Closed yuumasato closed 11 months ago
Ping @matejak @jan-cerny I'm not sure how to fix this issue.
One way I can think of is for the `BuildLoader` to also keep track of all rules, not just the applicable ones, so that the build system can warn of invalid rule IDs, but not get tricked by valid rule IDs if a control adds a rule that is not applicable to the product being currently built.
Description of problem:
The build system silently ignores invalid rule IDs in profiles and controls.
SCAP Security Guide Version:
Latest master (ab510556f587bf0140da78593c46b86450778ab5)
Operating System Version:
Any
Steps to Reproduce:
Actual Results:
Build succeeds without error, warning or traceback.
Expected Results:
Additional Information/Debugging Steps:
`resolve_selections_with_rules()`: https://github.com/ComplianceAsCode/content/commit/20491c7c5876dc335b62140b6a43100116f18458#diff-7bdd84322da01c2b17cc451968f9b7eb024114feec6b64e25fd264710a119424R551-R552

`resolve_controls()` may add invalid rule IDs. The code doesn't have a way to distinguish invalid rule IDs from rules not available to the product. This is partly caused by the `BuildLoader` discarding all rules not applicable, due to incompatible `prodtype`.

`resolve_selections_with_rules()` is that it drops out invalid IDs and the other check for invalid IDs never triggers: https://github.com/ComplianceAsCode/content/blob/master/ssg/build_yaml.py#L669
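
A sketch of the approach suggested in this issue, added here as an illustration and not taken from the ComplianceAsCode code base: the loader indexes every rule together with its `prodtype`, so a selection can be classified as kept, skipped (valid but not applicable to the product) or unknown (build error). `RuleIndex`, `resolve_selections`, `UnknownRuleError`, the rule IDs and the comma-separated `prodtype` model are all assumptions made for this example.

```python
# Added illustration; every name here is hypothetical, not an ssg API.
from dataclasses import dataclass, field


class UnknownRuleError(ValueError):
    """A profile or control selects a rule ID that no rule defines."""


@dataclass
class RuleIndex:
    # Every rule ID found in the content tree -> products it applies to.
    # An empty set means "applies to all products" (assumed prodtype model).
    prodtypes: dict = field(default_factory=dict)

    def add(self, rule_id, prodtype=""):
        products = {p.strip() for p in prodtype.split(",") if p.strip()}
        self.prodtypes[rule_id] = products

    def applicable(self, rule_id, product):
        products = self.prodtypes[rule_id]
        return not products or product in products


def resolve_selections(index, product, selections):
    """Return (kept, skipped); raise if any ID is not defined by any rule."""
    kept, skipped, unknown = [], [], []
    for rule_id in selections:
        if rule_id not in index.prodtypes:
            unknown.append(rule_id)      # typo or removed rule: must not be silent
        elif index.applicable(rule_id, product):
            kept.append(rule_id)
        else:
            skipped.append(rule_id)      # valid ID, wrong product: safe to drop
    if unknown:
        raise UnknownRuleError(
            f"unknown rule IDs selected for {product}: {sorted(unknown)}")
    return kept, skipped


def build_sample_index():
    # Constructed sample data, not real rule IDs from the project.
    index = RuleIndex()
    index.add("example_rule_all_products")
    index.add("example_rule_rhel_only", "rhel8,fedora")
    index.add("example_rule_ubuntu_only", "ubuntu2004")
    return index
```
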