* [meta-security][PATCH 0/6] Assorted updates
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

This patch series rolls up contributed patches from the past few weeks,
including a couple I missed with last week's push.  They are queued on
the master-next branch if you would like to check them out to test
yourself.  I intend to merge these to master branch at end of day Monday
unless there are objections.

For folks looking for scarthgap updates, I've been a bit delayed, but
am still working up a patch series and hopefully will have it out by Monday.

Scott


Louis Rannou (2):
  openscap: fixes
  oeqa: openscap test

Yi Zhao (4):
  openscap: upgrade 1.4.1 -> 1.4.2
  scap-security-guide: upgrade 0.1.77 -> 0.1.78
  libgssglue: update HOMEPAGE
  libgssglue: add UPSTREAM_CHECK_GITTAGREGEX

 lib/oeqa/runtime/cases/openscap.py            | 48 +++++++++++++++++++
 .../{openscap_1.4.1.bb => openscap_1.4.2.bb}  |  8 ++--
 ....1.77.bb => scap-security-guide_0.1.78.bb} |  2 +-
 recipes-core/images/security-test-image.bb    |  2 +-
 recipes-security/libgssglue/libgssglue_0.9.bb |  4 +-
 5 files changed, 58 insertions(+), 6 deletions(-)
 create mode 100644 lib/oeqa/runtime/cases/openscap.py
 rename recipes-compliance/openscap/{openscap_1.4.1.bb => openscap_1.4.2.bb} (94%)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.77.bb => scap-security-guide_0.1.78.bb} (96%)

-- 
2.51.0




* [meta-security][PATCH 1/6] openscap: upgrade 1.4.1 -> 1.4.2
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Yi Zhao <yi.zhao@windriver.com>

ChangeLog:
https://github.com/OpenSCAP/openscap/releases/tag/1.4.2

Disable building on musl as scap-security-guide already does.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../openscap/{openscap_1.4.1.bb => openscap_1.4.2.bb}         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 rename recipes-compliance/openscap/{openscap_1.4.1.bb => openscap_1.4.2.bb} (97%)

diff --git a/recipes-compliance/openscap/openscap_1.4.1.bb b/recipes-compliance/openscap/openscap_1.4.2.bb
similarity index 97%
rename from recipes-compliance/openscap/openscap_1.4.1.bb
rename to recipes-compliance/openscap/openscap_1.4.2.bb
index 3e5f00a..f1eb647 100644
--- a/recipes-compliance/openscap/openscap_1.4.1.bb
+++ b/recipes-compliance/openscap/openscap_1.4.2.bb
@@ -13,7 +13,9 @@ SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \
            file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \
           "
 
-SRCREV = "23a8ea3de3c4fd6017db4067675a81287177166e"
+SRCREV = "e9b2a41f5796f5ead3d1e2d9df1fb06818a569ac"
+
+COMPATIBLE_HOST:libc-musl = "null"
 
 inherit cmake pkgconfig python3native python3targetconfig perlnative systemd
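Review bot: The SRC_URI in the hunk header still pins `branch=main` while the new SRCREV is justified only by the link to the 1.4.2 release tag; the bitbake git fetcher refuses a SRCREV that is not reachable from the named branch, so please confirm that e9b2a41f5796f5ead3d1e2d9df1fb06818a569ac is the tag's commit on main before this is merged. The added `COMPATIBLE_HOST:libc-musl = "null"` is a functional change bundled into a version bump, and the commit message only says it mirrors scap-security-guide; a one-line reason (what breaks on musl) in the message or a comment next to the assignment would help whoever later tries to re-enable it.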
 
-- 
2.51.0




* [meta-security][PATCH 2/6] scap-security-guide: upgrade 0.1.77 -> 0.1.78
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Yi Zhao <yi.zhao@windriver.com>

ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.78

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 ...p-security-guide_0.1.77.bb => scap-security-guide_0.1.78.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.77.bb => scap-security-guide_0.1.78.bb} (96%)

diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
similarity index 96%
rename from recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
rename to recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
index cdd22a5..8489218 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.78.bb
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
-SRCREV = "c1e1ba121d32b3c319b0e25ee2993b62386e5857"
+SRCREV = "f7d794851971087db77d4be8eeb716944a1aae21"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \
            file://run_eval.sh \
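Review bot: With `nobranch=1` in SRC_URI the fetcher performs no branch-reachability check, so nothing in the recipe ties f7d794851971087db77d4be8eeb716944a1aae21 to the v0.1.78 tag named in the ChangeLog link; please confirm the hash is that tag's commit. Separately, the `HOME_URL` line in the hunk header is not a variable the OpenEmbedded metadata recognises (the standard one is `HOMEPAGE`), so the recipe currently publishes no homepage; worth a follow-up rename.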
            "
-- 
2.51.0




* [meta-security][PATCH 3/6] libgssglue: update HOMEPAGE
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Yi Zhao <yi.zhao@windriver.com>

The original homepage is outdated.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/libgssglue/libgssglue_0.9.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/libgssglue/libgssglue_0.9.bb b/recipes-security/libgssglue/libgssglue_0.9.bb
index 532227a..3bc37cd 100644
--- a/recipes-security/libgssglue/libgssglue_0.9.bb
+++ b/recipes-security/libgssglue/libgssglue_0.9.bb
@@ -5,7 +5,7 @@ mechanisms itself; instead it calls gssapi routines in other libraries, \
 depending on the mechanism. \
 "
 
-HOMEPAGE = "http://www.citi.umich.edu/projects/nfsv4/linux/"
+HOMEPAGE = "https://gitlab.com/gsasl/libgssglue"
 SECTION = "libs"
 
 LICENSE = "BSD-3-Clause | HPND"
-- 
2.51.0




* [meta-security][PATCH 4/6] openscap: fixes
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Louis Rannou <louis.rannou@non.se.com>

Fixes:
  - typo in the RDEPENDS class-target override ('-' instead of ':')
  - typo SUMARRY -> SUMMARY

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-compliance/openscap/openscap_1.4.2.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-compliance/openscap/openscap_1.4.2.bb b/recipes-compliance/openscap/openscap_1.4.2.bb
index f1eb647..da1dbbb 100644
--- a/recipes-compliance/openscap/openscap_1.4.2.bb
+++ b/recipes-compliance/openscap/openscap_1.4.2.bb
@@ -1,7 +1,7 @@
 # Copyright (C) 2017  - 2023 Armin Kuster  <akuster808@gmail.com>
 # Released under the MIT license (see COPYING.MIT for the terms)
 
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+SUMMARY = "NIST Certified SCAP 1.2 toolkit"
 HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 LICENSE = "LGPL-2.1-only"
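Review bot: The SUMARRY -> SUMMARY fix is correct, and the same kind of mistake is still visible on the `HOME_URL = "https://www.open-scap.org/tools/openscap-base/"` context line: OpenEmbedded reads `HOMEPAGE`, not `HOME_URL`, so as written the recipe has no homepage at all. Suggest renaming it to `HOMEPAGE = "https://www.open-scap.org/tools/openscap-base/"` in this same "fixes" commit, since that is exactly its scope.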
@@ -66,5 +66,5 @@ FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}"
 
 
 RDEPENDS:${PN} = "libxml2 python3-core libgcc bash"
-RDEPENDS:${PN}-class-target = "libxml2 python3-core libgcc bash os-release"
+RDEPENDS:${PN}:class-target = "libxml2 python3-core libgcc bash os-release"
 BBCLASSEXTEND = "native"
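Review bot: Correcting the override separator changes behaviour, not just spelling: `RDEPENDS:${PN}-class-target` set RDEPENDS for a package named `${PN}-class-target` that does not exist and therefore had no effect, so target builds were missing the os-release runtime dependency until now; the commit message should say so rather than calling it a typo. Since the corrected line repeats the entire base list and fully replaces `RDEPENDS:${PN}` for class-target, consider `RDEPENDS:${PN}:append:class-target = " os-release"` instead so the two lists cannot drift apart.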
-- 
2.51.0




* [meta-security][PATCH 5/6] oeqa: openscap test
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Louis Rannou <louis.rannou@non.se.com>

Add basic openscap test. This looks for an existing profile and runs a basic scan.

Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered a successful test.

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 lib/oeqa/runtime/cases/openscap.py         | 48 ++++++++++++++++++++++
 recipes-core/images/security-test-image.bb |  2 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 lib/oeqa/runtime/cases/openscap.py

diff --git a/lib/oeqa/runtime/cases/openscap.py b/lib/oeqa/runtime/cases/openscap.py
new file mode 100644
index 0000000..7012b6b
--- /dev/null
+++ b/lib/oeqa/runtime/cases/openscap.py
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class OpenscapTest(OERuntimeTestCase):
+
+    @OEHasPackage(["openscap"])
+    @OETestDepends(["ssh.SSHTest.test_ssh"])
+    def test_openscap_basic(self):
+        status, output = self.target.run("oscap -V")
+        msg = (
+            "`oscap -V` command does not work as expected. "
+            "Status and output:%s and %s" % (status, output)
+        )
+        self.assertEqual(status, 0, msg=msg)
+
+    @OEHasPackage(["openscap"])
+    @OEHasPackage(["scap-security-guide"])
+    @OETestDepends(["ssh.SSHTest.test_ssh"])
+    def test_openscap_scan(self):
+        SCAP_SOURCE = "/usr/share/xml/scap/ssg/content/ssg-openembedded-xccdf.xml"
+        CPE_DICT = "/usr/share/xml/scap/ssg/content/ssg-openembedded-cpe-dictionary.xml"
+
+        cmd = "oscap info --profiles %s" % SCAP_SOURCE
+        status, output = self.target.run(cmd)
+        msg = (
+            "oscap info` command does not work as expected.\n"
+            "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
+        )
+        self.assertEqual(status, 0, msg=msg)
+
+        for p in output.split("\n"):
+            profile = p.split(":")[0]
+            cmd = "oscap xccdf eval --cpe %s --profile %s %s" % (
+                CPE_DICT,
+                profile,
+                SCAP_SOURCE,
+            )
+            status, output = self.target.run(cmd)
+            msg = (
+                "`oscap xccdf eval` does not work as expected.\n"
+                "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
+            )
+            self.assertNotEqual(status, 1, msg=msg)
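Review bot: `self.assertNotEqual(status, 1, msg=msg)` at the end of test_openscap_scan lets any exit status other than 1 pass, including 127 for a missing binary or 255 from a failed ssh session; since the commit message defines the accepted outcomes as 0 and 2, `self.assertIn(status, (0, 2), msg=msg)` states that directly. The loop `for p in output.split("\n")` should also skip blank lines (a trailing newline yields `profile == ""` and an `--profile` with no value), and the test passes vacuously when `oscap info --profiles` lists no profiles, so asserting that at least one profile was found would make a missing or empty content file visible instead of silently green. Minor: the message on the `"oscap info` command does not work as expected.\n"` line is missing its opening backtick, and the empty `#` comment line after the SPDX header can go.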
diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
index 81f69dd..e7e354e 100644
--- a/recipes-core/images/security-test-image.bb
+++ b/recipes-core/images/security-test-image.bb
@@ -12,7 +12,7 @@ IMAGE_INSTALL:append = "\
     ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
 "
 
-TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES = "ssh ping apparmor clamav openscap samhain sssd checksec smack suricata aide firejail"
 TEST_SUITES:append = " parsec tpm2 swtpm ima"
 
 INSTALL_CLAMAV_CVD = "1"
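Review bot: Adding `openscap` to TEST_SUITES only produces a result if `openscap` and `scap-security-guide` are actually installed in the image; both test methods in the new file are gated with @OEHasPackage and are skipped otherwise, and this hunk does not show either package being added to the IMAGE_INSTALL block above. Please confirm the image already pulls both in (or add them here), otherwise the new suite reports skips rather than a pass or fail.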
-- 
2.51.0




* [meta-security][PATCH 6/6] libgssglue: add UPSTREAM_CHECK_GITTAGREGEX
From: Scott Murray @ 2025-11-21 14:21 UTC (permalink / raw)
  To: yocto-patches

From: Yi Zhao <yi.zhao@eng.windriver.com>

Add UPSTREAM_CHECK_GITTAGREGEX to check the correct latest stable
version.

Before the patch:
$ devtool latest-version libgssglue
INFO: Current version: 0.9
INFO: Latest version: 011
INFO: Latest version's commit: af30789052a8cc5f86b5b0c8fd4758c7ba1505ff

After the patch:
$ devtool latest-version libgssglue
INFO: Current version: 0.9
INFO: Latest version: 0.9
INFO: Latest version's commit: ada76bdaec665f70505f0b3aefe871b873e7c4b6

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/libgssglue/libgssglue_0.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/libgssglue/libgssglue_0.9.bb b/recipes-security/libgssglue/libgssglue_0.9.bb
index 3bc37cd..0952ed1 100644
--- a/recipes-security/libgssglue/libgssglue_0.9.bb
+++ b/recipes-security/libgssglue/libgssglue_0.9.bb
@@ -26,6 +26,8 @@ SRC_URI = "git://gitlab.com/gsasl/libgssglue.git;protocol=https;branch=master \
           "
 SRCREV = "ada76bdaec665f70505f0b3aefe871b873e7c4b6"
 
+UPSTREAM_CHECK_GITTAGREGEX = "libgssglue-(?P<pver>\d+(\.\d+)+)"
+
 inherit autotools-brokensep ptest
 
 do_configure:prepend() {
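Review bot: A comment above `UPSTREAM_CHECK_GITTAGREGEX` stating the upstream tag naming it relies on (`libgssglue-X.Y`, which is what the `pver` group captures) would help whoever bumps this recipe next, because the before/after `devtool latest-version` output that justifies the regex lives only in the commit message and is not discoverable from the recipe itself.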
-- 
2.51.0



