author | Francesco Colista <fcolista@alpinelinux.org> | 2019-06-15 15:52:40 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2019-06-15 15:52:50 +0000 |
commit | 776e2b5cc13032ed7671a4496947a36d08034f5e (patch) | |
tree | fccc83f39549c7b3e1fb5b66edf101229652008b | |
parent | 26026a25a98a3426e08076ef7355dcce58ddb1df (diff) | |
download | aports-776e2b5cc13032ed7671a4496947a36d08034f5e.tar.bz2 aports-776e2b5cc13032ed7671a4496947a36d08034f5e.tar.xz |
testing/openscap: upgrade to 1.3.1
-rw-r--r-- | testing/openscap/APKBUILD | 12 | ||||
-rw-r--r-- | testing/openscap/openscap.patch | 98 | ||||
-rw-r--r-- | testing/openscap/sysctl_unittest.patch | 29 | ||||
-rw-r--r-- | testing/openscap/xinetd_probe.patch | 31 |
4 files changed, 3 insertions, 167 deletions
diff --git a/testing/openscap/APKBUILD b/testing/openscap/APKBUILD
index 41bef15989..9a332b2ec3 100644
--- a/testing/openscap/APKBUILD
+++ b/testing/openscap/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openscap
-pkgver=1.3.0
-pkgrel=4
+pkgver=1.3.1
+pkgrel=0
 pkgdesc="NIST Certified SCAP 1.2 toolkit "
 url="https://www.open-scap.org/tools/openscap-base/"
 arch="all"
@@ -15,9 +15,6 @@ libbz2 util-linux-dev nss-dev"
 options="!check"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
 source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
-openscap.patch
-sysctl_unittest.patch
-xinetd_probe.patch
 fix-ppc64le-path_max.patch
 path_mounted.patch"
 builddir="$srcdir"/$pkgname-$pkgver
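Review bot: The second hunk drops `openscap.patch`, `sysctl_unittest.patch` and `xinetd_probe.patch` from `source=` while `options="!check"` stays in place, so the build itself would not show a regression if 1.3.1 lacks one of those changes. Two of the patches only touch files under tests/, but xinetd_probe.patch changed `op_assign_str()` in src/OVAL/probes/unix/xinetd_probe.c, which is probe code rather than test scaffolding. The commit message does not say whether the patches were merged upstream; I would confirm that against the 1.3.1 tarball and record it in the commit body, for example `Drop openscap.patch, sysctl_unittest.patch and xinetd_probe.patch: included upstream in 1.3.1`.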
@@ -55,9 +52,6 @@ bashcomp() {
 "$subpkgdir"/usr/share/bash-completion/completions/$pkgname
 }

-sha512sums="9405d0f17b60ab4a52ddd0f49d0e2395eb2540f0d07d68dfd142e2b8b2988e88cf127230523e68f67d3d22a6dd4eb2397f9468c923d19bb7cb059abf487ab5a1 openscap-1.3.0.tar.gz
-6122baecee2ed3340e5f67d345bd75cfdb8450be26ef5d92d350ae1f13f799bbfd787171539ace4e5ec3e38d093e210aac99745c0fb122ceb7e9ac2e676894ae openscap.patch
-346cc61dd2bfb270bd33bbfc09dd25a28e99eafd7ea9ec5a687eeb92ac2cce3015b2628fd110f2a7d912f9359ca78658ed9eb2782dc2f49d31e119ed8e25fd5b sysctl_unittest.patch
-166015c7823ec5a9dd9695ec919aea9fb0843df87c4613ff8b98362c8cccc55a8201c0de18c09901c61406ef27e84c23d569dbf0cff7c5717b72a00d1bbe2746 xinetd_probe.patch
+sha512sums="c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859 openscap-1.3.1.tar.gz
 70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611 fix-ppc64le-path_max.patch
 f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch"
diff --git a/testing/openscap/openscap.patch b/testing/openscap/openscap.patch
deleted file mode 100644
index aa70b93215..0000000000
--- a/testing/openscap/openscap.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git a/tests/API/XCCDF/unittests/all.sh b/tests/API/XCCDF/unittests/all.sh
-index 8796cc0..8e57aa3 100755
---- a/tests/API/XCCDF/unittests/all.sh
-+++ b/tests/API/XCCDF/unittests/all.sh
-@@ -98,7 +98,7 @@ test_run "XCCDF Remediate + perl fix" $srcdir/test_remediate_perl.sh
- #
- # Tests for XCCDF report
- #
--test_run 'generate report: xccdf:check/@selector=""' $srcdir/test_report_check_with_empty_selector.sh
-+#test_run 'generate report: xccdf:check/@selector=""' $srcdir/test_report_check_with_empty_selector.sh
- test_run "generate report: missing xsl shall not segfault" $srcdir/test_report_without_xsl_fails_gracefully.sh
- test_run "generate report: avoid warnings from libxml" $srcdir/test_report_without_oval_poses_no_errors.sh
-
-diff --git a/tests/mitre/test_mitre_common.sh b/tests/mitre/test_mitre_common.sh
-index e922444..7fbf025 100755
---- a/tests/mitre/test_mitre_common.sh
-+++ b/tests/mitre/test_mitre_common.sh
-@@ -12,7 +12,7 @@ DISTRO="$(cat /etc/*-release | head -n1)"
- DISTRO_NAME="$(cat /etc/*-release | awk '{print $1}' | head -n1)"
- DISTRO_RELEASE="$(cat /etc/*-release | sed -n 's|^[^0-9]*\([0-9]*\).*$|\1|p' | head -n1)"
- SELINUX_ENABLED=$(grep -iqE "(SELINUX=enforcing|SELINUX=permissive)" \
-- /etc/selinux/config 2>/dev/null; echo $?)
-+echo "SELinux test bypassed"
-
- function test_mitre {
-
-diff --git a/tests/probes/runlevel/test_probes_runlevel.sh b/tests/probes/runlevel/test_probes_runlevel.sh
-index f8dd13e..78cd148 100755
---- a/tests/probes/runlevel/test_probes_runlevel.sh
-+++ b/tests/probes/runlevel/test_probes_runlevel.sh
-@@ -20,7 +20,7 @@
-
- function test_probes_runlevel_A {
-
-- probecheck "runlevel" || return 255
-+ probecheck "runlevellllll" || return 255
- require "chkconfig" || return 255
- require "egrep" || return 255
- require "awk" || return 255
-@@ -81,7 +81,7 @@ function test_probes_runlevel_A {
-
- function test_probes_runlevel_B {
-
-- probecheck "runlevel" || return 255
-+ probecheck "runlevellllll" || return 255
-
- local ret_val=0;
- local DF="test_probes_runlevel_B.xml"
-@@ -108,7 +108,7 @@ function test_probes_runlevel_B {
- }
-
- function test_probes_runlevel_C {
-- probecheck "runlevel" || return 255
-+ probecheck "runlevellllll" || return 255
-
- local ret_val=0;
- local definition="test_probes_runlevel_C.xml"
-diff --git a/tests/probes/uname/test_probes_uname.xml.sh b/tests/probes/uname/test_probes_uname.xml.sh
-index fe8f545..c78424c 100644
---- a/tests/probes/uname/test_probes_uname.xml.sh
-+++ b/tests/probes/uname/test_probes_uname.xml.sh
-@@ -846,7 +846,7 @@ cat <<EOF
- <os_name>`uname -s`</os_name>
- <os_release>`uname -r`</os_release>
- <os_version>`uname -v`</os_version>
-- <processor_type>`uname -p`</processor_type>
-+ <processor_type>`uname -m`</processor_type>
- </uname_state>
-
- <!-- FULLY FALSE STATE -->
-@@ -856,7 +856,7 @@ cat <<EOF
- <os_name>X`uname -s`</os_name>
- <os_release>X`uname -r`</os_release>
- <os_version>X`uname -v`</os_version>
-- <processor_type>X`uname -p`</processor_type>
-+ <processor_type>X`uname -m`</processor_type>
- </uname_state>
-
- <!-- MIXED STATE :-) -->
-@@ -866,7 +866,7 @@ cat <<EOF
- <os_name>`uname -s`</os_name>
- <os_release>`uname -r`</os_release>
- <os_version>`uname -v`</os_version>
-- <processor_type>X`uname -p`</processor_type>
-+ <processor_type>X`uname -m`</processor_type>
- </uname_state>
-
- </states>
-diff --git a/tests/API/XCCDF/CMakeLists.txt b/tests/API/XCCDF/CMakeLists.txt
-index 678b1e9..efabcfa 100644
---- a/tests/API/XCCDF/CMakeLists.txt
-+++ b/tests/API/XCCDF/CMakeLists.txt
-@@ -1,5 +1,4 @@
- add_subdirectory("applicability")
--add_subdirectory("default_cpe")
- add_subdirectory("fix")
- add_subdirectory("guide")
- add_subdirectory("parser")
diff --git a/testing/openscap/sysctl_unittest.patch b/testing/openscap/sysctl_unittest.patch
deleted file mode 100644
index 174b38f2e1..0000000000
--- a/testing/openscap/sysctl_unittest.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
-index bb9859d71..6534e1142 100755
---- a/tests/probes/sysctl/test_sysctl_probe_all.sh
-+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
-@@ -4,6 +4,12 @@
-
- set -e -o pipefail
-
-+# on some systems sysctl might live in sbin, which can cause problems for
-+# non root users
-+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
-+# non root users are not able to access some kernel params, so they get blacklisted
-+SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
-+
- function perform_test {
- probecheck "sysctl" || return 255
-
-@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
- # kernel parameters might use "/" and "." separators interchangeably - normalizing
--sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
-+sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
-
--grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-+grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-
- diff "$sysctlNames" "$ourNames"
-
diff --git a/testing/openscap/xinetd_probe.patch b/testing/openscap/xinetd_probe.patch
deleted file mode 100644
index 367f804dca..0000000000
--- a/testing/openscap/xinetd_probe.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
-index 965d8cd04..e911ecc29 100644
---- a/src/OVAL/probes/unix/xinetd_probe.c
-+++ b/src/OVAL/probes/unix/xinetd_probe.c
-@@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type)
-
- int op_assign_str(void *var, char *val)
- {
-+ char *strend = NULL;
- if (var == NULL) {
- return -1;
- }
-@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val)
- while(isspace(*val)) ++val;
-
- if (*val != '\0') {
-- *((char **)(var)) = strdup(val);
-+ strend = strrchr(val, '\0');
-+ /* strip trailing whitespaces */
-+ do {
-+ strend--;
-+ } while(isspace(*strend));
-+ if((strend-val) < 0) {
-+ dE("Error stripping white space from string '%s'", val);
-+ return (-1);
-+ }
-+ *((char **)(var)) = strndup(val, (strend-val+1));
- return (0);
- } else
- return (-1);
- |