From 4e2b278196e1be7bcf5ea10d58168fcf12289e53 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:48:52 +0000
Subject: import openscap-1.2.14-2.el7
---
diff --git a/.gitignore b/.gitignore
index 27df50c..741acb3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.2.10.tar.gz
+SOURCES/openscap-1.2.14.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index 0bf8c95..850ff0f 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-d75375b87afa7032de659ee36258caf2bc6a2b7f SOURCES/openscap-1.2.10.tar.gz
+6c2f4ff0bbbd6b80e6c99f15a2e0d052a1f9afe1 SOURCES/openscap-1.2.14.tar.gz
diff --git a/SOURCES/openscap-1.2.10-oscap-docker-urllib.patch b/SOURCES/openscap-1.2.10-oscap-docker-urllib.patch
deleted file mode 100644
index 7c6a662..0000000
--- a/SOURCES/openscap-1.2.10-oscap-docker-urllib.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From fea6c0359ff145c723f3d8df3f2e1496bc797f41 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Fri, 29 Jul 2016 14:42:36 -0400 -Subject: [PATCH] Use build_opener() in get_cve_input.py, it's simpler and - honors proxy settings - -See https://bugzilla.redhat.com/show_bug.cgi?id=1351952 ---- - utils/oscap_docker_python/get_cve_input.py | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/utils/oscap_docker_python/get_cve_input.py b/utils/oscap_docker_python/get_cve_input.py -index 8d72bd0..1b55f03 100644 ---- a/utils/oscap_docker_python/get_cve_input.py -+++ b/utils/oscap_docker_python/get_cve_input.py -@@ -113,13 +113,8 @@ class getInputCVE(object): - if self.DEBUG: - stderr.write("No file in cache, fetching {0}\n".format(dest_file)) - return False -- opener = urllib.OpenerDirector() -- opener.add_handler(urllib.HTTPHandler()) -- opener.add_handler(urllib.HTTPSHandler()) -- opener.add_handler(urllib.HTTPDefaultErrorHandler()) -- # Extra for handling redirects -- opener.add_handler(urllib.HTTPErrorProcessor()) -- opener.add_handler(urllib.HTTPRedirectHandler()) -+ -+ opener = urllib.build_opener() - # Add the header - opener.addheaders = self.hdr2 - # Grab the header --- -2.7.4 - diff --git a/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch b/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch deleted file mode 100644 index 5621480..0000000 --- a/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 5ffdcf51b500494ac235a6a0160c126fc6f2144c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 24 Oct 2016 10:30:07 +0200 -Subject: [PATCH] Issue#475: RHBZ#1387248: Fix oscap-docker reporting - incompliance - -Compliance scan of a Docker image/container using oscap-docker reported -incorrectly that there had been an error even if scan had been successful -but incompliance of the assessed system had been found. ---- - utils/oscap_docker_python/oscap_docker_util.py | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py -index 210ac57..8ca31b5 100644 ---- a/utils/oscap_docker_python/oscap_docker_util.py -+++ b/utils/oscap_docker_python/oscap_docker_util.py -@@ -119,19 +119,19 @@ def oscap_chroot(self, target, image, chroot_path, *oscap_args): - os.environ["OSCAP_PROBE_" - "PRIMARY_HOST_NAME"] = "{0}-{1}".format(target, image) - cmd = ['oscap'] + [x for x in oscap_args] -- try: -- run = subprocess.check_output(cmd) -- except Exception as error: -- print("\nCommand: {0} failed!\n".format(" ".join(cmd))) -- print("Error was:\n") -- print(error) -+ oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ oscap_stdout, oscap_stderr = oscap_process.communicate() -+ if oscap_process.returncode not in [0, 2]: -+ sys.stderr.write("\nCommand: {0} failed!\n".format(" ".join(cmd))) -+ sys.stderr.write("Command returned exit code {0}.\n".format(oscap_process.returncode)) -+ sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") - - # Clean up - self._cleanup_by_path(chroot_path) - - sys.exit(1) - -- return run.decode("utf-8") -+ return oscap_stdout.decode("utf-8") - - def _scan_cve(self, chroot, dist, scan_args): - ''' 
diff --git a/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch b/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch new file mode 100644 index 0000000..c5a4643 --- /dev/null +++ b/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch 
@@ -0,0 +1,473 @@ +From 61fef6cc090b097141cd45c1f783c4fe6b89efc5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:39:07 +0200 +Subject: [PATCH 1/9] Change rpmverifyfile error when init fails + +When rpmverifyfile probe_init() fails it is because RPM config files +were not found, and we expect "not applicable" in this case. +--- + src/OVAL/probes/unix/linux/rpmverifyfile.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index 0897b82c4..f0febdee9 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -435,11 +435,10 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * If probe_init() failed it's because there was no rpm config files ++ */ + if (arg == NULL) { +- return PROBE_EINIT; +- } +- +- if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + } + +From 71f41d635142297e299cc4877bd93ea896271e70 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:42:26 +0200 +Subject: [PATCH 2/9] Fix rpmverifyfile probe fini when init fails + +When rpmverifyfile probe_init() fails g_rpm->rpmts and g_rpm->mutex are +not initialized +--- + src/OVAL/probes/unix/linux/rpmverifyfile.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index f0febdee9..968bb3807 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -330,11 +330,18 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); + rpmFreeRpmrc(); + rpmFreeMacros(NULL); + rpmlogClose(); ++ ++ /* ++ * If probe_init() failed r->rpmts and r->mutex were 
not initialized ++ */ ++ if (r == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); + pthread_mutex_destroy (&(r->mutex)); + + return; + +From 4912ee36b3230c2f431150750c78380d4e149621 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:48:00 +0200 +Subject: [PATCH 3/9] Change rpmverify error when init fails + +When rpmverify probe_init() fails it is because RPM config files +were not found, and we expect "not applicable" in this case. +--- + src/OVAL/probes/unix/linux/rpmverify.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index 5eb069d21..dd667a9f1 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -321,10 +321,10 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * If probe_init() failed it's because there was no rpm config files ++ */ + if (arg == NULL) { +- return PROBE_EINIT; +- } +- if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + } + +From b9c3afd67b2f86644a08375aaee822b72c077149 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:49:04 +0200 +Subject: [PATCH 4/9] Fix rpmverify probe fini when init fails + +When rpmverify probe_init() fails g_rpm->rpmts and g_rpm->mutex are +not initialized. 
+--- + src/OVAL/probes/unix/linux/rpmverify.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index dd667a9f1..f1f32417e 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -246,12 +246,19 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); +- rpmFreeRpmrc(); +- rpmFreeMacros(NULL); +- rpmlogClose(); +- pthread_mutex_destroy (&(r->mutex)); ++ rpmFreeRpmrc(); ++ rpmFreeMacros(NULL); ++ rpmlogClose(); ++ ++ /* ++ * If probe_init() failed r->rpmts and r->mutex were not initialized ++ */ ++ if (r == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); ++ pthread_mutex_destroy (&(r->mutex)); + + return; + } + +From 20893b46b6a813326dcc7a60f1b888da14ead3ac Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:23:04 +0200 +Subject: [PATCH 5/9] Change rpminfo probe_init() fails + +rpminfo probe_init() can fail because regex compilation failed or +because RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpminfo.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index f7f73a727..639030a52 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -275,19 +275,20 @@ void *probe_init (void) + #ifdef HAVE_RPM46 + rpmlogSetCallback(rpmErrorCb, NULL); + #endif +- if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { +- dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); +- return (NULL); +- } +- +- g_rpm.rpmts = rpmtsCreate(); +- pthread_mutex_init (&(g_rpm.mutex), NULL); +- + if (regcomp(&g_keyid_regex, g_keyid_regex_string, REG_EXTENDED) != 0) { + dE("regcomp(%s) failed."); + return NULL; + } + ++ if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { ++ dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); ++ g_rpm.rpmts = NULL; ++ return ((void *)&g_rpm); ++ } ++ ++ g_rpm.rpmts = rpmtsCreate(); ++ pthread_mutex_init (&(g_rpm.mutex), NULL); ++ + return ((void *)&g_rpm); + } + +@@ -378,9 +379,16 @@ int probe_main (probe_ctx *ctx, void *arg) + struct rpminfo_req request_st; + struct rpminfo_rep *reply_st; + ++ /* ++ * arg is NULL if regex compilation failed ++ */ + if (arg == NULL) { + return PROBE_EINIT; + } ++ ++ /* ++ * There was no rpm config files ++ */ + if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + +From 070ec7e9029f8221163fd3f07e242c244d0b3b65 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:27:02 +0200 +Subject: [PATCH 6/9] Fix rpminfo probe fini when init fails + +When rpminfo probe_init() fails either the regex compilation failed +or RPM config files were not found. The probe_fini() should handle each +case differently. 
+--- + src/OVAL/probes/unix/linux/rpminfo.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index 639030a52..28cba15e0 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -296,14 +296,22 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); +- rpmFreeRpmrc(); +- rpmFreeMacros(NULL); +- rpmlogClose(); +- pthread_mutex_destroy (&(r->mutex)); ++ rpmFreeRpmrc(); ++ rpmFreeMacros(NULL); ++ rpmlogClose(); ++ ++ if (r == NULL) ++ return; ++ + regfree(&g_keyid_regex); + ++ if (r->rpmts == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); ++ pthread_mutex_destroy (&(r->mutex)); ++ + return; + } + + +From 881461099ce42160079b9228c2080b072f1d4232 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:30:42 +0200 +Subject: [PATCH 7/9] Change rpmverifypackage probe_init() fails + +rpmverifypackage probe_init() can fail because chroot failed or +because RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpmverifypackage.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 34d7255ca..15e0e0d89 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -336,7 +336,8 @@ void *probe_init (void) + + if (rpmReadConfigFiles (NULL, (const char *)NULL) != 0) { + dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); +- return (NULL); ++ g_rpm.rpm.rpmts = NULL; ++ return ((void *)&g_rpm); + } + + g_rpm.rpm.rpmts = rpmtsCreate(); +@@ -417,10 +418,16 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * arg is NULL if we were not able to chroot during probe_init() ++ */ + if (arg == NULL) { + return PROBE_EINIT; + } + ++ /* ++ * There was no rpm config files ++ */ + if (g_rpm.rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + +From 7d4bfce2966dec8b4c1ff44edfa473e17a6aeaec Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:38:12 +0200 +Subject: [PATCH 8/9] Fix rpmverifypackage probe fini when init fails + +rpmverifypackage probe_init() can fail during chroot or because +RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpmverifypackage.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 15e0e0d89..43c47e308 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -360,12 +360,29 @@ void probe_fini (void *ptr) + { + struct verifypackage_global *r = (struct verifypackage_global *)ptr; + +- rpmtsFree(r->rpm.rpmts); +- probe_chroot_free(&(r->chr)); + rpmFreeCrypto(); + rpmFreeRpmrc(); + rpmFreeMacros(NULL); + rpmlogClose(); ++ ++ /* ++ * This will be always set by probe_init(), lets free it ++ */ ++ probe_chroot_free(&g_rpm.chr); ++ ++ /* ++ * If r is null, probe_init() failed during chroot ++ */ ++ if (r == NULL) ++ return; ++ ++ /* ++ * If r->rpm.rpmts was not initialized the mutex was not as well ++ */ ++ if (r->rpm.rpmts == NULL) ++ return; ++ ++ rpmtsFree(r->rpm.rpmts); + pthread_mutex_destroy (&(r->rpm.mutex)); + + return; + +From 6fcc797c6f35b8ad72c9c6190e44f0bfa2b68673 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 12 May 2017 20:33:42 +0200 +Subject: [PATCH 9/9] Fix comment style + +--- + src/OVAL/probes/unix/linux/rpminfo.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverify.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverifyfile.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverifypackage.c | 20 +++++--------------- + 4 files changed, 11 insertions(+), 33 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index 28cba15e0..602cf4c91 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -387,16 +387,12 @@ int probe_main (probe_ctx *ctx, void *arg) + struct rpminfo_req request_st; + struct rpminfo_rep *reply_st; + +- /* +- * arg is NULL if regex compilation failed +- */ ++ // arg is NULL if regex compilation failed + if (arg == 
NULL) { + return PROBE_EINIT; + } + +- /* +- * There was no rpm config files +- */ ++ // There was no rpm config files + if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index f1f32417e..6ef7da574 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -251,9 +251,7 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * If probe_init() failed r->rpmts and r->mutex were not initialized +- */ ++ // If probe_init() failed r->rpmts and r->mutex were not initialized + if (r == NULL) + return; + +@@ -328,9 +326,7 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * If probe_init() failed it's because there was no rpm config files +- */ ++ // If probe_init() failed it's because there was no rpm config files + if (arg == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index 968bb3807..763c03c9f 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -335,9 +335,7 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * If probe_init() failed r->rpmts and r->mutex were not initialized +- */ ++ // If probe_init() failed r->rpmts and r->mutex were not initialized + if (r == NULL) + return; + +@@ -442,9 +440,7 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * If probe_init() failed it's because there was no rpm config files +- */ ++ // If probe_init() failed it's because there was no rpm config files + if (arg == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + 
return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 43c47e308..3c0dd5003 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -365,20 +365,14 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * This will be always set by probe_init(), lets free it +- */ ++ // This will be always set by probe_init(), lets free it + probe_chroot_free(&g_rpm.chr); + +- /* +- * If r is null, probe_init() failed during chroot +- */ ++ // If r is null, probe_init() failed during chroot + if (r == NULL) + return; + +- /* +- * If r->rpm.rpmts was not initialized the mutex was not as well +- */ ++ // If r->rpm.rpmts was not initialized the mutex was not as well + if (r->rpm.rpmts == NULL) + return; + +@@ -435,16 +429,12 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * arg is NULL if we were not able to chroot during probe_init() +- */ ++ // arg is NULL if we were not able to chroot during probe_init() + if (arg == NULL) { + return PROBE_EINIT; + } + +- /* +- * There was no rpm config files +- */ ++ // There was no rpm config files + if (g_rpm.rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; diff --git a/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch b/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch new file mode 100644 index 0000000..9923391 --- /dev/null +++ b/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch 
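Review bot: The `dE("regcomp(%s) failed.");` call carried as context in the rpminfo.c probe_init() hunk of patch 5/9 has a `%s` conversion with no matching argument, so if dE() is printf-style like the neighbouring `dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno))` call, a regcomp failure formats from an unspecified pointer (undefined behaviour) on exactly the error path this series reorders; it should read `dE("regcomp(%s) failed.", g_keyid_regex_string);`. In patch 8/9, rpmverifypackage probe_fini() now calls `probe_chroot_free(&g_rpm.chr)` before the `r == NULL` check on the strength of the comment that probe_init() always sets it; if probe_init() can return NULL before g_rpm.chr is populated, that call runs on an unset global, which is worth confirming against the probe_init() body that is not in the hunk. The probe_init(), probe_fini() and probe_main() bodies all continue outside the hunks shown.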
@@ -0,0 +1,23 @@ +From 83342658ceb4230c218b0b47046ca6bb8e239f62 Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Mon, 24 Apr 2017 10:05:59 +0200 +Subject: [PATCH] Fixing sysctl test on s390 architecture + +--- + tests/probes/sysctl/test_sysctl_probe_all.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh +index 1b725231d..fa3539255 100755 +--- a/tests/probes/sysctl/test_sysctl_probe_all.sh ++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh +@@ -22,7 +22,8 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev + + # sysctl has duplicities in output + # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" +-sysctl -aN --deprecated 2> /dev/null | sort -u > "$sysctlNames" ++# kernel parameters might use "/" and "." separators interchangeably - normalizing ++sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames" + + grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" + diff --git a/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch b/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch new file mode 100644 index 0000000..28ab34b --- /dev/null +++ b/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch 
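Review bot: The `tr "/" "."` normalisation is applied only to the sysctl side of the comparison; the probe side two lines below (`grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"`) is left as is, so if the probe ever reports a name with a `/` separator the diff still fails, and the `sort -u` versus plain `sort` asymmetry means a name that normalises to a duplicate would also break it. If the probe is known to always emit `.`-separated names, a one-line comment saying so would make the one-sided normalisation intentional; otherwise pipe the probe side through the same `tr "/" "."`. The test script continues outside the hunk.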
@@ -0,0 +1,281 @@ +From bb66711ed1151a5dfaa52a9ba4ad3658bdf546f7 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 4 Jan 2017 16:41:31 -0500 +Subject: [PATCH 1/9] Make WARNING the default verbosity level + +--- + src/common/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/debug.c b/src/common/debug.c +index bbcad4583..71d345a9d 100644 +--- a/src/common/debug.c ++++ b/src/common/debug.c +@@ -85,7 +85,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name) + bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe) + { + if (verbosity_level == NULL) { +- return true; ++ verbosity_level = "WARNING"; + } + __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level); + if (__debuglog_level == DBG_UNKNOWN) { + +From 54d66d5db6ab4e3fc24c05e239b7a4c474e3b20e Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 13:24:47 -0500 +Subject: [PATCH 3/9] Changed a warning about parsing without benchmark + reference to info + +It's not a serious warning and in many use-cases is expected. 
+--- + src/XCCDF/tailoring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c +index dd2379e5f..4fe9e5d88 100644 +--- a/src/XCCDF/tailoring.c ++++ b/src/XCCDF/tailoring.c +@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc + } + case XCCDFE_PROFILE: { + if (benchmark != NULL) { +- dW("Parsing Tailoring Profiles without reference to Benchmark"); ++ dI("Parsing Tailoring Profiles without reference to Benchmark"); + } + struct xccdf_item *item = xccdf_profile_parse(reader, benchmark); + if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) { + +From 3ef6685ae05007f7328b9284c0fcb22732b38f00 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 14:00:54 -0500 +Subject: [PATCH 4/9] Filter expected permission errors from stderr in + test_sysctl_probe_all.sh + +--- + tests/probes/sysctl/test_sysctl_probe_all.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh +index 1b725231d..8e763ac37 100755 +--- a/tests/probes/sysctl/test_sysctl_probe_all.sh ++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh +@@ -28,6 +28,8 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" + + diff "$sysctlNames" "$ourNames" + ++# remove oscap error message related to permissions from stderr ++sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr" + [ ! 
-s $stderr ] + + rm $stderr $result $ourNames $sysctlNames + +From 789486ee35410af0fc5739e2d68436470f2b3006 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 14:51:34 -0500 +Subject: [PATCH 5/9] Filter out the expected error in sql57 probe test + +--- + tests/probes/sql57/unsupported_engine.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh +index f90d6c8b7..6243cff35 100755 +--- a/tests/probes/sql57/unsupported_engine.sh ++++ b/tests/probes/sql57/unsupported_engine.sh +@@ -10,6 +10,8 @@ echo "stderr file: $stderr" + + echo "Evaluating content." + $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr ++# filter out the expected error in stderr ++sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr" + [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr + echo "Validating results." + #$OSCAP oval validate-xml --results --schematron $result + +From cdff2e8504c19f473cbe3b1c64f56b99f13106af Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 8 Feb 2017 15:04:17 -0500 +Subject: [PATCH 6/9] Do not output errors if check engine plugin auto-loading + fails + +If SCE is not installed it will fail in an expected way and it makes no +sense to clutter the error log with it. Explicit plugin loading via the +API will still fail with errors. 
+--- + src/XCCDF/public/xccdf_session.h | 3 +++ + src/XCCDF/xccdf_session.c | 11 ++++++++--- + src/XCCDF_POLICY/check_engine_plugin.c | 26 +++++++++++++++++--------- + src/XCCDF_POLICY/public/check_engine_plugin.h | 1 + + utils/oscap.c | 3 ++- + 5 files changed, 31 insertions(+), 13 deletions(-) + +diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h +index e1473aebe..2f1bf87c1 100644 +--- a/src/XCCDF/public/xccdf_session.h ++++ b/src/XCCDF/public/xccdf_session.h +@@ -358,8 +358,11 @@ int xccdf_session_load_oval(struct xccdf_session *session); + * + * @memberof xccdf_session + * @param session XCCDF Session ++ * @param plugin_name Name of the plugin to load ++ * @param quiet If true we will not output errors if loading fails + * @returns zero on success + */ ++int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet); + int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name); + + /** +diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c +index 3474e265e..60ea38bae 100644 +--- a/src/XCCDF/xccdf_session.c ++++ b/src/XCCDF/xccdf_session.c +@@ -945,9 +945,9 @@ int xccdf_session_load_oval(struct xccdf_session *session) + return 0; + } + +-int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) ++int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet) + { +- struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name); ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet); + + if (!plugin) + return -1; // error already set +@@ -964,6 +964,11 @@ int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const + } + } + ++int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) ++{ ++ return 
xccdf_session_load_check_engine_plugin2(session, plugin_name, false); ++} ++ + int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + { + xccdf_session_unload_check_engine_plugins(session); +@@ -973,7 +978,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + while (*known_plugins) { + // We do not report failure when a known plugin doesn't load properly, that's because they + // are optional and we don't know if it's not there or if it just failed to load. +- if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0) ++ if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0) + oscap_clearerr(); + + known_plugins++; +diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c +index af9791a46..ea9e821b6 100644 +--- a/src/XCCDF_POLICY/check_engine_plugin.c ++++ b/src/XCCDF_POLICY/check_engine_plugin.c +@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin) + oscap_free(plugin); + } + +-struct check_engine_plugin_def *check_engine_plugin_load(const char* path) ++struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet) + { + struct check_engine_plugin_def *ret = check_engine_plugin_def_new(); + +@@ -61,9 +61,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + if (!ret->module_handle) { + error = dlerror(); + +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to load extra check engine from '%s'. Details: '%s'.", +- path, error); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to load extra check engine from '%s'. 
Details: '%s'.", ++ path, error); + + check_engine_plugin_def_free(ret); + return NULL; +@@ -73,9 +74,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY)); + + if ((error = dlerror()) != NULL) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", +- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", ++ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -83,8 +85,9 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + } + + if ((*entry_fn)(ret) != 0) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -94,6 +97,11 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + return ret; + } + ++struct check_engine_plugin_def *check_engine_plugin_load(const char* path) ++{ ++ return check_engine_plugin_load2(path, false); ++} ++ + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin) + { + if (!plugin->module_handle) { +diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h +index 7878fe07f..4a992ae34 100644 +--- a/src/XCCDF_POLICY/public/check_engine_plugin.h ++++ b/src/XCCDF_POLICY/public/check_engine_plugin.h +@@ -52,6 +52,7 @@ struct check_engine_plugin_def + const char *(*get_capabilities_fn)(void**); + }; + ++struct 
check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet); + struct check_engine_plugin_def *check_engine_plugin_load(const char* path); + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin); + +diff --git a/utils/oscap.c b/utils/oscap.c +index 7396101a8..1e966540c 100644 +--- a/utils/oscap.c ++++ b/utils/oscap.c +@@ -126,7 +126,8 @@ static int print_versions(const struct oscap_action *action) + const char * const *known_plugins = check_engine_plugin_get_known_plugins(); + bool known_plugin_found = false; + while (*known_plugins) { +- struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins); ++ // try to load the plugin but output no errors if it fails (quiet=true) ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true); + if (plugin) { + printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins); + check_engine_plugin_unload(plugin); + +From 703c1045aedf1f826f007a01cf8b387b525c1d55 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Thu, 9 Feb 2017 13:54:53 -0500 +Subject: [PATCH 7/9] Filter out the expected warning in + test_remediation_subs_unresolved + +--- + tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +index f48239d93..44ae2f772 100755 +--- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh ++++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +@@ -35,6 +35,8 @@ assert_exists 1 '//score[text()="0.000000"]' + ret=0 + $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$? + [ $ret -eq 2 ] ++# filter out the expected warning in stderr ++sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr" + [ -f $stderr ]; [ ! 
-s $stderr ]; rm $stderr + + $OSCAP xccdf validate-xml $result + diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index cb28f0c..11ce8ca 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -5,15 +5,17 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap -Version: 1.2.10 -Release: 3%{?dist} +Version: 1.2.14 +Release: 2%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: http://fedorahosted.org/releases/o/p/openscap/%{name}-%{version}.tar.gz -Patch1: openscap-1.2.10-oscap-docker-urllib.patch -Patch2: openscap-1.2.12-oscap-docker-incompliance.patch +Patch0: openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch +Patch1: openscap-1.2.14-sysctl-test-s390x-PR-726.patch +# We are reverting the patch below, not applying it! The patch has been modified to remove line count changes, we got rid of line count checking in 1.2.14 +Patch2: openscap-1.2.14-warning-by-default-PR-630.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -117,8 +119,9 @@ for developing applications that use %{name}-engine-sce. %prep %setup -q +%patch0 -p1 %patch1 -p1 -%patch2 -p1 +%patch2 -p1 -R %build %ifarch sparc64 
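Review bot: In the xccdf_session.c hunk of patch 6/9, `return -1; // error already set` in xccdf_session_load_check_engine_plugin2() is no longer accurate when `quiet` is true, because check_engine_plugin_load2() then returns NULL without calling oscap_seterr(); the two quiet callers shown either call oscap_clearerr() or ignore the result, but any other caller passing `quiet=true` would get -1 with nothing to read from the error stack. Suggest `return -1; // error set only when !quiet` and a sentence on the `@param quiet` doc line in xccdf_session.h saying the error stack is left untouched in that case. Note that the spec applies this file with `%patch2 -p1 -R`, so the code reviewed here is what gets removed from the build, not added.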
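Review bot: The comment above `Patch2:` says the patch is reverted and was trimmed of line-count changes, but it does not record that the file carries only parts 1, 3, 4, 5, 6 and 7 of the upstream nine-patch series (the `[PATCH n/9]` subjects in the added file), so whoever rebases onto the next upstream tarball cannot tell whether parts 2, 8 and 9 were presumably dropped on purpose. Suggest extending it with `# Only parts 1,3,4,5,6,7 of the upstream 9-patch series are carried here; 2, 8 and 9 are not (see PR-630)`. The %prep section continues outside the hunk.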
@@ -258,17 +261,53 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libopenscap_sce.so.*
 %changelog
-* Thu Jan 05 2017 Raphael Sanchez Prudencio - 1.2.10-3
-- fix oscap-docker bug that incorrectly informs about incompliance of the assessed system (#1410409)
+* Fri May 19 2017 Martin Preisler - 1.2.14-2
+- RPM probes to return not applicable on non-rpm systems (#1447629)
+- fixed sysctl tests on s390x architecture (#1447649)
+- Revert warning by default in oscap tool, our message categories are not ready for it (#1447341)
+
+* Tue Mar 21 2017 Jan Černý - 1.2.14-1
+- Upgrade to the latest upstream release
+- Detailed information about ARF files in 'oscap info'
+- Generating remediation scripts from ARF
+- HTML report UX improvements
+- Fixed CPE dictionary to identify RHEVH as RHEL7 (#1420038)
+- Fixed systemd probes crashes inside containers (#1431186)
+- Fixed output on terminals with white background (#1365911)
+- Error handling in oscap-vm (#1391754)
+- Fixed SCE stderr stalling (#1420811)
+- Fixed absolute filepath parsing in OVAL (#1312831, #1312824)
+- Fixed segmentation faults in RPM probes (#1414303, #1414312)
+- Fixed missing header in result-oriented Ansible remediations
+
+* Thu Jan 05 2017 Martin Preisler - 1.2.13-1
+- Upgrade to the latest upstream release
+- Added --thin-results CLI override to oscap xccdf eval
+- Added --without-syschar CLI override to oscap xccdf eval
+- Remediations are not filtered by applicability
+- Fixed segmentation faults in XCCDF and OVAL processing
+- Added a warning on generating an ARF from XCCDF 1.1
+
+* Wed Nov 16 2016 Martin Preisler - 1.2.12-1
+- Upgrade to the latest upstream release
+- improved HTML report by referencing links
+- fixed validity errors in ARF files
+- fixed CVE parsing
+- fixed injecting xccdf:check-content-ref references in ARF results
+- fixed oscap-docker incompliance reporting (#1387248)
+- fixed oscap-docker man page (#1387166)
+
+* Mon Nov 14 2016 Martin Preisler - 1.2.11-1
+- upgrade to the latest upstream
release
 * Mon Sep 05 2016 Jan Černý - 1.2.10-2
 - fix oscap-docker to follow the proxy settings (#1351952)
-* Thu Jun 30 2016 Jan Černý - 1.2.10-1
+* Thu Jun 30 2016 Jan Černý - 1.2.10-1
 - upgrade to the latest upstream release
 * Tue May 31 2016 Martin Preisler - 1.2.9-7
-- fixed dates in the changlog
+- fixed dates in the changelog
 - changed Release to 7 to avoid conflicts
 * Tue May 31 2016 Martin Preisler - 1.2.9-4