Merge pull request #2279 from evgenyz/main-merge-2

evgenyz · web-flow · commit 3dcbda5c5808 · 2025-11-23T17:58:54.000+01:00
Merge 1.3
diff --git a/AUTHORS b/AUTHORS
@@ -1,5 +1,6 @@
 Alexander Bergmann <abergmann@suse.com>
 Alexander Scheel <ascheel@redhat.com>
+Arden97 <arden2545@gmail.com>
 Axel Nennker <axel@nennker.de>
 Brady Alleman <brady@alleman.me>
 Brandon Dixon <Brandon.Dixon@g2-inc.com>
@@ -23,6 +24,7 @@ Evgeni Golov <egolov@redhat.com>
 Evgeny Kolesnikov <ekolesni@redhat.com>
 Felix Wolfsteller <felix.wolfsteller@greenbone.net>
 Fen Labalme <fen@civicactions.com>
+Flos Lonicerae <lonicerae@gmail.com>
 Francisco Slavin <fslavin@tresys.com>
 Gabe Alford <redhatrises@gmail.com>
 Gabriel Gaspar Becker <ggasparb@redhat.com>
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
@@ -1617,9 +1617,12 @@ Also, OpenSCAP uses `libcurl` library which also can be configured using environ
 
 == Using external or remote resources
 
-Some SCAP content references external resources. For example, some content
-can use external OVAL file to check that the system is up to date and has no known
-security vulnerabilities.
+Some SCAP content references external resources. For example, older versions of SCAP Security Guide (prior to version 0.1.73)
+used external OVAL file to check that the system is up to date and has no known
+security vulnerabilities. However, other content can use external resources for
+other purposes.
+
+NOTE: Starting with version 0.1.73, SCAP Security Guide content doesn't use external resources anymore.
 
 When you are evaluating SCAP content with external resources the `oscap` tool
 will warn you:
@@ -1669,6 +1672,8 @@ $ wget -O ~/scap-files/security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.
 $ oscap xccdf eval --local-files ~/scap-files --profile ospp ssg-rhel8-ds.xml
 ----
 
+NOTE: The `--local-files` option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
+
 == Practical Examples
 This section demonstrates practical usage of certain security content provided
 for Red Hat products.
@@ -2000,6 +2005,7 @@ You can find the ID of the customized profile with `oscap info <your_tailoring_f
 
 Yes, it's possible, you can download the file on other computer that is connected to the internet and then copy the file to the system where you run `oscap`.
 Instead of the `--fetch-remote-resources` option you will use the `--local-files` option.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 For more information, please refer to section <<_using_external_or_remote_resources,Using external or remote resources>>.
 
 *I have generated a kickstart but the generated file isn't a valid kickstart.*
diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c
@@ -342,6 +342,25 @@ void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, b
 	session->fetch_remote_resources = allowed;
 	session->local_files = local_files;
 	session->progress = (callback != NULL) ? callback : download_progress_empty_calllback;
+	if (local_files != NULL) {
+		struct ds_sds_index *idx = ds_sds_session_get_sds_idx(session);
+		struct ds_stream_index_iterator *streams = ds_sds_index_get_streams(idx);
+		while (ds_stream_index_iterator_has_more(streams)) {
+			struct ds_stream_index *stream = ds_stream_index_iterator_next(streams);
+			const char *version = ds_stream_index_get_version(stream);
+			if (strcmp(version, "1.3")) {
+				ds_sds_session_remote_resources_progress(session)(
+					true,
+					"WARNING: The '--local-files' option can be used only with "
+					"SCAP 1.3 source data streams, but the provided data stream "
+					"is version '%s'. No local files will be used.\n",
+					version);
+				break;
+			}
+
+		}
+		ds_stream_index_iterator_free(streams);
+	}
 }
 
 const char *ds_sds_session_local_files(struct ds_sds_session *session)
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -114,4 +114,3 @@ add_oscap_test("test_no_newline_between_select_elements.sh")
 add_oscap_test("test_single_line_tailoring.sh")
 add_oscap_test("test_reference.sh")
 add_oscap_test("test_remediation_bootc.sh")
-add_oscap_test("test_oscap_bootc_pass_down.sh")
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh
diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh
@@ -4,7 +4,6 @@
 #   Jan Černý <jcerny@redhat.com>
 
 set -e -o pipefail
-set -x
 
 . $builddir/tests/test_common.sh
 	
@@ -81,3 +80,13 @@ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/r
 popd
 rm -f "$result" "$stderr"
 rm -rf "$tmpdir1" "$tmpdir2" "$tmpdir3"
+
+
+# test that a warning is shown when --local-files is provided with SCAP 1.2 DS
+result=$(mktemp)
+stderr=$(mktemp)
+tmpdir=$(mktemp -d)
+$OSCAP xccdf eval --local-files "$tmpdir" --profile "$PROFILE" --results "$result" "${srcdir}/ds_continue_without_remote_resources/remote_content_1.2.ds.xml" 2>"$stderr" || ret=$?
+[ "$ret" = 2 ]
+grep -q "WARNING: The '--local-files' option can be used only with SCAP 1.3 source data streams, but the provided data stream is version '1.2'. No local files will be used." "$stderr"
+rm -rf "$result" "$stderr" "$tmpdir"
diff --git a/utils/oscap-im b/utils/oscap-im
@@ -111,35 +111,50 @@ def add_eval_args(args, cmd):
 
 
 def pre_scan_fix(args):
-    with tempfile.NamedTemporaryFile(delete=False) as remediation_script:
+    with tempfile.NamedTemporaryFile() as remediation_script:
         gen_fix_cmd = [
             "oscap", "xccdf", "generate", "fix", "--fix-type", "bootc",
             "--output", remediation_script.name]
         add_common_args(args, gen_fix_cmd)
         gen_fix_cmd.append(args.data_stream)
-        subprocess.run(gen_fix_cmd, check=True)
-        subprocess.run(["bash", remediation_script.name], check=True)
+        try:
+            subprocess.run(gen_fix_cmd, check=True, capture_output=True)
+        except subprocess.CalledProcessError as e:
+            raise RuntimeError(
+                f"OpenSCAP generate fix failed with return code "
+                f"{e.returncode}.\nOutput: {e.stderr.decode()}")
+        try:
+            subprocess.run(["bash", remediation_script.name], check=True)
+        except subprocess.CalledProcessError as e:
+            raise RuntimeError(
+                f"Remediation script failed with return code "
+                f"{e.returncode}.")
 
 
 def scan_and_remediate(args):
     oscap_cmd = ["oscap", "xccdf", "eval", "--progress", "--remediate"]
     add_common_args(args, oscap_cmd)
     add_eval_args(args, oscap_cmd)
     oscap_cmd.append(args.data_stream)
-    env = {**os.environ, "OSCAP_PREFERRED_ENGINE": "SCE", "OSCAP_BOOTC_BUILD": "YES"}
+    env = {**os.environ, "OSCAP_PREFERRED_ENGINE": "SCE"}
     try:
         subprocess.run(oscap_cmd, env=env, check=True)
     except subprocess.CalledProcessError as e:
         if e.returncode not in [0, 2]:
-            print(e, file=sys.stderr)
+            raise RuntimeError(
+                f"OpenSCAP scan failed with return code {e.returncode}.\n")
 
 
 def main():
     args = parse_args()
     verify_bootc_build_env()
     install_sce_dependencies()
-    pre_scan_fix(args)
-    scan_and_remediate(args)
+    try:
+        pre_scan_fix(args)
+        scan_and_remediate(args)
+    except RuntimeError as e:
+        print(e, file=sys.stderr)
+        sys.exit(1)
 
 
 if __name__ == "__main__":
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
@@ -643,6 +643,49 @@ int xccdf_set_profile_or_report_bad_id(struct xccdf_session *session, const char
 	return return_code;
 }
 
+
+static bool _system_is_in_bootc_mode(void)
+{
+#ifdef OS_WINDOWS
+	return false;
+#else
+	#define BOOTC_PATH "/usr/bin/bootc"
+	#define CHUNK_SIZE 1024
+	struct stat statbuf;
+	if (stat(BOOTC_PATH, &statbuf) == -1) {
+		return false;
+	}
+	FILE *output = popen(BOOTC_PATH " status --format json 2>/dev/null", "r");
+	if (output == NULL) {
+		return false;
+	}
+	size_t buf_size = CHUNK_SIZE;
+	char *buf = calloc(buf_size, sizeof(char));
+	if (buf == NULL) {
+		pclose(output);
+		return false;
+	}
+	int c;
+	size_t i = 0;
+	while ((c = fgetc(output)) != EOF) {
+		if (i >= buf_size) {
+			buf_size += CHUNK_SIZE;
+			char *new_buf = realloc(buf, buf_size);
+			if (new_buf == NULL) {
+				pclose(output);
+				return false;
+			}
+			buf = new_buf;
+		}
+		buf[i++] = c;
+	}
+	pclose(output);
+	bool result = (*buf != '\0' && strstr(buf, "\"booted\":null") == NULL);
+	free(buf);
+	return result;
+#endif
+}
+
 /**
  * XCCDF Processing fucntion
  * @param action OSCAP Action structure
@@ -653,6 +696,16 @@ int app_evaluate_xccdf(const struct oscap_action *action)
 	struct xccdf_session *session = NULL;
 
 	int result = OSCAP_ERROR;
+
+	if (action->remediate && _system_is_in_bootc_mode()) {
+		fprintf(stderr,
+			"Detected running Image Mode operating system. OpenSCAP can't "
+			"perform remediation of this system because majority of the "
+			"system is read-only. Please apply remediation during bootable "
+			"container image build using 'oscap-im' instead.\n");
+		return result;
+	}
+
 #if defined(HAVE_SYSLOG_H)
 	int priority = LOG_NOTICE;
 
@@ -856,6 +909,14 @@ int app_xccdf_remediate(const struct oscap_action *action)
 {
 	struct xccdf_session *session = NULL;
 	int result = OSCAP_ERROR;
+	if (_system_is_in_bootc_mode()) {
+		fprintf(stderr,
+			"Detected running Image Mode operating system. OpenSCAP can't "
+			"perform remediation of this system because majority of the "
+			"system is read-only. Please apply remediation during bootable "
+			"container image build using 'oscap-im' instead.\n");
+		return result;
+	}
 	session = xccdf_session_new(action->f_xccdf);
 	if (session == NULL)
 		goto cleanup;
diff --git a/utils/oscap.8 b/utils/oscap.8
@@ -66,6 +66,7 @@ Allow download of remote components referenced from data stream.
 \fB\-\-local-files DIRECTORY\fR
 .RS
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 .RE
 .TP
 \fB\-\-profile PROFILE\fR
@@ -216,6 +217,7 @@ Allow download of remote OVAL content referenced from XCCDF by check-content-ref
 \fB\-\-local-files DIRECTORY\fR
 .RS
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 .RE
 .TP
 \fB\-\-remediate\fR
@@ -251,6 +253,7 @@ Allow download of remote OVAL content referenced from XCCDF by check-content-ref
 \fB\-\-local-files DIRECTORY\fR
 .RS
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 .RE
 .TP
 \fB\-\-cpe CPE_FILE\fR
@@ -338,6 +341,7 @@ Allow download of remote OVAL content referenced from XCCDF by check-content-ref
 \fB\-\-local-files DIRECTORY\fR
 .RS
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 .RE
 .TP
 \fB\-\-skip-validation\fR
@@ -505,6 +509,7 @@ Allow download of remote components referenced from data stream.
 .TP
 \fB\-\-local-files DIRECTORY\fR
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 .RE
 
 .TP
