rpms/openscap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix test fails

Browse Source 
- Do not set RPATH on built binaries
- Fix UBI9 scan (rhbz#1953610)
- Fix failing rpminspect xml test

Resolves: RHBZ#1952789
This commit is contained in:
Jan Černý 2021-06-28 15:05:21 +02:00
parent 83f314aa21
commit 96f558718c
4 changed files with 172 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
openscap-1.3.6-rpath-pr-1765.patch Normal file
View File

@ -0,0 +1,42 @@
From 5f8879927fa34827f1b367eac311845e6ebec9a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 10 Jun 2021 13:41:25 +0200
Subject: [PATCH] Do not set Rpath
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967200
---
CMakeLists.txt | 18 ------------------
1 file changed, 18 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c70ba29bf..cc7b5e005 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -482,25 +482,7 @@ else()
endif()
set(OSCAP_TEMP_DIR "/tmp" CACHE STRING "use different temporary directory to execute sce scripts (default=/tmp)")
-# ---------- RPATHS for linking
-# see https://cmake.org/Wiki/CMake_RPATH_handling
-
-# use, i.e. don't skip the full RPATH for the build tree
-set(CMAKE_SKIP_BUILD_RPATH FALSE)
-
-# when building, don't use the install RPATH already
-# (but later on when installing)
-set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE)
-
-set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
-
-# add the automatically determined parts of the RPATH
-# which point to directories outside the build tree to the install RPATH
-set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
-
-# Turn on RPATH for OSX for policy warning
-set(CMAKE_MACOSX_RPATH ON)
# ---------- CONFIGURATION
configure_file("config.h.in" "config.h")

81
openscap-1.3.6-rpminspect-xml-pr-1773.patch Normal file
View File

@ -0,0 +1,81 @@
From e515fc9694efb8703f6c55782094e0273c0dec9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 25 Jun 2021 13:59:59 +0200
Subject: [PATCH] Workaround rpminspect problem
rpminspect produces this problem:
xml-files:
----------
1) File /usr/share/openscap/xsl/oval-results-report.xsl is a malformed XML file on x86_64
Result: VERIFY
Waiver Authorization: Anyone
Details:
No declaration for element stylesheet
Suggested Remedy: Correct the reported errors in the XML document
I assume that it's caused by mixing the DTD and schema - it probably
expects that the DTD will contain a declaration of the root element
as well. The workaround simply expands both entities by substituting
them by their contents.
---
xsl/oval-results-report.xsl | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/xsl/oval-results-report.xsl b/xsl/oval-results-report.xsl
index fe50717795..744540c8f8 100644
--- a/xsl/oval-results-report.xsl
+++ b/xsl/oval-results-report.xsl
@@ -1,10 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE xsl:stylesheet [
-<!-- check symbol -->
-<!ENTITY resultgood "&#x2713;">
-<!-- x symbol -->
-<!ENTITY resultbad "&#x2715;">
-]>
<!--
****************************************************************************************
@@ -129,7 +123,7 @@
<tr class="LightRow">
<td class="resultbadA ColorBox"/>
<td class="resultbadB ColorBox"/>
- <td class="Text" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td>
+ <td class="Text" title="Non-Compliant/Vulnerable/Unpatched">&#x2715;</td>
</tr>
</table>
</td>
@@ -138,7 +132,7 @@
<tr class="LightRow">
<td class="resultgoodA ColorBox"/>
<td class="resultgoodB ColorBox"/>
- <td class="Text" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td>
+ <td class="Text" title="Compliant/Non-Vulnerable/Patched">&#x2713;</td>
</tr>
</table>
</td>
@@ -227,8 +221,8 @@
<table border="1">
<tr class="Title">
<td class="TitleLabel" align="center">Systems Analyzed</td>
- <td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td>
- <td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td>
+ <td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">&#x2715;</td>
+ <td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">&#x2713;</td>
<td class="TitleLabel" align="center">Errors</td>
<td class="TitleLabel" align="center">Unknown</td>
<td class="TitleLabel" align="center" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">Other</td>
@@ -497,8 +491,8 @@
<xsl:template name="GeneratorResTotals">
<xsl:param name="resultsElm"/>
<tr class="DarkRow Center">
- <td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#&resultbad;</td>
- <td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#&resultgood;</td>
+ <td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#&#x2715;</td>
+ <td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#&#x2713;</td>
<td class="SmallLabel" style="width: 20%;" title="Error">#Error</td>
<td class="SmallLabel" style="width: 20%;" title="Unknown">#Unknown</td>
<td class="SmallLabel" style="width: 20%;" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">#Other</td>

38
openscap-1.3.6-ubi9-pr-1772.patch Normal file
View File

@ -0,0 +1,38 @@
From 80543bc666d648d0251e4c7b675489b8011a548a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 25 Jun 2021 10:19:43 +0200
Subject: [PATCH] Fix UBI 9 scan
In offline mode when scanning a cointainer based on UBI 9 the
system_info probe failed because the function `_offline_get_hname` which
reads from `/etc/hostname` returns an empty string which causes
`__sysinfo_saneval(hname)` check to return zero which in turn causes the
probe returns an error. We can prevent this situation by replacing the
empty string by `"Unknown"`, which we already do when the `hname` is
`NULL`.
Addressing:
W: oscap: Can't receive message: 125, Operation canceled.
E: oscap: Recv: retry limit (0) reached.
OpenSCAP Error: Probe at sd=32 (system_info) reported an error: Invalid type, value or format [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:383]
Unable to receive a message from probe [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:572]
Resolves: rhbz#1953610
---
src/OVAL/probes/independent/system_info_probe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OVAL/probes/independent/system_info_probe.c b/src/OVAL/probes/independent/system_info_probe.c
index 9bdd73556d..8251e655ed 100644
--- a/src/OVAL/probes/independent/system_info_probe.c
+++ b/src/OVAL/probes/independent/system_info_probe.c
@@ -732,7 +732,7 @@ int system_info_probe_main(probe_ctx *ctx, void *arg)
if (!architecture)
architecture = strdup(unknown);
- if (!hname)
+ if (!hname || *hname == '\0')
hname = strdup(unknown);
if (__sysinfo_saneval(os_name) < 1 ||

14
openscap.spec
View File

@ -1,13 +1,16 @@
Name: openscap Name: openscap
Version: 1.3.5 Version: 1.3.5
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPLv2+ License: LGPLv2+
URL: http://www.open-scap.org/ URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: openscap-1.3.6-waive-hugetables-pr-1745.patch Patch1: openscap-1.3.6-waive-hugetables-pr-1745.patch
Patch2: openscap-1.3.6-replace-getlogin-pr-1753.patch Patch2: openscap-1.3.6-replace-getlogin-pr-1753.patch
Patch3: openscap-1.3.6-rpath-pr-1765.patch
Patch4: openscap-1.3.6-ubi9-pr-1772.patch
Patch5: openscap-1.3.6-rpminspect-xml-pr-1773.patch
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -193,6 +196,11 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
%{_bindir}/oscap-run-sce-script %{_bindir}/oscap-run-sce-script
%changelog %changelog
* Mon Jun 28 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-3
- Do not set RPATH on built binaries
- Fix UBI9 scan (rhbz#1953610)
- Fix failing rpminspect xml test
* Thu May 20 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-2 * Thu May 20 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-2
- Remove containers subpackage - Remove containers subpackage