From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: "Alexis Lothoré" <alexis.lothore@bootlin.com>
Cc: tim.hammer@nav-timing.safrangroup.com,
nicolas.carrier@nav-timing.safrangroup.com,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package
Date: Wed, 30 Jul 2025 19:02:31 +0200
Message-ID: <20250730190231.51e0715e@windsurf>
In-Reply-To: <20250730-openscap-v1-3-46e4a32e26da@bootlin.com>
Hello Alexis,
On Wed, 30 Jul 2025 14:47:15 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:
> Introduce the openscap package. openscap is a command line tool allowing
> to scan a system configuration to perform security compliance checks.
> The tool consumes XCCDF and OVAL files to perform system evaluation
> against a list of policies.
Perhaps you could mention here why a host variant of this package is
needed/useful.
Commit title should be:
package/openscap: new package
> package/Config.in | 1 +
> package/openscap/Config.in | 18 +++++++++++++++
> package/openscap/openscap.hash | 6 +++++
> package/openscap/openscap.mk | 52 ++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 77 insertions(+)
Entry in the DEVELOPERS file is needed.
> diff --git a/package/openscap/Config.in b/package/openscap/Config.in
> new file mode 100644
> index 0000000000000000000000000000000000000000..66f087d896030bb96ef6ed8676a9ef645215b8c6
> --- /dev/null
> +++ b/package/openscap/Config.in
> @@ -0,0 +1,18 @@
> +config BR2_PACKAGE_OPENSCAP
> + bool "openscap"
> + depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # libgpg
This dependency actually comes from the fact that you select libgcrypt,
so the comment should be # libgcrypt
> + depends on !BR2_STATIC_LIBS # dlfcn.h
> + select BR2_PACKAGE_LIBXMLSEC1
> + select BR2_PACKAGE_HOST_PYTHON3
You don't need to select this option, we don't force selecting options
for host packages.
> + select BR2_PACKAGE_OPENSSL
> + select BR2_PACKAGE_LIBCURL
Alphabetic ordering is always nice to have :-)
> + select BR2_PACKAGE_LIBGCRYPT
> + select BR2_PACKAGE_LIBXML2
> + select BR2_PACKAGE_PCRE
> + select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
> + help
> + The purpose of this project is to create security policy
> + content for various platforms
> +
> + https://www.open-scap.org/
> + https://github.com/OpenSCAP/openscap
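Review bot: openscap.mk lists libxslt in OPENSCAP_DEPENDENCIES, but this Config.in has no `select BR2_PACKAGE_LIBXSLT`; unless libxmlsec1 (added in patch 1/4) is guaranteed to select it, add the select here so the build dependency declared in the .mk is always satisfied. The help text also describes a project whose purpose is to create security policy content, whereas the commit message describes openscap as a scanner that consumes XCCDF and OVAL content to evaluate a system; rewording the help along the lines of the commit message would tell users what this package actually installs.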
You need a Config.in comment:
comment "openscap needs a toolchain w/ dynamic library"
	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
	depends on BR2_STATIC_LIBS
> diff --git a/package/openscap/openscap.hash b/package/openscap/openscap.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..608142d66fca217f5d60481a69d3a37856226834
> --- /dev/null
> +++ b/package/openscap/openscap.hash
> @@ -0,0 +1,6 @@
> +# Locally calculated
> +sha256 6e61913fca3a74d310d7cf9354973eeaefa42be909ae649af1df48c3c08bc6ff openscap-1.3.12.tar.gz
> +# Locally calculated
> +sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a COPYING
> +# Locally calculated
> +sha256 6610483ec62e1cae3ef36a7433ed30c23345f2703ddcfe19c930b9cc674a65bb lgpl-2.1.rtf
No need to repeat "Locally calculated" 3 times.
> diff --git a/package/openscap/openscap.mk b/package/openscap/openscap.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..f440de6e908ac5816284a810ad935d0d496db863
> --- /dev/null
> +++ b/package/openscap/openscap.mk
> @@ -0,0 +1,52 @@
> +################################################################################
> +#
> +# openscap
> +#
> +################################################################################
> +
> +OPENSCAP_VERSION = 1.3.12
> +OPENSCAP_SITE = https://github.com/OpenSCAP/openscap/releases/download/$(OPENSCAP_VERSION)
> +OPENSCAP_LICENSE = LGPL-2.1
I think the license is LGPL-2.1+, as the few source files I looked at
contain the "or later" statement.
> +OPENSCAP_LICENSE_FILES = lgpl-2.1.rtf COPYING
Is the .rtf file useful, as COPYING already contains the full text of
LGPL-2.1 ?
> +OPENSCAP_SUPPORTS_IN_SOURCE_BUILD = NO
> +OPENSCAP_DEPENDENCIES = openssl libcurl libxslt libxml2 libxmlsec1 pcre libgcrypt host-pkgconf
> +OPENSCAP_INSTALL_STAGING = YES
> +HOST_OPENSCAP_DEPENDENCIES = host-openssl host-python3 host-libcurl host-libxslt host-libxml2 host-libxmlsec1 host-pcre host-libgcrypt host-pkgconf
Line a bit long, you can split it:
HOST_OPENSCAP_DEPENDENCIES = \
	host-openssl \
	host-python3 \
	...
> +
> +OPENSCAP_CONF_OPTS += \
Use = instead of +=.
> + -DENABLE_OSCAP_UTIL=ON \
> + -DENABLE_OSCAP_UTIL_DOCKER=OFF \
> + -DENABLE_OSCAP_UTIL_CHROOT=OFF \
> + -DENABLE_OSCAP_UTIL_PODMAN=OFF \
> + -DENABLE_OSCAP_UTIL_VM=OFF \
> + -DENABLE_PROBES_WINDOWS=OFF \
> + -DENABLE_TESTS=OFF \
> + -DWITH_CRYPTO=gcrypt \
> + -DENABLE_PYTHON3=ON
Only one tab for the indentation.
Questions:
- You're using WITH_CRYPTO=gcrypt, but you also select
BR2_PACKAGE_OPENSSL. You need both?
- You're setting ENABLE_PYTHON3=ON, but your target package does not
depend on host-python3 nor python3 in terms of build dependency.
Could you clarify what this ENABLE_PYTHON3 option does?
> +
> +HOST_OPENSCAP_CONF_OPTS = \
> + -DENABLE_OSCAP_UTIL=ON \
> + -DENABLE_OSCAP_UTIL_DOCKER=OFF \
> + -DENABLE_OSCAP_UTIL_CHROOT=OFF \
> + -DENABLE_OSCAP_UTIL_PODMAN=OFF \
> + -DENABLE_OSCAP_UTIL_VM=OFF \
> + -DENABLE_PROBES_WINDOWS=OFF \
> + -DENABLE_TESTS=OFF \
> + -DWITH_CRYPTO=gcrypt \
> + -DENABLE_PYTHON3=ON
> +
> +ifeq ($(BR2_PACKAGE_ACL),y)
> +OPENSCAP_DEPENDENCIES += acl
> +endif
No explicit option to enable/disable ACL support?
> +
> +ifeq ($(BR2_PACKAGE_LIBCAP),y)
> +OPENSCAP_DEPENDENCIES += libcap
> +endif
Same question.
> +
> +ifneq ($(BR2_TOOLCHAIN_USES_GLIBC),y)
> +OPENSCAP_DEPENDENCIES += musl-fts
> +OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS=-lfts
> +endif
> +
> +$(eval $(cmake-package))
> +$(eval $(host-cmake-package))
>
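Review bot: OPENSCAP_CONF_OPTS and HOST_OPENSCAP_CONF_OPTS carry the same nine -D options as two verbatim copies, which will drift the first time one of them is edited; define the common list once in a shared variable and let the target and host variants add only what differs between them. In the non-glibc block, passing -DCMAKE_EXE_LINKER_FLAGS=-lfts on the configure command line defines that cache variable before Buildroot's toolchain file does, so it is worth checking in the build log that the target LDFLAGS Buildroot normally injects still appear on the link line of the oscap binary, and otherwise appending -lfts to the flags Buildroot already passes rather than replacing them.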
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot