Build SCE content by default in rhel9 and rhel10 products #12488
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
Change in Ansible Please consider using more suitable Ansible module than |
jan-cerny
force-pushed
the
sce_default
branch
from
66c6569
to
c324ded
Compare
jan-cerny
changed the title
jan-cerny
force-pushed
the
sce_default
branch
3 times, most recently
from
d217dbd
to
2a81f80
Compare
jan-cerny
added
RHEL9
|
The problem is that: The following requirements and recommendations apply to the xccdf:check element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~Use of the OVAL checking system SHALL be indicated by setting the xccdf:check element's @System attribute to "http://oval.mitre.org/XMLSchema/oval-definitions-5 ". |
matusmarhefka
added a commit
to matusmarhefka/contest
that referenced
this pull request
Oct 18, 2024
Scapval tool is failing when we build SCE content by default in RHEL 9 and RHEL 10 data streams because it doesn't expect content to use checking systems other than the OVAL and OCIL (base requirement `SRC-118`). For more details see ComplianceAsCode/content#12488 We can waive this fail, it shouldn't cause any problems for 3rd party scanners as our content still contains also OVAL checks. To do so the test has been updated to parse XML results file generated by the scapval tool. The test is also updated to work on RHEL 10 where `java-21-openjdk` is the default as scapval tool has no problem running with this newer version of java.
matusmarhefka
added a commit
to matusmarhefka/contest
that referenced
this pull request
Oct 18, 2024
Scapval tool is failing when we build SCE content by default in RHEL 9 and RHEL 10 data streams because it doesn't expect content to use checking systems other than the OVAL and OCIL (base requirement `SRC-118`). For more details see ComplianceAsCode/content#12488 We can waive this fail, it shouldn't cause any problems for 3rd party scanners as our content still contains also OVAL checks. To do so the test has been updated to parse XML results file generated by the scapval tool. The test is also updated to work on RHEL 10 where `java-21-openjdk` is the default as scapval tool has no problem running with this newer version of java.
matusmarhefka
added a commit
to matusmarhefka/contest
that referenced
this pull request
Oct 18, 2024
Scapval tool is failing when we build SCE content by default in RHEL 9 and RHEL 10 data streams because it doesn't expect content to use checking systems other than the OVAL and OCIL (base requirement `SRC-118`). For more details see ComplianceAsCode/content#12488 We can waive this fail, it shouldn't cause any problems for 3rd party scanners as our content still contains also OVAL checks. To do so the test has been updated to parse XML results file generated by the scapval tool. The test is also updated to work on RHEL 10 where `java-21-openjdk` is the default as scapval tool has no problem running with this newer version of java.
matusmarhefka
added a commit
to matusmarhefka/contest
that referenced
this pull request
Oct 18, 2024
Scapval tool is failing when we build SCE content by default in RHEL 9 and RHEL 10 data streams because it doesn't expect content to use checking systems other than the OVAL and OCIL (base requirement `SRC-118`). For more details see ComplianceAsCode/content#12488 We can waive this fail, it shouldn't cause any problems for 3rd party scanners as our content still contains also OVAL checks. To do so the test has been updated to parse XML results file generated by the scapval tool. The test is also updated to work on RHEL 10 where `java-21-openjdk` is the default as scapval tool has no problem running with this newer version of java.
mildas
pushed a commit
to RHSecurityCompliance/contest
that referenced
this pull request
Oct 18, 2024
Scapval tool is failing when we build SCE content by default in RHEL 9 and RHEL 10 data streams because it doesn't expect content to use checking systems other than the OVAL and OCIL (base requirement `SRC-118`). For more details see ComplianceAsCode/content#12488 We can waive this fail, it shouldn't cause any problems for 3rd party scanners as our content still contains also OVAL checks. To do so the test has been updated to parse XML results file generated by the scapval tool. The test is also updated to work on RHEL 10 where `java-21-openjdk` is the default as scapval tool has no problem running with this newer version of java.
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Change the `build_product` convenient script so that it will build SCE by default for the `rhel9` and `rhel10` product.
SCE should be built in Ubuntu 20.04 and 22.04 products. However, this is specified only in the CI workflow description. In previous commit we have started to build SCE in RHEL 9 and 10. If we would like to start testing it in CI, we could do it either by changing the CI workflow description or the build_product script. It would be less complex if we could unify it in a single place which is the build_product script.
jan-cerny
force-pushed
the
sce_default
branch
from
2a81f80
to
7c812c3
Compare
|
I have rebased this PR on the top of the latest upstream master branch. |
|
Code Climate has analyzed commit 7c812c3 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
jan-cerny
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Build SCE checks into RHEL 9 and RHEL 10 data streams by default.
Rationale:
This change supports building bootable container images based on RHEL 9 and 10 (and CentOS Stream 9 and 10).
SCE checks will be used during the image build for the rules for which the classic OVAL check don't work in a container build environment (mainly service enabled/disabled rules).
Review Hints:
Build the RHEL 10 and RHEL 9 products and verify visually that SCE extended components are present in the built data stream.
Then, you can download the built scap-security-guide RPMs EL9 from Packit from COPR and verify visually that SCE extended components are present in the shipped data stream.