There were multiple occasions in which the labelling of the checkers was lacking some serious invariants which we all implicitly agreed upon, but never actually and thoroughly verified with tooling. Violating these invariants should have never resulted in serious issues, but quirky or unexpected behaviour could have occurred.
This patch extends the label-tool with facilities to verify, and, optionally, support automatically fixing the label set of each checker "globally" to uphold the following invariants:
There were multiple occasions in which the labelling of the checkers was lacking some serious invariants which we all implicitly agreed upon, but never actually and thoroughly verified with tooling. Violating these invariants should have never resulted in serious issues, but quirky or unexpected behaviour could have occurred.
This patch extends the
label-tool
with facilities to verify, and, optionally, support automatically fixing the label set of each checker "globally" to uphold the following invariants:profile:default
⊆
profile:sensitive
⊆
profile:extreme
guideline:sei-cert
⇔
sei-cert:<some rule's ID>
guideline:sei-cert
⇒
profile:security