Hello community, here is the log from the commit of package openscap for openSUSE:Factory checked in at 2018-12-04 20:57:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openscap (Old) and /work/SRC/openSUSE:Factory/.openscap.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openscap" Tue Dec 4 20:57:52 2018 rev:59 rq:653777 version:1.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/openscap/openscap.changes 2018-09-13 12:11:35.430288886 +0200 +++ /work/SRC/openSUSE:Factory/.openscap.new.19453/openscap.changes 2018-12-04 20:58:12.508594959 +0100 @@ -1,0 +2,25 @@ +Fri Oct 19 15:46:44 UTC 2018 - Robert Frohl <[email protected]> + +- openscap-1.3.0 + - New features + - Introduced a virtual '(all)' profile selecting all rules + - Verbose mode is a global option in all modules + - Added Microsoft Windows CPEs + - oscap-ssh can supply SSH options into an environment variable + - Maintenance + - Removed SEXP parser + - Added Fedora 30 CPE + - Fixed many Coverity defects (memory leaks etc.) + - SCE builds are enabled by default + - Moved many low-level functions out of public API + - Removed unused and dead code + - Updated manual pages + - Numerous small fixes +- xinetd_probe.patch: fix trailing whitespace in config +- test_probes_rpmverifypackage-disable-epoch-test.patch: fix rpmverifypackage unit test +- sysctl_unittest.patch: fix sysctl unit test +- rpmverifyfile_unittest.patch: fix rpmverifyfile unit test +- rpmverify_unittest.patch: fix rpmverify unit test +- openscap-xattr.patch: removed, included by upstream + +------------------------------------------------------------------- Old: ---- 1.2.17.tar.gz openscap-xattr.patch New: ---- 1.3.0.tar.gz openscap-rpmlintrc rpmverify_unittest.patch rpmverifyfile_unittest.patch sysctl_unittest.patch test_probes_rpmverifypackage-disable-epoch-test.patch xinetd_probe.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openscap.spec ++++++ --- /var/tmp/diff_new_pack.n3Bqsl/_old 2018-12-04 20:58:13.708593635 +0100 +++ /var/tmp/diff_new_pack.n3Bqsl/_new 2018-12-04 20:58:13.708593635 +0100 
@@ -21,13 +21,14 @@ %define _fillupdir /var/adm/fillup-templates %endif -%define sover 8 +%define sover 25 %define with_bindings 0 Name: openscap -Version: 1.2.17 +Version: 1.3.0 Release: 1.0 Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz +Source1: openscap-rpmlintrc Source2: sysconfig.oscap-scan # SUSE specific profile, based on yast2-security # checks. @@ -37,31 +38,47 @@ Source5: oscap-scan.service Source6: oscap-scan.sh Patch0: openscap-new-suse.patch -Patch1: openscap-xattr.patch +Patch1: xinetd_probe.patch +Patch2: test_probes_rpmverifypackage-disable-epoch-test.patch +Patch3: sysctl_unittest.patch +Patch4: rpmverifyfile_unittest.patch +Patch5: rpmverify_unittest.patch Url: http://www.open-scap.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: asciidoc BuildRequires: doxygen +# Next few lines are needed for unit tests, they expect /etc/os-release to exist +%if !0%{?is_opensuse} && 0%{?sle_version} < 130000 +BuildRequires: sles-release +%else +BuildRequires: dummy-release +%endif BuildRequires: libacl-devel +BuildRequires: libattr-devel BuildRequires: libbz2-devel BuildRequires: libcurl-devel BuildRequires: libgcrypt-devel BuildRequires: libxml2-devel # Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser" -BuildRequires: autoconf -BuildRequires: automake +BuildRequires: cmake +BuildRequires: gcc-c++ BuildRequires: gconf2-devel BuildRequires: libblkid-devel BuildRequires: libcap-devel BuildRequires: libselinux-devel BuildRequires: libtool BuildRequires: libxslt-devel +BuildRequires: lua BuildRequires: openldap2-devel BuildRequires: pcre-devel BuildRequires: perl-XML-Parser +BuildRequires: perl-XML-XPath BuildRequires: pkg-config +BuildRequires: procps BuildRequires: procps-devel BuildRequires: python-devel BuildRequires: rpm-devel +BuildRequires: sendmail BuildRequires: swig BuildRequires: unixODBC-devel Summary: A Set of Libraries for Integration with SCAP 
@@ -79,37 +96,6 @@ More information about SCAP can be found at nvd.nist.gov. - -%package -n libopenscap%{sover} -Summary: OpenSCAP C Library -Group: System/Libraries - -%description -n libopenscap%{sover} -The OpenSCAP C Library for easy integration with SCAP. - -%package docker -Summary: Docker plugin for OpenSCAP -Group: System/Libraries - -%description docker -This package contains the Docker support for OpenSCAP. - - -%package engine-sce -Summary: Script Checking Engine for OpenSCAP -Group: System/Libraries - -%description engine-sce -This package contains the Script Checking Engine (SCE) support for OpenSCAP. - -%package -n libopenscap_sce%{sover} -Summary: Script Checking Engine Library for OpenSCAP -Group: System/Libraries -Recommends: openscap-engine-sce - -%description -n libopenscap_sce%{sover} -This package contains the Script Checking Engine Library (SCE) for OpenSCAP. - %package devel Requires: %{name} = %{version}-%{release} Requires: libopenscap%{sover} = %{version} @@ -120,6 +106,13 @@ This package contains the development files (mainly C header files) for the OpenSCAP C library. +%package docker +Summary: Docker plugin for OpenSCAP +Group: System/Libraries + +%description docker +This package contains the Docker support for OpenSCAP. + %if 0%{?with_bindings} %package -n python-openscap %py_requires @@ -142,6 +135,13 @@ The OpenSCAP Perl Library for easy integration with SCAP. %endif +%package -n libopenscap%{sover} +Summary: OpenSCAP C Library +Group: System/Libraries + +%description -n libopenscap%{sover} +The OpenSCAP C Library for easy integration with SCAP. + %package utils Summary: Openscap utilities Group: System/Monitoring @@ -152,7 +152,6 @@ %description utils The %{name}-utils package contains various utilities based on %{name} library. - %package content Summary: SCAP content Group: System/Monitoring 
@@ -161,16 +160,12 @@ %description content SCAP content for Fedora delivered by Open-SCAP project. +%package -n libopenscap_sce%{sover} +Summary: Script Checking Engine Library for OpenSCAP +Group: System/Libraries -%package extra-probes -Summary: SCAP probes -Group: System/Monitoring -Requires: %{name} = %{version}-%{release} -#BuildRequires: opendbx - for sql - -%description extra-probes -The %{name}-extra-probes package contains additional probes that are not -commonly used and require additional dependencies. +%description -n libopenscap_sce%{sover} +This package contains the Script Checking Engine Library (SCE) for OpenSCAP. %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} 
@@ -178,102 +173,77 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build - -bash ./autogen.sh %if 0%{?with_bindings} -%configure --disable-silent-rules --enable-sce --enable-cce +%cmake -DENABLE_DOCS=TRUE -DCMAKE_SHARED_LINKER_FLAGS="" %else -%configure --disable-silent-rules --enable-sce --enable-cce --disable-bindings --disable-python --disable-python3 +%cmake -DENABLE_DOCS=TRUE -DENABLE_PYTHON3=FALSE -DENABLE_PERL=FALSE -DCMAKE_SHARED_LINKER_FLAGS="" %endif -make %{?_smp_mflags} -cd docs -doxygen -cd .. +%make_jobs %check -make check %{?_smp_mflags} || : +export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir} +cd build +# unit tests do not succeed, while working on 1.3 migration we submitted a few +# patches upstream but there is still one unit test that always fails and 1-3 +# which fail occasionally +ctest %{?_smp_mflags} || : +cd .. %install -make install DESTDIR=%{buildroot} -find %{buildroot} -name "*.la" -delete - -# last python2 user in oscap-utils ... 
needs porting to python3 -rm %{buildroot}/usr/bin/scap-as-rpm +%cmake_install mkdir -p %{buildroot}/%{_fillupdir} install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir} +mkdir -p %{buildroot}/%{_libexecdir}/openscap +mkdir -p %{buildroot}/%{_libdir}/openscap + install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap # specific local scan during boot script mkdir -p %{buildroot}/%{_unitdir} install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service +mkdir -p %{buildroot}/%{_bindir} install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan +mkdir -p %{buildroot}/%{_sbindir} +ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan + +mkdir -p %{buildroot}%{_datadir}/bash-completion/completions +mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/ # create symlinks to default content ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml %post -n libopenscap%{sover} -p /sbin/ldconfig -%post -n libopenscap_sce%{sover} -p /sbin/ldconfig - %postun -n libopenscap%{sover} -p /sbin/ldconfig -%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig -%preun utils -%service_del_preun oscap-scan.service +%post -n libopenscap_sce%{sover} -p /sbin/ldconfig +%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig -%post utils +%post -n openscap-utils %service_add_post oscap-scan.service -%{fillup_only -n oscap-scan} -%postun utils +%postun -n openscap-utils %service_del_postun oscap-scan.service -%pre utils +%pre -n openscap-utils %service_add_pre oscap-scan.service +%preun -n openscap-utils +%service_del_preun oscap-scan.service + %files %defattr(-, root, root) -%doc AUTHORS COPYING NEWS -%dir %{_libexecdir}/openscap -%{_libexecdir}/openscap/probe_dnscache -%{_libexecdir}/openscap/probe_environmentvariable 
-%{_libexecdir}/openscap/probe_environmentvariable58 -%{_libexecdir}/openscap/probe_family -%{_libexecdir}/openscap/probe_file -%{_libexecdir}/openscap/probe_fileextendedattribute -%{_libexecdir}/openscap/probe_filehash -%{_libexecdir}/openscap/probe_filehash58 -%{_libexecdir}/openscap/probe_iflisteners -%{_libexecdir}/openscap/probe_inetlisteningservers -%{_libexecdir}/openscap/probe_interface -%{_libexecdir}/openscap/probe_partition -%{_libexecdir}/openscap/probe_password -%{_libexecdir}/openscap/probe_process -%{_libexecdir}/openscap/probe_process58 -%{_libexecdir}/openscap/probe_routingtable -%{_libexecdir}/openscap/probe_rpminfo -%{_libexecdir}/openscap/probe_rpmverify* -%{_libexecdir}/openscap/probe_runlevel -%{_libexecdir}/openscap/probe_selinuxboolean -%{_libexecdir}/openscap/probe_selinuxsecuritycontext -%{_libexecdir}/openscap/probe_shadow -%{_libexecdir}/openscap/probe_symlink -%{_libexecdir}/openscap/probe_sysctl -%{_libexecdir}/openscap/probe_systemdunitdependency -%{_libexecdir}/openscap/probe_systemdunitproperty -%{_libexecdir}/openscap/probe_system_info -%{_libexecdir}/openscap/probe_textfilecontent -%{_libexecdir}/openscap/probe_textfilecontent54 -%{_libexecdir}/openscap/probe_uname -%{_libexecdir}/openscap/probe_variable -%{_libexecdir}/openscap/probe_xinetd -%{_libexecdir}/openscap/probe_xmlfilecontent - +%license COPYING +%doc AUTHORS NEWS %dir %{_datadir}/openscap %dir %{_datadir}/openscap/cpe %dir %{_datadir}/openscap/schemas @@ -288,7 +258,8 @@ %files devel %defattr(-, root, root) -%doc docs/{html,examples}/ +%dir /usr/share/doc/openscap +/usr/share/doc/openscap/* %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc @@ -310,7 +281,7 @@ %files -n perl-openscap %defattr(-, root, root) %{perl_vendorlib}/openscap.pm -%{perl_vendorarch}/_openscap_pm.so +%{perl_vendorarch}/openscap_pm.so %endif %files utils 
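Review bot: In `%check` of openscap.spec, `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}` produces a leading empty entry whenever the variable is unset, and the dynamic loader treats an empty entry as the current directory, so the test run may pick up libraries from whatever directory it is started in. Writing it as `export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` avoids the empty entry. The same hunk removes `%{fillup_only -n oscap-scan}` from the utils `%post` while `%{SOURCE2}` is still installed into `%{_fillupdir}`, so the sysconfig template is presumably never applied; if that is intended, a comment saying so would help.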
@@ -324,27 +295,16 @@ %{_bindir}/oscap-scan %{_bindir}/oscap-ssh %{_bindir}/oscap-chroot -# currently not shipped as it is still python2 -#{_bindir}/scap-as-rpm -%config %{_sysconfdir}/bash_completion.d/* +%{_bindir}/scap-as-rpm +%{_sbindir}/rcoscap-scan +%{_datadir}/bash-completion/completions/* %files content %defattr(-,root,root,-) %{_datadir}/openscap/scap*.xml -%files engine-sce -%defattr(-,root,root,-) -%dir %{_datadir}/openscap -%dir %{_datadir}/openscap/sectool-sce/ -%{_datadir}/openscap/sectool-sce/* - %files -n libopenscap_sce%{sover} %defattr(-,root,root,-) %{_libdir}/libopenscap_sce.so.* -%files extra-probes -%defattr(-,root,root,-) -%{_libexecdir}/openscap/probe_ldap57 -%{_libexecdir}/openscap/probe_gconf - %changelog ++++++ 1.2.17.tar.gz -> 1.3.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/openscap/1.2.17.tar.gz /work/SRC/openSUSE:Factory/.openscap.new.19453/1.3.0.tar.gz differ: char 13, line 1 ++++++ openscap-new-suse.patch ++++++ --- /var/tmp/diff_new_pack.n3Bqsl/_old 2018-12-04 20:58:13.768593568 +0100 +++ /var/tmp/diff_new_pack.n3Bqsl/_new 2018-12-04 20:58:13.768593568 +0100 @@ -1,8 +1,8 @@ -Index: openscap-1.2.16/cpe/openscap-cpe-dict.xml +Index: openscap-1.3.0/cpe/openscap-cpe-dict.xml =================================================================== ---- openscap-1.2.16.orig/cpe/openscap-cpe-dict.xml -+++ openscap-1.2.16/cpe/openscap-cpe-dict.xml -@@ -133,6 +133,14 @@ +--- openscap-1.3.0.orig/cpe/openscap-cpe-dict.xml ++++ openscap-1.3.0/cpe/openscap-cpe-dict.xml +@@ -141,6 +141,14 @@ <title xml:lang="en-us">SUSE Linux Enterprise Desktop 12</title> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:12</check> </cpe-item> 
@@ -17,36 +17,11 @@ <cpe-item name="cpe:/o:opensuse:opensuse:11.4"> <title xml:lang="en-us">openSUSE 11.4</title> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:114</check> -@@ -145,14 +153,22 @@ - <title xml:lang="en-us">openSUSE 13.2</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:132</check> - </cpe-item> -- <cpe-item name="cpe:/o:novell:leap:42.1"> -+ <cpe-item name="cpe:/o:opensuse:leap:42.1"> - <title xml:lang="en-us">openSUSE 42.1</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:421</check> - </cpe-item> -- <cpe-item name="cpe:/o:novell:leap:42.2"> -+ <cpe-item name="cpe:/o:opensuse:leap:42.2"> - <title xml:lang="en-us">openSUSE 42.2</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:422</check> - </cpe-item> -+ <cpe-item name="cpe:/o:opensuse:leap:42.3"> -+ <title xml:lang="en-us">openSUSE Leap 42.3</title> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:423</check> -+ </cpe-item> -+ <cpe-item name="cpe:/o:opensuse:leap:15.0"> -+ <title xml:lang="en-us">openSUSE Leap 15.0</title> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:150</check> -+ </cpe-item> - <cpe-item name="cpe:/o:opensuse:opensuse"> - <title xml:lang="en-us">openSUSE All Versions</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:1</check> -Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml +Index: openscap-1.3.0/cpe/openscap-cpe-oval.xml 
=================================================================== ---- openscap-1.2.16.orig/cpe/openscap-cpe-oval.xml -+++ openscap-1.2.16/cpe/openscap-cpe-oval.xml -@@ -449,6 +449,34 @@ +--- openscap-1.3.0.orig/cpe/openscap-cpe-oval.xml ++++ openscap-1.3.0/cpe/openscap-cpe-oval.xml +@@ -475,6 +475,34 @@ </criteria> </definition> 
@@ -81,54 +56,7 @@ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:1" version="1"> <metadata> <title>openSUSE All Versions</title> -@@ -519,17 +547,43 @@ - </definition> - <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:422" version="1"> - <metadata> -- <title>openSUSE 42.2</title> -+ <title>openSUSE Leap 42.2</title> - <affected family="unix"> -- <platform>openSUSE 42.2</platform> -+ <platform>openSUSE Leap 42.2</platform> - </affected> - <reference ref_id="cpe:/o:novell:leap:42.2" source="CPE"/> -- <description>The operating system installed on the system is openSUSE 42.2</description> -+ <description>The operating system installed on the system is openSUSE Leap 42.2</description> - </metadata> - <criteria> - <criterion comment="openSUSE 42.2 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:422"/> - </criteria> - </definition> -+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:423" version="1"> -+ <metadata> -+ <title>openSUSE Leap 42.3</title> -+ <affected family="unix"> -+ <platform>openSUSE Leap 42.3</platform> -+ </affected> -+ <reference ref_id="cpe:/o:novell:leap:42.3" source="CPE"/> -+ <description>The operating system installed on the system is openSUSE Leap 42.3</description> -+ </metadata> -+ <criteria> -+ <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/> -+ </criteria> -+ </definition> -+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:150" version="1"> -+ <metadata> -+ <title>openSUSE Leap 15.0</title> -+ <affected family="unix"> -+ <platform>openSUSE Leap 15.0</platform> -+ </affected> -+ <reference ref_id="cpe:/o:novell:leap:15.0" source="CPE"/> -+ <description>The operating system installed on the system is openSUSE Leap 15.0</description> -+ </metadata> -+ <criteria> -+ <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/> -+ </criteria> -+ </definition> 
- <definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" > - <metadata> - <title>Wind River Linux</title> -@@ -715,6 +769,11 @@ +@@ -870,6 +898,11 @@ <object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/> <state state_ref="oval:org.open-scap.cpe.sles:ste:12"/> </rpminfo_test> @@ -140,7 +68,7 @@ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:10" version="1" check="at least one" comment="sled-release is version 10" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/> -@@ -730,6 +789,11 @@ +@@ -885,6 +918,11 @@ <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/> <state state_ref="oval:org.open-scap.cpe.sled:ste:12"/> </rpminfo_test> 
@@ -152,24 +80,7 @@ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:1" version="1" check="at least one" comment="openSUSE-release is version 11.4" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/> -@@ -760,6 +824,16 @@ - <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/> - <state state_ref="oval:org.open-scap.cpe.opensuse:ste:422"/> - </rpminfo_test> -+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:423" version="2" check="at least one" comment="openSUSE-release is version 42.2" -+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> -+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/> -+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:423"/> -+ </rpminfo_test> -+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:150" version="2" check="at least one" comment="openSUSE-release is version 42.2" -+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> -+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/> -+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:150"/> -+ </rpminfo_test> - <family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.wrlinux:tst:1" version="1" check="only one" - comment="Installed operating system is part of the Unix family." - xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -@@ -955,6 +1029,9 @@ +@@ -1159,6 +1207,9 @@ <rpminfo_state id="oval:org.open-scap.cpe.sles:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <version operation="pattern match">^12($|[^\d])</version> </rpminfo_state> 
@@ -179,7 +90,7 @@ <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:10" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <version operation="pattern match">^10($|[^\d])</version> </rpminfo_state> -@@ -964,6 +1041,9 @@ +@@ -1168,6 +1219,9 @@ <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <version operation="pattern match">^12($|[^\d])</version> </rpminfo_state> @@ -189,16 +100,3 @@ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <name operation="pattern match">^openSUSE-release</name> </rpminfo_state> -@@ -982,6 +1062,12 @@ - <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:422" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> - <version operation="pattern match">^42.2$</version> - </rpminfo_state> -+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:423" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> -+ <version operation="pattern match">^42.3$</version> -+ </rpminfo_state> -+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:150" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> -+ <version operation="pattern match">^15.0$</version> -+ </rpminfo_state> - <textfilecontent54_state - id="oval:org.open-scap.cpe.wrlinux-release:ste:8" - comment="Check the /etc/wrlinux-release file for VERSION 8 specification." ++++++ openscap-rpmlintrc ++++++ # can not change docs implementation addFilter("files-duplicate /usr/share/doc/openscap/html/search") # ignore duplicates in different schema versions addFilter("files-duplicate /usr/share/openscap/schemas") ++++++ rpmverify_unittest.patch ++++++ diff --git a/tests/probes/rpmverify/test_not_equals_operation.xml b/tests/probes/rpmverify/test_not_equals_operation.xml index abdfcc4c7..1855b981e 100644 
--- a/tests/probes/rpmverify/test_not_equals_operation.xml +++ b/tests/probes/rpmverify/test_not_equals_operation.xml @@ -29,12 +29,12 @@ <objects> <rpmverify_object id="oval:x:obj:1" version="1" comment="should return precisely one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <name operation="pattern match"/> - <filepath>/</filepath> + <filepath>/etc</filepath> </rpmverify_object> <rpmverify_object id="oval:x:obj:2" version="1" comment="the path should match two packages but the result should only be one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <name operation="not equal" var_ref="oval:x:var:1"/> - <filepath operation="pattern match">(^/$|^/etc/passwd$)</filepath> + <filepath operation="pattern match">(^/etc$|^/etc/os-release$)</filepath> </rpmverify_object> </objects> ++++++ rpmverifyfile_unittest.patch ++++++ diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh index ee93a7058..0299ec6e0 100755 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh @@ -40,7 +40,7 @@ function test_probes_rpmverifyfile { assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release' assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch' assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath' - assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]' + assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]' sc='oval_results/results/system/oval_system_characteristics/' sd=$sc'system_data/' assert_exists 1 $sc'collected_objects/object' 
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml index 049b82627..b36428582 100644 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml @@ -30,7 +30,7 @@ <lin-def:version operation="pattern match"/> <lin-def:release operation="pattern match"/> <lin-def:arch operation="pattern match"/> - <lin-def:filepath>/etc/passwd</lin-def:filepath> + <lin-def:filepath>/etc/os-release</lin-def:filepath> </lin-def:rpmverifyfile_object> </objects> diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh index 642f209e9..f9486e314 100755 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh @@ -39,7 +39,7 @@ function test_probes_rpmverifyfile { assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release' assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch' assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath' - assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]' + assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]' sc='oval_results/results/system/oval_system_characteristics/' sd=$sc'system_data/' assert_exists 1 $sc'collected_objects/object' diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml index fe83a1e1c..c39282f51 100644 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml 
@@ -30,7 +30,7 @@ <lin-def:version operation="pattern match"/> <lin-def:release operation="pattern match"/> <lin-def:arch operation="pattern match"/> - <lin-def:filepath>/etc/passwd</lin-def:filepath> + <lin-def:filepath>/etc/os-release</lin-def:filepath> </lin-def:rpmverifyfile_object> </objects> ++++++ sysctl_unittest.patch ++++++ diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh index bb9859d71..6534e1142 100755 --- a/tests/probes/sysctl/test_sysctl_probe_all.sh +++ b/tests/probes/sysctl/test_sysctl_probe_all.sh @@ -4,6 +4,12 @@ set -e -o pipefail +# on some systems sysctl might live in sbin, which can cause problems for +# non root users +PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin +# non root users are not able to access some kernel params, so they get blacklisted +SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits' + function perform_test { probecheck "sysctl" || return 255 
@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev # sysctl has duplicities in output # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" # kernel parameters might use "/" and "." separators interchangeably - normalizing -sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames" +sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames" -grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" +grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" diff "$sysctlNames" "$ourNames" ++++++ test_probes_rpmverifypackage-disable-epoch-test.patch ++++++ diff --git a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh index f4179e063..475ebf0b3 100755 --- a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh +++ b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh @@ -11,6 +11,8 @@ . $builddir/tests/test_common.sh +[ -f /etc/os-release ] && . /etc/os-release + set -e -o pipefail set -x @@ -79,7 +81,9 @@ function test_probes_rpmverifypackage_noepoch { test_init +if [[ $ID_LIKE != *"suse"* ]]; then test_run "test_probes_rpmverifypackage_epoch" test_probes_rpmverifypackage_epoch +fi test_run "test_probes_rpmverifypackage_noepoch" test_probes_rpmverifypackage_noepoch test_exit ++++++ xinetd_probe.patch ++++++ diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c index 965d8cd04..e911ecc29 100644 --- a/src/OVAL/probes/unix/xinetd_probe.c +++ b/src/OVAL/probes/unix/xinetd_probe.c @@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type) int op_assign_str(void *var, char *val) { + char *strend = NULL; if (var == NULL) { return -1; } 
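Review bot: In test_sysctl_probe_all.sh both new `grep -v $SYSCTL_BLACKLIST` calls expand the variable unquoted, and the pattern defined in the previous hunk leaves its dots unescaped, so every `.` matches any character and the filter can drop more keys than the ones listed. Quote the expansion and escape the dots, e.g. `grep -v -e "$SYSCTL_BLACKLIST"` with entries written as `vm\.stat_refresh`. Because the same filter is applied to both the `sysctl` output and the probe result, the listed keys are no longer compared at all; the comment above the variable should say that, e.g. `# these keys are excluded from the comparison on both sides`.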
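Review bot: In test_probes_rpmverifypackage.sh, `[ -f /etc/os-release ] && . /etc/os-release` sources every variable of that file (`NAME`, `VERSION`, `ID`, …) into the test script, which may shadow variables set by test_common.sh or used later in the script. Reading only the needed field in a subshell keeps the namespace clean: `ID_LIKE=$(. /etc/os-release 2>/dev/null; echo "$ID_LIKE")`. The later hunk that wraps `test_probes_rpmverifypackage_epoch` in `if [[ $ID_LIKE != *"suse"* ]]` skips the test silently; an `else` branch that prints that the epoch test was skipped would keep the reduced coverage visible in the logs.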
@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val) while(isspace(*val)) ++val; if (*val != '\0') { - *((char **)(var)) = strdup(val); + strend = strrchr(val, '\0'); + /* strip trailing whitespaces */ + do { + strend--; + } while(isspace(*strend)); + if((strend-val) < 0) { + dE("Error stripping white space from string '%s'", val); + return (-1); + } + *((char **)(var)) = strndup(val, (strend-val+1)); return (0); } else return (-1);
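Review bot: The new trailing-whitespace loop in op_assign_str passes a plain `char` to `isspace()`, which is undefined for negative values, i.e. for bytes above 0x7f where `char` is signed; use `} while (isspace((unsigned char)*strend));` (the existing `while(isspace(*val))` above it has the same problem). The `(strend-val) < 0` branch looks unreachable, because `val[0]` is already known to be neither NUL nor whitespace, so the loop stops at `val` at the latest. The result of `strndup()` is stored without a NULL check, so an allocation failure still returns 0 with `*var` set to NULL; `if (*((char **)(var)) == NULL) return (-1);` after the assignment would report it. `val + strlen(val)` would also read more clearly than `strrchr(val, '\0')`. The end of the function is outside the hunk.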
