[Enhancement][BugFix] Jboss Fuse 6 build fixes & enhancements

JBoss/Fuse/6/Makefile

@@ -4,10 +4,26 @@ SHARED = ../../../shared
 include $(SHARED)/product-make.include
 
 PROD = fuse6
+PROD_OVAL = $(BUILD)/$(PROD)_oval
 
 checks:
-	xmlwf $(IN)/oval/*.xml
-	$(SHARED)/$(TRANS)/combineovals.py $(CONF) $(PROD) $(IN)/oval > $(OUT)/unlinked-$(PROD)-oval.xml
+	# Make intermediate $(PROD_OVAL) directory to hold final list of OVAL checks for $(PROD)
+	mkdir -p $(PROD_OVAL)
+	# Search $(SHARED_OVAL) and $(IN)/oval directories to find all product specific OVAL checks,
+	# which are regular files (not symlinks). Merge the final list into $(PROD_OVAL) directory
+	find $(SHARED_OVAL) $(IN)/oval -maxdepth 1 -type f -name '*.xml' -exec cp {} $(PROD_OVAL) ';'
+	# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
+	# into final list of OVAL checks
+ifeq ($(OVAL_5_11), 0)
+	# Search $(SHARED_OVAL_5_11) and $(IN)/oval/oval_5.11 directories to find all product specific
+	# OVAL-5.11 checks, which are regular files (not symlinks). Merge the final list into $(PROD_OVAL)
+	# directory
+	find $(SHARED_OVAL_5_11) $(IN)/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} $(PROD_OVAL) ';'
+	# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
+	$(eval MOD_ENV := env RUNTIME_OVAL_VERSION='5.11')
+endif
+	xmlwf $(PROD_OVAL)/*.xml
+	$(MOD_ENV) $(SHARED)/$(TRANS)/combineovals.py $(CONF) $(PROD) $(PROD_OVAL) > $(OUT)/unlinked-$(PROD)-oval.xml
 	xmllint --format --output $(OUT)/unlinked-$(PROD)-oval.xml $(OUT)/unlinked-$(PROD)-oval.xml
 
 # example, if needed: for converting XCCDF into shorthand
@@ -65,12 +81,18 @@ content: $(OUT)/xccdf-unlinked-final.xml checks
 	xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
 		$(OUT)/$(ID)-$(PROD)-xccdf-nodangles.xml > $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
 	sed -i '/idref="dangling reference to /d' $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
-#	Update "style" attribute of <xccdf:Benchmark> to "SCAP_1.2". Fixes #1059
+#	Update @style attribute of <xccdf:Benchmark> to "SCAP_1.2". Fixes #1059
 	sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml
 	oscap ds sds-compose $(OUT)/$(ID)-$(PROD)-xccdf-1.2.xml $(OUT)/$(ID)-$(PROD)-ds.xml
+#	Update @schematron-version attribute in datastream to "1.2". Fixes #1191
+#	(Workaround for https://github.com/OpenSCAP/openscap/issues/383)
+	sed -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' $(OUT)/$(ID)-$(PROD)-ds.xml
 #	Add in CPE and OVAL content to datastream
 	oscap ds sds-add $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(OUT)/$(ID)-$(PROD)-ds.xml
 	oscap ds sds-add $(OUT)/$(ID)-$(PROD)-oval.xml $(OUT)/$(ID)-$(PROD)-ds.xml
+	# Fixes https://github.com/OpenSCAP/scap-security-guide/issues/1100
+	# Fixes https://github.com/OpenSCAP/scap-security-guide/issues/1101
+	$(SHARED)/$(TRANS)/datastream_move_ocil_to_ds_checks.py $(OUT)/$(ID)-$(PROD)-ds.xml $(OUT)/$(ID)-$(PROD)-ds.xml
 
 content-stig: table-stigs guide checks
 	xmllint --format --output $(OUT)/unlinked-stig-$(PROD)-xccdf.xml $(OUT)/unlinked-stig-$(PROD)-xccdf.xml
@@ -101,7 +123,19 @@ validate-xml:
 	oscap ds sds-validate $(OUT)/$(ID)-$(PROD)-ds.xml
 
 validate: validate-xml
-	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --rules-with-invalid-checks --ovaldefs-unused ssg-$(PROD)-xccdf.xml
+ifeq ($(OVAL_5_11), 0)
+	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --rules-with-invalid-checks --ovaldefs-unused $(ID)-$(PROD)-xccdf.xml
+else
+	# If we are building against oscap version not supporting OVAL-5.11 language version yet,
+	# don't call verify-references.py with "--rules-with-invalid-checks" argument, since the
+	# OVAL checks using the 5.11 OVAL version will not be included in that case
+	@echo -e "\nWarning:\n"
+	@echo -e "\tJBoss content build using oscap not supporting OVAL-5.11 language version detected!"
+	@echo -e "\tSince the OVAL-5.11 JBoss OVAL checks are missing, will skip test for referenced,"
+	@echo -e "\tbut undefined OVAL definitions during content validation. Consider building JBoss"
+	@echo -e "\tcontent with version OpenSCAP-1.2.2, or newer in order to perform full content validation!\n"
+	cd $(OUT); ../$(SHARED)/$(UTILS)/verify-references.py --ovaldefs-unused $(ID)-$(PROD)-xccdf.xml
+endif
 
 eval-test:
 	oscap xccdf eval --profile test $(OUT)/$(ID)-$(PROD)-xccdf.xml

JBoss/Fuse/6/input/oval/installed_app_is_fuse6.xml

@@ -13,17 +13,26 @@
     </criteria>
   </definition>
 
+  <ind:environmentvariable58_object id="obj_env_fuse_installed_app_home" version="1">
+    <ind:pid xsi:nil="true" datatype="int" />
+    <ind:name>FUSE_HOME</ind:name>
+  </ind:environmentvariable58_object>
+
+  <local_variable id="local_var_installed_app_is_fuse6" version="1" datatype="string" comment="log location">
+    <concat>
+      <object_component object_ref="obj_env_fuse_installed_app_home" item_field="value" />
+      <literal_component>/etc</literal_component>
+    </concat>
+  </local_variable>
+
   <ind:textfilecontent54_test id="test_installed_app_is_fuse6" version="1"
     check="all" check_existence="all_exist" comment="Check Fuse Version">
     <ind:object object_ref="obj_installed_app_is_fuse6" />
     <ind:state state_ref="state_installed_app_is_fuse6" />
   </ind:textfilecontent54_test>
-  <ind:environmentvariable_object id="env_obj_fuse_home" version="1">
-    <ind:name>FUSE_HOME</ind:name>
-  </ind:environmentvariable_object>
 
   <ind:textfilecontent54_object id="obj_installed_app_is_fuse6" version="1">
-    <ind:path var_ref="local_var_installed_app_is_fuse6"/>
+    <ind:path var_ref="local_var_installed_app_is_fuse6" />
     <ind:filename>config.properties</ind:filename>
     <ind:pattern operation="pattern match">karaf\.framework\.felix=.*org\.apache\.felix\.framework-([0-9a-z\.-]{18})\.jar</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
@@ -33,11 +42,4 @@
     <ind:subexpression>4.0.3.redhat-60024</ind:subexpression>
   </ind:textfilecontent54_state>
 
-  <local_variable id="local_var_installed_app_is_fuse6" version="1" datatype="string" comment="log location">
-    <concat>
-      <object_component object_ref="env_obj_fuse_home" item_field="value" />
-      <literal_component>/etc/</literal_component>
-    </concat>
-  </local_variable>
-
 </def-group>

JBoss/Fuse/6/input/oval/jboss_karaf-vender_supported_version.xml

@@ -17,9 +17,10 @@
     <ind:object object_ref="obj_vender_supported_version" />
     <ind:state state_ref="state_vender_supported_version" />
   </ind:textfilecontent54_test>
-  <ind:environmentvariable_object id="env_obj_fuse_home" version="1">
+  <ind:environmentvariable58_object id="env_obj_fuse_home" version="1">
+    <ind:pid xsi:nil="true" datatype="int" />
     <ind:name>FUSE_HOME</ind:name>
-  </ind:environmentvariable_object>
+  </ind:environmentvariable58_object>
 
   <ind:textfilecontent54_object id="obj_vender_supported_version" version="1">
     <ind:path var_ref="local_var_vender_supported_version"/>

JBoss/Fuse/6/input/oval/oval_5.11/README

@@ -0,0 +1 @@
+Remove this file when there is content in this directory

shared/transforms/cpe_generate.py

@@ -24,6 +24,21 @@ def parse_xml_file(xmlfile):
     return tree
 
 
+def extract_subelement(objects, sub_elem_type):
+    for obj in objects:
+        for subelement in obj.getiterator():
+            if subelement.get(sub_elem_type):
+                sub_element = subelement.get(sub_elem_type)
+                return sub_element
+
+
+def extract_env_obj(objects, local_var):
+    for obj in objects:
+        env_id = extract_subelement(local_var, 'object_ref')
+        if env_id == obj.get('id'):
+            return obj
+
+
 def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
     reflist = []
     elementlist = []
@@ -89,15 +104,27 @@ def main():
 
     objects = ovaltree.find("./{%s}objects" % oval_ns)
     cpe_objects = extract_referred_nodes(tests, objects, "object_ref")
+    env_objects = extract_referred_nodes(objects, objects, "id")
     objects.clear()
     [objects.append(cpe_object) for cpe_object in cpe_objects]
 
+    # if any subelements in an object contain var_ref, return it here
+    local_var_ref = extract_subelement(objects, 'var_ref')
+
     variables = ovaltree.find("./{%s}variables" % oval_ns)
     if variables is not None:
         cpe_variables = extract_referred_nodes(tests, variables, "var_ref")
+        local_variables = extract_referred_nodes(variables, variables, "id")
         if cpe_variables:
             variables.clear()
             [variables.append(cpe_variable) for cpe_variable in cpe_variables]
+        elif local_var_ref:
+            for local_var in local_variables:
+                if local_var.get('id') == local_var_ref:
+                    variables.clear()
+                    variables.append(local_var)
+                    env_obj = extract_env_obj(env_objects, local_var)
+                    objects.append(env_obj)
         else:
             ovaltree.remove(variables)