From bed6d37e63e84321e9069894c7ea072464a70306b23b4267d34fe24e3b610294 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Tue, 7 Dec 2021 14:04:40 +0000
Subject: [PATCH] Accepting request 936258 from home:msmeissn:branches:security
- openscap-docker-add-suse.patch: add SLES support oscap-docker (bsc#1179314)
OBS-URL: https://build.opensuse.org/request/show/936258
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=269
---
 openscap-docker-add-suse.patch | 97 ++++++++++++++++++++++++++++++++++
 openscap.changes | 6 +++
 openscap.spec | 2 +
 3 files changed, 105 insertions(+)
 create mode 100644 openscap-docker-add-suse.patch
diff --git a/openscap-docker-add-suse.patch b/openscap-docker-add-suse.patch
new file mode 100644
index 0000000..6d28218
--- /dev/null
+++ b/openscap-docker-add-suse.patch
@@ -0,0 +1,97 @@
+From 9a434c4e613224b25b4dc56e38de32eb4cbdcd0c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Tue, 7 Dec 2021 11:57:21 +0100
+Subject: [PATCH] added suse support
+
+---
+ utils/oscap_docker_python/get_cve_input.py | 20 +++++++++----
+ .../oscap_docker_common.py | 30 ++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 6 deletions(-)
+
+Index: openscap-1.3.5/utils/oscap_docker_python/get_cve_input.py
+===================================================================
+--- openscap-1.3.5.orig/utils/oscap_docker_python/get_cve_input.py
++++ openscap-1.3.5/utils/oscap_docker_python/get_cve_input.py
+@@ -31,9 +31,12 @@ class getInputCVE(object):
+
+ hdr = {'User-agent': 'Mozilla/5.0'}
+ hdr2 = [('User-agent', 'Mozilla/5.0')]
+- url = "https://www.redhat.com/security/data/oval/"
+- dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
+- dists = [5, 6, 7]
++ rhel_url = "https://www.redhat.com/security/data/oval/"
++ rhel_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
++ rhel_dists = [5, 6, 7]
++ suse_url = "https://ftp.suse.com/pub/projects/security/oval/"
++ suse_dist_cve_name = "suse.linux.enterprise.{0}.xml"
++ suse_dists = [12, 15]
+ remote_pattern = '%a, %d %b %Y %H:%M:%S %Z'
+
+ def __init__(self, fs_dest, DEBUG=False):
+@@ -46,10 +49,18 @@ class getInputCVE(object):
+ Given a distribution number (i.e. 7), it will fetch the
+ distribution specific data file if upstream has a newer
+ input file. Returns the path of file.
++ We just hack that SUSE has versions above 10 to mean SUSE
+ '''
+- cve_file = self.dist_cve_name.format(dist)
++ if dist == "12" or dist == "15":
++ cve_file = self.suse_dist_cve_name.format(dist)
++ dist_url = urllib.parse.urljoin(self.suse_url, cve_file)
++ else:
++ cve_file = self.rhel_dist_cve_name.format(dist)
++ dist_url = urllib.parse.urljoin(self.rhel_url, cve_file)
++
++ # stderr.write("URL {0} cve_file {1}\n".format(dist_url,cve_file))
+ dest_file = join(self.dest, cve_file)
+- dist_url = urllib.parse.urljoin(self.url, cve_file)
++
+ if self._is_cache_same(dest_file, dist_url):
+ return dest_file
+
+Index: openscap-1.3.5/utils/oscap_docker_python/oscap_docker_common.py
+===================================================================
+--- openscap-1.3.5.orig/utils/oscap_docker_python/oscap_docker_common.py
++++ openscap-1.3.5/utils/oscap_docker_python/oscap_docker_common.py
+@@ -55,7 +55,7 @@ def get_dist(mountpoint, oscap_binary, l
+
+ '''
+ Test the chroot and determine what RHEL dist it is; returns
+- an integer representing the dist
++ an integer representing the dist (5 - 8 for RHEL, 12 and 15 for SLES)
+ '''
+
+ cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
+@@ -77,3 +77,32 @@ def get_dist(mountpoint, oscap_binary, l
+ if "{0}{1}: true".format(CPE_RHEL, dist) in result.stdout:
+ print("This system seems based on RHEL{0}.".format(dist))
+ return dist
++
++ CPE_SLES = 'oval:org.open-scap.cpe.sles:def:'
++ DISTS = ["12", "15"]
++
++ '''
++ Test the chroot and determine what SUSE dist it is; returns
++ an integer representing the dist (12 and 15 for SUSE)
++ '''
++
++ cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
++ if not os.path.exists(cpe_dict):
++ # sometime it's installed into /usr/local/share instead of /usr/local
++ cpe_dict = '/usr/local/share/openscap/cpe/openscap-cpe-oval.xml'
++ if not os.path.exists(cpe_dict):
++ raise OscapError()
++
++ for dist in DISTS:
++ result = oscap_chroot(
++ mountpoint, oscap_binary,
++ ("oval", "eval", "--id", CPE_SLES + dist, cpe_dict,
++ mountpoint, "2>&1", ">", "/dev/null"),
++ '*',
++ local_env
++ )
++
++ if "{0}{1}: true".format(CPE_SLES, dist) in result.stdout:
++ print("This system seems based on SLES {0}.".format(dist))
++ return dist
++ print("System version not detected.")
diff --git a/openscap.changes b/openscap.changes
index f7b76de..23c125c 100644
--- a/openscap.changes
+++ b/openscap.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Dec 7 10:58:50 UTC 2021 - Marcus Meissner
+
+- openscap-docker-add-suse.patch: add SLES support oscap-docker
+ (bsc#1179314)
+
 -------------------------------------------------------------------
 Mon Oct 4 15:33:23 UTC 2021 - Marcus Meissner
diff --git a/openscap.spec b/openscap.spec
index 87f99bb..f4e0350 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -40,6 +40,7 @@ Source5: oscap-scan.service
 Source6: oscap-scan.sh
 Patch1: openscap-opensuse-cpe.patch
 Patch2: openscap-suse-cpe.patch
+Patch3: openscap-docker-add-suse.patch
 URL: https://www.open-scap.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: asciidoc
@@ -177,6 +178,7 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
 %if 0%{?with_bindings}
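Review bot: In the get_cve_input.py part of the added openscap-docker-add-suse.patch, the feed is selected with `if dist == "12" or dist == "15":` and every other value, including `None`, falls into the RHEL `else` branch. The same patch declares `suse_dists = [12, 15]` as integers and documents `get_dist` as returning an integer, while the new SLES loop returns the strings from `DISTS = ["12", "15"]`. If an integer 12 or 15 ever reaches this method, it would build a Red Hat OVAL URL, and the CVE scan would then fail or evaluate the wrong advisory feed. I would compare on one type, for example `if str(dist) in ("12", "15"):`, and let `get_dist` raise `OscapError` instead of only calling `print("System version not detected.")`, so an undetected distribution stops the scan. Both function bodies start outside the inner hunks, so any remaining use of the renamed `url`, `dist_cve_name` or `dists` attributes cannot be checked from here and should be verified.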