diff --git a/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch b/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch
new file mode 100644
index 0000000..5621480
--- /dev/null
+++ b/SOURCES/openscap-1.2.12-oscap-docker-incompliance.patch
@@ -0,0 +1,44 @@
+From 5ffdcf51b500494ac235a6a0160c126fc6f2144c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 24 Oct 2016 10:30:07 +0200
+Subject: [PATCH] Issue#475: RHBZ#1387248: Fix oscap-docker reporting
+ incompliance
+
+Compliance scan of a Docker image/container using oscap-docker reported
+incorrectly that there had been an error even if scan had been successful
+but incompliance of the assessed system had been found.
+---
+ utils/oscap_docker_python/oscap_docker_util.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py
+index 210ac57..8ca31b5 100644
+--- a/utils/oscap_docker_python/oscap_docker_util.py
++++ b/utils/oscap_docker_python/oscap_docker_util.py
+@@ -119,19 +119,19 @@ def oscap_chroot(self, target, image, chroot_path, *oscap_args):
+ os.environ["OSCAP_PROBE_"
+ "PRIMARY_HOST_NAME"] = "{0}-{1}".format(target, image)
+ cmd = ['oscap'] + [x for x in oscap_args]
+- try:
+- run = subprocess.check_output(cmd)
+- except Exception as error:
+- print("\nCommand: {0} failed!\n".format(" ".join(cmd)))
+- print("Error was:\n")
+- print(error)
++ oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ oscap_stdout, oscap_stderr = oscap_process.communicate()
++ if oscap_process.returncode not in [0, 2]:
++ sys.stderr.write("\nCommand: {0} failed!\n".format(" ".join(cmd)))
++ sys.stderr.write("Command returned exit code {0}.\n".format(oscap_process.returncode))
++ sys.stderr.write(oscap_stderr.decode("utf-8") + "\n")
+
+ # Clean up
+ self._cleanup_by_path(chroot_path)
+
+ sys.exit(1)
+
+- return run.decode("utf-8")
++ return oscap_stdout.decode("utf-8")
+
+ def _scan_cve(self, chroot, dist, scan_args):
+ '''
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index cd9fd7a..cb28f0c 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
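Review bot: On the path where oscap exits 0 or 2, the captured `oscap_stderr` is dropped, so warnings that oscap prints while still producing a result no longer reach the operator; the removed `subprocess.check_output(cmd)` call left stderr attached to the caller's terminal. Forward it before the return, e.g. `if oscap_stderr: sys.stderr.write(oscap_stderr.decode("utf-8", "replace"))`. The same branch folds exit code 2 (the non-compliant result, going by the commit message) into success and returns only stdout, so a caller that gates on the scan cannot tell a compliant target from a non-compliant one without parsing the report; whether oscap-docker's own exit status reflects the finding is decided outside this hunk. `subprocess.Popen` can still raise `OSError` when the binary is missing, and with the `except` removed that path appears to skip `self._cleanup_by_path(chroot_path)`. The body of oscap_chroot starts above the hunk, so these points rest on the visible lines only.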
@@ -6,13 +6,14 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap Version: 1.2.10 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: http://fedorahosted.org/releases/o/p/openscap/%{name}-%{version}.tar.gz Patch1: openscap-1.2.10-oscap-docker-urllib.patch +Patch2: openscap-1.2.12-oscap-docker-incompliance.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -117,6 +118,7 @@ for developing applications that use %{name}-engine-sce. %prep %setup -q %patch1 -p1 +%patch2 -p1 %build %ifarch sparc64 @@ -256,6 +258,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libopenscap_sce.so.* %changelog +* Thu Jan 05 2017 Raphael Sanchez Prudencio - 1.2.10-3 +- fix oscap-docker bug that incorrectly informs about incompliance of the assessed system (#1410409) + * Mon Sep 05 2016 Jan Černý - 1.2.10-2 - fix oscap-docker to follow the proxy settings (#1351952)