From 61636c1853c88385c1b229abd1292dc988934b3b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 05:06:36 +0000
Subject: import openscap-1.2.17-2.el7
---
diff --git a/.gitignore b/.gitignore
index 1a1ad46..4852ada 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.2.16.tar.gz
+SOURCES/openscap-1.2.17.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index a24d358..12ce0bc 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-3f87582250548ebfeb7b0f6d6cefb3c1c4c71388 SOURCES/openscap-1.2.16.tar.gz
+588676a56b6adf389140d6fdbc6a6685ef06e7b3 SOURCES/openscap-1.2.17.tar.gz
diff --git a/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch b/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch
deleted file mode 100644
index 53e6277..0000000
--- a/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch
+++ /dev/null
@@ -1,24 +0,0 @@ -From 9b80b4a4ea4163f65004f2b16e65b8adcdf2b3dc Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Thu, 4 Jan 2018 00:29:26 +0100 -Subject: [PATCH] Make command in bash role header in line with --help - -Point is to make more explicit it's a placeholder name - using -the same name --help use might do the trick. ---- - src/XCCDF_POLICY/xccdf_policy_remediate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index fbbad8885..1a7d21ed7 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -846,7 +846,7 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_ - "# Benchmark Version: %s\n#\n" - "# XCCDF Version: %s\n#\n" - "# This file was generated by OpenSCAP %s using:\n" -- "# $ oscap xccdf generate fix --profile %s%s%s sds.xml \n#\n" -+ "# $ oscap xccdf generate fix --profile %s%s%s xccdf-file.xml \n#\n" - "# This script is generated from an OpenSCAP profile without preliminary evaluation.\n" - "# It attempts to fix every selected rule, even if the system is already compliant.\n" - "#\n" diff --git a/SOURCES/openscap-1.2.17-filehash58_probe_test.patch b/SOURCES/openscap-1.2.17-filehash58_probe_test.patch new file mode 100644 index 0000000..025ed29 --- /dev/null +++ b/SOURCES/openscap-1.2.17-filehash58_probe_test.patch 
@@ -0,0 +1,131 @@ +diff --git a/tests/probes/filehash58/check_filehash_simple.xml b/tests/probes/filehash58/check_filehash_simple.xml +new file mode 100644 +index 000000000..2f6fa877e +--- /dev/null ++++ b/tests/probes/filehash58/check_filehash_simple.xml +@@ -0,0 +1,40 @@ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 40], python: 3.6.5 ++ 5.11 ++ 2018-07-20T09:33:24 ++ ++ ++ ++ ++ Verify that hash of a file that should contain just "foo\n". ++ ++ Red Hat Enterprise Linux 7 ++ ++ This description in OVALs is mandatory, but the most important is to have description in XCCDF. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /oval-test ++ SHA-1 ++ ++ ++ ++ ++ SHA-1 ++ f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++ ++ ++ +diff -r -U3 op0/tests/probes/filehash58/Makefile.in op1/tests/probes/filehash58/Makefile.in +--- op0/tests/probes/filehash58/Makefile.in 2018-08-14 10:45:06.065438575 +0200 ++++ op1/tests/probes/filehash58/Makefile.in 2018-08-14 10:53:57.248937836 +0200 +@@ -1106,7 +1106,7 @@ + $(top_builddir)/run + + TESTS = test_probes_filehash58.sh +-EXTRA_DIST = test_probes_filehash58.sh test_probes_filehash58.xml.sh ++EXTRA_DIST = test_probes_filehash58.sh test_probes_filehash58.xml.sh check_filehash_simple.xml + all: all-am + + .SUFFIXES: +diff -r -U3 op0/tests/probes/filehash58/test_probes_filehash58.sh op1/tests/probes/filehash58/test_probes_filehash58.sh +--- op0/tests/probes/filehash58/test_probes_filehash58.sh 2018-08-14 10:36:09.914512125 +0200 ++++ op1/tests/probes/filehash58/test_probes_filehash58.sh 2018-08-14 10:53:32.366536647 +0200 +@@ -38,15 +38,69 @@ + ret_val=1 + fi + ++ # The file was created as a side-effect of test_probes_filehash58.xml.sh + [ $ret_val -eq 0 ] && rm -f /tmp/test_probes_filehash58.tmp + + return $ret_val + } + ++ ++# $1: The chroot directory ++function test_probes_filehash58_chroot { ++ ++ probecheck "filehash58" || return 255 ++ require "sha1sum" || return 255 ++ ++ local ret_val=0; ++ local 
DF="$srcdir/check_filehash_simple.xml" ++ ++ absolute_probe_root=$(cd "$1" && pwd) ++ ++ # oscap-chroot is not readily available during test run, so we use oscap + env var setting. ++ result_keyword=$(OSCAP_PROBE_ROOT="$absolute_probe_root" "$OSCAP" oval eval "$DF" | grep oval_test_has_hash | grep -o '\w*$') ++ ++ [ "$result_keyword" == "$2" ] && return 0 ++ # vvv This is more a test error than a failure or "warning" vvv ++ [ "$result_keyword" == "" ] && return 2 ++ return 1 ++} ++ ++ ++function test_probes_filehash58_chroot_pass { ++ local ret_val=0 ++ ++ mkdir -p pass ++ echo foo > pass/oval-test ++ ++ test_probes_filehash58_chroot pass true ++ ret_val=$? ++ rm -rf pass ++ ++ return $ret_val ++} ++ ++ ++function test_probes_filehash58_chroot_fail { ++ local ret_val=0 ++ ++ mkdir -p fail ++ echo bar > fail/oval-test ++ ++ test_probes_filehash58_chroot fail false ++ ret_val=$? ++ rm -rf fail ++ ++ return $ret_val ++} ++ + # Testing. + + test_init "test_probes_filehash58.log" + + test_run "test_probes_filehash58" test_probes_filehash58 + ++test_run "test_probes_filehash58_chroot_fail" test_probes_filehash58_chroot_fail ++ ++test_run "test_probes_filehash58_chroot_pass" test_probes_filehash58_chroot_pass ++ + test_exit diff --git a/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch b/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch deleted file mode 100644 index a452d4f..0000000 --- a/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch +++ /dev/null 
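Review bot: In `test_probes_filehash58_chroot` the result of `absolute_probe_root=$(cd "$1" && pwd)` is never checked, so a failed `cd` leaves the variable empty and `oscap` is started with an empty `OSCAP_PROBE_ROOT`. In that case the evaluation presumably looks at the host's own `/oval-test`, and `test_probes_filehash58_chroot_fail`, which expects `false`, could pass without the probe root ever being honoured. I would declare the variable local and treat the failure as a test error: `local absolute_probe_root` followed by `absolute_probe_root=$(cd "$1" && pwd) || return 2`. The header comment documents only `$1`; add `# $2: Expected result keyword (true or false)`, and the unused `local ret_val=0;` in that function can go.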
@@ -1,139 +0,0 @@ -From eea0fd27e7bed6a225bbd6702960bcf394f19536 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 24 Jan 2018 17:39:04 +0100 -Subject: [PATCH 1/2] Modified the code that temp images are not forgotten. - ---- - utils/oscap_docker_python/oscap_docker_util.py | 20 ++++++++++++-------- - 1 file changed, 12 insertions(+), 8 deletions(-) - -diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py -index b06b6001a..b9a08a99c 100644 ---- a/utils/oscap_docker_python/oscap_docker_util.py -+++ b/utils/oscap_docker_python/oscap_docker_util.py -@@ -155,7 +155,8 @@ def oscap_chroot(self, chroot_path, target, *oscap_args): - sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") - - # Clean up -- self._cleanup_by_path(chroot_path) -+ DM = DockerMount("/tmp") -+ self._cleanup_by_path(chroot_path, DM) - - sys.exit(1) - -@@ -186,18 +187,17 @@ def resolve_image(self, image): - # TODO - pass - -- def _cleanup_by_path(self, path): -+ def _cleanup_by_path(self, path, DM): - ''' - Cleans up the mounted chroot by umounting it and - removing the temporary directory - ''' - # Sometimes when this def is called, path will have 'rootfs' - # appended. 
If it does, strip it and proceed -+ _no_rootfs = path -+ if os.path.basename(path) == 'rootfs': -+ _no_rootfs = os.path.dirname(path) - -- _no_rootfs = os.path.dirname(path) if os.path.basename(path) == \ -- 'rootfs' else path -- -- DM = DockerMount("/tmp") - # umount chroot - DM.unmount_path(_no_rootfs) - -@@ -206,6 +206,10 @@ def _cleanup_by_path(self, path): - os.rmdir(_no_rootfs) - - -+def mount_image_filesystem(): -+ _tmp_mnt_dir = DM.mount(image) -+ -+ - class OscapScan(object): - def __init__(self, tmp_dir=tempfile.gettempdir(), mnt_dir=None, - hours_old=2): -@@ -276,7 +280,7 @@ def scan_cve(self, image, scan_args): - - finally: - # Clean up -- self.helper._cleanup_by_path(_tmp_mnt_dir) -+ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) - self._remove_mnt_dir(mnt_dir) - - def scan(self, image, scan_args): -@@ -301,5 +305,5 @@ def scan(self, image, scan_args): - sys.stdout.write(self.helper._scan(chroot, image, scan_args)) - - # Clean up -- self.helper._cleanup_by_path(_tmp_mnt_dir) -+ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) - self._remove_mnt_dir(mnt_dir) - -From 432ee1841003b57408e7a1040c6f317cc56a9071 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 25 Jan 2018 14:03:48 +0100 -Subject: [PATCH 2/2] Refactored error handling during scan. 
- ---- - utils/oscap_docker_python/oscap_docker_util.py | 24 +++++++++++------------- - 1 file changed, 11 insertions(+), 13 deletions(-) - -diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py -index b9a08a99c..ca48d5846 100644 ---- a/utils/oscap_docker_python/oscap_docker_util.py -+++ b/utils/oscap_docker_python/oscap_docker_util.py -@@ -154,10 +154,6 @@ def oscap_chroot(self, chroot_path, target, *oscap_args): - sys.stderr.write("Command returned exit code {0}.\n".format(oscap_process.returncode)) - sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") - -- # Clean up -- DM = DockerMount("/tmp") -- self._cleanup_by_path(chroot_path, DM) -- - sys.exit(1) - - sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") -@@ -207,7 +203,7 @@ def _cleanup_by_path(self, path, DM): - - - def mount_image_filesystem(): -- _tmp_mnt_dir = DM.mount(image) -+ _tmp_mnt_dir = DM.mount(image) - - - class OscapScan(object): -@@ -261,9 +257,9 @@ def scan_cve(self, image, scan_args): - sys.stderr.write(str(e) + "\n") - return None - -- chroot = self._find_chroot_path(_tmp_mnt_dir) -- - try: -+ chroot = self._find_chroot_path(_tmp_mnt_dir) -+ - # Figure out which RHEL dist is in the chroot - dist = self.helper._get_dist(chroot, image) - -@@ -299,11 +295,13 @@ def scan(self, image, scan_args): - sys.stderr.write(str(e) + "\n") - return None - -- chroot = self._find_chroot_path(_tmp_mnt_dir) -+ try: -+ chroot = self._find_chroot_path(_tmp_mnt_dir) - -- # Scan the chroot -- sys.stdout.write(self.helper._scan(chroot, image, scan_args)) -+ # Scan the chroot -+ sys.stdout.write(self.helper._scan(chroot, image, scan_args)) - -- # Clean up -- self.helper._cleanup_by_path(_tmp_mnt_dir, DM) -- self._remove_mnt_dir(mnt_dir) -+ finally: -+ # Clean up -+ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) -+ self._remove_mnt_dir(mnt_dir) 
diff --git a/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch b/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch
deleted file mode 100644
index 90d5af7..0000000
--- a/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch
+++ /dev/null
@@ -1,265 +0,0 @@ -From b93c8a3ec57a5fd18868de3a1abfda488fa0013d Mon Sep 17 00:00:00 2001 -From: Jan Cerny -Date: Tue, 23 Jan 2018 17:19:46 +0100 -Subject: [PATCH] Revert "Merge pull request #630 from - mpreisler/warning_default_verbose_level" - -This reverts commit 91feb5cc9658598db8e2b374b92ddae5f8577762, reversing -changes made to ef57380289a6548ea7abb6627fa1fd4845000bf8. ---- - src/XCCDF/public/xccdf_session.h | 3 --- - src/XCCDF/tailoring.c | 2 +- - src/XCCDF/xccdf_session.c | 11 +++------ - src/XCCDF_POLICY/check_engine_plugin.c | 26 ++++++++-------------- - src/XCCDF_POLICY/public/check_engine_plugin.h | 1 - - src/common/debug.c | 2 +- - tests/API/OVAL/unittests/test_external_variable.sh | 6 +---- - .../OVAL/unittests/test_object_component_type.sh | 2 ++ - .../unittests/test_remediation_subs_unresolved.sh | 2 -- - tests/probes/sql57/unsupported_engine.sh | 2 -- - tests/probes/sysctl/test_sysctl_probe_all.sh | 2 -- - utils/oscap.c | 3 +-- - 12 files changed, 18 insertions(+), 44 deletions(-) - -diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h -index f9992399..6b6e09e7 100644 ---- a/src/XCCDF/public/xccdf_session.h -+++ b/src/XCCDF/public/xccdf_session.h -@@ -414,11 +414,8 @@ int xccdf_session_load_oval(struct xccdf_session *session); - * - * @memberof xccdf_session - * @param session XCCDF Session -- * @param plugin_name Name of the plugin to load -- * @param quiet If true we will not output errors if loading fails - * @returns zero on success - */ --int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet); - int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name); - - /** -diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c -index 62661040..51b05f9e 100644 ---- a/src/XCCDF/tailoring.c -+++ b/src/XCCDF/tailoring.c -@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc - } - case 
XCCDFE_PROFILE: { - if (benchmark != NULL) { -- dI("Parsing Tailoring Profiles without reference to Benchmark"); -+ dW("Parsing Tailoring Profiles without reference to Benchmark"); - } - struct xccdf_item *item = xccdf_profile_parse(reader, benchmark); - if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) { -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index ccb95821..7b1a6df5 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -1072,9 +1072,9 @@ int xccdf_session_load_oval(struct xccdf_session *session) - return 0; - } - --int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet) -+int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) - { -- struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet); -+ struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name); - - if (!plugin) - return -1; // error already set -@@ -1091,11 +1091,6 @@ int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const - } - } - --int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) --{ -- return xccdf_session_load_check_engine_plugin2(session, plugin_name, false); --} -- - int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) - { - xccdf_session_unload_check_engine_plugins(session); -@@ -1105,7 +1100,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) - while (*known_plugins) { - // We do not report failure when a known plugin doesn't load properly, that's because they - // are optional and we don't know if it's not there or if it just failed to load. 
-- if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0) -+ if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0) - oscap_clearerr(); - - known_plugins++; -diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c -index d36f4cd9..9f3024c5 100644 ---- a/src/XCCDF_POLICY/check_engine_plugin.c -+++ b/src/XCCDF_POLICY/check_engine_plugin.c -@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin) - free(plugin); - } - --struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet) -+struct check_engine_plugin_def *check_engine_plugin_load(const char* path) - { - struct check_engine_plugin_def *ret = check_engine_plugin_def_new(); - -@@ -61,10 +61,9 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool - if (!ret->module_handle) { - error = dlerror(); - -- if (!quiet) -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to load extra check engine from '%s'. Details: '%s'.", -- path, error); -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to load extra check engine from '%s'. Details: '%s'.", -+ path, error); - - check_engine_plugin_def_free(ret); - return NULL; -@@ -74,10 +73,9 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool - *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY)); - - if ((error = dlerror()) != NULL) { -- if (!quiet) -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", -- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. 
Details: '%s'.", -+ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); - - dlclose(ret->module_handle); - check_engine_plugin_def_free(ret); -@@ -85,9 +83,8 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool - } - - if ((*entry_fn)(ret) != 0) { -- if (!quiet) -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); - - dlclose(ret->module_handle); - check_engine_plugin_def_free(ret); -@@ -97,11 +94,6 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool - return ret; - } - --struct check_engine_plugin_def *check_engine_plugin_load(const char* path) --{ -- return check_engine_plugin_load2(path, false); --} -- - void check_engine_plugin_unload(struct check_engine_plugin_def *plugin) - { - if (!plugin->module_handle) { -diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h -index 4a992ae3..7878fe07 100644 ---- a/src/XCCDF_POLICY/public/check_engine_plugin.h -+++ b/src/XCCDF_POLICY/public/check_engine_plugin.h -@@ -52,7 +52,6 @@ struct check_engine_plugin_def - const char *(*get_capabilities_fn)(void**); - }; - --struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet); - struct check_engine_plugin_def *check_engine_plugin_load(const char* path); - void check_engine_plugin_unload(struct check_engine_plugin_def *plugin); - -diff --git a/src/common/debug.c b/src/common/debug.c -index 80731b0f..cb1f9290 100644 ---- a/src/common/debug.c -+++ b/src/common/debug.c -@@ -86,7 +86,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name) - bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe) - { - if (verbosity_level == NULL) { -- verbosity_level = "WARNING"; -+ 
return true; - } - __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level); - if (__debuglog_level == DBG_UNKNOWN) { -diff --git a/tests/API/OVAL/unittests/test_external_variable.sh b/tests/API/OVAL/unittests/test_external_variable.sh -index 8f6a2e8c..e23dd556 100755 ---- a/tests/API/OVAL/unittests/test_external_variable.sh -+++ b/tests/API/OVAL/unittests/test_external_variable.sh -@@ -9,11 +9,7 @@ stderr=$(mktemp ${name}.err.XXXXXX) - echo "stderr file: $stderr" - - $OSCAP oval eval --results $result --variables $srcdir/external_variables.xml $srcdir/$name.oval.xml 2> $stderr --# filter out the expected warnings in stderr -- --sed -i -E "/^W: oscap:[ ]+Referenced variable has no values \(oval:x:var:[13689]\)/d" "$stderr" --[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr -- -+[ ! -s $stderr ] && rm $stderr - [ -s $result ] - - assert_exists 10 '/oval_results/oval_definitions/variables/external_variable' -diff --git a/tests/API/OVAL/unittests/test_object_component_type.sh b/tests/API/OVAL/unittests/test_object_component_type.sh -index f9189c08..30c84a44 100755 ---- a/tests/API/OVAL/unittests/test_object_component_type.sh -+++ b/tests/API/OVAL/unittests/test_object_component_type.sh -@@ -8,6 +8,8 @@ set -o pipefail - $OSCAP oval eval $srcdir/test_object_component_type.oval.xml 2> $stderr || ret=$? - [ $ret -eq 1 ] - -+stderr_line_count=`cat $stderr | wc -l` -+[ $stderr_line_count -eq 2 ] - grep -q "Entity [']something_bogus['] has not been found in textfilecontent_item (id: [0-9]\+) specified by object [']oval:oscap:obj:10[']." $stderr - grep -q "Expected record data type, but found string data type in subexpression entity in textfilecontent_item (id: [0-9]\+) specified by object [']oval:oscap:obj:10[']." 
$stderr - -diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -index 44ae2f77..f48239d9 100755 ---- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -+++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -@@ -35,8 +35,6 @@ assert_exists 1 '//score[text()="0.000000"]' - ret=0 - $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$? - [ $ret -eq 2 ] --# filter out the expected warning in stderr --sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr" - [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr - - $OSCAP xccdf validate-xml $result -diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh -index 6243cff3..f90d6c8b 100755 ---- a/tests/probes/sql57/unsupported_engine.sh -+++ b/tests/probes/sql57/unsupported_engine.sh -@@ -10,8 +10,6 @@ echo "stderr file: $stderr" - - echo "Evaluating content." - $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr --# filter out the expected error in stderr --sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr" - [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr - echo "Validating results." - #$OSCAP oval validate-xml --results --schematron $result -diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh -index 435eaf5d..fa353925 100755 ---- a/tests/probes/sysctl/test_sysctl_probe_all.sh -+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh -@@ -29,8 +29,6 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" - - diff "$sysctlNames" "$ourNames" - --# remove oscap error message related to permissions from stderr --sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr" - [ ! 
-s $stderr ] - - rm $stderr $result $ourNames $sysctlNames -diff --git a/utils/oscap.c b/utils/oscap.c -index 9d3386fd..1f22c49b 100644 ---- a/utils/oscap.c -+++ b/utils/oscap.c -@@ -130,8 +130,7 @@ static int print_versions(const struct oscap_action *action) - const char * const *known_plugins = check_engine_plugin_get_known_plugins(); - bool known_plugin_found = false; - while (*known_plugins) { -- // try to load the plugin but output no errors if it fails (quiet=true) -- struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true); -+ struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins); - if (plugin) { - printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins); - check_engine_plugin_unload(plugin); --- -2.14.3 - diff --git a/SOURCES/openscap-1.2.17-updated-bash-completion.patch b/SOURCES/openscap-1.2.17-updated-bash-completion.patch deleted file mode 100644 index a5ee8a3..0000000 --- a/SOURCES/openscap-1.2.17-updated-bash-completion.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From c3d14137500991e6eae629110cb9c71b1fadc5de Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 1 Dec 2017 15:35:44 +0100 -Subject: [PATCH] Updated bash completion. - -Just included updated 'info' and 'xccdf eval'. ---- - dist/bash_completion.d/oscap | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/dist/bash_completion.d/oscap b/dist/bash_completion.d/oscap -index 640eb26bb..ff6677327 100644 ---- a/dist/bash_completion.d/oscap -+++ b/dist/bash_completion.d/oscap -@@ -31,7 +31,7 @@ function _oscap { - opts[oscap:oval:analyse]="--variables --directives --verbose --verbose-log-file" - opts[oscap:oval:collect]="--variables --verbose --verbose-log-file" - opts[oscap:oval:generate:report]="-o --output" -- opts[oscap:xccdf:eval]="--skip-valid --datastream-id --xccdf-id --profile --results --results-arf --report --oval-results --export-variables --fetch-remote-resources --remediate --cpe --verbose --verbose-log-file" -+ opts[oscap:xccdf:eval]="--benchmark-id --check-engine-results --cpe --datastream-id --export-variables --fetch-remote-resources --oval-results --profile --progress --remediate --report --results --results-arf --rule --sce-results --skip-valid --stig-viewer --tailoring-file --tailoring-id --thin-results --verbose --verbose-log-file --without-syschar --xccdf-id" - opts[oscap:xccdf:validate]="--schematron" - opts[oscap:xccdf:export-oval-variables]="--datastream-id --xccdf-id --profile --skip-valid --fetch-remote-resources --cpe" - opts[oscap:xccdf:remediate]="--result-id --skip-valid --fetch-remote-resources --results --results-arf --report --oval-results --export-variables --cpe" -@@ -48,7 +48,7 @@ function _oscap { - opts[oscap:ds:rds-split]="--report-id --skip-valid" - opts[oscap:cvss:score]="" - opts[oscap:cvss:describe]="" -- opts[oscap:info]="--fetch-remote-resources" -+ opts[oscap:info]="--fetch-remote-resources --profile --profiles" - - # local variables - local std cmd i prev 
diff --git a/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch b/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch
deleted file mode 100644
index 00f7d80..0000000
--- a/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 2e15ace4f3fe4b7e5e5b3829ddcd2d13f2743544 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 18 Apr 2018 11:55:40 -0400 -Subject: [PATCH] Force the CHROOT offline mode for RPM related probes - -librpm doesn't fully support the rpmtsSetRootDir, we can't rely on it. ---- - src/OVAL/probes/unix/linux/rpminfo.c | 2 +- - src/OVAL/probes/unix/linux/rpmverify.c | 2 +- - src/OVAL/probes/unix/linux/rpmverifyfile.c | 2 +- - src/OVAL/probes/unix/linux/rpmverifypackage.c | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c -index 77759b047..8f52f020c 100644 ---- a/src/OVAL/probes/unix/linux/rpminfo.c -+++ b/src/OVAL/probes/unix/linux/rpminfo.c -@@ -269,7 +269,7 @@ void probe_preload () - - void probe_offline_mode () - { -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN|PROBE_OFFLINE_RPMDB); -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT|PROBE_OFFLINE_RPMDB); - } - - void *probe_init (void) -diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c -index 1a9aca01a..b1a9eaf05 100644 ---- a/src/OVAL/probes/unix/linux/rpmverify.c -+++ b/src/OVAL/probes/unix/linux/rpmverify.c -@@ -226,7 +226,7 @@ void probe_preload () - - void probe_offline_mode () - { -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN); -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT); - } - - void *probe_init (void) -diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c -index 877653b84..cbcb85fc0 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifyfile.c -+++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c -@@ -311,7 +311,7 @@ void probe_preload () - - void probe_offline_mode () - { -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN); -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, 
PROBE_OFFLINE_CHROOT); - } - - void *probe_init (void) -diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c -index 3c0dd5003..2a110ef5a 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifypackage.c -+++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c -@@ -312,7 +312,7 @@ ret: - - void probe_offline_mode () - { -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN); -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT); - } - - void *probe_init (void) --- -2.14.3 - diff --git a/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch b/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch deleted file mode 100644 index 67caa76..0000000 --- a/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From ff8e3a420f294339317f7d8d0e16f04a03511269 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 18 Apr 2018 12:02:46 -0400 -Subject: [PATCH] Revert "Enables offline scan without chroot in - textfilecontent and textfilecontent54 probes" - -This reverts commit 908d002c68e43a3d3c3bede128c535fbee815a10. ---- - src/OVAL/probes/independent/textfilecontent.c | 20 ++------------------ - src/OVAL/probes/independent/textfilecontent54.c | 21 ++------------------- - 2 files changed, 4 insertions(+), 37 deletions(-) - -diff --git a/src/OVAL/probes/independent/textfilecontent.c b/src/OVAL/probes/independent/textfilecontent.c -index 2edba7a9b..961cd98cb 100644 ---- a/src/OVAL/probes/independent/textfilecontent.c -+++ b/src/OVAL/probes/independent/textfilecontent.c -@@ -327,13 +327,9 @@ static int process_file(const char *path, const char *filename, void *arg) - return ret; - } - --void probe_offline_mode () --{ -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN); --} -- - void *probe_init(void) - { -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT); - return NULL; - } - -@@ -341,8 +337,6 @@ int probe_main(probe_ctx *ctx, void *arg) - { - SEXP_t *path_ent, *filename_ent, *line_ent, *behaviors_ent, *filepath_ent, *probe_in; - char *pattern; -- char path_with_root[PATH_MAX + 1]; -- unsigned int root_len = 0; - - OVAL_FTS *ofts; - OVAL_FTSENT *ofts_ent; -@@ -389,22 +383,12 @@ int probe_main(probe_ctx *ctx, void *arg) - pfd.filename_ent = filename_ent; - pfd.ctx = ctx; - -- path_with_root[PATH_MAX] = '\0'; -- if (OSCAP_GSYM(offline_mode) & PROBE_OFFLINE_OWN) { -- strncpy(path_with_root, getenv("OSCAP_PROBE_ROOT"), PATH_MAX); -- root_len = strlen(path_with_root); -- -- if (path_with_root[root_len - 1] == FILE_SEPARATOR) -- --root_len; -- } -- - if ((ofts = oval_fts_open(path_ent, filename_ent, filepath_ent, behaviors_ent, probe_ctx_getresult(ctx))) != NULL) { - while ((ofts_ent = oval_fts_read(ofts)) != NULL) { - if 
(ofts_ent->fts_info == FTS_F - || ofts_ent->fts_info == FTS_SL) { -- strncpy(path_with_root + root_len, ofts_ent->path, PATH_MAX - root_len); - // todo: handle return code -- process_file(path_with_root, ofts_ent->file, &pfd); -+ process_file(ofts_ent->path, ofts_ent->file, &pfd); - } - oval_ftsent_free(ofts_ent); - } -diff --git a/src/OVAL/probes/independent/textfilecontent54.c b/src/OVAL/probes/independent/textfilecontent54.c -index 1f76ee4e9..ecff6057b 100644 ---- a/src/OVAL/probes/independent/textfilecontent54.c -+++ b/src/OVAL/probes/independent/textfilecontent54.c -@@ -347,13 +347,9 @@ static int process_file(const char *path, const char *file, void *arg) - return ret; - } - --void probe_offline_mode () --{ -- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN); --} -- - void *probe_init(void) - { -+ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT); - return NULL; - } - -@@ -375,8 +371,6 @@ int probe_main(probe_ctx *ctx, void *arg) - #endif - OVAL_FTS *ofts; - OVAL_FTSENT *ofts_ent; -- char path_with_root[PATH_MAX + 1]; -- unsigned int root_len = 0; - - (void)arg; - -@@ -504,23 +498,12 @@ int probe_main(probe_ctx *ctx, void *arg) - goto cleanup; - } - #endif -- -- path_with_root[PATH_MAX] = '\0'; -- if (OSCAP_GSYM(offline_mode) & PROBE_OFFLINE_OWN) { -- strncpy(path_with_root, getenv("OSCAP_PROBE_ROOT"), PATH_MAX); -- root_len = strlen(path_with_root); -- -- if (path_with_root[root_len - 1] == FILE_SEPARATOR) -- --root_len; -- } -- - if ((ofts = oval_fts_open(path_ent, file_ent, filepath_ent, bh_ent, probe_ctx_getresult(ctx))) != NULL) { - while ((ofts_ent = oval_fts_read(ofts)) != NULL) { - if (ofts_ent->fts_info == FTS_F - || ofts_ent->fts_info == FTS_SL) { -- strncpy(path_with_root + root_len, ofts_ent->path, PATH_MAX - root_len); - // todo: handle return code -- process_file(path_with_root, ofts_ent->file, &pfd); -+ process_file(ofts_ent->path, ofts_ent->file, &pfd); - } - oval_ftsent_free(ofts_ent); - } --- -2.14.3 - 
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index ea87688..0284bf3 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -5,19 +5,14 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap -Version: 1.2.16 -Release: 8%{?dist} +Version: 1.2.17 +Release: 2%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz -Patch0: openscap-1.2.17-updated-bash-completion.patch -Patch1: openscap-1.2.17-align-bash-role-header-with-help.patch -Patch2: openscap-1.2.17-revert-warnings-by-default.patch -Patch3: openscap-1.2.17-oscap-docker-cleanup-temp-image.patch -Patch4: openscap-1.2.17-use-chroot-for-textfilecontent.patch -Patch5: openscap-1.2.17-use-chroot-for-rpm-probes.patch +Patch1: openscap-1.2.17-filehash58_probe_test.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -132,12 +127,7 @@ Tool for scanning Atomic containers. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%patch1 -p1 -b .filehash58_probe_test %build %ifarch sparc64 
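Review bot: The patch list drops `Patch4` (use-chroot-for-textfilecontent) and `Patch5` (use-chroot-for-rpm-probes) with no comment in the spec saying where those fixes now live; only the changelog entry for 1.2.17-1 mentions the two bug numbers. Judging by their `openscap-1.2.17-*` names they were backports that the 1.2.17 tarball should already contain, but nothing visible in this commit confirms it, and the one test that `Patch1` adds covers only the filehash58 probe under `OSCAP_PROBE_ROOT`. If offline mode regressed for the rpm or textfilecontent probes, a scan of a mounted image could end up reporting on the host's files instead. I would add above `Patch1:` a comment such as `# Former Patch0-Patch5 were backports from 1.2.17 and are part of the rebased tarball; Patch1 adds the filehash58 offline-mode test`, after checking the tarball for the `PROBE_OFFLINE_CHROOT` changes.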
@@ -289,11 +279,16 @@ rm -rf $RPM_BUILD_ROOT %changelog -* Thu Apr 19 2018 Martin Preisler - 1.2.16-8 -- Use the chroot mode for rpm probes (#1556988) - -* Wed Apr 18 2018 Martin Preisler - 1.2.16-7 -- Use the chroot mode for textfilecontent (#1547107) +* Tue Aug 14 2018 Matěj Týč - 1.2.17-2 +- Patched to include tests for filehash58 probe. + +* Wed Jul 11 2018 Matěj Týč - 1.2.17-1 +- Rebased to the 1.2.17 upstream release (#1564900). +- Fixed the offline scanning (#1547107, #1556988). +- HTML Guide user experience improvements. +- New options in HTML report "Group By" menu. +- oscap-ssh supports --oval-results. +- For more news, see https://github.com/OpenSCAP/openscap/releases/tag/1.2.17 * Tue Feb 06 2018 Watson Yuuma Sato - 1.2.16-6 - Cleanup temporary images created by oscap-docker (#1454637)