Reduction of CPE content in DS

[Honny1]

Description:

This PR reduces the CPE OVAL, CPE AL and CPE dictionary in the data stream. This PR also includes the integration of minimal CPE components into thin DS. For example, the data stream size reduction generated by ./build_product fedora --rule-id audit_rules_privileged_commands_fusermount3 is 249K.

This PR also deals with the problem of adding new CPE platforms to the derivative. In connection with this, an automatically formatted derivative is generated.

Review Hints:

To test one rule you can run this command:

./build_product fedora --rule-id audit_rules_privileged_commands_fusermount3

To test changes you can run this script:

#!/bin/bash

./build_product fedora --thin

for filename in ./build/thin_ds/*.xml; do
    echo "$filename"
    oscap xccdf eval  --profile "(all)" --results-arf "arf_results/arf_$(basename -- $filename)" "$filename"
done

The script generates a thin Datastream for each rule and then performs a scan using oscap.
This test takes more than an hour to run because there are approximately 1830 rules to process and some are memory intensive.

Depends on:

• Rework of cpe_generate.py #11644

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11648
This image was built from commit: 2647ff4

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11648

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11648 make deploy-local

[jan-cerny]

This is a great improvement!

What are the new added reference elements in the CPE OVAL definitions? They aren't there in current master. For example: <oval-def:reference ref_id="installed_env_is_a_container" source="ssg"/>

[Honny1]

/packit retest-failed

[Honny1]

@jan-cerny This new reference is created during translation to map the original id before translation. Do we want to keep it? It can be easily turned off.

[jan-cerny]

@Honny1 I'd propose to turn it off, I don't know what value it brings.

[jan-cerny]

Usually 2 spaces are used in XMLs.

[jan-cerny]

I know that this isn't done by you but I think you should move all these namespace definitions to ssg/constants.py and only import it from there here. Also, the cpe-lang NS should be defined as a separate constant and not using the PREFIX_TO_NS dictionary which should only reference the constant.

[jan-cerny]

So far it looks great. I have seen the thin data streams. I also have seen that the unused CPE items and the corresponding unused CPE OVAL definitions are succesfully removed also from the classic data stream which helps reduce it size.

However, the CI tail of TF on CS8 is a legit failure and needs to be fixed fixed. The problem happens with the derivative products, such as CentOS 8. The derivative data stream ssg-centos8-ds.xml doesn't contain the OVAL definition installed_OS_is_centos8 for the platform .cpe:/o:centos:centos:8.

This problem is most likely caused by the fact that your code now strips off all the unused items, but when builiding derivatives, new items are added later by the enable_derivatives.py. You can see that this scripts adds additional CPEs for CS or SL.

You need to invent how to workaround this problem. Maybe add a special case for the definitions used in the derivatives data streams so that they are never removed?

[Honny1]

/packit retest-failed

[jan-cerny]

/packit retest-failed

[jan-cerny]

I think that the xmllint reformat needs to stay there because apparently OpenSCAP has problems with not pretty formatted XMLs and on RHEL 7 the Python doesn't produce pretty outputs.

The segfault is reproducible, it's not a random glitch.

[Honny1]

Ok, fixed, after RHEL 7 is not supported we can remove the formatting tool.

[codeclimate]

Code Climate has analyzed commit 2647ff4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 13.7% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (-0.5% change).

View more on Code Climate.

[Honny1]

/packit retest-failed

[Honny1]

/packit retest-failed

[jan-cerny]

Today I reviewed the code again. I have built Fedora and RHEL 8 products and checked some of the thin data streams and also single rule data streams and tried to evaluated them. I also have built derivative products and checked that the CPE entry has been inserted there.