Select rules on the command line #1832
Merged
Commits on Jan 18, 2022
-
When multiple --rule options will be specified on the command line, OpenSCAP will evaluate multiple rules at once. Resolves: rhbz#2020581
-
The option will allow users to easily tell oscap to skip some rules without having to create a tailoring file. User will simply provide --skip-rule RULE_ID option on the command line to skip evaluation of the rule RULE_ID. Resolves: rhbz#2020580
-
The rule `xccdf_moc.elpmaxe.www_rule_17` requires group `xccdf_moc.elpmaxe.www_group_1_2` which is a typo or mistake because group `xccdf_moc.elpmaxe.www_group_1_2` doesn't exist. Instead, there is group `xccdf_moc.elpmaxe_group_1_2` (the correct group ID doesn't contain `.www`). To fix this, we could simply fix the ID in the `requires` element of rule `xccdf_moc.elpmaxe.www_rule_17`. But, since all other IDs in this XCCDF are in a form of `xccdf_moc.elpmaxe.www_.*` and we like consistency we will instead rename the group so that all IDs follow the same format.
-
Extend tests of the XCCDF requires and conflicts
The purpose of these new test cases is to preserve the current behavior of rules with requires and conflicts elements when `oscap` is invoked with the `--rule` option selecting specific rule or rules. The tests are based on current behavior, not on any specification, as `--rule` option is our custom feature, but at the same time we want notice behavior changes in future.
-
This allows us to modify the final selection at other places without consulting the real selection in the XCCDF document.
-
Ignore selections and conflicts
If the user explicitly requests a rule using --rule, they expect all the rules would be evaluated regardless selections and conflicts. The use-case for the `--rule` option is development and testing and in these situation it anyways behaves as an override. However, this patch doesn't solve the "requires" element handling. Required rules are still not added.
-
Issue a warning about required rules
If at least one `--rule` option is provided by the user, only the rules listed as arguments of `--rule` options are evaluated. It ignores the `requires` element in the rule. The required rules aren't added automatically and aren't evaluated unless they're explicitely listed. This way we keep the behavior of `--rule` option in previous versions of OpenSCAP, because SSGTS relies on the fact that single occurence of `--rule` options means that at most 1 rule is evaluated. To avoid confusion, OpenSCAP will now report a warning that the rule they are evaluating a requires another rule.
-
-
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.