ComplianceAsCode · jan-cerny · Oct 21, 2022 · Oct 20, 2022 · Oct 20, 2022 · Oct 20, 2022
diff --git a/docs/manual/developer/05_tools_and_utilities.md b/docs/manual/developer/05_tools_and_utilities.md
@@ -123,7 +123,8 @@ These sub-commands are:
 - `duplicate_subkeys`: finds (but doesn't fix!) any rules with duplicated
   `identifiers` or `references`.
 - `sort_subkeys`: sorts all subkeys under `identifiers` and `references`.
-- `sort_prodtypes`: "sorts the products in prodtype"
+- `sort_prodtypes`: sorts the products in prodtype.
+- `add-cce`: automatically assign CCE identifiers to rules.
 
 To execute:
 
@@ -140,6 +141,30 @@ For example:
 Note that it is generally good practice to commit all changes prior to running
 one of these commands and then commit the results separately.
 
+#### How to automatically assign CCEs with the `add-cce` sub-command
+
+First you need to make sure that that the `rule_dirs.json` exists, run the following to create it:
+
+```bash
+    $ ./utils/rule_dir_json.py
+```
+
+Then based on the available pool you want to assign the CCEs, you can run something like:
+
+```bash
+    $ python utils/fix_rules.py --product products/rhel9/product.yml add-cce --cce-pool redhat audit_rules_privileged_commands_newuidmap
+```
+
+Note: Multiple rules can have the CCE at the same time by just adding space separated rule IDs.
+Note: The rule should have the product assigned to the `prodtype` attribute or the `prodtype` should be empty.
+
+Example for `sle15` product:
+
+```bash
+    $ python utils/fix_rules.py --product products/sle15/product.yml add-cce --cce-pool sle15 audit_rules_privileged_commands_newuidmap audit_rules_privileged_commands_newuidmap
+```
+
+
 ### `utils/autoprodtyper.py` -- automatically add product to `prodtype`
 
 When building a profile for a new product version (such as forking

diff --git a/shared/references/cce-sles12-avail.txt → shared/references/cce-sle12-avail.txt b/shared/references/cce-sles12-avail.txt → shared/references/cce-sle12-avail.txt
@@ -237,4 +237,4 @@ CCE-92446-4
 CCE-92447-2
 CCE-92448-0
 CCE-92449-8
-CCE-92450-6
+CCE-92450-6
diff --git a/shared/references/cce-sles15-avail.txt → shared/references/cce-sle15-avail.txt b/shared/references/cce-sles15-avail.txt → shared/references/cce-sle15-avail.txt
@@ -315,4 +315,4 @@ CCE-92696-4
 CCE-92697-2
 CCE-92698-0
 CCE-92699-8
-CCE-92700-4
+CCE-92700-4
diff --git a/ssg/cce.py b/ssg/cce.py
@@ -55,16 +55,28 @@ def absolute_path(self):
         return os.path.join(self.project_root, "shared", "references", "cce-redhat-avail.txt")
 
 
+class SLE12CCEFile(CCEFile):
+    @property
+    def absolute_path(self):
+        return os.path.join(self.project_root, "shared", "references", "cce-sle12-avail.txt")
+
+
+class SLE15CCEFile(CCEFile):
+    @property
+    def absolute_path(self):
+        return os.path.join(self.project_root, "shared", "references", "cce-sle15-avail.txt")
+
+
 CCE_POOLS["redhat"] = RedhatCCEFile
+CCE_POOLS["sle12"] = SLE12CCEFile
+CCE_POOLS["sle15"] = SLE15CCEFile
 
 
 def is_cce_format_valid(cceid):
     """
     IF CCE ID IS IN VALID FORM (either 'CCE-XXXX-X' or 'CCE-XXXXX-X'
     where each X is a digit, and the final X is a check-digit)
     based on Requirement A17:
-
-    http://people.redhat.com/swells/nist-scap-validation/scap-val-requirements-1.2.html
     """
     match = re.match(r'^CCE-\d{4,5}-\d$', cceid)
     return match is not None