OVAL object model #11041
OVAL object model #11041
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Hi @Honny1. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
I haven't reviewed the PR thoroughly, but I have some thoughts:
|
jan-cerny
added
enhancement
|
@jan-cerny As for objects, states, and variables, I have created abstract logic. Because these endpoints are very similar. If we are interested in collecting objects, for example, I can create a specific object class that extends the current class. The endpoint type(object/state/variable) can be determined from the class instance of the attribute tag. |
Honny1
force-pushed
the
oval-object-model
branch
6 times, most recently
from
69e2e1d
to
af94260
Compare
|
|
||
|
|
||
| def test_content_variable(): | ||
| assert False |
| assert text_file_content_object.list_of_property | ||
| list_of_property = [ | ||
| OVALEntityProperty( | ||
| "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}filepath", |
There was a problem hiding this comment.
you should use namespace definitions from ssg/constants.py.
| if notes_el == child_node_el: | ||
| continue |
There was a problem hiding this comment.
What is the reason for this special handling of notes element?
There was a problem hiding this comment.
Because the notes element is represented as a class. The notes element is loaded using the load_notes() function.
There was a problem hiding this comment.
I think it would need at least a comment there.
There was a problem hiding this comment.
I have an idea how to make it clear.
ssg/oval_object_model/general.py
Outdated
| BOOL_TO_STR = {True: "true", False: "false"} | ||
|
|
||
| OVAL_NAMESPACES = { | ||
| "oval": "http://oval.mitre.org/XMLSchema/oval-common-5", |
There was a problem hiding this comment.
If this isn't already defined in ssg/constants.py you should put it there and not here.
There was a problem hiding this comment.
Should I move all constants from the OVAL object model to the ssg/constants.py file?
There was a problem hiding this comment.
In general, I would say that constants that have a likelihood of being used elsewhere in the project should be moved to ssg/constants.py. Namespace URLs are an example of constants that should definitely go to ssg/constants.py. On the other hand, you can still keep some constants in this module, but those should be constants that are extremely unique for this module and you don't expect reusing them anywhere else in future.
| return "external_variable" in component.tag | ||
|
|
||
| @staticmethod | ||
| def _add_oval_component(component, component_dict): |
There was a problem hiding this comment.
This method feels too complex. Also, I'd prefer to build the exception messages using .format() instead of + operators.
| ) | ||
|
|
||
| space = " " | ||
| oval_definition_el.set( |
There was a problem hiding this comment.
This looks really suspicious. The library should declare the namespaces and prefixes automatically without you touching it.
There was a problem hiding this comment.
In this case, a special attribute with links to schemas is created. This attribute is intended for the validator. For this purpose, the namespace and attributes are set manually.
There was a problem hiding this comment.
Could you give an example of the special attribute? I think we need to take a detailed look into this.
There was a problem hiding this comment.
The xsi:schemaLocation attribute is with a namespace. I figured out how to add this attribute with namespace correctly. It's nothing special. But in the OVAL context, it's a different type of attribute. (It is not specified by OVAL XSD schemas)
ssg/oval_object_model/general.py
Outdated
| tag, | ||
| id_, | ||
| version, | ||
| list_of_property, |
There was a problem hiding this comment.
Would properties be a better name for this variable?
| "..", | ||
| ) | ||
| OVAL_DOCUMENT_PATH_FROM_BUILD = os.path.join( | ||
| PROJECT_ROOT, "build", "ssg-rhel9-oval.xml" |
There was a problem hiding this comment.
What if a different product would be built? I think that a unit test should never depend on built artifacts.
| @pytest.fixture | ||
| def oval_document_from_build(): | ||
| return _load_oval_document(OVAL_DOCUMENT_PATH_FROM_BUILD) |
There was a problem hiding this comment.
No, we shouldn't do this, we need to invent a different way. I think that a unit test should never depend on built artifacts. I'm afraid that as the contents of the real products will change the test can start failing.
There was a problem hiding this comment.
I can see that you already have other tests testing on test data so I think that you should remove this and move the checks to the test cases that test on the the test data.
|
|
||
|
|
||
| def test_content_state(): | ||
| assert False |
Honny1
force-pushed
the
oval-object-model
branch
2 times, most recently
from
fcd2c7f
to
0cd5600
Compare
Honny1
force-pushed
the
oval-object-model
branch
from
0cd5600
to
6cc2bdf
Compare
Honny1
force-pushed
the
oval-object-model
branch
9 times, most recently
from
a89de7d
to
4b576b0
Compare
Honny1
force-pushed
the
oval-object-model
branch
from
dadfae3
to
e7fd463
Compare
| assert text_file_content_object.properties | ||
|
|
||
| property_file_path = OVALEntityProperty( | ||
| "{{{}}}filepath".format(OVAL_NAMESPACES.independent) |
There was a problem hiding this comment.
I've got an idea to split the constructor parameter to 2 parameters: tag name and namespace. This would help us avoid this ugly format composition repeating frequently. WDYT?
There was a problem hiding this comment.
I think it's a good idea.
Honny1
force-pushed
the
oval-object-model
branch
from
e7fd463
to
056d22d
Compare
| def _get_xml_el(tag_name, xml_el): | ||
| el = xml_el.find("./{%s}%s" % (OVAL_NAMESPACES.definition, tag_name)) | ||
| return el if el else [] |
There was a problem hiding this comment.
The name of this function can be a little misleading for someone because the purpose of the function is to supply an iterable over the children, hence the empty list returned if the element isn't found.
| "{%s}oval_definitions" % OVAL_NAMESPACES.definition | ||
| ) | ||
|
|
||
| register_namespaces({"xsi": "http://www.w3.org/2001/XMLSchema-instance"}) |
There was a problem hiding this comment.
The URL needs to be moved to ssg/constants.py.
| "{1}{2}#linux linux-definitions-schema.xsd" | ||
| ).format( | ||
| OVAL_NAMESPACES.oval, | ||
| space, |
There was a problem hiding this comment.
Why is this space here?
There was a problem hiding this comment.
I checked the documentation and found no specific requirement for a separator between pairs in xsi:schemaLocation. So, I will replace the nine spaces between pairs with two spaces for better visual separation.
There was a problem hiding this comment.
I used the same number of spaces as used in documents generated with ./build_product.
| title_tag = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}title" | ||
| description_tag = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}description" |
There was a problem hiding this comment.
You should use the namespace from ssg/constants.py instead of hardcoding the URI here.
| DATA_DIR, "minimal_oval_of_oval_ssg-sshd_rekey_limit_def.xml" | ||
| ) | ||
|
|
||
| PROJECT_ROOT = os.path.join( |
There was a problem hiding this comment.
It looks like this variable is not used anywhere.
| assert not oval_document_from_shorthand.variables | ||
| assert not oval_document_from_shorthand.states |
There was a problem hiding this comment.
Wouldn't it be better to have some variables and states in the document as well? That would help you test them as well.
There was a problem hiding this comment.
Yes, I will prepare dog-food and extend the test.
Honny1
force-pushed
the
oval-object-model
branch
from
056d22d
to
1afa780
Compare
|
@Honny1 I'm missing any comment from you. Has every feedback been addressed? |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
@jan-cerny Not yet. |
Honny1
force-pushed
the
oval-object-model
branch
from
225505f
to
f372989
Compare
Honny1
force-pushed
the
oval-object-model
branch
from
f372989
to
0cf25e4
Compare
|
Code Climate has analyzed commit 4202324 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 91.3% (50% is the threshold). This pull request will bring the total coverage in the repository to 56.8% (3.0% change). View more on Code Climate. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
I have reviewed the code. i have executed the unit tests locally and they passed. I have used your test pastebin but modified it for RHEL 9 and reviewed the generated OVAL and I have compared the input and the output. I have seen that every feedback has been addressed. Thanks for this PR.
Description:
This PR introduces the OVAL object model into the SSG module. The OVAL object model can currently read XML OVAL documents and save yourself to XML OVAL document. The generated file is a valid XML OVAL document according to the
oscap oval validate <file>command. The model can be loaded from OVAL shorthand. Integration into the build system and other features will be introduced in future PRs.Doc with features ideas
Rationale:
Epic: OPENSCAP-2183
Review Hints:
Class Diagram:
Test script
pastebin.com/sSGMFREZ
In the root directory execute the test script via the commands below.
Run pytest