Implement OpenSCAP JSON tailoring support (HMS-3825) #1777

Merged
merged 5 commits into from
May 31, 2024

@kingsleyzissou kingsleyzissou commented May 9, 2024

With the oscap-utils-1.3.10 release, the autotailor command now supports importing a JSON tailoring file[1] that is then converted to the XML tailoring file which is consumed by the oscap command in the remediation stage.

[1] https://github.com/ComplianceAsCode/schemas/blob/main/tailoring/schema.json

@kingsleyzissou force-pushed the oscap-json-tailoring branch 3 times, most recently from c7f6331 to 56f3332 (May 10, 2024 14:28)
@kingsleyzissou marked this pull request as ready for review (May 10, 2024 15:04)

kingsleyzissou commented May 15, 2024

An interesting thought came up in the discussions for otk.

We could potentially handle all of this with a resolver in osbuild-composer/images and then pass the resulting xml file through. This could be a simpler and more elegant solution. Thoughts?

Edit to add: some benefits:
- this would make the images code less spaghetti-like.
- the workers should have a more consistent version of oscap-utils

The above idea adds a lot of extra complexity and would also create a hard dependency on oscap, oscap-utils and scap-security-guides in osbuild-composer.

@achilleas-k (Member) commented:

We merged an update to the repo snapshots from yesterday, so this conflicts now and the first commit can be dropped.

@achilleas-k achilleas-k left a comment

This LGTM. I'm not approving since we haven't resolved the property name discussion, but other than that I think we're good to go.

@kingsleyzissou force-pushed the oscap-json-tailoring branch 4 times, most recently from d3ca1f4 to 4782342 (May 28, 2024 18:57)
achilleas-k previously approved these changes May 28, 2024
@achilleas-k achilleas-k left a comment

Thanks! This LGTM now.
Sorry for all the pedantry :)

@kingsleyzissou (Contributor Author) commented:

> Thanks! This LGTM now. Sorry for all the pedantry :)

Thanks! No need to apologise, I appreciate that we take the time to think about this and try to get it right rather than living with the pain of something we're not 100% happy with.

We need a minimum version of `oscap-utils-1.3.10` which is available
in the `20240508` updates snapshot.
Since updating the snapshots the diffs for some stage tests have
changed. This commit updates the diffs accordingly.

I followed the same steps used in 1148a6e.

With the `oscap-utils-1.3.10` release, the `autotailor` command now
supports importing a JSON tailoring file[1] that is then converted to the
XML tailoring file which is consumed by the `oscap` command in the
remediation stage.

[1] https://github.com/ComplianceAsCode/schemas/blob/main/tailoring/schema.json

@kingsleyzissou (Contributor Author) commented:

One of the tests broke after a rebase :/ so just fixing that now

Add a small unit test for the json tailoring file import.
Add a test to ensure that json tailoring import is supported for the
`oscap.autotailor` stage.

@thozza thozza left a comment

LGTM

@bcl bcl left a comment

Looks good!

@kingsleyzissou merged commit 8985155 into osbuild:main (May 31, 2024)
40 checks passed
@kingsleyzissou deleted the oscap-json-tailoring branch (May 31, 2024 19:00)