4 can't be used.
ninja: build stopped: subcommand failed.
```
Description:
Rationale:
If a version comparison is used within a platform definition, the resulting OVAL check will perform the comparison but the remediation conditionals will not. This introduces inconsistency and it should be prevented.
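As an added illustration (not code from this PR or from ComplianceAsCode), a minimal Python model of the inconsistency the rationale describes and of the build-time refusal the PR introduces. The expression grammar, the function names and the `rpm --quiet -q` presence test are assumptions made for the example:

```python
import re

# Assumed grammar: "<cpe>[<arg>]" optionally followed by "<op><version>",
# e.g. "package[audit]" or "package[audit]>15.4". Not the project's own parser.
PLATFORM_RE = re.compile(
    r"^(?P<cpe>[a-z_]+)\[(?P<arg>[^\]]+)\](?:(?P<op>>=|<=|!=|==|>|<)(?P<ver>\S+))?$"
)


def parse_platform(expr):
    """Split a platform expression into cpe, arg, op and ver (op/ver None if absent)."""
    m = PLATFORM_RE.match(expr.strip())
    if not m:
        raise ValueError("unrecognised platform expression: %r" % expr)
    return m.groupdict()


def uses_version_comparison(expr):
    return parse_platform(expr)["op"] is not None


def naive_bash_conditional(expr):
    """Pre-fix behaviour: emit a presence test and silently drop the version.

    For "package[audit]>15.4" this yields a test that is true on audit 14.x,
    so the bash fix would run where the OVAL check (audit > 15.4) does not apply.
    """
    parts = parse_platform(expr)
    if parts["cpe"] != "package":
        raise ValueError("only package[...] platforms are modelled here")
    return "rpm --quiet -q %s" % parts["arg"]  # assumed presence-test shape


def bash_conditional(expr):
    """Post-fix behaviour: refuse at build time instead of emitting a weaker check."""
    if uses_version_comparison(expr):
        raise ValueError(
            "The platform definition you are trying to use uses version comparison. "
            "Remediation conditionals for such platforms are currently not "
            "implemented for bash remediations. %s can't be used." % expr)
    return naive_bash_conditional(expr)


if __name__ == "__main__":
    print(bash_conditional("package[audit]"))
    print(naive_bash_conditional("package[audit]>15.4"))  # the inconsistent result
    try:
        bash_conditional("package[audit]>15.4")
    except ValueError as err:
        print("refused:", err)
```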