Accepting request 936258 from home:msmeissn:branches:security

- openscap-docker-add-suse.patch: add SLES support oscap-docker (bsc#1179314) OBS-URL: https://build.opensuse.org/request/show/936258 OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=269
2021-12-07 14:04:40 +00:00 · 2021-12-07 14:04:40 +00:00 · bed6d37e63
commit bed6d37e63
parent 0b1bd89f4f
3 changed files with 105 additions and 0 deletions
--- a/openscap-docker-add-suse.patch
+++ b/openscap-docker-add-suse.patch
@ -0,0 +1,97 @@
+From 9a434c4e613224b25b4dc56e38de32eb4cbdcd0c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Tue, 7 Dec 2021 11:57:21 +0100
+Subject: [PATCH] added suse support
+
+---
+ utils/oscap_docker_python/get_cve_input.py    | 20 +++++++++----
+ .../oscap_docker_common.py                    | 30 ++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 6 deletions(-)
+
+Index: openscap-1.3.5/utils/oscap_docker_python/get_cve_input.py
+===================================================================
+--- openscap-1.3.5.orig/utils/oscap_docker_python/get_cve_input.py
+++ openscap-1.3.5/utils/oscap_docker_python/get_cve_input.py
+@@ -31,9 +31,12 @@ class getInputCVE(object):
+ 
+     hdr = {'User-agent': 'Mozilla/5.0'}
+     hdr2 = [('User-agent', 'Mozilla/5.0')]
+-    url = "https://www.redhat.com/security/data/oval/"
+-    dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
+-    dists = [5, 6, 7]
+    rhel_url = "https://www.redhat.com/security/data/oval/"
+    rhel_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
+    rhel_dists = [5, 6, 7]
+    suse_url = "https://ftp.suse.com/pub/projects/security/oval/"
+    suse_dist_cve_name = "suse.linux.enterprise.{0}.xml"
+    suse_dists = [12, 15]
+     remote_pattern = '%a, %d %b %Y %H:%M:%S %Z'
+ 
+     def __init__(self, fs_dest, DEBUG=False):
+@@ -46,10 +49,18 @@ class getInputCVE(object):
+         Given a distribution number (i.e. 7), it will fetch the
+         distribution specific data file if upstream has a newer
+         input file.  Returns the path of file.
+        We just hack that SUSE has versions above 10 to mean SUSE
+         '''
+-        cve_file = self.dist_cve_name.format(dist)
+        if dist == "12" or dist == "15":
+            cve_file = self.suse_dist_cve_name.format(dist)
+            dist_url = urllib.parse.urljoin(self.suse_url, cve_file)
+        else:
+            cve_file = self.rhel_dist_cve_name.format(dist)
+            dist_url = urllib.parse.urljoin(self.rhel_url, cve_file)
+
+        # stderr.write("URL {0} cve_file {1}\n".format(dist_url,cve_file))
+         dest_file = join(self.dest, cve_file)
+-        dist_url = urllib.parse.urljoin(self.url, cve_file)
+
+         if self._is_cache_same(dest_file, dist_url):
+             return dest_file
+ 
+Index: openscap-1.3.5/utils/oscap_docker_python/oscap_docker_common.py
+===================================================================
+--- openscap-1.3.5.orig/utils/oscap_docker_python/oscap_docker_common.py
+++ openscap-1.3.5/utils/oscap_docker_python/oscap_docker_common.py
+@@ -55,7 +55,7 @@ def get_dist(mountpoint, oscap_binary, l
+ 
+     '''
+     Test the chroot and determine what RHEL dist it is; returns
+-    an integer representing the dist
+    an integer representing the dist (5 - 8 for RHEL, 12 and 15 for SLES)
+     '''
+ 
+     cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
+@@ -77,3 +77,32 @@ def get_dist(mountpoint, oscap_binary, l
+         if "{0}{1}: true".format(CPE_RHEL, dist) in result.stdout:
+             print("This system seems based on RHEL{0}.".format(dist))
+             return dist
+
+    CPE_SLES = 'oval:org.open-scap.cpe.sles:def:'
+    DISTS = ["12", "15"]
+
+    '''
+    Test the chroot and determine what SUSE dist it is; returns
+    an integer representing the dist (12 and 15 for SUSE)
+    '''
+
+    cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
+    if not os.path.exists(cpe_dict):
+        # sometime it's installed into /usr/local/share instead of /usr/local
+        cpe_dict = '/usr/local/share/openscap/cpe/openscap-cpe-oval.xml'
+        if not os.path.exists(cpe_dict):
+            raise OscapError()
+
+    for dist in DISTS:
+        result = oscap_chroot(
+            mountpoint, oscap_binary,
+            ("oval", "eval", "--id", CPE_SLES + dist, cpe_dict,
+             mountpoint, "2>&1", ">", "/dev/null"),
+            '*',
+            local_env
+        )
+
+        if "{0}{1}: true".format(CPE_SLES, dist) in result.stdout:
+            print("This system seems based on SLES {0}.".format(dist))
+            return dist
+    print("System version not detected.")
--- a/openscap.changes
+++ b/openscap.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Dec  7 10:58:50 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- openscap-docker-add-suse.patch: add SLES support oscap-docker
+  (bsc#1179314)
+
 -------------------------------------------------------------------
 Mon Oct  4 15:33:23 UTC 2021 - Marcus Meissner <meissner@suse.com>

--- a/openscap.spec
+++ b/openscap.spec
@ -40,6 +40,7 @@ Source5:        oscap-scan.service
 Source6:        oscap-scan.sh
 Patch1:         openscap-opensuse-cpe.patch
 Patch2:         openscap-suse-cpe.patch
+Patch3:         openscap-docker-add-suse.patch
 URL:            https://www.open-scap.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  asciidoc
@ -177,6 +178,7 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 %if 0%{?with_bindings}