From 265dcc791f3adccb0d9df3f04da9ea75bdb2c671 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Thu, 12 May 2016 08:23:02 -0600
Subject: [PATCH 1/2] [Enhancement][BugFix] Jboss Fuse 6 build fixes & enhancements
- Update Makefile to be able to build with regular OVAL and OVAL5.11
- Fix deprecated OVAL tags
- Fix cpe_generate.py to use
- Part of #1046
---
 JBoss/Fuse/6/Makefile | 42 +++++++++++++++++--
 .../6/input/oval/installed_app_is_fuse6.xml | 24 ++++++-----
 .../jboss_karaf-vender_supported_version.xml | 5 ++-
 shared/transforms/cpe_generate.py | 27 ++++++++++++
 4 files changed, 81 insertions(+), 17 deletions(-)
diff --git a/JBoss/Fuse/6/Makefile b/JBoss/Fuse/6/Makefile
index cf3227f7fd7..de00538adbf 100644
--- a/JBoss/Fuse/6/Makefile
+++ b/JBoss/Fuse/6/Makefile
@@ -4,10 +4,26 @@ SHARED = ../../../shared
 include $(SHARED)/product-make.include
 
 PROD = fuse6
+PROD_OVAL = $(BUILD)/$(PROD)_oval
 
 checks:
-	xmlwf $(IN)/oval/*.xml
-	$(SHARED)/$(TRANS)/combineovals.py $(CONF) $(PROD) $(IN)/oval > $(OUT)/unlinked-$(PROD)-oval.xml
+	# Make intermediate $(PROD_OVAL) directory to hold final list of OVAL checks for $(PROD)
+	mkdir -p $(PROD_OVAL)
+	# Search $(SHARED_OVAL) and $(IN)/oval directories to find all product specific OVAL checks,
+	# which are regular files (not symlinks). Merge the final list into $(PROD_OVAL) directory
+	find $(SHARED_OVAL) $(IN)/oval -maxdepth 1 -type f -name '*.xml' -exec cp {} $(PROD_OVAL) ';'
+	# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
+	# into final list of OVAL checks
+ifeq ($(OVAL_5_11), 0)
+	# Search $(SHARED_OVAL_5_11) and $(IN)/oval/oval_5.11 directories to find all product specific
+	# OVAL-5.11 checks, which are regular files (not symlinks). Merge the final list into $(PROD_OVAL)
+	# directory
+	find $(SHARED_OVAL_5_11) $(IN)/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} $(PROD_OVAL) ';'
+	# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
+	$(eval MOD_ENV := env RUNTIME_OVAL_VERSION='5.11')
+endif
+	xmlwf $(PROD_OVAL)/*.xml
+	$(MOD_ENV) $(SHARED)/$(TRANS)/combineovals.py $(CONF) $(PROD) $(PROD_OVAL) > $(OUT)/unlinked-$(PROD)-oval.xml
 	xmllint --format --output $(OUT)/unlinked-$(PROD)-oval.xml $(OUT)/unlinked-$(PROD)-oval.xml
 
 # example, if needed: for converting XCCDF into shorthand
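Review bot: `$(PROD_OVAL)` is only created and filled in this recipe, never emptied, so on an incremental build a check that was deleted or renamed under `$(IN)/oval` or `$(SHARED_OVAL)` keeps its old copy in `$(BUILD)/$(PROD)_oval` and is still merged into `unlinked-$(PROD)-oval.xml`; add `$(RM) -r $(PROD_OVAL)` as the line before `mkdir -p $(PROD_OVAL)` so the merged set always mirrors the sources. The two `find … -exec cp` lines also let a file from the second start point silently overwrite a same-named file copied from `$(SHARED_OVAL)`, which looks intended for product overrides but deserves a comment such as `# product-specific files override shared ones of the same name` next to the first find. `$(eval MOD_ENV := …)` inside the recipe relies on GNU make expanding recipe lines one at a time before running each; assigning `MOD_ENV` in a parse-time `ifeq` block above the `checks:` rule would express the same intent without depending on that order. Where `OVAL_5_11`, `SHARED_OVAL` and `SHARED_OVAL_5_11` are defined is not visible here (presumably `product-make.include`).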
@@ -65,12 +81,18 @@ content: $(OUT)/xccdf-unlinked-final.xml checks
 	xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
 	$(OUT)/$(ID)-$(PROD)-xccdf-nodangles.xml > $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
 	sed -i '/idref="dangling reference to /d' $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
-# Update "style" attribute of to "SCAP_1.2". Fixes #1059
+# Update @style attribute of to "SCAP_1.2". Fixes #1059
 	sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
 	oscap ds sds-compose $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml $(OUT)/$(ID)-$(PROD)-ds.xml
+# Update @schematron-version attribute in datastream to "1.2". Fixes #1191
+# (Workaround for https://github.com/OpenSCAP/openscap/issues/383)
+	sed -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' $(OUT)/$(ID)-$(PROD)-ds.xml
 	# Add in CPE and OVAL content to datastream
 	oscap ds sds-add $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(OUT)/$(ID)-$(PROD)-ds.xml
 	oscap ds sds-add $(OUT)/$(ID)-$(PROD)-oval.xml $(OUT)/$(ID)-$(PROD)-ds.xml
+	# Fixes https://github.com/OpenSCAP/scap-security-guide/issues/1100
+	# Fixes https://github.com/OpenSCAP/scap-security-guide/issues/1101
+	$(SHARED)/$(TRANS)/datastream_move_ocil_to_ds_checks.py $(OUT)/$(ID)-$(PROD)-ds.xml $(OUT)/$(ID)-$(PROD)-ds.xml
 
 content-stig: table-stigs guide checks
 	xmllint --format --output $(OUT)/unlinked-stig-$(PROD)-xccdf.xml $(OUT)/unlinked-stig-$(PROD)-xccdf.xml
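Review bot: The new `sed -i 's/schematron-version="[0-9].[0-9]"/…'` leaves the `.` unescaped, so it matches any character rather than the literal dot; `[0-9]\.[0-9]` states the intended version pattern exactly. The added `datastream_move_ocil_to_ds_checks.py $(OUT)/$(ID)-$(PROD)-ds.xml $(OUT)/$(ID)-$(PROD)-ds.xml` passes the same path as input and output, which is only safe if the script reads the whole file before it starts writing; a comment recording that assumption, or writing to a temporary file and then `mv -f` over the datastream, would keep a mid-run failure from leaving a truncated `-ds.xml` that is newer than its inputs. The `content:` rule this hunk edits starts before the hunk.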
@@ -101,7 +123,19 @@ validate-xml:
 	oscap ds sds-validate $(OUT)/$(ID)-$(PROD)-ds.xml
 
 validate: validate-xml
-	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --rules-with-invalid-checks --ovaldefs-unused ssg-$(PROD)-xccdf.xml
+ifeq ($(OVAL_5_11), 0)
+	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --rules-with-invalid-checks --ovaldefs-unused $(ID)-$(PROD)-xccdf.xml
+else
+	# If we are building against oscap version not supporting OVAL-5.11 language version yet,
+	# don't call verify-references.py with "--rules-with-invalid-checks" argument, since the
+	# OVAL checks using the 5.11 OVAL version will not be included in that case
+	@echo -e "\nWarning:\n"
+	@echo -e "\tRHEL/7 content build using oscap not supporting OVAL-5.11 language version detected!"
+	@echo -e "\tSince the OVAL-5.11 RHEL/7 OVAL checks are missing, will skip test for referenced,"
+	@echo -e "\tbut undefined OVAL definitions during content validation. Consider building RHEL/7"
+	@echo -e "\tcontent with version OpenSCAP-1.2.2, or newer in order to perform full content validation!\n"
+	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --ovaldefs-unused $(ID)-$(PROD)-xccdf.xml
+endif
 
 eval-test:
 	oscap xccdf eval --profile test $(OUT)/$(ID)-$(PROD)-xccdf.xml
diff --git a/JBoss/Fuse/6/input/oval/installed_app_is_fuse6.xml b/JBoss/Fuse/6/input/oval/installed_app_is_fuse6.xml
index 676008dbeae..e5e048984f4 100644
--- a/JBoss/Fuse/6/input/oval/installed_app_is_fuse6.xml
+++ b/JBoss/Fuse/6/input/oval/installed_app_is_fuse6.xml
@@ -13,17 +13,26 @@
+ + + FUSE_HOME + + + + + + /etc + + + - - FUSE_HOME - - + config.properties karaf\.framework\.felix=.*org\.apache\.felix\.framework-([0-9a-z\.-]{18})\.jar 1
@@ -33,11 +42,4 @@
4.0.3.redhat-60024 - - - - /etc/ - - -
diff --git a/JBoss/Fuse/6/input/oval/jboss_karaf-vender_supported_version.xml b/JBoss/Fuse/6/input/oval/jboss_karaf-vender_supported_version.xml
index aaa04522c0e..a81d612bb85 100644
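Review bot: The five `@echo -e "\t…"` lines in the `else` branch depend on the shell's built-in `echo` honouring `-e`; under a POSIX `/bin/sh` such as dash the option is printed literally and `\n`/`\t` are not interpreted, so the warning comes out garbled — `printf` is the portable form, e.g. `@printf '\nWarning:\n\n'`, and the same applies to the three echo lines the second patch rewrites in this block. Both branches chain `cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py …` with `;`, so a failed `cd` is ignored and the script is looked up relative to the wrong directory; `cd $(OUT) && ../$(SHARED)/$(UTILS)/verify-references.py …` makes that failure the rule's failure (the removed line had the same shape, so this predates the commit). `ifeq ($(OVAL_5_11), 0)` sends an unset or empty `OVAL_5_11` down the weaker-validation path with only a printed warning; if the variable is meant to be a detection result from `product-make.include`, a guard such as `ifeq ($(strip $(OVAL_5_11)),)` with `$(error OVAL_5_11 is not set)` would stop a misconfigured build from silently skipping the invalid-check test.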
--- a/JBoss/Fuse/6/input/oval/jboss_karaf-vender_supported_version.xml
+++ b/JBoss/Fuse/6/input/oval/jboss_karaf-vender_supported_version.xml
@@ -17,9 +17,10 @@
- + + FUSE_HOME - +
diff --git a/shared/transforms/cpe_generate.py b/shared/transforms/cpe_generate.py
index c4446b45a98..7ddc9030ffc 100755
--- a/shared/transforms/cpe_generate.py
+++ b/shared/transforms/cpe_generate.py
@@ -24,6 +24,21 @@ def parse_xml_file(xmlfile):
     return tree
 
 
+def extract_subelement(objects, sub_elem_type):
+    for obj in objects:
+        for subelement in obj.getiterator():
+            if subelement.get(sub_elem_type):
+                sub_element = subelement.get(sub_elem_type)
+                return sub_element
+
+
+def extract_env_obj(objects, local_var):
+    for obj in objects:
+        env_id = extract_subelement(local_var, 'object_ref')
+        if env_id == obj.get('id'):
+            return obj
+
+
 def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
     reflist = []
     elementlist = []
@@ -89,15 +104,27 @@ def main():
 
     objects = ovaltree.find("./{%s}objects" % oval_ns)
     cpe_objects = extract_referred_nodes(tests, objects, "object_ref")
+    env_objects = extract_referred_nodes(objects, objects, "id")
     objects.clear()
     [objects.append(cpe_object) for cpe_object in cpe_objects]
 
+    # if any subelements in an object contain var_ref, return it here
+    local_var_ref = extract_subelement(objects, 'var_ref')
+
     variables = ovaltree.find("./{%s}variables" % oval_ns)
     if variables is not None:
         cpe_variables = extract_referred_nodes(tests, variables, "var_ref")
+        local_variables = extract_referred_nodes(variables, variables, "id")
         if cpe_variables:
             variables.clear()
             [variables.append(cpe_variable) for cpe_variable in cpe_variables]
+        elif local_var_ref:
+            for local_var in local_variables:
+                if local_var.get('id') == local_var_ref:
+                    variables.clear()
+                    variables.append(local_var)
+                    env_obj = extract_env_obj(env_objects, local_var)
+                    objects.append(env_obj)
         else:
             ovaltree.remove(variables)
 
From 90186a3c4c218e43ef509d968e929b777c59edcd Mon Sep 17 00:00:00 2001
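Review bot: `obj.getiterator()` in the new `extract_subelement` is the deprecated ElementTree spelling (removed in Python 3.9); `obj.iter()` performs the same walk on every interpreter this script could run under. In `extract_env_obj` the `env_id = extract_subelement(local_var, 'object_ref')` lookup is loop-invariant yet repeated for every object, and when the variable has no `object_ref` child it yields `None`, so the `env_id == obj.get('id')` test would match the first object lacking an `id` instead of reporting that nothing matched. Hoisting the lookup and returning `None` explicitly makes both the cost and the no-match case visible, and neither helper currently documents that it returns `None` when nothing is found, which the caller in `main()` depends on.
```python
def extract_env_obj(objects, local_var):
    # Return the object that local_var's object_ref component points at,
    # or None when local_var has no object_ref or no object carries that id.
    env_id = extract_subelement(local_var, 'object_ref')
    if env_id is None:
        return None
    for obj in objects:
        if obj.get('id') == env_id:
            return obj
    return None
```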
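Review bot: `objects.append(env_obj)` in the new `elif local_var_ref:` branch is reached with `env_obj` equal to `None` whenever `extract_env_obj` finds no object for the variable, and ElementTree's `append` rejects a non-element, so the failure shows up as an unrelated type or assertion error from the append rather than a message naming the variable; guard it with `if env_obj is None:` / `raise ValueError("no object found for variable %s" % local_var_ref)` before the append. `extract_subelement(objects, 'var_ref')` returns only the first `var_ref` it meets, so if two retained CPE objects reference different variables the second variable is dropped and the generated OVAL carries a dangling reference — a comment such as `# NOTE: only the first var_ref among the kept objects is resolved` would flag that until it is handled. The loop over `local_variables` can also `break` once the matching id has been appended. `main()` starts and ends outside the hunk.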
From: Gabe
Date: Fri, 13 May 2016 06:30:33 -0600
Subject: [PATCH 2/2] Minor JBoss 6 build fixes
- Remove RHEL references
- Add README for empty oval_5.11 directory
---
 JBoss/Fuse/6/Makefile | 6 +++---
 JBoss/Fuse/6/input/oval/oval_5.11/README | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 JBoss/Fuse/6/input/oval/oval_5.11/README
diff --git a/JBoss/Fuse/6/Makefile b/JBoss/Fuse/6/Makefile
index de00538adbf..3f6c22a6eac 100644
--- a/JBoss/Fuse/6/Makefile
+++ b/JBoss/Fuse/6/Makefile
@@ -130,9 +130,9 @@ else
 	# don't call verify-references.py with "--rules-with-invalid-checks" argument, since the
 	# OVAL checks using the 5.11 OVAL version will not be included in that case
 	@echo -e "\nWarning:\n"
-	@echo -e "\tRHEL/7 content build using oscap not supporting OVAL-5.11 language version detected!"
-	@echo -e "\tSince the OVAL-5.11 RHEL/7 OVAL checks are missing, will skip test for referenced,"
-	@echo -e "\tbut undefined OVAL definitions during content validation. Consider building RHEL/7"
+	@echo -e "\tJBoss content build using oscap not supporting OVAL-5.11 language version detected!"
+	@echo -e "\tSince the OVAL-5.11 JBoss OVAL checks are missing, will skip test for referenced,"
+	@echo -e "\tbut undefined OVAL definitions during content validation. Consider building JBoss"
 	@echo -e "\tcontent with version OpenSCAP-1.2.2, or newer in order to perform full content validation!\n"
 	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --ovaldefs-unused $(ID)-$(PROD)-xccdf.xml
 endif
diff --git a/JBoss/Fuse/6/input/oval/oval_5.11/README b/JBoss/Fuse/6/input/oval/oval_5.11/README
new file mode 100644
index 00000000000..540144ca03d
--- /dev/null
+++ b/JBoss/Fuse/6/input/oval/oval_5.11/README
@@ -0,0 +1 @@
+Remove this file when there is content in this directory