Fail build if profiles or controls contain invalid rule selections #11135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
The correct rule ID is `install_PAE_kernel_on_x86-32`.
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
The rule service_rexec_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
`locking_out_password_attempts` is an invalid rule ID, this rule doesn't exist, it's a group instead.
jan-cerny
force-pushed
the
issue8870
branch
from
477fef4
to
6ece53d
Compare
The rule `package_iptables_installed` is a part of multiple profiles in products but doesn't have prodtypes in these products.
These rules don't have the sle15 prodtype and therefore they don't exist in the sle15 benchmark.
This rule isn't a part of Fedora according to the rule `prodtype`.
This rule is a part of the RHEL 8 OSPP profile, but the rule doesn't have ol8 in prodtype. I think we can enable this rule on OL 8 because the rule exists also in RHEL 8.
This rule is selected by OL 9 OSPP profile but it doesn't have the prodtype.
This rule is selected by the E8 profile for OL 9 but it doesn't have OL 9 in the prodtype
firefox_preferences-dod_root_certificate is a group the correct rule ID is firefox_preferences-dod_root_certificate_installed
jan-cerny
force-pushed
the
issue8870
branch
from
6ece53d
to
0717eea
Compare
The rules changed by this commit are used by the OpenEmbedded standard profile but don't have the product ID in the prodtype key.
The rule accounts_users_own_home_directories is a part of the Ubuntu 22.04 Standard profile, but the rule doesn't have this product in its prodtype.
First, rename the function `resolve_selections_with_rules` to `apply_filter` to better express the purpose of this function. Second, move the call of `apply_filter` to a correct place. Previously, the function was checking if a rule ID is a rule that exists and is applicable to the currently built product. It removed the selections that selected the rules that don't exist. However, this operation shadowed a check in `resolve` that served to raise an exception if a rule isn't available. This exception could never be raised because at the moment of the check guarding the exception the selections already contained only existing rules. This flaw is fixed by moving the `apply_filter` call after the exception and removing the duplicate check.
We will raise an exception and terminate the build if a control selects a rule that doesn't exist. To do that, we need to get a list of all existing rules in the project. Unfortunately, we can't reuse a list of the rules available in the currently built product because control files can contain all rules from all benchmarks from all products. Control files are product agnostic and benchmark agnostic.
Add a simple unit test that verifies if the `Control.load()` method raises an exception if a control selects an invalid rule ID.
jan-cerny
force-pushed
the
issue8870
branch
from
0717eea
to
70cbe76
Compare
|
Code Climate has analyzed commit 70cbe76 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 56.9%. View more on Code Climate. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
I have made this PR ready for review |
Mab879
approved these changes
Sep 25, 2023
There was a problem hiding this comment.
Thanks for this great improvement @jan-cerny !
@ComplianceAsCode/suse-maintainers and @ComplianceAsCode/oracle-maintainers please take a look as well.
|
@jan-cerny Great feature! Thank you for fixing the missing OL |
teacup-on-rockingchair
approved these changes
Sep 26, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR adds checks which will cause to raise an exception and terminate the build:
This change revealed some invalid selections in our profiles and controls, these bugs are fixed in this PR as well.
For more details, please read commit messages of all commits.
Rationale:
This will ensure integrity of profiles and avoid invalid rule IDs.
Fixes: #8870
Review Hints: