Merge branch 'maint-1.3'

jan-cerny · jan-cerny · commit 7bdecd068774 · 2025-01-07T16:58:52.000+01:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -330,7 +330,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_AS_RPM "enable the scap-as-rpm utility,
 cmake_dependent_option(ENABLE_OSCAP_UTIL_SSH "enables the oscap-ssh utility, this lets you scan remote machines over ssh" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this lets you scan VMs and VM storage images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
-cmake_dependent_option(ENABLE_OSCAP_UTIL_BOOTC "enables the oscap-bootc utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
+cmake_dependent_option(ENABLE_OSCAP_UTIL_IM "enables the oscap-im utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
 option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
 option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" FALSE)
@@ -468,7 +468,7 @@ message(STATUS "scap-as-rpm: ${ENABLE_OSCAP_UTIL_AS_RPM}")
 message(STATUS "oscap-ssh: ${ENABLE_OSCAP_UTIL_SSH}")
 message(STATUS "oscap-vm: ${ENABLE_OSCAP_UTIL_VM}")
 message(STATUS "oscap-podman: ${ENABLE_OSCAP_UTIL_PODMAN}")
-message(STATUS "oscap-bootc: ${ENABLE_OSCAP_UTIL_BOOTC}")
+message(STATUS "oscap-im: ${ENABLE_OSCAP_UTIL_IM}")
 message(STATUS "oscap-chroot: ${ENABLE_OSCAP_UTIL_CHROOT}")
 message(STATUS "autotailor: ${ENABLE_OSCAP_UTIL_AUTOTAILOR}")
 message(STATUS " ")
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
@@ -189,13 +189,6 @@ Checklists:
 				system: http://scap.nist.gov/schema/ocil/2
 			security-data-oval-com.redhat.rhsa-RHEL8.xml
 				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
-Checks:
-	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
-	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
-	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
-	Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
-Dictionaries:
-	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
 ----
 
 * **Document type** describes what format the file is in. Common types include
@@ -216,8 +209,6 @@ shown for XCCDF files and Checklists and is sourced from the XCCDF **Status**
 element.
 * **Profiles** lists available profiles, their titles and IDs that you can use for
 the `--profile` command line attribute.
-* **Checks** and **Dictionaries** lists OVAL checks components and CPE
-dictionaries components in the given data stream.
 
 To display more detailed information about a profile including the profile
 description, use the `--profile` option followed by the profile ID.
@@ -1840,15 +1831,15 @@ registry.access.redhat.com/ubi8  latest  3269c37eae33  2 months ago  208 MB
 
 Note that the `oscap-podman` command requires root privileges.
 
-=== Building hardened bootable container images using oscap-bootc
+=== Building hardened bootable container images using oscap-im
 
-The `oscap-bootc` tool is a convenience script that makes building hardened bootable container images easier.
+The `oscap-im` tool is a convenience script that makes building hardened bootable container images easier.
 This tool is designed to be used during the build of the bootable container image.
 
-Include `oscap-bootc` in your `Containerfile` that will be used to build your bootable container image.
-The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-bootc` tool.
+Include `oscap-im` in your `Containerfile` that will be used to build your bootable container image.
+The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-im` tool.
 
-Also, SCAP content needs to be installed to the image before `oscap-bootc` will be run.
+Also, SCAP content needs to be installed to the image before `oscap-im` will be run.
 Although any SCAP content can be consumed by the tool, the SCAP source data streams shipped in `scap-security-guide` are specially cared to be compatible with bootable containers.
 
 Example `Containerfile`:
@@ -1858,7 +1849,7 @@ FROM quay.io/centos-bootc/centos-bootc:stream9
 
 RUN dnf install -y openscap-utils scap-security-guide
 
-RUN oscap-bootc --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
+RUN oscap-im --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
 ----
 
 Once you have your `Containerfile`, execute the image build:
@@ -1867,15 +1858,15 @@ Once you have your `Containerfile`, execute the image build:
 podman build -t hardened_image .
 ----
 
-The `oscap-bootc` tool installs and removes all packages required by the selected profile to or from the image.
+The `oscap-im` tool installs and removes all packages required by the selected profile to or from the image.
 Then, it runs a scan and remediation with the selected profile.
 It doesn't use offline scanning.
 The configuration files and other content in the image are modified by this process, depending on the used SCAP content.
 
 The built bootable container image can be then deployed and booted.
 After booting the image, the state of the resulting system will be in line with the selected security profile.
 
-The `oscap-bootc` tool can't be used anywhere else than in a `Containerfile`.
+The `oscap-im` tool can't be used anywhere else than in a `Containerfile`.
 
 === Scanning of Docker containers and images using oscap-docker
 
diff --git a/openscap.spec b/openscap.spec
@@ -88,7 +88,6 @@ Summary:        OpenSCAP Utilities
 Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 Requires:       rpmdevtools rpm-build
 Requires:       %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}
-Requires:       %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description    utils
 The %{name}-utils package contains command-line tools build on top
diff --git a/swig/openscap_api.py b/swig/openscap_api.py
@@ -811,7 +811,7 @@ def init(self, path, paths={}):
             if OSCAP.oscap_err():
                 desc = OSCAP.oscap_err_desc()
             else:
-                desc = "Unknown error, please report this bug (http://bugzilla.redhat.com/)"
+                desc = "Unknown error, please report this bug (https://github.com/OpenSCAP/openscap/issues)"
             raise ImportError(
                 "Benchmark \"%s\" loading failed: %s" % (f_XCCDF, desc))
 
@@ -832,7 +832,7 @@ def init(self, path, paths={}):
                     if OSCAP.oscap_err():
                         desc = OSCAP.oscap_err_desc()
                     else:
-                        desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
+                        desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
                     raise ImportError(
                         "Cannot import definition model for \"%s\": %s" % (f_OVAL, desc))
                 def_models.append(def_model)
@@ -841,7 +841,7 @@ def init(self, path, paths={}):
                     if OSCAP.oscap_err():
                         desc = OSCAP.oscap_err_desc()
                     else:
-                        desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
+                        desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
                     raise ImportError(
                         "Cannot create agent session for \"%s\": %s" % (f_OVAL, desc))
                 sessions[file] = sess
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
@@ -139,11 +139,11 @@ if(ENABLE_OSCAP_UTIL_PODMAN)
 		DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
 	)
 endif()
-if(ENABLE_OSCAP_UTIL_BOOTC)
-	install(PROGRAMS "oscap-bootc"
+if(ENABLE_OSCAP_UTIL_IM)
+	install(PROGRAMS "oscap-im"
 		DESTINATION ${CMAKE_INSTALL_BINDIR}
 	)
-	install(FILES "oscap-bootc.8"
+	install(FILES "oscap-im.8"
 		DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
 	)
 endif()
diff --git a/utils/oscap-im b/utils/oscap-im
@@ -21,6 +21,8 @@ import subprocess
 import sys
 import tempfile
 
+from pathlib import Path
+
 
 def parse_args():
     parser = argparse.ArgumentParser(
@@ -55,17 +57,21 @@ def parse_args():
     return parser.parse_args()
 
 
-def ensure_sce_installed():
-    query_cmd = ["rpm", "-q", "openscap-engine-sce"]
-    query_process = subprocess.run(query_cmd, capture_output=True)
-    if query_process.returncode != 0:
+def verify_bootc_build_env():
+    rv = subprocess.run(
+        ["rpm", "-q", "bootc"],
+        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+    bootc_env = (rv.returncode == 0)
+    container_env = Path("/run/.containerenv").exists()
+    if not bootc_env or not container_env:
         raise RuntimeError(
-            "The script requires to have the openscap-engine-sce package "
-            "installed.")
+            "This script is supposed to be used only in the bootable "
+            "container build environment.")
 
 
 def install_sce_dependencies():
     required_packages = [
+        "openscap-engine-sce",
         "setools-console"  # seinfo is used by the sebool template
     ]
     install_cmd = ["dnf", "-y", "install"] + required_packages
@@ -129,7 +135,7 @@ def scan_and_remediate(args):
 
 def main():
     args = parse_args()
-    ensure_sce_installed()
+    verify_bootc_build_env()
     install_sce_dependencies()
     pre_scan_fix(args)
     scan_and_remediate(args)
diff --git a/utils/oscap-im.8 b/utils/oscap-im.8
@@ -1,19 +1,19 @@
-.TH oscap-bootc "8" "November 2024" "Red Hat, Inc." "System Administration Utilities"
+.TH oscap-im "8" "January 2025" "Red Hat, Inc." "System Administration Utilities"
 
 .SH NAME
-oscap-bootc \- Tool for building hardened bootable container images
+oscap-im \- Tool for building hardened bootable container images
 
 .SH DESCRIPTION
-The oscap-bootc tool is a convenience script that makes building hardened bootable container images easier.
+The oscap-im tool is a convenience script that makes building hardened bootable container images easier.
 This tool is designed to be used during the build of the bootable container image.
-Include oscap-bootc in your Containerfile that will be used to build your bootable container image.
-The oscap-bootc runs oscap tool on a given container image.
+Include oscap-im in your Containerfile that will be used to build your bootable container image.
+The oscap-im runs oscap tool on a given container image.
 
-The oscap-bootc tool can't be used anywhere else than in a Containerfile.
+The oscap-im tool can't be used anywhere else than in a Containerfile.
 
 .SH USAGE
 
-oscap-bootc [OPTION...] DATASTREAM_FILE
+oscap-im [OPTION...] DATASTREAM_FILE
 
 Usage of the tool mimics usage and options of oscap(8) tool.
 
diff --git a/utils/oscap-info.c b/utils/oscap-info.c
@@ -209,8 +209,11 @@ static inline void _print_xccdf_referenced_files(struct xccdf_policy_model *poli
 	printf("%sReferenced check files:\n", prefix);
 	while (oscap_file_entry_iterator_has_more(files_it)) {
 		struct oscap_file_entry *file_entry = (struct oscap_file_entry *) oscap_file_entry_iterator_next(files_it);
-		printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
-		printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
+		const char *system = oscap_file_entry_get_system(file_entry);
+		if (strcmp(system, "http://open-scap.org/page/SCE")) {
+			printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
+			printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
+		}
 	}
 	oscap_file_entry_iterator_free(files_it);
 	oscap_file_entry_list_free(referenced_files);
@@ -490,26 +493,6 @@ static int app_info_single_ds_all(struct ds_stream_index_iterator* sds_it, struc
 		ds_sds_session_reset(session);
 	}
 	oscap_string_iterator_free(checklist_it);
-
-	printf("Checks:\n");
-	struct oscap_string_iterator* checks_it = ds_stream_index_get_checks(stream);
-	while (oscap_string_iterator_has_more(checks_it)) {
-		const char * id = oscap_string_iterator_next(checks_it);
-		printf("\tRef-Id: %s\n", id);
-	}
-	oscap_string_iterator_free(checks_it);
-
-	struct oscap_string_iterator* dict_it = ds_stream_index_get_dictionaries(stream);
-	if (oscap_string_iterator_has_more(dict_it)) {
-		printf("Dictionaries:\n");
-	} else {
-		printf("No dictionaries.\n");
-	}
-	while (oscap_string_iterator_has_more(dict_it)) {
-		const char * id = oscap_string_iterator_next(dict_it);
-		printf("\tRef-Id: %s\n", id);
-	}
-	oscap_string_iterator_free(dict_it);
 	return OSCAP_OK;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -139,11 +139,11 @@ if(ENABLE_OSCAP_UTIL_PODMAN)`
`139`	`139`	`DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"`
`140`	`140`	`)`
`141`	`141`	`endif()`
`142`		`-if(ENABLE_OSCAP_UTIL_BOOTC)`
`143`		`- install(PROGRAMS "oscap-bootc"`
	`142`	`+if(ENABLE_OSCAP_UTIL_IM)`
	`143`	`+ install(PROGRAMS "oscap-im"`
`144`	`144`	`DESTINATION ${CMAKE_INSTALL_BINDIR}`
`145`	`145`	`)`
`146`		`- install(FILES "oscap-bootc.8"`
	`146`	`+ install(FILES "oscap-im.8"`
`147`	`147`	`DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"`
`148`	`148`	`)`
`149`	`149`	`endif()`