Enable templated SCE checks #12445
Enable templated SCE checks #12445
Conversation
Add a templated SCE check to the service_enabled template. The check could be used in the "podman build" environment where the OVAL check don't work because they depend on dbus which isn't available in this environment. OVAL check isn't going to be removed.
Members of the `langs` list aren't strings but are `TemplatingLang` named tuples. Therefore, it isn't possible to write condition `if 'sce-bash' in langs` but we need to check the `name` member of the named tuple instances instead. This fix will make building templated SCE content from templates working.
We will rename the check `variable`. The `check` variable was shadowed later when OVAL check is inserted. If a rule had both SCE and OVAL check, the element referencing the SCE check was overwritten by the element referencing the OVAL check. This will allow rules to have both SCE and OVAL at the same time.
Reduce code complexity of to_xml_element method by extracting the code responsible for creating the SCE check reference element to a new method _add_sce_check_element.
Reduce code complexity by extracting code responsible for inserting the element that references the OVAL check to a new method _add_oval_check_element.
Reduce the complexity of the to_xml_element method by moving out the code responsible for creating XCCDF check element referencing OCIL to a new method.
Refactor code by extracting it to a new method build_templated_sce_check.
This variable is set and incremented but never used.
The `SCE_DIR` argument of the `/build-scripts/build_sce.py` was
set to `/shared/checks/sce` and `${product}/checks/sce`. These
directories don't exist and it wouldn't make sense to create them.
We will remove the code working with these directories, this code
is effectively unused.
This commit converts `checks()` function to a new class `SCEBuilder`. This change will allow us future refactoring and simplification.
Extracts code that processes static SCE checks to a new method _build_static_sce_check.
Transform function `build_templated_sce_check` to a method of the `SCEBuilder` class `_build_templated_sce_check`.
Simplify code in _build_templated_sce_check to prevent having too many levels.
Move variable local_env_yaml to method where it is used. Avoid passing it as a parameter if this isn't necessary.
Move code responsible for assembling a list of directories that should be interated over.
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
Extracting some code to a new method `_get_rule_sce_lang` allows us to get rid of the `for` loop because there is always at most 1 item with name "sce-bash". Addressing: Function _build_templated_sce_check has a Cognitive Complexity of 8 (exceeds 7 allowed). Consider refactoring.
Extract code from the `_add_sce_check_element` method to multiple new methods in order to reduce complexity. Addressing: Function _add_sce_check_element has a Cognitive Complexity of 16 (exceeds 7 allowed). Consider refactoring.
Move duplicate code to a new function. Addressing: Identical blocks of code found in 2 locations. Consider refactoring.
Addressing: Expected 2 blank lines, found 1
|
Code Climate has analyzed commit f4f88d8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 69.1% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.0% (1.5% change). View more on Code Climate. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
After running tests as suggested by the author, I was able to verify that the SCE content coming from templates is in the datastream and OpenSCAP is able to use them (with the openscap-engine-sce package installed) correctly. I made sure to disable the OVAL check from the template data for the rule I was testing so OpenSCAP uses SCE only as suggested by the author.
The code looks code to me.
The CI failures are not related to these changes.
Description:
The build system seems to have option to have SCE content in templates. But in reality the code is broken and this option isn't used. This PR fixes the build system to enable SCE checks in templates. Then, it adds first SCEs to templates.
This PR contains:
Most of the PR changes is actually the refactoring and simplifying to satisfy Code Climate.
Rationale:
The SCE checks for state of systemd services can be used to check service status during a container image build. In the container image build environment OVAL checks for service status don't work because they depend on DBus which isn't available there. Using SCE checks there is easier than designing and implementing new OVAL test and object types.
Review Hints:
The first 3 commits are the main, the rest is either refactoring commits or extending commits.
Build with SCE:
Unfortunately, the SCE checks are hard to test at this moment because if a rule has both SCE and OVAL checks then OpenSCAP prefers using OVAL check and ignores the SCE check and there is no way to choose one of them by the user. This problem will be solved by OpenSCAP/openscap#2165. I suggest that you disable the OVAL in a selected rules temporarily for the purpose of testing.