Removing unused variables from the datastream

[Honny1]

Description:

This PR removes unused variables in the datastream. It also fixes missing variables for thin data streams. The problem was caused by removing XCCDF groups without rules because the removed groups contained variables that were used in rules from other groups.

The problem can be replicated by building a thin ds for the enable_fips_mode rule.

./build_product fedora --rule-id enable_fips_mode
oscap ds sds-validate ./build/ssg-fedora-ds.xml

To solve this problem, an in-memory XCCDF benchmark is created that contains all the rules from which information is obtained about which rule uses which variable. This step slows down the build.

Review Hints:

Verify that the problem does not occur with a single rule:

./build_product fedora --rule-id enable_fips_mode
oscap ds sds-validate ./build/ssg-fedora-ds.xml

For all thin ds, you can run a test from the test suite. (A validation test has been implemented for this problem)

./build_product fedora --thin
python3 -m pytest -n auto tests/test_thin_ds.py

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11858
This image was built from commit: c904b62

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11858

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11858 make deploy-local

[jan-cerny]

@Honny1 I have built the rhel9 product from this PR's branch and I have noticed a problem in the build/ssg-rhel9-ds.xml. There are some variables that are referenced in refine-value elements in Profile elements but there is no corresponding Value element with that ID, so these references are dangling. For example, var_sudo_dedicated_group or var_sudo_umask that are refined in ANSSI High profile but aren't defined in the benchmark.

[Honny1]

@jan-cerny
I added variables present in the profile to the variable selection. So now the variables should be present in the Datastream.

[codeclimate]

Code Climate has analyzed commit c904b62 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 66.6% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.1% change).

View more on Code Climate.

[Honny1]

/packit rebuild-failed

[jan-cerny]

I like the PR. I have checked the review hints. I have also compared the built data streams for RHEL 8 and 9 products. I haven't found any problem.

[jan-cerny]

it would be better to extract this code to a variable