Diffstat (limited to 'external/meta-security/meta-security-compliance')
-rw-r--r--external/meta-security/meta-security-compliance/README4
-rw-r--r--external/meta-security/meta-security-compliance/conf/layer.conf8
-rw-r--r--external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb (renamed from external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb)6
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb13
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch130
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb9
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch36
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch17
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest3
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc53
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb87
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb9
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb12
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch39
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch35
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc35
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb57
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb8
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb12
19 files changed, 355 insertions, 218 deletions
diff --git a/external/meta-security/meta-security-compliance/README b/external/meta-security/meta-security-compliance/README
index b29c143b..320f8567 100644
--- a/external/meta-security/meta-security-compliance/README
+++ b/external/meta-security/meta-security-compliance/README
@@ -28,9 +28,9 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
-Layer Maintainer: Armin Kuster <akuster@mvista.com>
+Layer Maintainer: Armin Kuster <akuster808@gmail.com>
License
diff --git a/external/meta-security/meta-security-compliance/conf/layer.conf b/external/meta-security/meta-security-compliance/conf/layer.conf
index fcc5cd6c..965c8379 100644
--- a/external/meta-security/meta-security-compliance/conf/layer.conf
+++ b/external/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,8 +8,8 @@ BBFILE_COLLECTIONS += "scanners-layer"
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "thud"
+LAYERSERIES_COMPAT_scanners-layer = "dunfell"
-LAYERDEPENDS_scanners-layer = " \
- core \
-"
+LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb b/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
index 28a44691..245761c3 100644
--- a/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
+++ b/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
-SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242"
+SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d"
S = "${WORKDIR}/${BPN}"
@@ -38,4 +38,4 @@ do_install () {
FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
-RDEPENDS_${PN} += "procps"
+RDEPENDS_${PN} += "procps findutils"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 5b613756..fd53fcba 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -8,12 +8,11 @@ LICENSE = "MIT"
SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
SRC_URI = "git://github.com/akuster/oe-scap.git"
SRC_URI += " \
- file://run_cve.sh \
- file://run_test.sh \
- file://OpenEmbedded_nodistro_0.xml \
- file://OpenEmbedded_nodistro_0.xccdf.xml \
-"
-
+ file://run_cve.sh \
+ file://run_test.sh \
+ file://OpenEmbedded_nodistro_0.xml \
+ file://OpenEmbedded_nodistro_0.xccdf.xml \
+ "
S = "${WORKDIR}/git"
@@ -31,4 +30,4 @@ do_install () {
FILES_${PN} += "${datadir}/oe-scap"
-RDEPENDS_${PN} = "openscap"
+RDEPENDS_${PN} = "openscap bash"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
new file mode 100644
index 00000000..2a518bfe
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
@@ -0,0 +1,130 @@
+From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 2 Jul 2018 11:21:19 +0200
+Subject: [PATCH] Renamed module and variables to get rid of async.
+
+async is a reserved word in Python 3.7.
+
+Upstream-Status: Backport
+[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ openscap_daemon/{async.py => async_tools.py} | 0
+ openscap_daemon/dbus_daemon.py | 2 +-
+ openscap_daemon/system.py | 16 ++++++++--------
+ tests/unit/test_basic_update.py | 3 ++-
+ 4 files changed, 11 insertions(+), 10 deletions(-)
+ rename openscap_daemon/{async.py => async_tools.py} (100%)
+
+diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
+similarity index 100%
+rename from openscap_daemon/async.py
+rename to openscap_daemon/async_tools.py
+diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
+index e6eadf9..cb6a8b6 100644
+--- a/openscap_daemon/dbus_daemon.py
++++ b/openscap_daemon/dbus_daemon.py
+@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="", out_signature="a(xsi)")
+ def GetAsyncActionsStatus(self):
+- return self.system.async.get_status()
++ return self.system.async_manager.get_status()
+
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="s", out_signature="(sssn)")
+diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
+index 2012f6e..85c2680 100644
+--- a/openscap_daemon/system.py
++++ b/openscap_daemon/system.py
+@@ -26,7 +26,7 @@ import logging
+ from openscap_daemon.task import Task
+ from openscap_daemon.config import Configuration
+ from openscap_daemon import oscap_helpers
+-from openscap_daemon import async
++from openscap_daemon import async_tools
+
+
+ class ResultsNotAvailable(Exception):
+@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
+
+ class System(object):
+ def __init__(self, config_file):
+- self.async = async.AsyncManager()
++ self.async_manager = async_tools.AsyncManager()
+
+ logging.info("Loading configuration from '%s'.", config_file)
+ self.config = Configuration()
+@@ -90,7 +90,7 @@ class System(object):
+ input_file, tailoring_file, None
+ )
+
+- class AsyncEvaluateSpecAction(async.AsyncAction):
++ class AsyncEvaluateSpecAction(async_tools.AsyncAction):
+ def __init__(self, system, spec):
+ super(System.AsyncEvaluateSpecAction, self).__init__()
+
+@@ -113,7 +113,7 @@ class System(object):
+ return "Evaluate Spec '%s'" % (self.spec)
+
+ def evaluate_spec_async(self, spec):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateSpecAction(
+ self,
+ spec
+@@ -488,7 +488,7 @@ class System(object):
+
+ return ret
+
+- class AsyncUpdateTaskAction(async.AsyncAction):
++ class AsyncUpdateTaskAction(async_tools.AsyncAction):
+ def __init__(self, system, task_id, reference_datetime):
+ super(System.AsyncUpdateTaskAction, self).__init__()
+
+@@ -536,7 +536,7 @@ class System(object):
+
+ if task.should_be_updated(reference_datetime):
+ self.tasks_scheduled.add(task.id_)
+- self.async.enqueue(
++ self.async_manager.enqueue(
+ System.AsyncUpdateTaskAction(
+ self,
+ task.id_,
+@@ -662,7 +662,7 @@ class System(object):
+ fix_type
+ )
+
+- class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
++ class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
+ def __init__(self, system, worker):
+ super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
+
+@@ -680,7 +680,7 @@ class System(object):
+ return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
+
+ def evaluate_cve_scanner_worker_async(self, worker):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateCVEScannerWorkerAction(
+ self,
+ worker
+diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
+index 6f683e6..7f953f7 100755
+--- a/tests/unit/test_basic_update.py
++++ b/tests/unit/test_basic_update.py
+@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
+ print(self.system.tasks)
+ self.system.schedule_tasks()
+
+- while len(self.system.async.actions) > 0:
++ while len(self.system.async_manager.actions) > 0:
+ time.sleep(1)
+
++
+ if __name__ == "__main__":
+ BasicUpdateTest.run()
+--
+2.7.4
+
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index a6a9373e..a7750214 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -9,10 +9,15 @@ LICENSE = "LGPL-2.1"
DEPENDS = "python3-dbus"
SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
+ file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
+ "
inherit setuptools3
S = "${WORKDIR}/git"
-RDEPENDS_${PN} = "python"
+RDEPENDS_${PN} = "openscap scap-security-guide \
+ python3-core python3-dbus \
+ python3-pygobject \
+ "
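Review bot: The rewritten `SRC_URI` still fetches over the plain `git://` transport, which is neither encrypted nor authenticated. `SRCREV` pins the commit, which limits what tampering in transit can achieve, but selecting HTTPS costs nothing: `SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git;protocol=https \`. The same applies to the `SRC_URI` lines added in openscap_1.3.1.bb, openscap_git.bb, scap-security-guide_0.1.44.bb and scap-security-guide_git.bb.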
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
deleted file mode 100644
index 2d70855a..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -360,25 +360,13 @@ case "${with_crypto}" in
- AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.])
- ;;
- gcrypt)
-- SAVE_LIBS=$LIBS
-- AC_CHECK_LIB([gcrypt], [gcry_check_version],
-- [crapi_CFLAGS=`libgcrypt-config --cflags`;
-- crapi_LIBS=`libgcrypt-config --libs`;
-- crapi_libname="GCrypt";],
-- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])],
-- [])
-- AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.])
-- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG],
-- [ac_cv_gcryctl_set_enforced_fips_flag],
-- [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>],
-- [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])],
-- [ac_cv_gcryctl_set_enforced_fips_flag=yes],
-- [ac_cv_gcryctl_set_enforced_fips_flag=no])])
-+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[],
-+ AC_MSG_FAILURE([libgcrypt devel support is missing]))
-
-- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then
-- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.])
-- fi
-- LIBS=$SAVE_LIBS
-+ crapi_libname="libgcrypt"
-+ crapi_CFLAGS=$libgcrypt_CFLAGS
-+ crapi_LIBS=$libgcrypt_LIBS
-+ AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.])
- ;;
- *)
- AC_MSG_ERROR([unknown crypto backend])
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
deleted file mode 100644
index ecbe6026..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
- [],
- [crypto=gcrypt])
-
--if test "x${libexecdir}" = xNONE; then
-- probe_dir="/usr/local/libexec/openscap"
--else
-- EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
--fi
-+probe_dir="/usr/local/libexec/openscap"
-
- AC_SUBST(probe_dir)
-
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
deleted file mode 100644
index 454a6a3c..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd tests
-make -k check
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index e9589b6b..afa576a9 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -1,2 +1,55 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig"
+DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native perlnative
+
+PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
+PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl"
+PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
+PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
+PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
+PACKAGECONFIG[selinux] = ", ,libselinux"
+
+EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
+ -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
+ -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \
+ -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \
+ -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
+ -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \
+ -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \
+ "
+
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+
+do_configure_append_class-native () {
+ sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
+}
+
+do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
+do_install_append_class-native () {
+ oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
+ install -d $oscapdir
+ cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
+}
+
+
+FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
+
+RDEPENDS_${PN} += "libxml2 python3-core libgcc bash"
+
+BBCLASSEXTEND = "native"
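Review bot: `SUMARRY` and `HOME_URL` at the top of the added header are not names BitBake reads, so the recipe metadata falls back to defaults and the text never reaches the package. The documented variables are `SUMMARY = "NIST Certified SCAP 1.2 toolkit"` and `HOMEPAGE = "https://www.open-scap.org/tools/openscap-base/"`. The `SUMARRY` spelling is repeated in openscap_1.3.1.bb, openscap_git.bb, scap-security-guide.inc, scap-security-guide_0.1.44.bb and scap-security-guide_git.bb, and `HOME_URL` again in scap-security-guide.inc.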
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
deleted file mode 100644
index e2a4fa2e..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \
- libxslt libcap swig swig-native"
-
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
-
-SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \
- file://crypto_pkgconfig.patch \
- file://run-ptest \
-"
-
-inherit autotools-brokensep pkgconfig python3native perlnative ptest
-
-S = "${WORKDIR}/git"
-
-PACKAGECONFIG ?= "nss3 pcre rpm"
-PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre"
-PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt "
-PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
-PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3"
-PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl"
-PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm"
-
-export LDFLAGS += " -ldl"
-
-EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \
- --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\
- --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \
-"
-
-EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \
- --disable-probes-solaris --disable-probes-unix \
- --enable-util-oscap \
-"
-
-do_configure_prepend () {
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am
- sed -i 's:python2:python:' ${S}/utils/scap-as-rpm
-}
-
-
-include openscap.inc
-
-do_configure_append_class-native () {
- sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
-}
-
-do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
-
-do_install_append_class-native () {
- oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
- install -d $oscapdir
- cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
-}
-
-TESTDIR = "tests"
-
-do_compile_ptest() {
- sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py
- echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile
- oe_runmake -C ${TESTDIR} buildtest-TESTS
-}
-
-do_install_ptest() {
- # install the tests
- cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN} += "libxml2 python libgcc"
-RDEPENDS_${PN}-ptest = "bash perl python"
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
new file mode 100644
index 00000000..ad29efda
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
@@ -0,0 +1,9 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+require openscap.inc
+
+SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+"
+
+DEFAULT_PREFERENCE = "-1"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
new file mode 100644
index 00000000..963d3dec
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -0,0 +1,12 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
+
+include openscap.inc
+
+SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90"
+SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
+"
+
+PV = "1.3.1+git${SRCPV}"
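Review bot: This recipe pulls the shared settings in with `include openscap.inc`, which is silently skipped if the file cannot be found, whereas openscap_1.3.1.bb uses `require`. Every setting here (LICENSE, DEPENDS, the cmake inherit, the native install hooks) lives in that file, so a missing include should be a parse error: `require openscap.inc`. Since openscap_1.3.1.bb sets `DEFAULT_PREFERENCE = "-1"`, this recipe looks like the one selected by default, which makes the hard failure more valuable.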
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
new file mode 100644
index 00000000..c0b93e41
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
@@ -0,0 +1,39 @@
+From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Thu, 5 Dec 2019 15:02:05 +0100
+Subject: [PATCH] Fix XML "parsing" of the remediation functions file.
+
+A proper fix is not worth the effort, as we aim to kill shared Bash remediation
+with Jinja2 macros.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 7da807bd6..13e90f732 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -56,11 +56,11 @@ def get_available_functions(build_dir):
+ remediation_functions = []
+ with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+ filestring = xmlfile.read()
+- # This regex looks implementation dependent but we can rely on
+- # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed
+- # to be the first attr and ID is guaranteed to be second.
++ # This regex looks implementation dependent but we can rely on the element attributes
++ # being present on one line.
++ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+ remediation_functions = re.findall(
+- r'<Value hidden=\"true\" id=\"function_(\S+)\"',
++ r'<Value.*id=\"function_(\S+)\"',
+ filestring, re.DOTALL
+ )
+
+--
+2.17.1
+
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
new file mode 100644
index 00000000..f0c9909c
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
@@ -0,0 +1,35 @@
+From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 9 Dec 2019 13:41:47 +0100
+Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file.
+
+We want to match attributes in an XML element, not in the whole file.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 13e90f732..edf31c0cf 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -57,10 +57,10 @@ def get_available_functions(build_dir):
+ with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+ filestring = xmlfile.read()
+ # This regex looks implementation dependent but we can rely on the element attributes
+- # being present on one line.
++ # being present. Beware, DOTALL means we go through the whole file at once.
+ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+ remediation_functions = re.findall(
+- r'<Value.*id=\"function_(\S+)\"',
++ r'<Value[^>]+id=\"function_(\S+)\"',
+ filestring, re.DOTALL
+ )
+
+--
+2.17.1
+
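Review bot: After this change the pattern `<Value[^>]+id=\"function_(\S+)\"` contains no `.`, so the `re.DOTALL` argument on the following line no longer has any effect, and the new comment "DOTALL means we go through the whole file at once" describes behaviour the flag does not provide here. `[^>]+` already spans newlines by itself. As this is a verbatim backport the patch should stay identical to upstream, so the cleanup (dropping the flag and rewording the comment) is better raised there. The body of `get_available_functions` continues outside the hunk.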
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
new file mode 100644
index 00000000..66c26230
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native
+
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
+
+OECMAKE_GENERATOR = "Unix Makefiles"
+
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
+
+B = "${S}/build"
+
+do_configure[depends] += "openscap-native:do_install"
+
+do_configure_prepend () {
+ sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+ sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
+}
+
+FILES_${PN} += "${datadir}/xml"
+
+RDEPENDS_${PN} = "openscap"
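Review bot: The three exported `OSCAP_*_PATH` variables and `do_configure[depends] += "openscap-native:do_install"` make this build read files from `${TMPDIR}/work-shared`, outside the recipe sysroot, and nothing in the file says why. A short comment above the exports would help the next maintainer, for example `# native oscap is run during the build; point it at the schemas/CPE/XSLT that openscap-native's do_install copies into STAGING_OSCAP_BUILDDIR`. It would also be worth noting that `STAGING_OSCAP_BUILDDIR` duplicates the definition in openscap.inc and the two must be kept in sync.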
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
deleted file mode 100644
index 7fa417de..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "SCAP content for various platforms"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "openscap-native"
-
-SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;"
-
-inherit cmake
-
-PARALLEL_MAKE = ""
-
-S = "${WORKDIR}/git"
-
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-
-EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF"
-
-do_configure_prepend () {
- sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
- sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake
-}
-
-do_compile () {
- cd ${B}
- make openembedded
-}
-
-do_install () {
- cd ${B}
- make DESTDIR=${D} install
-}
-FILES_${PN} += "${datadir}/xml"
-RDEPNEDS_${PN} = "openscap"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
new file mode 100644
index 00000000..d80ecd7e
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
@@ -0,0 +1,8 @@
+SUMARRY = "SCAP content for various platforms, upstream version"
+
+SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git"
+
+DEFAULT_PREFERENCE = "-1"
+
+require scap-security-guide.inc
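Review bot: This upstream-version recipe carries no patches, while scap-security-guide_git.bb in the same commit adds the two `build_remediations.py` backports. Whether the pinned `SRCREV` already contains those upstream commits cannot be told from the page; if it does not, this recipe would presumably hit the same attribute-ordering problem the backports address. Either add the two `file://` entries to `SRC_URI` here, or add a comment stating that the pinned revision already includes them.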
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
new file mode 100644
index 00000000..f35d7691
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -0,0 +1,12 @@
+SUMARRY = "SCAP content for various platforms, OE changes"
+
+SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \
+ file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
+ file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
+ "
+PV = "0.1.44+git${SRCPV}"
+
+require scap-security-guide.inc
+
+EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
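Review bot: The first `SRC_URI` entry ends in `branch=oe-0.1.44;` with a trailing semicolon, which leaves an empty URL parameter before the line continuation. It is carried over from the deleted 0.1.33 recipe and is probably tolerated by the fetcher, but it is cleaner to drop it: `SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44 \`.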