Generate the CPE Dictionary dynamically #6304
Conversation
|
Skipping CI for Draft Pull Request. |
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
Changes identified: Show detailsOthers: Recommended tests to execute: |
yuumasato
force-pushed
the
unify_cpe_dictionaries
branch
from
80f0d77 to
22438ae
Compare
ssg/constants.py
Outdated
| ], | ||
| "centos8": [ | ||
| "cpe:/o:centos:centos:8", | ||
| ], |
There was a problem hiding this comment.
all cpes need to be dropped from constants.py
There was a problem hiding this comment.
Actually a lot of CPE mappings can be dropped from ssg/constants.py.
I'm not sure if it would better be done in this PR or a subsequent one.
I lean towards doing it in a separate PR.
There was a problem hiding this comment.
PRODUCT_TO_CPE_MAPPING was removed
shared/applicability/cpes.yml
Outdated
| "cpe:/a:redhat:enterprise_virtualization_manager:4": | ||
| id: rhvm4 | ||
| title: "Red Hat Virtualization 4 Manager" | ||
| check_id: installed_app_is_rhv4 |
There was a problem hiding this comment.
Overall structure needs to be cleaner and clearer like so:
 - id: rhvm4
 title: "Red Hat Virtualization 4 Manager"
cpe: "cpe:/a:redhat:enterprise_virtualization_manager:4"
 check_id: installed_app_is_rhv4
There was a problem hiding this comment.
there also needs to be an additional key called additional_cpes or include_cpes that maps to shared/applicability/cpes.yml
There was a problem hiding this comment.
there also needs to be an additional key called
additional_cpesorinclude_cpesthat maps toshared/applicability/cpes.yml
Why, if the CPEs are picked up automatically based on the content included in the benchmark?
There was a problem hiding this comment.
To not only make the content readable and understandable, but also remove the abstraction of the build system. Makes it easy for content authors and everyone to read and understand additional cpe is being added in product.yml
There was a problem hiding this comment.
I find it rather cumbersome to, after selecting a rule in the profile, or adding to a rule's prodtype, to have to add any cpe-item it uses to the product.yml.
I'd expect the build-system to be handle that automatically for me (include the CPE in the dictionary of the product).
I think the readability and understandability should be solved in another way.
Maybe "compiled" products yamls? Build logs?
There was a problem hiding this comment.
... having the cpe in the product.yml makes it easy for content authors to understand...
Imagine that there is a CPE in product.yml, and I think that it got there by mistake, or that the reason why it was introduced is not valid any more. What would I have to do in order to resolve those doubts?
There was a problem hiding this comment.
Maybe I don't understand where you are heading...
If a CPE entry in a product.yml was not trivial, I would expect comment lines, if there weren't any I'd look into the commit that added it.
There was a problem hiding this comment.
Everything has a cost - if the automation performs some magic behind the content author's back, that can have a cost, especially when the magic doesn't work right, or if the author would like something slightly different.
Conversely, if there is no automation, the obvious cost is that you have to add config items s.a. CPEs manually. But that's not where it ends - you get risk of copy-paste errors, and you also have to deal with removal of items that are no longer needed or that have been removed by refactoring.
I think I understand @redhatrises concern of automating too much, and I think that we should look both ways - what are the risks of automating too little?
So far it seems that we should require non-trivial manually added CPEs to be described by comments.
There was a problem hiding this comment.
I agree that automation can make it hard to do something slightly different. But that was not the original point of the question, and I think it can be handled in a different way.
So far it seems that we should require non-trivial manually added CPEs to be described by comments.
Now I'm not sure if your previous question was about:
- the manually added CPE for the product in
product.ymlor - the automatically added CPEs in the product's
cpe-dictionary.
To clarify, the automation doesn't add anything to product.yml file, it will include cpe-item in the cpe-dictionary, as the files removed by this PR (rhel8/cpe/rhel8-cpe-dictionary.xml).
And to check the CPEs added by the build system one can check the built dictionary. It should have the same complexity as reviewing the old static files.
There was a problem hiding this comment.
My question was about items that would have to be added to product.yml if there is no automation. The automation is supposed to make sure that only and only CPEs that are needed get added. Conversely, when a CPE is added manually, it has to be kept in sync with the actual content.
You have answered the question, thanks.
|
Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:
Comment last updated at 2020-11-06 14:22:44 UTC |
yuumasato
force-pushed
the
unify_cpe_dictionaries
branch
from
6de663d to
a1f18b5
Compare
yuumasato
force-pushed
the
unify_cpe_dictionaries
branch
from
a1f18b5 to
892ee23
Compare
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
I'm currently updating documentation around CPEs. |
jre/product.yml
Outdated
| jre-oracle: | ||
| name: "cpe:/a:oracle:jre:" | ||
| title: "Oracle's Java Runtime Environment" | ||
| check_id: installed_app_is_java |
There was a problem hiding this comment.
do we need jre-oracle? Why not skip it and start with - name?
There was a problem hiding this comment.
The product CPES don't need to have these jre-oracle and jre-ibm... They are like IDs for the CPEs, but are not actually used by the build system.
But, the IDs of the CPEs in shared/applicability/cpes.yml are needed, these are IDs are referenced by rules and profiles.
I just tried to keep same declaration format.
There was a problem hiding this comment.
The product CPES don't need to have these
jre-oracleandjre-ibm... They are like IDs for the CPEs, but are not actually used by the build system.But, the IDs of the CPEs in
shared/applicability/cpes.ymlare needed, these are IDs are referenced by rules and profiles.
I just tried to keep same declaration format.
So, if I am understanding you correctly, jre-oracle, jre-ibm, etc. aren't needed by the build system in product.yml but are needed by the build system in cpes.yml?
There was a problem hiding this comment.
Well, the IDs are there for any content to refer to them.
But as they are already declared in the product.yml they are for, nothing else references them.
Rules and profiles refer to the IDs of cpes declared in cpes.yml.
I'd rather keep the syntax the same for cpes in product.yml and cpes.yml.
There was a problem hiding this comment.
Actually, the CPE IDs are needed.
The ocp4 profiles reference CPE's defined in the product.yml.
chromium/product.yml
Outdated
| chromium: | ||
| name: "cpe:/a:google:chromium-browser" | ||
| title: "Google Chromium Browser" | ||
| check_id: installed_app_is_chromium |
There was a problem hiding this comment.
Just like the profiles_root, I want to have additional_cpes in this file, because as a content author, I don't want to choose to add cpes.yml or not. I might come with my own cpes.yml file that doesn't contain what we have now.
There was a problem hiding this comment.
So you'd like to be able to choose the file to source the CPE's from?
So if product.yml specified a directory, and any yml (or even xml) file there was sourced. Would it satisfy your needs?
cpes_root: "../shared/applicability"
There was a problem hiding this comment.
So you'd like to be able to choose the file to source the CPE's from?
So if
product.ymlspecified a directory, and anyyml(or evenxml) file there was sourced. Would it satisfy your needs?cpes_root: "../shared/applicability"
It definitely would address the needs!
There was a problem hiding this comment.
Possibility to load multiple source CPE yml files added in 05506be
yuumasato
force-pushed
the
unify_cpe_dictionaries
branch
from
9bce03a to
05506be
Compare
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
To avoid the need to manually add a new cpe-item for each product, let's generate the list of cpe-items based on the platforms included in the Benchmark (i.e. shorthand). The cpe-item for the derivate product is injected by the enable_derivatives.py script. The the main product doesn't need to contain cpe-items related to derivate product anymore.
Do no derivate the reference OVAL file from the cpe reference. They may be the same, but let's not carry this assumption.
Refactored the CPE loader to understand the new format and simpler.
One definition was overwriting the other.
The mapping is not static anymore, it is sourced directly from the cpes.yml file.
This should make management of product related CPEs easier.
From feedback, adding "-" improves readability of the CPEs. This changes the value of 'cpes' from a dictonary to a list of dictionaries.
Add parameter to product.yml to specify source directory of CPEs. As the source of CPEs can vary from product to product, now the "CPE loader" is product specific (via ProductCPEs class).
Let's not use the statically geenerated mapping, and use ProductCPEs to get the CPE names.
This mapping is now provided by class ProductCPEs via get_product_cpe_names() call.
This should make it easy to manage the CPEs.
yuumasato
force-pushed
the
unify_cpe_dictionaries
branch
from
f4a00cc to
077eb49
Compare
|
At this point, looks good to me. I also like how you broke out the shared CPEs into categories. I think that that is a nice touch. |
Description:
platformelements of the content in the shorthand xml.cpe-dictionary.product.ymlfile.cpes_rootdefined inproducts.ymlfile.cpes_rootisshared/applicability/cpes.yml.XCCDF_PLATFORM_TO_CPEandPRODUCT_TO_CPE_MAPPING.These mapping are now generated dynamically, based on the
cpesdefined to the product.Rationale: