Update ID mappings to fix STIGViewer imports

[egibs]

This PR updates our GPOS STIG and Benchmark IDs to allow for the following STIGViewer workflow:

• File -> Import STIG
• Select ssg-chainguard-gpos-ds.xml (or import U_GPOS_V3R2_SRG.zip directly)
• Checklist -> Create Checklist - Check Marked STIG(s)
• Import XCCDF Results File -> results.xml

For the most part, this follows existing STIG patterns and seems to work without issue (plus the original results.html file still displays as it always did).

[egibs]

Fixed the validation for the files in 53b2559 and 1a6dbad:

$ docker run -i --rm -u 0:0 --pid=host -v /var/run/docker.sock:/var/run/docker.sock   -v $(pwd)/out:/out -v $(pwd):/workspace cgr.dev/chainguard/openscap:latest-dev ds sds-validate /workspace/gpos/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
$
$ $ docker run -i --rm -u 0:0 --pid=host -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/out:/out -v $(pwd):/workspace cgr.dev/chainguard/openscap:latest-dev xccdf validate /workspace/gpos/xml/scap/ssg/content/ssg-chainguard-xccdf/OvalChecks/XccdfOvalChecks.xml
<?xml version="1.0"?>
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.

[stevebeattie]

Ugh, github won't let me comment inline on the unified diff of all commits, so I'm having to add comments on the individual commits, sorry about that. We're getting better, but there are still some issues.

[egibs]

I can import the results cleanly against both STIGs with the latest changes. The upstream STIG contains more detail, but since the results work with either it's trivial to swap between them.

Using CATI as an example --
Our STIG:

Upstream (straing from the .zip archive):

[stevebeattie]

One more thing to note is that, with the rule id changes in place, we'll have some tests in a couple of packages to update; https://github.com/wolfi-dev/os/blob/main/chainguard-security-guide.yaml being one of them.

[stevebeattie]

Verified that I can use oscap/oscap-docker to generate results, that the html report looks sensible in both success and failure conditions, that the results files can be imported into a stig checklist with both stig viewer v2 (when applied to both the disa xccdf and our xccdf) and v3.

Thanks for all your efforts!

[brooksphilip]

Can we add one more change to output the test run, the result, and the pass/fail to the finding details box?

[egibs]

Can we add one more change to output the test run, the result, and the pass/fail to the finding details box?

Would that be here?