Fix the generation of SCE checks in the output datastream #10015
Conversation
|
Hi @nightmared. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
nightmared
force-pushed
the
fix_sce_datastream
branch
from
a265c67
to
d4fa0d6
Compare
|
I rewrote the last commit to remove the use of strings (it requires python >= 3.6, and it appears the centOS7 builder in the CI uses python3.5). |
nightmared
force-pushed
the
fix_sce_datastream
branch
2 times, most recently
from
0e3591b
to
822b39d
Compare
There was a problem hiding this comment.
Thank you very much for pointing this problem.
I tried to check whether the build works. I wasn't exactly sure how to do that. I have found that at this moment the only product that contains a SCE check in the project is the Ubuntu 20.04. There is only one SCE check and that is linux_os/guide/system/accounts/accounts-session/accounts_users_own_home_directories/sce/ubuntu2004.sh. I used the following command to build it:
[jcerny@thinkpad scap-security-guide{pr/10015}]$ ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED=ON" ./build_product -d ubuntu2004
On master branch, this trace backs. With this PR it builds successfully and it doesn't trace back. That's great. However, the built SCAP source data stream doesn't contain the aforementioned SCE file anywhere and I also can't find any component with that.
I think you should make it actually working and make sure the SCE content really gets populated to the generated SCAP source data stream. I think the problem related to the XPath you use (see comments inline).
I'm wondering how to prevent this bug in future. It seems that the bug hasn't been caught by any tests. Perhaps it would be very useful to add a test to this PR that verifies the SCE content build. I also wonder what setup is used by the customers. We should add measures to prevent breaking their use case again.
build-scripts/compose_ds.py
Outdated
| # The component ID is the component-ref href without leading '#' | ||
| checklist_component_id = checklists_component_ref.get(xlink_href)[1:] | ||
|
|
||
| # Locate the <xccdf:check> inside <xccdf:Rule> and detect the SCE checks |
There was a problem hiding this comment.
The problem with comments is that they can become easily outdated. They feel superflous. By better naming and better structuring code the code will become selfexplanatory and you will not need the comments.
build-scripts/compose_ds.py
Outdated
| # When SCE support is enabled, retrieve the SCE checks and embed them in the datastream. | ||
| # Collect every SCE check, extract the path to the script content, and include | ||
| # every scripts in the datastream. | ||
| def collect_sce_checks(datastreamtree, checklists, refdir): |
There was a problem hiding this comment.
we need unit tests for this function
jan-cerny
added
Infrastructure
|
Thanks for your numerous comments! I am working on a new version of this patch that will fix these shortcomings. As for the use of SCE by our customer, some SCE checks were written to either add checks outside of official recommendations, or to add support for specified by checks that lacked an implementation yet, like #10017. I do not believe it would be easy for you to detect such breakage, except maybe by having an SCE checks enabled by default in a standard profile (something like #10017 maybe?). I'm sure automated tests would help too, but I'm not very experienced with your test scripts, so even though I'm going to take a look at adding SCE tests, I can't guarantee much about their quality :) |
nightmared
force-pushed
the
fix_sce_datastream
branch
2 times, most recently
from
e56f906
to
8d8fd7b
Compare
nightmared
force-pushed
the
fix_sce_datastream
branch
from
8d8fd7b
to
a6c33d8
Compare
nightmared
force-pushed
the
fix_sce_datastream
branch
2 times, most recently
from
f10f307
to
44fe729
Compare
|
@jan-cerny Hello, sorry for the spam, but is there anything I can do to improve further this patch? |
build_product
Outdated
| @@ -378,7 +378,7 @@ for chosen_product in "${_arg_product[@]}"; do | |||
| fi | |||
| done | |||
|
|
|||
| CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator") | |||
| CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' '-DSSG_SCE_ENABLED:BOOL=ON' "${cmake_enable_args[@]}" -G "$cmake_generator") | |||
There was a problem hiding this comment.
We have discussed this with the team and we think that we shouldn't enable SCE by default because at this moment we don't have any ways of ensuring quality of the contents of SCE files, ie. Automatus tests don't support SCE. Please remove this change. People can enable it on demand by adding the '-DSSG_SCE_ENABLED:BOOL=ON to the ADDITIONAL_CMAKE_OPTIONS bash variable.
I think that you have added this due to enablement of the tests in the CI. I think that instead this can be achieved by enabling it explicitly in the GitHub Actions definitions in .github/workflows/gate.yaml. For example, it can be added to the Ubuntu job that builds the Ubuntu content because that already contains the SCE check. What do you think about this?
There was a problem hiding this comment.
Sure, I hadn't thought of using ADDITIONAL_CMAKE_OPTIONS.
Would the new patch (that only enables it for Ubuntu 20.04 in the CI via the method your proposed) be acceptable in that regard?
nightmared
force-pushed
the
fix_sce_datastream
branch
from
44fe729
to
921e8e1
Compare
|
Code Climate has analyzed commit 921e8e1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 12.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.7% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
I have checked that the SCE script is present in the form of an extended component in the generated SCAP source data stream for the Ubuntu 20.04 and I have verified that it happens only when ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED=ON". Also, I have seen that the test ds-sce is passing in the Ubuntu 20.04 GitHub Actions CI job.
Great job! Thank you!
Description:
The support for SCE scripts appear to be have been broken since the switch from
oscap ds sds-compose, as the SCE scripts are no longer embedded in the output datastream.In fact, trying to build SCE scripts should currently fail because some function calls were not updated to account for recently added parameters.
This PR:
Rationale:
A customer of my employer is relying on SCE checks for custom automated checks.
This customer builds his own fork of ComplianceAsCode with a dedicated profile that combines these company-specific checks atop an existing profile for compliance with government standards.
We ran into problems with SCE scripts when rebasing their changes against the latest version of CAC (v0.1.65).
We were able to use successfully use SCE scripts by applying this patchset.