From: "Alexis Lothoré via buildroot" <buildroot@buildroot.org>
To: "Thomas Petazzoni" <thomas.petazzoni@bootlin.com>
Cc: <tim.hammer@nav-timing.safrangroup.com>,
<nicolas.carrier@nav-timing.safrangroup.com>,
<buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package
Date: Wed, 30 Jul 2025 20:09:11 +0200
Message-ID: <DBPLAFAMQCJW.9Q3OD0DZX1BS@bootlin.com>
In-Reply-To: <20250730191834.6bc7f097@windsurf>
On Wed Jul 30, 2025 at 7:18 PM CEST, Thomas Petazzoni via buildroot wrote:
> Hello Alexis,
>
> Thanks for this patch (again!). Some comments below.
>
> On Wed, 30 Jul 2025 14:47:16 +0200
> Alexis Lothoré <alexis.lothore@bootlin.com> wrote:
>
>> Introduce the Compliance As Code package. This project provides data
>> files consumed by the openscap tool to evaluate a host compliance in
>> regard with security policies. The package depends on both host-openscap
>> (needed at build time to process the input files into usable files) and
>> openscap (needed on the target, will use the generated files to evaluate
>> the system configuration)
>>
>> The project is based on cmake, but it also exposes a wrapper script
>> (build_product). The package uses the cmake build system, but exposes a
>> few Kconfig options to replicate some of the build_product options:
>> - BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
>> option, building only the datastream files instead of all the files
>> - BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
>> product(s) for which we want to generate policies files.
>>
>> The default install target provided by the project expects a full build,
>> and so it will try to generate all the files for all the products when
>> executed (which cancels the benefit of being able to select only a
>> single or a few products), so the package defines a custom install
>> command.
>
> Very nice commit message. Perhaps too nice as it makes me think: what
> about a support/testing/ test case for this package?
Thanks for the pointer, I was not aware of those integrated tests. I'll
take a look at it and add some (without knowing yet the full scope of this
framework, I guess it would be nice to get at least a matrix of tests on
the different Kconfig options added for this package)
[...]
>> +COMPLIANCE_AS_CODE_DEPENDENCIES = \
>> + host-python3 \
>> + host-openscap \
>> + openscap \
>> + host-python-jinja2 \
>> + host-python-pyyaml \
>> + host-libxslt \
>> + host-libxml2
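Review bot: host-python3 and host-libxml2 in this list look redundant rather than wrong: host-python-jinja2 and host-python-pyyaml are built with the host Python package infrastructure, which already pulls in host-python3, and host-libxslt already depends on host-libxml2, so the minimal set found in the container build is still honoured if those two entries are dropped. If they are kept on purpose (e.g. because the CMake scripts invoke the interpreter and xmllint directly), a short comment above the variable saying so would spare the next reviewer the same question; either way, sorting the entries alphabetically would match the rest of the tree.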
>
> I assume you verified all those host dependencies are actually needed?
Yes. For all the packages added in this series, I started by performing a
native build in a minimal container, to distinguish the mandatory
dependencies from the optional ones. So this list really reflects the
minimal set of needed deps.
>> +
>> +COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
>> +COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
>> +COMPLIANCE_AS_CODE_MAKE_OPTS = \
>> + $(foreach p,\
>> + $(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
>> + $(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))
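Review bot: the only input to COMPLIANCE_AS_CODE_MAKE_OPTS is the product loop, so with BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS empty the variable is empty in both modes and BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY has no effect; the mode needs to be emitted independently of the $(foreach ...). Two smaller points on the same lines: both branches of the $(if ...) carry a leading space (" generate-ssg-$(p)-ds.xml" and " $(p)"), harmless on a make command line but untidy, and since each product name is turned straight into a make target, a typo in the string option only surfaces at build time as a "No rule to make target" error, so the Config.in help for _PRODUCTS should say where the accepted names come from.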
>
> How does that work when
> BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y and
> BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS is empty? This will lead to
> COMPLIANCE_AS_CODE_MAKE_OPTS being empty, so I don't see how the build
> can differentiate BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y vs.
> BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY disabled.
Ah, good catch! I accidentally got rid of a block here when reworking this
part. That should rather be:
ifeq ($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)
COMPLIANCE_AS_CODE_MAKE_OPTS = -d
endif
COMPLIANCE_AS_CODE_MAKE_OPTS += \
	$(foreach p,\
		$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
		$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),generate-ssg-$(p)-ds.xml,$(p)))
(and so, += instead of = when evaluating the products string)
Alexis
--
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
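The two threads of this reply (how the Kconfig options turn into make targets, and what a support/testing matrix over those options would look like) can be modelled in a few lines. The block below is an added example, not code from the patch, from Buildroot or from ComplianceAsCode: it mirrors the corrected COMPLIANCE_AS_CODE_MAKE_OPTS logic, including the empty-products case raised in the review, and generates the Kconfig fragment plus the files a runtime test would expect for each cell of the matrix. The option symbols come from the patch; BR2_PACKAGE_OPENSCAP and BR2_PACKAGE_COMPLIANCE_AS_CODE are assumed from Buildroot naming conventions, the installed file name ssg-<product>-ds.xml is inferred from the generate-ssg-<product>-ds.xml target name, and the product names are constructed for illustration.

```python
from itertools import product as cartesian

# Constructed sample product sets, including the empty string that
# triggers the ambiguity discussed in the review.
SAMPLE_PRODUCT_SETS = ("rhel9", "rhel9 ubuntu2404", "")


def datastream_target(product: str) -> str:
    # Pattern quoted from the patch: generate-ssg-<product>-ds.xml
    return f"generate-ssg-{product}-ds.xml"


def datastream_file(product: str) -> str:
    # Assumed install name, derived from the target name above.
    return f"ssg-{product}-ds.xml"


def product_targets(products: str, datastream_only: bool) -> list[str]:
    """Mirror of the $(foreach ...) part of COMPLIANCE_AS_CODE_MAKE_OPTS.

    products is the raw BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS value
    (whitespace separated, quotes already removed as qstrip does).
    """
    names = products.split()
    if datastream_only:
        return [datastream_target(p) for p in names]
    return names


def make_opts(products: str, datastream_only: bool) -> list[str]:
    """Mirror of the corrected variable from the reply: the mode flag is
    emitted by its own ifeq block, then the per-product targets are
    appended. With no products the loop contributes nothing, so without
    the separate flag both modes would produce an identical (empty) list."""
    opts = ["-d"] if datastream_only else []  # flag as written in the reply
    return opts + product_targets(products, datastream_only)


def kconfig_fragment(products: str, datastream_only: bool) -> str:
    """Kconfig lines for one cell of a support/testing matrix."""
    lines = [
        "BR2_PACKAGE_OPENSCAP=y",                 # assumed symbol name
        "BR2_PACKAGE_COMPLIANCE_AS_CODE=y",       # assumed symbol name
        f'BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS="{products}"',
    ]
    if datastream_only:
        lines.append("BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y")
    else:
        lines.append("# BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY is not set")
    return "\n".join(lines) + "\n"


def test_matrix(product_sets=SAMPLE_PRODUCT_SETS):
    """One (fragment, expected datastream files) pair per combination of
    product set and build mode. The datastreams must exist in both modes;
    the full build installs further files that are not modelled here."""
    cells = []
    for products, ds_only in cartesian(product_sets, (False, True)):
        expected = [datastream_file(p) for p in products.split()]
        cells.append((kconfig_fragment(products, ds_only), expected))
    return cells


if __name__ == "__main__":
    for fragment, expected in test_matrix():
        print(fragment + "# expect on target: " + (" ".join(expected) or "(nothing)") + "\n")
```

Each fragment is the `config` string a BRTest subclass would carry, and the expected file list is what its runtime check would look for after booting; the empty product set is kept in the matrix deliberately, since that is the cell where the original variable could not tell the two modes apart.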
Thread overview: 16+ messages
2025-07-30 12:47 [Buildroot] [PATCH 0/4] package/compliance-as-code: introduce new package Alexis Lothoré via buildroot
2025-07-30 12:47 ` [Buildroot] [PATCH 1/4] package/libxmlsec1: Add libxmlsec1 used by openSCAP Alexis Lothoré via buildroot
2025-07-30 16:53 ` Thomas Petazzoni via buildroot
2025-07-30 17:18 ` Alexis Lothoré via buildroot
2025-07-30 12:47 ` [Buildroot] [PATCH 2/4] package/libcurl: Reapply "libcurl: add host variant" Alexis Lothoré via buildroot
2025-07-30 16:55 ` Thomas Petazzoni via buildroot
2025-07-30 12:47 ` [Buildroot] [PATCH 3/4] package/openscap: add openscap package Alexis Lothoré via buildroot
2025-07-30 17:02 ` Thomas Petazzoni via buildroot
2025-07-31 12:34 ` Alexis Lothoré via buildroot
2025-07-31 12:48 ` Thomas Petazzoni via buildroot
2025-07-31 13:14 ` Alexis Lothoré via buildroot
2025-07-31 14:39 ` Thomas Petazzoni via buildroot
2025-07-30 12:47 ` [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package Alexis Lothoré via buildroot
2025-07-30 17:18 ` Thomas Petazzoni via buildroot
2025-07-30 18:09 ` Alexis Lothoré via buildroot [this message]
2025-07-30 19:29 ` Thomas Petazzoni via buildroot