ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

SCE script not included in datastream when using complex-check #11681

Closed a-skr closed 8 months ago

a-skr commented 8 months ago

Description of problem:

This issue is related to the guide generation tool-chain.

When adding a SCE script on a rule that already contains an OVAL rule, if the SCE script uses a complex-check, the SCE script is not included in the data-stream.

SCAP Security Guide Version:

current / master.

Operating System Version:

Issue has been observed on Debian 12 and Ubuntu 22.04. I cannot tell for other operating systems (but the issue is likely present).

Steps to Reproduce:

  1. Add a linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/sce/shared.sh file with the following content:
#! /bin/bash
# platform = multi_platform_all
# check-import = stdout
# complex-check = OR

echo "HELLO_THIS_IS_MY_TEST"

exit ${XCCDF_RESULT_PASS}
  2. Build any guide that includes the file_permissions_unauthorized_sgid rule

note: a full example is available on https://github.com/a-skr/content.git on the issue-oval-sce branch. To build the guide, use the following command:

ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED:BOOL=ON" ./build_product debian12

Then,

grep HELLO ssg-debian12-ds.xml

returns nothing.

Actual Results:

The script is not included in the data-stream file.

Expected Results:

The script shall be included in the data-stream file.

Additional Information/Debugging Steps:

If the complex-check is omitted, the script is included in the datastream file.

note: dodys has confirmed the issue on gitter.

dodys commented 8 months ago

just to add more information, the same happens with # complex-check = AND. Just the mere presence of it causes this issue, independent of the value assigned.

Mab879 commented 8 months ago

I will note that this area of the build system is a self-described "hack".

I went back to 0.1.69 and this still seemed to be there.

cipherboy commented 8 months ago

I can fix this one. :-)

dodys commented 8 months ago

it seems the fix for this actually created an issue:

[9/19] [ubuntu2204-content] generating plain XCCDF, OVAL and OCIL files
FAILED: ubuntu2204/ssg-ubuntu2204-xccdf.xml ubuntu2204/ssg-ubuntu2204-oval.xml ubuntu2204/ssg-ubuntu2204-ocil.xml /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-xccdf.xml /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-oval.xml /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-ocil.xml 
cd /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204 && env PYTHONPATH=/home/ubuntu/git-pulls/usg/CaC-upstream::/home/ubuntu/git-pulls/ubuntu-cve-tracker/scripts /usr/bin/python3 /home/ubuntu/git-pulls/usg/CaC-upstream/build-scripts/build_xccdf.py --build-ovals-dir /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/checks/oval --resolved-base /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204 --build-config-yaml /home/ubuntu/git-pulls/usg/CaC-upstream/build/build_config.yml --product-yaml /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/product.yml --xccdf /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-xccdf.xml --oval /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-oval.xml --ocil /home/ubuntu/git-pulls/usg/CaC-upstream/build/ubuntu2204/ssg-ubuntu2204-ocil.xml --thin-ds-components-dir off && sync
Traceback (most recent call last):
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/build-scripts/build_xccdf.py", line 148, in <module>
    main()
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/build-scripts/build_xccdf.py", line 131, in main
    oval_linker = link_oval(xccdftree, checks, args.oval, args.build_ovals_dir)
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/build-scripts/build_xccdf.py", line 76, in link_oval
    oval_linker.link()
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/ssg/build_renumber.py", line 180, in link
    self._link_oval_tree()
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/ssg/build_renumber.py", line 202, in _link_oval_tree
    self._ensure_by_xccdf_referenced_oval_def_is_defined_in_oval_file()
  File "/home/ubuntu/git-pulls/usg/CaC-upstream/ssg/build_renumber.py", line 279, in _ensure_by_xccdf_referenced_oval_def_is_defined_in_oval_file
    rule.remove(check)
ValueError: list.remove(x): x not in list
ninja: build stopped: subcommand failed.

This only happens when # complex-check is present in a SCE script
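
The SCE header format from the reproduction steps and the rule.remove(check) failure in the traceback above can both be illustrated with a small stand-alone Python script. This is an added example, not ComplianceAsCode's build code (it does not reproduce build_xccdf.py or build_renumber.py): it parses the # key = value metadata block of an SCE script, emits the XCCDF fragment a rule that carries both an OVAL check and an SCE check would contain, wrapping the two checks in complex-check with the requested operator when the header asks for it, and shows why ElementTree's Element.remove() raises the ValueError seen in the traceback when a check sits under complex-check rather than directly under the Rule. The rule id, OVAL definition id and script href are illustrative assumptions, and the script body is inlined as check-content only so the serialized output can be grepped like the datastream in the reproduction; a real datastream carries the script as a separate component referenced by href. The sample script is the shared.sh from the issue.

```python
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SCE_SYSTEM = "http://open-scap.org/page/SCE"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
ET.register_namespace("xccdf", XCCDF_NS)

# Constructed sample input: the shared.sh from the reproduction steps.
SAMPLE_SCE = """#! /bin/bash
# platform = multi_platform_all
# check-import = stdout
# complex-check = OR

echo "HELLO_THIS_IS_MY_TEST"

exit ${XCCDF_RESULT_PASS}
"""

HEADER_RE = re.compile(r"^#\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def _q(tag):
    return "{%s}%s" % (XCCDF_NS, tag)


def parse_sce_header(script):
    """Collect '# key = value' lines from the leading comment block.

    Stops at the first non-blank, non-comment line, so a stray
    '# complex-check = OR' in the script body is not metadata.
    XCCDF allows only AND or OR as complex-check operators."""
    meta = {}
    for line in script.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#!"):
            continue
        if not stripped.startswith("#"):
            break
        match = HEADER_RE.match(stripped)
        if match:
            meta[match.group(1)] = match.group(2)
    operator = meta.get("complex-check")
    if operator is not None and operator.upper() not in ("AND", "OR"):
        raise ValueError("complex-check must be AND or OR, got %r" % operator)
    return meta


def build_rule(rule_id, oval_def_id, sce_href, script):
    """Build an XCCDF <Rule> carrying both an OVAL check and an SCE check.

    With 'complex-check' in the header the two <check> elements are wrapped
    in <complex-check operator="AND|OR">; without it they are plain siblings.
    Ids and href are illustrative; the script body is inlined as
    <check-content> so the serialized rule can be grepped (real datastreams
    reference the script by href instead)."""
    meta = parse_sce_header(script)
    rule = ET.Element(_q("Rule"), {"id": rule_id})

    oval_check = ET.Element(_q("check"), {"system": OVAL_SYSTEM})
    ET.SubElement(oval_check, _q("check-content-ref"),
                  {"href": "oval-unlinked.xml", "name": oval_def_id})

    sce_check = ET.Element(_q("check"), {"system": SCE_SYSTEM})
    if "check-import" in meta:
        ET.SubElement(sce_check, _q("check-import"),
                      {"import-name": meta["check-import"]})
    ET.SubElement(sce_check, _q("check-content")).text = script

    operator = meta.get("complex-check")
    if operator:
        holder = ET.SubElement(rule, _q("complex-check"),
                               {"operator": operator.upper()})
    else:
        holder = rule
    holder.extend([oval_check, sce_check])
    return rule


def script_embedded(rule, marker):
    """Stand-in for `grep HELLO ssg-debian12-ds.xml` on the serialized rule."""
    return marker in ET.tostring(rule, encoding="unicode")


def sce_checks(rule):
    """Every SCE <check>, directly under <Rule> or under <complex-check>."""
    return [c for c in rule.iter(_q("check")) if c.get("system") == SCE_SYSTEM]


def remove_check(rule, check):
    """Detach `check` from its real parent and return that parent.

    Element.remove() only searches direct children and otherwise raises
    ValueError('list.remove(x): x not in list'), the error in the traceback:
    a check wrapped in <complex-check> cannot be removed from <Rule> itself."""
    for parent in rule.iter():
        if any(child is check for child in parent):
            parent.remove(check)
            return parent
    raise ValueError("check is not under this rule")
```

Calling build_rule with the sample script and then rule.remove() on the SCE check reproduces the ValueError from the traceback, while remove_check() finds the complex-check wrapper and detaches the check from there; dropping the # complex-check line from the header puts both checks directly under the Rule, where rule.remove() works.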

dodys commented 8 months ago

For some reason this is not happening when building on a newer Ubuntu version. I wonder if that's a Python incompatibility. I will keep it open until I confirm what is happening.

cipherboy commented 8 months ago

@dodys I'm running Python 3.12.2 on Fedora 39 at the moment, so I definitely have a very new Python interpreter.

When pulling @a-skr's commit on top of main (bcc8c93f02dfe93bccf031309338b82b0231989b) and building, I get no error:

$ ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED:BOOL=ON -DSSG_JINJA2_CACHE_DIR=$SSG_JINJA2_CACHE_DIR" ./build_product -j99 debian12

... output elided for brevity...

-- Scanning for dependencies of debian12 fixes (bash, ansible, puppet, anaconda, ignition, kubernetes and blueprint)...
-- Configuring done (0.7s)
-- Generating done (0.0s)
-- Build files have been written to: /home/cipherboy/GitHub/ComplianceAsCode/content/build
[19/19] [man-page] generating man page
$ grep 'HELLO' ./build/ssg-debian12-ds-1.2.xml 
echo "HELLO_THIS_IS_MY_TEST"

(And I am also able to build ubuntu1804, ubuntu2004, and ubuntu2204 products just fine.)

Do you have a commit for me to test with? This one has a check like:

#! /bin/bash
# platform = multi_platform_all
# check-import = stdout
# complex-check = OR

echo "HELLO_THIS_IS_MY_TEST"

That said, the fix was in XPath, so it seems suspicious that it'd be a Python version issue, as I doubt XPath's behavior around node traversal and // operators has changed... My 2c, but I'd perhaps be inclined to believe there are more bugs running around, given what Matt quoted me as commenting earlier. :D

dodys commented 8 months ago

@cipherboy it is truly weird, but I finally found that it is only happening for rule all_apparmor_profiles_in_enforce_complain_mode if I add the complex-check to the SCE. It happens on both versions of Ubuntu and Python I tested, therefore I'm ruling out the Python version.

dodys commented 8 months ago

ok, I don't seem to be able to reproduce it anymore. Not sure what is going on in my environment today. I will just close it for now and let you know otherwise.