implement parsing of logical expressions in platform definitions #7915
Skipping CI for Draft Pull Request.
Hello @vojtapolasek! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found: There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻 Comment last updated at 2021-11-23 15:56:21 UTC
This datastream diff is auto generated by the check.
OCIL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,6 @@
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
--a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
Is it the case that ?
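Review bot: the `+` line has lost the `-F perm=x` predicate while the surrounding OCIL text still says it verifies that *execution* of restorecon is audited; without the permission filter the described rule records any access to the binary, so the expected output and the prose are now inconsistent. Please confirm whether the platform-expression change was meant to select a different rule variant here, or whether this is an unintended side effect.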
OCIL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,6 @@
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
Is it the case that ?
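Review bot: same problem as the restorecon rule above: `-F perm=x` has disappeared from the expected seunshare rule while the check still claims to verify execution auditing. Two identical OCIL regressions in rules this PR does not otherwise touch point to a side effect of the platform change rather than an intended update.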
bash remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony || rpm --quiet -q ntp; }; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp or chrony; }; then
var_time_service_set_maxpoll=''
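Review bot: the `+` line is no longer a usable applicability test. `rpm --quiet -q ntp or chrony` asks rpm for three packages named `ntp`, `or` and `chrony`, so the condition is false on every host (no package called `or` exists) and the remediation is silently skipped exactly where it should apply. The old `{ rpm --quiet -q chrony || rpm --quiet -q ntp; }` shows the required shape: each leaf of the expression must be rendered as its own rpm test and joined with `||` / `&&`, instead of interpolating the expression string verbatim.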
bash remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q machine and (chrony or ntp); }; then
var_multiple_time_servers=''
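Review bot: `rpm --quiet -q machine and (chrony or ntp)` is a bash syntax error (an unquoted `(` following a command argument), so this remediation script fails to parse at all rather than merely skipping. `machine` is also not a package: the `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` test already on the line is the machine check, so the renderer needs to map that symbol to the container test instead of to `rpm -q`.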
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server'
--- old datastream
+++ new datastream
-['cpe:/a:machine']
+['cpe:/a:chrony', 'cpe:/a:ntp', 'cpe:/a:machine'] |
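Review bot: the platform list is now a flat enumeration of every CPE the expression mentions, which drops the operators: a consumer of this list cannot distinguish `machine and (chrony or ntp)` from "all three required", and the broken bash conditions above are what that loss of structure produces. If the list is only an inventory of referenced CPEs that is fine, but nothing should derive applicability from it; the parsed expression tree has to be the source of truth.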
Was inclusion of
No, it was a mistake. I rebased and it should be fine now.
One thing I notice is that the current implementation breaks our way in which we modify remediations based on platforms. We are supposing that platform names are usually package names, but they are not anymore. See the datastream diff. We need to fix it somehow.
@evgenyz We have a problem with Python2. Run following:

```python
import ssg.boolean_expression as be

a = be.Algebra(function_cls=be.Function, symbol_cls=be.Symbol)
e = a.parse("not_s390x_arch", simplify=True)
str(e)  # the parsed expression (the original snippet had str(a), which only prints the Algebra object)
```

With Python 3, it returns not_s390x_arch.
It could be. But the expression is weird all by itself. Nonetheless, I'll check
The problem is indeed in
I don't like the idea of subclassing. The
        self._replace_cpe_names(self.test)

    def _replace_cpe_names(self, exp):
        if isinstance(exp, CPEALFactRef):
It would be better to call something like exp.replace_cpe_name()
that would either perform the operation, or it would recurse. The current approach has the CPEALPlatform
class that knows too much - instead of telling exp
to do the right thing, we either treat it in a special way, or we recurse on its children.
@@ -175,15 +174,24 @@ class CPEALPlatformSpecification(object):
    prefix = "cpe-lang"
    ns = PREFIX_TO_NS[prefix]

    def __init__(self):
    def __init__(self, cpe_products):
This class basically parses platform definitions into expressions, and maintains a list of distinct platforms. This functionality could be relocated to a lower level - a Rule data structure could contain the parsed expression (i.e. the logical tree) already. Moreover, having a list of platforms close to the list of rules would make sense as well.
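The two review points above (platform names are no longer package names, and an expression node should perform the CPE-name replacement itself rather than being picked apart from outside) sketch the shape of a fix. What follows is an added illustration, not code from this PR or from the ComplianceAsCode project: a small stand-alone parser for the and/or/not syntax visible in the datastream diff, whose nodes render themselves into a bash applicability test one leaf at a time, so that `ntp or chrony` becomes `{ rpm --quiet -q ntp || rpm --quiet -q chrony; }` instead of being passed verbatim to `rpm -q`. The `bash_leaf` mapping (`machine` as the container check, every other name as an RPM package) and the `cpe:/a:` prefix are assumptions chosen to match the diff, not the project's real CPE handling.

```python
import re

# Narrow token alphabet: names are interpolated into a generated shell script, so no shell metacharacters.
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_.:/-]+")
_KEYWORDS = {"and", "or", "not"}


def tokenize(text):
    """Split a platform expression into tokens, rejecting any other character."""
    leftover = _TOKEN_RE.sub("", text).strip()
    if leftover:
        raise ValueError(f"unexpected characters in expression: {leftover!r}")
    return _TOKEN_RE.findall(text)


class Node:
    """Tree node of kind 'sym', 'not', 'and' or 'or'; it renders and renames itself."""
    _OPS = {"and": "&&", "or": "||"}

    def __init__(self, kind, name=None, children=()):
        self.kind, self.name, self.children = kind, name, list(children)

    def to_bash(self, leaf):
        if self.kind == "sym":
            return leaf(self.name)
        if self.kind == "not":
            return "! " + self.children[0].to_bash(leaf)
        # Brace grouping keeps nested and/or precedence correct in sh.
        inner = f" {self._OPS[self.kind]} ".join(c.to_bash(leaf) for c in self.children)
        return "{ " + inner + "; }"

    def map_symbols(self, fn):
        if self.kind == "sym":
            return Node("sym", name=fn(self.name))
        return Node(self.kind, children=[c.map_symbols(fn) for c in self.children])

    def symbols(self):
        if self.kind == "sym":
            return {self.name}
        return set().union(*(c.symbols() for c in self.children))


class Parser:
    """Recursive descent; precedence from loosest to tightest: or, and, not, atom."""
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_junction("or")
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_junction(self, kind):
        sub = (lambda: self.parse_junction("and")) if kind == "or" else self.parse_not
        terms = [sub()]
        while self.peek() == kind:
            self.take()
            terms.append(sub())
        return terms[0] if len(terms) == 1 else Node(kind, children=terms)

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return Node("not", children=[self.parse_not()])
        tok = self.take()
        if tok == "(":
            node = self.parse_junction("or")
            self.take(")")
            return node
        if tok in _KEYWORDS or tok == ")":
            raise ValueError(f"unexpected token {tok!r}")
        return Node("sym", name=tok)


def parse(text):
    return Parser(text).parse()


def bash_leaf(name):
    """Assumed for this example: 'machine' means 'not in a container', anything else is an RPM package."""
    if name == "machine":
        return "{ [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }"
    return f"rpm --quiet -q {name}"


def platform_to_bash(text):
    """Render a platform expression as a condition usable after 'if'."""
    return parse(text).to_bash(bash_leaf)


def platform_cpes(text):
    """Distinct CPE names the expression refers to, as in the platform list of the diff."""
    return sorted(parse(text).map_symbols(lambda n: "cpe:/a:" + n).symbols())
```

Because the tokenizer rejects anything outside its alphabet, a malformed platform string fails the content build with a `ValueError` instead of producing a remediation script that silently skips, or cannot be parsed by bash, on the target host.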
Thank you all for the feedback. It is really valuable. I am closing this PR in favor of #7950