From patchwork Fri Nov 14 08:29:47 2025
X-Patchwork-Submitter: Louis Rannou
X-Patchwork-Id: 74523
From: Louis Rannou
To: yocto-patches@lists.yoctoproject.org
Cc: scott.murray@konsulko.com, rybczynska@gmail.com, pascal.eberhard@non.se.com, yi.zhao@windriver.com, Louis Rannou
Subject: [meta-security][PATCH 1/4] openscap: update to 1.4.2
Date: Fri, 14 Nov 2025 09:29:47 +0100
Message-ID: <20251114-openscap_bump-v1-1-1c8169b8e332@non.se.com>
In-Reply-To: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
References: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2554

From: Louis Rannou

SRC_URI is based on the github release instead of the SHA for more efficiency.

Extra fix:
- typo in the RDEPENDS class-target override ('-' instead of ':')
- typo SUMARRY -> SUMMARY

New in 1.4.2 (2025-04-06): https://github.com/OpenSCAP/openscap/releases/tag/1.4.2
- Maintenance, bug fix
- Fix thread synchronization bugs
- Fix textfilecontent54_probe behaviour for negative instance numbers
- Fix signature obtaining in rpm_info probe

Signed-off-by: Louis Rannou
fix
---
 .../openscap/{openscap_1.4.1.bb => openscap_1.4.2.bb} | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/recipes-compliance/openscap/openscap_1.4.1.bb b/recipes-compliance/openscap/openscap_1.4.2.bb
similarity index 87%
rename from recipes-compliance/openscap/openscap_1.4.1.bb
rename to recipes-compliance/openscap/openscap_1.4.2.bb
index 3e5f00a..f7c7aec 100644
--- a/recipes-compliance/openscap/openscap_1.4.1.bb
+++ b/recipes-compliance/openscap/openscap_1.4.2.bb
@@ -1,7 +1,7 @@ # Copyright (C) 2017 - 2023 Armin Kuster # Released under the MIT license (see COPYING.MIT for the terms) -SUMARRY = "NIST Certified SCAP 1.2 toolkit" +SUMMARY = "NIST Certified SCAP 1.2 toolkit" HOME_URL = "https://www.open-scap.org/tools/openscap-base/" LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" LICENSE = "LGPL-2.1-only" @@ -9,11 +9,12 @@ LICENSE = "LGPL-2.1-only" DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1" DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native" -SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \ - file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \ - " +SRC_URI = " \ + https://github.com/OpenSCAP/openscap/releases/download/1.4.2/openscap-${PV}.tar.gz \ + file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \ +" -SRCREV = "23a8ea3de3c4fd6017db4067675a81287177166e" +SRC_URI[sha512sum] = "126b88d028fafe9c2af882ae7b90ad59a7a429899b45cfa0f4fea188f32b0f9c51615d69a172e9bd4c0a6663aaf40e8fd85c8563575fce00099f3d58d572cbda" inherit cmake pkgconfig python3native python3targetconfig perlnative systemd 
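Review bot: the release URL in the SRC_URI hunk hard-codes `1.4.2` in the download path while the tarball name already uses `${PV}`; use `${PV}` in both (`https://github.com/OpenSCAP/openscap/releases/download/${PV}/openscap-${PV}.tar.gz`) so the next bump only touches the recipe name and the checksum. Since the recipe moves from the git fetcher (which needed `SRCREV` and `branch=main`) to a release tarball, please also confirm that `S`, which is not visible in this hunk, does not still point at a git checkout directory; a leftover `S = "${WORKDIR}/git"` would now reference a directory that is never created. Replacing the commit pin with `SRC_URI[sha512sum]` keeps the source content pinned, which is what matters for reproducibility.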
@@ -64,5 +65,5 @@ FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}" RDEPENDS:${PN} = "libxml2 python3-core libgcc bash" -RDEPENDS:${PN}-class-target = "libxml2 python3-core libgcc bash os-release" +RDEPENDS:${PN}:class-target = "libxml2 python3-core libgcc bash os-release" BBCLASSEXTEND = "native" From patchwork Fri Nov 14 08:29:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 74525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16EC4CDE032 for ; Fri, 14 Nov 2025 08:30:08 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.13576.1763109006259240414 for ; Fri, 14 Nov 2025 00:30:06 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: no key for signature: lookup dkim._domainkey.semalibre.com on 100.100.100.100:53: no such host" header.i=@semalibre.com header.s=dkim header.b=FYl8ePLI; spf=pass (domain: semalibre.com, ip: 185.246.85.4, mailfrom: louis.rannou@semalibre.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id EB8114E416B5; Fri, 14 Nov 2025 08:30:04 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id C09696060E; Fri, 14 Nov 2025 08:30:04 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 6CB5A102F2A6F; Fri, 14 Nov 2025 09:30:03 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semalibre.com; s=dkim; t=1763109004; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; 
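Review bot: the commit message should say that the old `RDEPENDS:${PN}-class-target` line was a differently named variable rather than an override, so `os-release` was never actually a runtime dependency before this patch and target images will gain it now; that is a behaviour change worth recording. The corrected line also repeats the whole base list, so `RDEPENDS:${PN}:append:class-target = " os-release"` would express the same intent without two lists that have to be kept in sync.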
From: Louis Rannou
To: yocto-patches@lists.yoctoproject.org
Cc: scott.murray@konsulko.com, rybczynska@gmail.com, pascal.eberhard@non.se.com, yi.zhao@windriver.com, Louis Rannou
Subject: [meta-security][PATCH 2/4] scap-security-guide: update to 0.1.78
Date: Fri, 14 Nov 2025 09:29:48 +0100
Message-ID: <20251114-openscap_bump-v1-2-1c8169b8e332@non.se.com>
In-Reply-To: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
References: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2555
From: Louis Rannou

New in 0.1.78 (2025-09-05): https://github.com/ComplianceAsCode/content/releases/tag/v0.1.78

Important Highlights
- Enable SCE content for problematic rules that can traverse the whole filesystem (#13758)
- Remove unnecessary Jinja2 macros in control files (#13592)
- Update RHEL 8 STIG to V2R4 (#13774)
- Update RHEL 9 STIG to V2R5 (#13795)
- Add CIS benchmark support for debian (#13712)
- Add Debian 13 profile for ANSSI BP 28 (enhanced) (#13571)
- Create SLE Micro 5 General profile (#13490)
- Update the way in which the stable branch is maintained (#13769)

New Rules and Profiles
- add anssi BP28 high profile to debian13 product (#13603)
- Debian13 ANSSI BP28 (minimal) (#13540)
- Debian13: add BP28 intermediary profile (#13556)
- Implement rpm_verify_crypto_policies (#13469)
- Update RHEL 8 STIG to V2R4 (#13774)
- Create slmicro6 product (#13570)

Updated Rules and Profiles
- RHEL 9 STIG: align login timeout with the STIG policy (#13826)
- [Ubuntu 24.04]: Add vlock_installed pkg override (#13582)
- [Ubuntu] Define firewall varriable for Ubuntu 2404 STIG (#13689)
- Add CCE for rsyncd disabled rule to slmicro5 (#13523)
- Add distributed config support (#13653)
- Adjust description of file_permissions_sudo (#13685)
- Fix GRUB 2 UEFI selections in RHEL 9 ANSSI profiles (#13598)
- Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
- Move RHEL 8 STIG to Control file (#13481)
- Move RHEL 9 ISM O Profile to Control File (#13511)
- Remove rule from OL09-00-001085 (#13673)
- RHEL 9 CIS: add ensure_gpgcheck_never_disabled (#13706)
- RHEL 9 CIS: complete 6.3.3.5 (#13707)
- Set var_screensaver_lock_delay for OL9 (#13672)
- Slmicro5 disable ipv6 rules (#13524)
- Fix bsi conflicts (#13847)
- stop using fixfiles relabel in remediations (#13738)
- Support drop-in files in coredump rules (#13665)
- Update OL10 profiles (#13569)
- Update var_password_pam_unix_rounds for OL9 stig control (#13516)
- Use default order in configure_gnutls_tls_crypto_policy (#13692)

Removed Products
- Remove leftover from ubuntu2004 (#13604)
- Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)

Changes in Remediations
- RHEL 9 Ansible replace systemd_service module with systemd (#13829)
- Add OL9 to platform in ssh ciphers rule's bash (#13506)
- Enable audit configure rules for slmicro5 (#13525)
- Ensure tmout.sh and ssh_confirm.sh have correct permissions on creation (#13711)
- Exclude remote mounted filesystems from local partition nodev tasks (#13530)
- Fix architecture dependent path (#13714)
- Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
- Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
- Prevent fails in check mode (#13703)
- Prevent problems with single quotes (#13742)
- Reduce gathering facts in profile Ansible Playbooks (#13739)
- Remove file_owner_var_log_messages bash remediation (#13488)
- SLE fixes for gid-related rules (#13779)
- SLE improve require_singleuser_auth oval check and remediations (#13746)
- stop using fixfiles relabel in remediations (#13738)
- Support banner with single quote (#13713)
- Update ansible for auditd_data_retention_action_mail_acct (#13650)
- Update ansible in require_singleuser_auth for OL (#13651)
- Update disable_users_coredumps rule to support drop-in and string values (#13749)
- Update jinja in require_emergency_target_auth for OL (#13652)
- Use fully qualified collection name in Ansible tasks (#13794)
- Workaround OpenSCAP issue for Image Mode (#13645)

Changes in Checks
- [Ubuntu] Fix rule encrypt_partitions (#13596)
- Add OL9 in oval to directory_permissions_var_log_audit rule (#13745)
- Add oval check for prevent_direct_root_logins (#13615)
- Add OVAL for encrypt_partitions rule (#13539)
- Allow spaces around equal sign (#13691)
- Create slmicro6 product (#13570)
- Disable value of zero in dconf_gnome_screensaver_idle_delay (#13671)
- Enable multi_platform_sle platforms for encrypt_partition oval check (#13775)
- Exclude remote mounted filesystems from local partition nodev tasks (#13530)
- Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
- Fix(OVAL): Correct variable reference in account_disable_inactivity_* (#13591)
- Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
- Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
- Improve OVAL checks for nss-altfiles (#13759)
- Make sure oval service disable macro covers also not found definition (#13725)
- SLE fixes for gid-related rules (#13779)
- SLE improve require_singleuser_auth oval check and remediations (#13746)
- SLE kernel package may be called kernel-default-base (#13748)
- Sshd rekey limit update OVAL (#13687)
- Update disable_users_coredumps rule to support drop-in and string values (#13749)
- Update path for OL9 in sysctl_kernel_exec_shield oval file (#13538)
- Update sshd_set_idle_timeout oval file & sshd_lineinfile template for OL (#13695)

Changes in the Infrastructure
- [workflow] Fix ansible for Ubuntu workflow (#13480)
- Add the ability built more than one product with SRG XLSX Option (#13693)
- Fix Debian 13 in CI (#13557)
- Fix level inheritance when processing profiles (#13666)
- Fix SCAP Delta Tailoring (#13542)
- Format rhel8 related yaml files (#13621)
- Improve reproducibility and stability (#13531)
- Move RHEL 9 E8 profile to use the e8 control file (#13482)
- Pre-load Jinja macros (#13502)
- Remove 2 functions (#13659)
- Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)
- Update Export SRG Script (#13474)

Changes in the Test Suite
- [Ubuntu] Fix test of package_bind_removed (#13560)
- Add missing profile stability data (#13600)
- Add OL9 to disable_ctrlaltdel_reboot tests (#13609)
- Add tags to test scenarios in accounts_root_path_dirs_no_write (#13536)
- Change TS in networkmanager_dns_mode from fail to pass (#13724)
- CI: fedora gating - collapse the multiline command (#13735)
- file_groupownership_system_commands_dirs fix test scenario (#13675)
- Fix platform tag in test scenarios (#13534)
- Fix tests for rule grub2_pti_argument (#13733)
- Update profile to variable in banner_etc_issue_disa_dod_short test (#13667)

Documentation
- Remove outdated Code Climate badage (#13744)
- Update Contributors for 0.1.78 (#13807)

Fixed Bugs
- RHEL 9 STIG: align login timeout with the STIG policy (#13826)
- [stabilization]: auditd_lineinfile: allow specifying data type of XCCDF variable (#13841)
- RHEL 9 Ansible replace systemd_service module with systemd (#13829)
- [Ubuntu] Remove non-ascii character (#13607)
- Add var_sudo_timestamp_timeout=always_prompt to RHEL 9 and RHEL 10 STIG (#13517)
- Adjust description of file_permissions_sudo (#13685)
- Allow spaces around equal sign (#13691)
- file_groupownership_system_commands_dirs fix test scenario (#13675)
- Fix rule auditd_freq (#13718)
- grub2_*_admin_username: make regex less strict (#13740)
- Install package polkit-pkla-compat (#13729)
- make service_rngd_enabled applicable in case FIPS mode is not enabled (#13705)
- Remove remaining dependencies on installed_OS_is_FIPS_certified (#13757)
- replace instances of grub-mkconfig with correct grub2-mkconfig (#13640)
- sshd_limit_user_access is missing the opening tag (#13616)
- stop using fixfiles relabel in remediations (#13738)
- Support drop-in files in coredump rules (#13665)
- Update links which pointed to outdated documentation (#13508)
- Update the suffix for rules used when generating components gh pages (#13597)
- Use default order in configure_gnutls_tls_crypto_policy (#13692)
- Use template in grub2_nousb_argument (#13726)

Signed-off-by: Louis Rannou
---
 .../{scap-security-guide_0.1.77.bb => scap-security-guide_0.1.78.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
similarity index 96%
rename from recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
rename to recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
index cdd22a5..8489218 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb 
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" LICENSE = "BSD-3-Clause" -SRCREV = "c1e1ba121d32b3c319b0e25ee2993b62386e5857" +SRCREV = "f7d794851971087db77d4be8eeb716944a1aae21" SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \ file://run_eval.sh \ " From patchwork Fri Nov 14 08:29:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 74524 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 263FDCE7A89 for ; Fri, 14 Nov 2025 08:30:08 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.13404.1763109007343208300 for ; Fri, 14 Nov 2025 00:30:07 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: no key for signature: lookup dkim._domainkey.semalibre.com on 100.100.100.100:53: no such host" header.i=@semalibre.com header.s=dkim header.b=EqWQK1Wz; spf=pass (domain: semalibre.com, ip: 185.246.84.56, mailfrom: louis.rannou@semalibre.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 1163A1A1A9E; Fri, 14 Nov 2025 08:30:06 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id D26436060E; Fri, 14 Nov 2025 08:30:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 8978B102F29CE; Fri, 14 Nov 2025 09:30:04 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semalibre.com; s=dkim; t=1763109005; 
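Review bot: in the SRCREV hunk, `nobranch=1` in the unchanged SRC_URI means BitBake does not verify that `f7d794851971087db77d4be8eeb716944a1aae21` is reachable from any branch or tag, so nothing in the recipe ties the new hash to the v0.1.78 release named in the commit message; a comment such as `# v0.1.78` next to `SRCREV` would let the next reviewer check the mapping without cloning upstream. The commit message could also be reduced to the release link plus the entries that affect the openembedded content shipped by this recipe rather than the complete upstream changelog.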
From: Louis Rannou
To: yocto-patches@lists.yoctoproject.org
Cc: scott.murray@konsulko.com, rybczynska@gmail.com, pascal.eberhard@non.se.com, yi.zhao@windriver.com, Louis Rannou
Subject: [meta-security][PATCH 3/4] oeqa: openscap test
Date: Fri, 14 Nov 2025 09:29:49 +0100
Message-ID: <20251114-openscap_bump-v1-3-1c8169b8e332@non.se.com>
In-Reply-To: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
References: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2556

From: Louis Rannou

Add basic openscap test. This looks for an existing profile and runs a basic scan.

Openscap scans return 1 in case of failure, 0 in case of success and 2 when a vulnerability has been found. As this does not aim to check openscap reports, 2 is considered as a successful test.

Signed-off-by: Louis Rannou
---
 lib/oeqa/runtime/cases/openscap.py | 48 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/lib/oeqa/runtime/cases/openscap.py b/lib/oeqa/runtime/cases/openscap.py
new file mode 100644
index 0000000..7012b6b
--- /dev/null
+++ b/lib/oeqa/runtime/cases/openscap.py
@@ -0,0 +1,48 @@ +# SPDX-License-Identifier: MIT +# + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class OpenscapTest(OERuntimeTestCase): + + @OEHasPackage(["openscap"]) + @OETestDepends(["ssh.SSHTest.test_ssh"]) + def test_openscap_basic(self): + status, output = self.target.run("oscap -V") + msg = ( + "`oscap -V` command does not work as expected. " + "Status and output:%s and %s" % (status, output) + ) + self.assertEqual(status, 0, msg=msg) + + @OEHasPackage(["openscap"]) + @OEHasPackage(["scap-security-guide"]) + @OETestDepends(["ssh.SSHTest.test_ssh"]) + def test_openscap_scan(self): + SCAP_SOURCE = "/usr/share/xml/scap/ssg/content/ssg-openembedded-xccdf.xml" + CPE_DICT = "/usr/share/xml/scap/ssg/content/ssg-openembedded-cpe-dictionary.xml" + + cmd = "oscap info --profiles %s" % SCAP_SOURCE + status, output = self.target.run(cmd) + msg = ( + "oscap info` command does not work as expected.\n" + "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output) + ) + self.assertEqual(status, 0, msg=msg) + + for p in output.split("\n"): + profile = p.split(":")[0] + cmd = "oscap xccdf eval --cpe %s --profile %s %s" % ( + CPE_DICT, + profile, + SCAP_SOURCE, + ) + status, output = self.target.run(cmd) + msg = ( + "`oscap xccdf eval` does not work as expected.\n" + "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output) + ) + self.assertNotEqual(status, 1, msg=msg) From patchwork Fri Nov 14 08:29:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 74526 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15917CDE03F for ; 
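Review bot: in `test_openscap_scan`, `output.split("\n")` passes an empty `profile` to `oscap xccdf eval --profile` for any blank or trailing line of the `oscap info --profiles` output; skip lines without a `:` before splitting. `self.assertNotEqual(status, 1, msg=msg)` accepts every status other than 1 (a missing binary gives 127, a lost ssh connection gives 255), while the commit message defines only 0 and 2 as acceptable, so `self.assertIn(status, (0, 2), msg=msg)` matches the stated intent. Minor: the `oscap info` message is missing its opening backtick ("oscap info` command"), and evaluating every profile in the datastream can take a long time on a QEMU target; evaluating the first profile found is enough for a smoke test.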
From: Louis Rannou To: yocto-patches@lists.yoctoproject.org Cc: scott.murray@konsulko.com, rybczynska@gmail.com, pascal.eberhard@non.se.com, yi.zhao@windriver.com, Louis Rannou Subject: [meta-security][PATCH 4/4] openscap: fix musl compatibility Date: Fri, 14 Nov 2025 09:29:50 +0100 Message-ID: <20251114-openscap_bump-v1-4-1c8169b8e332@non.se.com> X-Mailer: git-send-email 2.51.2 In-Reply-To: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com> References: <20251114-openscap_bump-v1-0-1c8169b8e332@non.se.com> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 14 Nov 2025 08:30:18 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2557 From: Louis Rannou Add the dependency to musl-fts and the link flag for compliance with the musl C library. The link flag is prepended. For some reason, probably a compliance issue with CMake, the link can't be made if appended. Signed-off-by: Louis Rannou --- recipes-compliance/openscap/openscap_1.4.2.bb | 3 +++ recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/recipes-compliance/openscap/openscap_1.4.2.bb b/recipes-compliance/openscap/openscap_1.4.2.bb index f7c7aec..bf38e12 100644 --- a/recipes-compliance/openscap/openscap_1.4.2.bb +++ b/recipes-compliance/openscap/openscap_1.4.2.bb @@ -67,3 +67,6 @@ FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}" RDEPENDS:${PN} = "libxml2 python3-core libgcc bash" RDEPENDS:${PN}:class-target = "libxml2 python3-core libgcc bash os-release" BBCLASSEXTEND = "native" + +DEPENDS:append:libc-musl = " fts" +OECMAKE_C_LINK_FLAGS:prepend:libc-musl = " -lfts " diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb index 8489218..94415c4 100644 
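Review bot: `DEPENDS:append:libc-musl = " fts"` names the recipe `fts` while the commit message says `musl-fts`; align the two so the build dependency is unambiguous. `OECMAKE_C_LINK_FLAGS:prepend:libc-musl = " -lfts "` adds the library to every C link in the project, and the message only says it works when prepended "for some reason"; please record the actual reason in the message or in a comment above the line, because a flag whose effect depends on its position tends to break silently on the next CMake or toolchain update. A more targeted alternative is a patch to the CMake files that checks for `fts_open` and links `fts` only into the targets that use it.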
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb +++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb @@ -42,5 +42,3 @@ do_install:append() { FILES:${PN} += "${datadir}/xml ${datadir}/openscap" RDEPENDS:${PN} = "openscap" - -COMPATIBLE_HOST:libc-musl = "null"
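Review bot: removing `COMPATIBLE_HOST:libc-musl = "null"` from scap-security-guide is consistent with the recipe only carrying `RDEPENDS:${PN} = "openscap"`, but the subject line mentions only openscap; state in the commit message that scap-security-guide is re-enabled on musl because its only blocker was the openscap build, and confirm that this recipe itself (not just openscap) was built with a musl `TCLIBC` before the restriction is dropped.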