[Buildroot] [PATCH 0/4] package/compliance-as-code: introduce new package

[Buildroot] [PATCH 0/4] package/compliance-as-code: introduce new package

[Alexis Lothoré via buildroot]

Hello,
this series brings in new packages in order to enable building
Compliance As Code policies [1] (CaC) on a target. This project aims to
provide security policy content on systems: this content brings data
files describing checks standards and automations for system
configuration.  Those files come in various formats (XCCDF, OVAL, SCAP).
This project is tightly coupled to the OpenSCAP tool [2]:
- to build the data files to embed on the target system
- and to perform analysis on the system, by consuming the data files

CaC then depends on both openscap and host-openscap.
The series brings in the following commits:
- commit 1 brings libxmsec1, one of openscap dependencies
- commit 2 brings back host-libcurl (which has been supported and later
  removed from BR, as there was no user anymore), since host-openscap
  needs host-libcurl
- commit 3 brings openscap package
- commit 4 brings CaC package

The new CaC package brings a minimal feature set for now: it only brings
the security policy data files (ie: XML files) on the target. It can be
extended later as needed to bring in for example generated bash script,
ansible playbooks, etc.

Testing output:
$ ./utils/test-pkg -c cac.config -p compliance-as-code
   bootlin-armv5-uclibc [1/6]: OK
   bootlin-armv7-glibc [2/6]: OK
   bootlin-armv7m-uclibc [3/6]: SKIPPED
   bootlin-x86-64-musl [4/6]: OK
   br-arm-full-static [5/6]: SKIPPED
   arm-aarch64 [6/6]: OK

[1] https://github.com/ComplianceAsCode/content
[2] https://github.com/OpenSCAP/openscap

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Alexis Lothoré (4):
      package/libxmlsec1: Add libxmlsec1 used by openSCAP
      package/libcurl: Reapply "libcurl: add host variant"
      package/openscap: add openscap package
      package/compliance-as-code: add new package

 package/Config.in                                  |  3 ++
 package/compliance-as-code/Config.in               | 35 +++++++++++++++
 package/compliance-as-code/compliance-as-code.hash |  5 +++
 package/compliance-as-code/compliance-as-code.mk   | 34 ++++++++++++++
 package/libcurl/libcurl.mk                         | 13 ++++++
 package/libxmlsec1/Config.in                       | 13 ++++++
 package/libxmlsec1/libxmlsec1.hash                 |  4 ++
 package/libxmlsec1/libxmlsec1.mk                   | 28 ++++++++++++
 package/openscap/Config.in                         | 18 ++++++++
 package/openscap/openscap.hash                     |  6 +++
 package/openscap/openscap.mk                       | 52 ++++++++++++++++++++++
 11 files changed, 211 insertions(+)
---
base-commit: 0461043a51322ebcf7cdd90b0d2f9b59df17bb9c
change-id: 20250724-openscap-7166fbe1571e

Best regards,
-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 1/4] package/libxmlsec1: Add libxmlsec1 used by openSCAP

[Alexis Lothoré via buildroot]

Introduce the libxmlsec1 library package. libxmlsec implements XML
security standards.

The library has only a few mandatory dependencies(libxml2 and libxslt
and a crypto library).  It needs one of the following cryptographic
libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
keep the package simple.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
 package/Config.in                  |  1 +
 package/libxmlsec1/Config.in       | 13 +++++++++++++
 package/libxmlsec1/libxmlsec1.hash |  4 ++++
 package/libxmlsec1/libxmlsec1.mk   | 28 ++++++++++++++++++++++++++++
 4 files changed, 46 insertions(+)

diff --git a/package/Config.in b/package/Config.in
index 137f74ed82ce8029e7d8f53fc3e1fabc9584f73e..2d19bc81306abf66634b8fcea40712107612aed7 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1947,6 +1947,7 @@ menu "JSON/XML"
 	source "package/libxmlb/Config.in"
 	source "package/libxmlpp/Config.in"
 	source "package/libxmlrpc/Config.in"
+	source "package/libxmlsec1/Config.in"
 	source "package/libxslt/Config.in"
 	source "package/libyaml/Config.in"
 	source "package/mxml/Config.in"
diff --git a/package/libxmlsec1/Config.in b/package/libxmlsec1/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..155efac825c071d0d3518a92ca35caf7d7decf9e
--- /dev/null
+++ b/package/libxmlsec1/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_LIBXMLSEC1
+	bool "libxmlsec1"
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_LIBXSLT
+	help
+	  XMLSec library provides C based implementation for major XML
+	  Security standards:
+	    - XML Signature Syntax and Processing
+	    - XML Encryption Syntax and Processing
+
+	  https://www.aleksey.com/xmlsec/
+	  https://github.com/lsh123/xmlsec
diff --git a/package/libxmlsec1/libxmlsec1.hash b/package/libxmlsec1/libxmlsec1.hash
new file mode 100644
index 0000000000000000000000000000000000000000..156e1310a3609465d7914b2c9e830e5157b88f99
--- /dev/null
+++ b/package/libxmlsec1/libxmlsec1.hash
@@ -0,0 +1,4 @@
+# Locally computed
+sha256  d82e93b69b8aa205a616b62917a269322bf63a3eaafb3775014e61752b2013ea  xmlsec1-1.3.7.tar.gz
+# Locally comp
+sha256  d5e9388534256360c6a009d4f19ab2b8d6ec0aa7ff32a51e22d899ed7beb5c48  Copyright
diff --git a/package/libxmlsec1/libxmlsec1.mk b/package/libxmlsec1/libxmlsec1.mk
new file mode 100644
index 0000000000000000000000000000000000000000..b05465dd10fffcf490db40d12b7a66ac33da7d47
--- /dev/null
+++ b/package/libxmlsec1/libxmlsec1.mk
@@ -0,0 +1,28 @@
+################################################################################
+#
+# libxmlsec1
+#
+################################################################################
+
+LIBXMLSEC1_VERSION = 1.3.7
+LIBXMLSEC1_SOURCE = xmlsec1-$(LIBXMLSEC1_VERSION).tar.gz
+LIBXMLSEC1_SITE = https://github.com/lsh123/xmlsec/releases/download/$(LIBXMLSEC1_VERSION)
+LIBXMLSEC1_LICENSE = MIT
+LIBXMLSEC1_LICENSE_FILES = Copyright
+LIBXMLSEC1_INSTALL_STAGING = YES
+LIBXMLSEC1_DEPENDENCIES = libxml2 libxslt openssl
+HOST_LIBXMLSEC1_DEPENDENCIES = host-libxml2 host-libxslt host-openssl
+
+LIBXMLSEC1_CONF_OPTS =	--disable-static \
+			--enable-crypto-dl=no \
+			--with-openssl \
+			--with-gnutls=no \
+			--with-gcrypt=no \
+			--with-nss=no
+
+LIBXMLSEC1_AUTORECONF = YES
+
+HOST_LIBXMLSEC1_CONF_OPTS = $(LIBXMLSEC1_CONF_OPTS)
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))

-- 
2.50.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/4] package/libxmlsec1: Add libxmlsec1 used by openSCAP

[Thomas Petazzoni via buildroot]

Hello Alexis,

Thanks for your patch! See some review below.

On Wed, 30 Jul 2025 14:47:13 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> Introduce the libxmlsec1 library package. libxmlsec implements XML
> security standards.
> 
> The library has only a few mandatory dependencies(libxml2 and libxslt
> and a crypto library).  It needs one of the following cryptographic
> libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
> keep the package simple.
> 
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>

By convention, the title of the patch should be:

	package/libxmlsec1: new package

> ---
>  package/Config.in                  |  1 +
>  package/libxmlsec1/Config.in       | 13 +++++++++++++
>  package/libxmlsec1/libxmlsec1.hash |  4 ++++
>  package/libxmlsec1/libxmlsec1.mk   | 28 ++++++++++++++++++++++++++++
>  4 files changed, 46 insertions(+)

You need to add an entry to the DEVELOPERS file for this package.


> diff --git a/package/libxmlsec1/libxmlsec1.hash b/package/libxmlsec1/libxmlsec1.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..156e1310a3609465d7914b2c9e830e5157b88f99
> --- /dev/null
> +++ b/package/libxmlsec1/libxmlsec1.hash
> @@ -0,0 +1,4 @@
> +# Locally computed
> +sha256  d82e93b69b8aa205a616b62917a269322bf63a3eaafb3775014e61752b2013ea  xmlsec1-1.3.7.tar.gz
> +# Locally comp

"Locally comp" and then your keyboard was blo? :-)

Not need to repeat this comment, if it's applicable for both lines.

> +sha256  d5e9388534256360c6a009d4f19ab2b8d6ec0aa7ff32a51e22d899ed7beb5c48  Copyright
> diff --git a/package/libxmlsec1/libxmlsec1.mk b/package/libxmlsec1/libxmlsec1.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..b05465dd10fffcf490db40d12b7a66ac33da7d47
> --- /dev/null
> +++ b/package/libxmlsec1/libxmlsec1.mk
> @@ -0,0 +1,28 @@
> +################################################################################
> +#
> +# libxmlsec1
> +#
> +################################################################################
> +
> +LIBXMLSEC1_VERSION = 1.3.7
> +LIBXMLSEC1_SOURCE = xmlsec1-$(LIBXMLSEC1_VERSION).tar.gz
> +LIBXMLSEC1_SITE = https://github.com/lsh123/xmlsec/releases/download/$(LIBXMLSEC1_VERSION)
> +LIBXMLSEC1_LICENSE = MIT

OK, license verified.

> +LIBXMLSEC1_LICENSE_FILES = Copyright
> +LIBXMLSEC1_INSTALL_STAGING = YES
> +LIBXMLSEC1_DEPENDENCIES = libxml2 libxslt openssl
> +HOST_LIBXMLSEC1_DEPENDENCIES = host-libxml2 host-libxslt host-openssl
> +
> +LIBXMLSEC1_CONF_OPTS =	--disable-static \
> +			--enable-crypto-dl=no \
> +			--with-openssl \
> +			--with-gnutls=no \
> +			--with-gcrypt=no \
> +			--with-nss=no

This should be a bit more nicely formatted, and use --disable/--without
instead of --enable-..=no and --with-...=no. Also, you shouldn't pass
--disable-static unless you have a very good reason to. Indeed,
Buildroot is passing --{enable,disable}-{shared,static} automatically
based on the BR2_SHARED_LIBS/BR2_STATIC_LIBS settings.

So:

LIBXMLSEC1_CONF_OPTS = \
	--disable-crypto-dl \
	--with-openssl \
	--without-gnutls \
	--without-gcrypt \
	--without-nss

> +
> +LIBXMLSEC1_AUTORECONF = YES

Perhaps put this "earlier", as it's valid for both the target and host
variants.

> +HOST_LIBXMLSEC1_CONF_OPTS = $(LIBXMLSEC1_CONF_OPTS)

I'm not sure I like re-using like this target options for the host
variant. I think I'd prefer them to be duplicated.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/4] package/libxmlsec1: Add libxmlsec1 used by openSCAP

[Alexis Lothoré via buildroot]

Hi Thomas,

thanks for the review !
On Wed Jul 30, 2025 at 6:53 PM CEST, Thomas Petazzoni via buildroot wrote:
> Hello Alexis,
>> +LIBXMLSEC1_CONF_OPTS =	--disable-static \
>> +			--enable-crypto-dl=no \
>> +			--with-openssl \
>> +			--with-gnutls=no \
>> +			--with-gcrypt=no \
>> +			--with-nss=no
>
> This should be a bit more nicely formatted, and use --disable/--without
> instead of --enable-..=no and --with-...=no. Also, you shouldn't pass
> --disable-static unless you have a very good reason to. Indeed,
> Buildroot is passing --{enable,disable}-{shared,static} automatically
> based on the BR2_SHARED_LIBS/BR2_STATIC_LIBS settings.
>
> So:
>
> LIBXMLSEC1_CONF_OPTS = \
> 	--disable-crypto-dl \
> 	--with-openssl \
> 	--without-gnutls \
> 	--without-gcrypt \
> 	--without-nss

Yes, I must confess that I did not thoroughly reviewed those conf opts
before including them. I'll give a try without the static, remove it if not
needed, and use proper BR mechanisms if it is actually needed.

[...]

>> +HOST_LIBXMLSEC1_CONF_OPTS = $(LIBXMLSEC1_CONF_OPTS)
>
> I'm not sure I like re-using like this target options for the host
> variant. I think I'd prefer them to be duplicated.

You right, and this pattern actually bit me in one of the other packages
brought in this series !

Alexis


-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/4] package/libcurl: Reapply "libcurl: add host variant"

[Alexis Lothoré via buildroot]

libcurl host build support has initially been added with 736e0fc5d610
("libcurl: add host variant") while adding support for host-cargo build,
and reverted with 69e84008abf8 ("Revert "libcurl: add host variant"")
when standalone cargo build has been removed. In order to bring a new
host package depending on libcurl, re-enable host-libcurl build support.

This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
 package/libcurl/libcurl.mk | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 1cfdda27d215775cb8021979bc955c30ae4fea4c..700c161ade6cfb9d87727d03de9dfceb97cfb7cf 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -189,4 +189,17 @@ endef
 LIBCURL_POST_INSTALL_TARGET_HOOKS += LIBCURL_TARGET_CLEANUP
 endif
 
+HOST_LIBCURL_DEPENDENCIES = host-openssl
+HOST_LIBCURL_CONF_OPTS = \
+	--disable-manual \
+	--disable-ntlm-wb \
+	--disable-curldebug \
+	--with-ssl \
+	--without-gnutls \
+	--without-mbedtls \
+	--without-nss
+
+HOST_LIBCURL_POST_PATCH_HOOKS += LIBCURL_FIX_DOT_PC
+
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))

-- 
2.50.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/4] package/libcurl: Reapply "libcurl: add host variant"

[Thomas Petazzoni via buildroot]

Hello Alexis,

On Wed, 30 Jul 2025 14:47:14 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> libcurl host build support has initially been added with 736e0fc5d610
> ("libcurl: add host variant") while adding support for host-cargo build,
> and reverted with 69e84008abf8 ("Revert "libcurl: add host variant"")
> when standalone cargo build has been removed. In order to bring a new
> host package depending on libcurl, re-enable host-libcurl build support.
> 
> This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8.
> 
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
> ---
>  package/libcurl/libcurl.mk | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 1cfdda27d215775cb8021979bc955c30ae4fea4c..700c161ade6cfb9d87727d03de9dfceb97cfb7cf 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -189,4 +189,17 @@ endef
>  LIBCURL_POST_INSTALL_TARGET_HOOKS += LIBCURL_TARGET_CLEANUP
>  endif
>  
> +HOST_LIBCURL_DEPENDENCIES = host-openssl
> +HOST_LIBCURL_CONF_OPTS = \
> +	--disable-manual \
> +	--disable-ntlm-wb \
> +	--disable-curldebug \
> +	--with-ssl \
> +	--without-gnutls \
> +	--without-mbedtls \
> +	--without-nss
> +
> +HOST_LIBCURL_POST_PATCH_HOOKS += LIBCURL_FIX_DOT_PC

This LIBCURL_FIX_DOT_PC hook no longer exists, so that line is a no-op.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Alexis Lothoré via buildroot]

Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
 package/Config.in              |  1 +
 package/openscap/Config.in     | 18 +++++++++++++++
 package/openscap/openscap.hash |  6 +++++
 package/openscap/openscap.mk   | 52 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+)

diff --git a/package/Config.in b/package/Config.in
index 2d19bc81306abf66634b8fcea40712107612aed7..29fff74876731856819364f7fd7e2b94f6ffc895 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2352,6 +2352,7 @@ menu "Security"
 	source "package/libselinux/Config.in"
 	source "package/libsemanage/Config.in"
 	source "package/libsepol/Config.in"
+	source "package/openscap/Config.in"
 	source "package/safeclib/Config.in"
 	source "package/softhsm2/Config.in"
 endmenu
diff --git a/package/openscap/Config.in b/package/openscap/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..66f087d896030bb96ef6ed8676a9ef645215b8c6
--- /dev/null
+++ b/package/openscap/Config.in
@@ -0,0 +1,18 @@
+config BR2_PACKAGE_OPENSCAP
+	bool "openscap"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # libgpg
+	depends on !BR2_STATIC_LIBS # dlfcn.h
+	select BR2_PACKAGE_LIBXMLSEC1
+	select BR2_PACKAGE_HOST_PYTHON3
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_LIBGCRYPT
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  The purpose of this project is to create security policy
+	  content for various platforms
+
+	  https://www.open-scap.org/
+	  https://github.com/OpenSCAP/openscap
diff --git a/package/openscap/openscap.hash b/package/openscap/openscap.hash
new file mode 100644
index 0000000000000000000000000000000000000000..608142d66fca217f5d60481a69d3a37856226834
--- /dev/null
+++ b/package/openscap/openscap.hash
@@ -0,0 +1,6 @@
+# Locally calculated
+sha256  6e61913fca3a74d310d7cf9354973eeaefa42be909ae649af1df48c3c08bc6ff  openscap-1.3.12.tar.gz
+# Locally calculated
+sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  COPYING
+# Locally calculated
+sha256  6610483ec62e1cae3ef36a7433ed30c23345f2703ddcfe19c930b9cc674a65bb  lgpl-2.1.rtf
diff --git a/package/openscap/openscap.mk b/package/openscap/openscap.mk
new file mode 100644
index 0000000000000000000000000000000000000000..f440de6e908ac5816284a810ad935d0d496db863
--- /dev/null
+++ b/package/openscap/openscap.mk
@@ -0,0 +1,52 @@
+################################################################################
+#
+# openscap
+#
+################################################################################
+
+OPENSCAP_VERSION = 1.3.12
+OPENSCAP_SITE = https://github.com/OpenSCAP/openscap/releases/download/$(OPENSCAP_VERSION)
+OPENSCAP_LICENSE = LGPL-2.1
+OPENSCAP_LICENSE_FILES = lgpl-2.1.rtf COPYING
+OPENSCAP_SUPPORTS_IN_SOURCE_BUILD = NO
+OPENSCAP_DEPENDENCIES = openssl libcurl libxslt libxml2 libxmlsec1 pcre libgcrypt host-pkgconf
+OPENSCAP_INSTALL_STAGING = YES
+HOST_OPENSCAP_DEPENDENCIES = host-openssl host-python3 host-libcurl host-libxslt host-libxml2 host-libxmlsec1 host-pcre host-libgcrypt host-pkgconf
+
+OPENSCAP_CONF_OPTS += \
+		      -DENABLE_OSCAP_UTIL=ON \
+		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
+		      -DENABLE_OSCAP_UTIL_VM=OFF \
+		      -DENABLE_PROBES_WINDOWS=OFF \
+		      -DENABLE_TESTS=OFF \
+		      -DWITH_CRYPTO=gcrypt \
+		      -DENABLE_PYTHON3=ON
+
+HOST_OPENSCAP_CONF_OPTS = \
+		      -DENABLE_OSCAP_UTIL=ON \
+		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
+		      -DENABLE_OSCAP_UTIL_VM=OFF \
+		      -DENABLE_PROBES_WINDOWS=OFF \
+		      -DENABLE_TESTS=OFF \
+		      -DWITH_CRYPTO=gcrypt \
+		      -DENABLE_PYTHON3=ON
+
+ifeq ($(BR2_PACKAGE_ACL),y)
+OPENSCAP_DEPENDENCIES += acl
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP),y)
+OPENSCAP_DEPENDENCIES += libcap
+endif
+
+ifneq ($(BR2_TOOLCHAIN_USES_GLIBC),y)
+OPENSCAP_DEPENDENCIES += musl-fts
+OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS=-lfts
+endif
+
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))

-- 
2.50.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Thomas Petazzoni via buildroot]

Hello Alexis,

On Wed, 30 Jul 2025 14:47:15 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> Introduce the openscap package. openscap is a command line tool allowing
> to scan a system configuration to perform security compliance checks.
> The tool consumes XCCDF and OVAL files to perform system evaluation
> against a list of policies.

Perhaps you could mention here why a host variant of this package is
needed/useful.

Commit title should be:

	package/openscap: new package

>  package/Config.in              |  1 +
>  package/openscap/Config.in     | 18 +++++++++++++++
>  package/openscap/openscap.hash |  6 +++++
>  package/openscap/openscap.mk   | 52 ++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 77 insertions(+)

Entry in the DEVELOPERS file is needed.


> diff --git a/package/openscap/Config.in b/package/openscap/Config.in
> new file mode 100644
> index 0000000000000000000000000000000000000000..66f087d896030bb96ef6ed8676a9ef645215b8c6
> --- /dev/null
> +++ b/package/openscap/Config.in
> @@ -0,0 +1,18 @@
> +config BR2_PACKAGE_OPENSCAP
> +	bool "openscap"
> +	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # libgpg

This dependency actually comes from the fact that you select libgcrypt,
so the comment should be # libgcrypt

> +	depends on !BR2_STATIC_LIBS # dlfcn.h
> +	select BR2_PACKAGE_LIBXMLSEC1
> +	select BR2_PACKAGE_HOST_PYTHON3

You don't need to select this option, we don't force selecting options
for host packages.

> +	select BR2_PACKAGE_OPENSSL
> +	select BR2_PACKAGE_LIBCURL

Alphabetic ordering is always nice to have :-)

> +	select BR2_PACKAGE_LIBGCRYPT
> +	select BR2_PACKAGE_LIBXML2
> +	select BR2_PACKAGE_PCRE
> +	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
> +	help
> +	  The purpose of this project is to create security policy
> +	  content for various platforms
> +
> +	  https://www.open-scap.org/
> +	  https://github.com/OpenSCAP/openscap

You need a Config.in comment:

comment "openscap needs a toolchain w/ dynamic library"
	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
	depends on BR2_STATIC_LIBS

> diff --git a/package/openscap/openscap.hash b/package/openscap/openscap.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..608142d66fca217f5d60481a69d3a37856226834
> --- /dev/null
> +++ b/package/openscap/openscap.hash
> @@ -0,0 +1,6 @@
> +# Locally calculated
> +sha256  6e61913fca3a74d310d7cf9354973eeaefa42be909ae649af1df48c3c08bc6ff  openscap-1.3.12.tar.gz
> +# Locally calculated
> +sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  COPYING
> +# Locally calculated
> +sha256  6610483ec62e1cae3ef36a7433ed30c23345f2703ddcfe19c930b9cc674a65bb  lgpl-2.1.rtf

No need to repeat "Locally calculated" 3 times.

> diff --git a/package/openscap/openscap.mk b/package/openscap/openscap.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..f440de6e908ac5816284a810ad935d0d496db863
> --- /dev/null
> +++ b/package/openscap/openscap.mk
> @@ -0,0 +1,52 @@
> +################################################################################
> +#
> +# openscap
> +#
> +################################################################################
> +
> +OPENSCAP_VERSION = 1.3.12
> +OPENSCAP_SITE = https://github.com/OpenSCAP/openscap/releases/download/$(OPENSCAP_VERSION)
> +OPENSCAP_LICENSE = LGPL-2.1

I think the license is LGPL-2.1+, as the few source files I looked at
contain the "or later" statement.

> +OPENSCAP_LICENSE_FILES = lgpl-2.1.rtf COPYING

Is the .rtf file useful, as COPYING already contains the full text of
LGPL-2.1 ?

> +OPENSCAP_SUPPORTS_IN_SOURCE_BUILD = NO
> +OPENSCAP_DEPENDENCIES = openssl libcurl libxslt libxml2 libxmlsec1 pcre libgcrypt host-pkgconf
> +OPENSCAP_INSTALL_STAGING = YES
> +HOST_OPENSCAP_DEPENDENCIES = host-openssl host-python3 host-libcurl host-libxslt host-libxml2 host-libxmlsec1 host-pcre host-libgcrypt host-pkgconf

Line a bit long, you can split it:

HOST_OPENSCAP_DEPENDENCIES = \
	host-openssl \
	host-python3 \
	...

> +
> +OPENSCAP_CONF_OPTS += \

Use = instead of +=.

> +		      -DENABLE_OSCAP_UTIL=ON \
> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
> +		      -DENABLE_PROBES_WINDOWS=OFF \
> +		      -DENABLE_TESTS=OFF \
> +		      -DWITH_CRYPTO=gcrypt \
> +		      -DENABLE_PYTHON3=ON

Only one tab for the indentation.

Questions:

- You're using WITH_CRYPTO=gcrypt, but you also select
  BR2_PACKAGE_OPENSSL. You need both?

- You're setting ENABLE_PYTHON3=ON, but your target package does not
  depend on host-python3 nor python3 in terms of build dependency.
  Could you clarify what this ENABLE_PYTHON3 option does?

> +
> +HOST_OPENSCAP_CONF_OPTS = \
> +		      -DENABLE_OSCAP_UTIL=ON \
> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
> +		      -DENABLE_PROBES_WINDOWS=OFF \
> +		      -DENABLE_TESTS=OFF \
> +		      -DWITH_CRYPTO=gcrypt \
> +		      -DENABLE_PYTHON3=ON
> +
> +ifeq ($(BR2_PACKAGE_ACL),y)
> +OPENSCAP_DEPENDENCIES += acl
> +endif

No explicit option to enable/disable ACL support?

> +
> +ifeq ($(BR2_PACKAGE_LIBCAP),y)
> +OPENSCAP_DEPENDENCIES += libcap
> +endif

Same question.

> +
> +ifneq ($(BR2_TOOLCHAIN_USES_GLIBC),y)
> +OPENSCAP_DEPENDENCIES += musl-fts
> +OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS=-lfts
> +endif
> +
> +$(eval $(cmake-package))
> +$(eval $(host-cmake-package))
> 

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Alexis Lothoré via buildroot]

On Wed Jul 30, 2025 at 7:02 PM CEST, Thomas Petazzoni via buildroot wrote:
> Hello Alexis,

[...]

>> +		      -DENABLE_OSCAP_UTIL=ON \
>> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
>> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
>> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
>> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
>> +		      -DENABLE_PROBES_WINDOWS=OFF \
>> +		      -DENABLE_TESTS=OFF \
>> +		      -DWITH_CRYPTO=gcrypt \
>> +		      -DENABLE_PYTHON3=ON
>
> Only one tab for the indentation.
>
> Questions:
>
> - You're using WITH_CRYPTO=gcrypt, but you also select
>   BR2_PACKAGE_OPENSSL. You need both?

So from the CMakeLists.txt:

find_package(OpenSSL REQUIRED)
[...]
# WITH_CRYPTO
set(WITH_CRYPTO "gcrypt" CACHE STRING "gcrypt|nss")
if(${WITH_CRYPTO} STREQUAL "nss")
        message("-- Using NSS")
        find_package(NSS)
else()
        message("-- Using GCrypt")
        find_package(GCrypt)
endif()
if(GCRYPT_FOUND OR NSS_FOUND)
        set(CRYPTO_FOUND TRUE)
endif()

it looks like gcrypt/nss is not mandatory. But if I try to configure and
run a build in an environment without libgcrypt, I got same late linkage
error, about some missing crapi_init (no, I am not making this function's
name up...) being missing. It appears that there are code paths
preprocessed conditionnaly on either libgcrypt or nss presence, without any
fallback if none is found. I am not sure if I am facing some optional
dependencies that are not "optional enough" in the code base, or some hard
dpendencies that are not sufficiently enforced in the cmake files. But in
the project current state, the software does not build without libgcrypt.

If I take a further look at the dev doc
(https://github.com/OpenSCAP/openscap/blob/main/docs/developer/developer.adoc),
it seems to hint that libgcrypt is actually needed in any case.

I'll remove the WITH_CRYPTO=gcrypt though, as it is the default value in
CMakeLists.txt.

> - You're setting ENABLE_PYTHON3=ON, but your target package does not
>   depend on host-python3 nor python3 in terms of build dependency.
>   Could you clarify what this ENABLE_PYTHON3 option does?

That's an omission on my side. This ENABLE_PYTHON3 allows building some
bindings (to write some python automation tools based on openscap ?) if the
interpreter is found. I'll remove it.

>> +
>> +HOST_OPENSCAP_CONF_OPTS = \
>> +		      -DENABLE_OSCAP_UTIL=ON \
>> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
>> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
>> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
>> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
>> +		      -DENABLE_PROBES_WINDOWS=OFF \
>> +		      -DENABLE_TESTS=OFF \
>> +		      -DWITH_CRYPTO=gcrypt \
>> +		      -DENABLE_PYTHON3=ON
>> +
>> +ifeq ($(BR2_PACKAGE_ACL),y)
>> +OPENSCAP_DEPENDENCIES += acl
>> +endif
>
> No explicit option to enable/disable ACL support?

Unfortunately no, this is searched unconditionally:

find_package(ACL)
if(ACL_FOUND)
        check_library_exists("${ACL_LIBRARY}" acl_extended_file "" HAVE_ACL_EXTENDED_FILE)
        check_include_file(acl/libacl.h HAVE_ACL_LIBACL_H)
        check_include_file(sys/acl.h HAVE_SYS_ACL_H)
endif()

>> +
>> +ifeq ($(BR2_PACKAGE_LIBCAP),y)
>> +OPENSCAP_DEPENDENCIES += libcap
>> +endif
>
> Same question.

Ditto

Alexis

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Thomas Petazzoni via buildroot]

On Thu, 31 Jul 2025 14:34:01 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> it looks like gcrypt/nss is not mandatory. But if I try to configure and
> run a build in an environment without libgcrypt, I got same late linkage
> error, about some missing crapi_init (no, I am not making this function's
> name up...) being missing. It appears that there are code paths
> preprocessed conditionnaly on either libgcrypt or nss presence, without any
> fallback if none is found. I am not sure if I am facing some optional
> dependencies that are not "optional enough" in the code base, or some hard
> dpendencies that are not sufficiently enforced in the cmake files. But in
> the project current state, the software does not build without libgcrypt.
> 
> If I take a further look at the dev doc
> (https://github.com/OpenSCAP/openscap/blob/main/docs/developer/developer.adoc),
> it seems to hint that libgcrypt is actually needed in any case.

That's fine, we don't expect you to fix all upstream issues :)

However, my concern was not so much about gcrypt being needed, but the
fact that you need openssl *and* libgcrypt. Are both truly needed?

> I'll remove the WITH_CRYPTO=gcrypt though, as it is the default value in
> CMakeLists.txt.

Well, you can keep it explicit, I think it's a good idea.

> 
> > - You're setting ENABLE_PYTHON3=ON, but your target package does not
> >   depend on host-python3 nor python3 in terms of build dependency.
> >   Could you clarify what this ENABLE_PYTHON3 option does?  
> 
> That's an omission on my side. This ENABLE_PYTHON3 allows building some
> bindings (to write some python automation tools based on openscap ?) if the
> interpreter is found. I'll remove it.

Then ENABLE_PYTHON3=OFF is probably better. Generally speaking the more
options are explicitly set, the better.


> > No explicit option to enable/disable ACL support?  
> 
> Unfortunately no, this is searched unconditionally:

OK!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Alexis Lothoré via buildroot]

On Thu Jul 31, 2025 at 2:48 PM CEST, Thomas Petazzoni wrote:
> On Thu, 31 Jul 2025 14:34:01 +0200
> Alexis Lothoré <alexis.lothore@bootlin.com> wrote:
>
>> it looks like gcrypt/nss is not mandatory. But if I try to configure and
>> run a build in an environment without libgcrypt, I got same late linkage
>> error, about some missing crapi_init (no, I am not making this function's
>> name up...) being missing. It appears that there are code paths
>> preprocessed conditionnaly on either libgcrypt or nss presence, without any
>> fallback if none is found. I am not sure if I am facing some optional
>> dependencies that are not "optional enough" in the code base, or some hard
>> dpendencies that are not sufficiently enforced in the cmake files. But in
>> the project current state, the software does not build without libgcrypt.
>> 
>> If I take a further look at the dev doc
>> (https://github.com/OpenSCAP/openscap/blob/main/docs/developer/developer.adoc),
>> it seems to hint that libgcrypt is actually needed in any case.
>
> That's fine, we don't expect you to fix all upstream issues :)
>
> However, my concern was not so much about gcrypt being needed, but the
> fact that you need openssl *and* libgcrypt. Are both truly needed?

As showned in the sample above: yes, both are needed, OpenSSL because it is
a hard dependency in CMakeLists.txt (tested by removing libssl-dev from my
testing env, it indeed fails to configure the project, and there is no
option to disable it), and libgcrypt, because linkage will fail otherwise.

>> I'll remove the WITH_CRYPTO=gcrypt though, as it is the default value in
>> CMakeLists.txt.
>
> Well, you can keep it explicit, I think it's a good idea.

ACK

>> 
>> > - You're setting ENABLE_PYTHON3=ON, but your target package does not
>> >   depend on host-python3 nor python3 in terms of build dependency.
>> >   Could you clarify what this ENABLE_PYTHON3 option does?  
>> 
>> That's an omission on my side. This ENABLE_PYTHON3 allows building some
>> bindings (to write some python automation tools based on openscap ?) if the
>> interpreter is found. I'll remove it.
>
> Then ENABLE_PYTHON3=OFF is probably better. Generally speaking the more
> options are explicitly set, the better.

ACK

Alexis
-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

[Thomas Petazzoni via buildroot]

On Thu, 31 Jul 2025 15:14:56 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> As showned in the sample above: yes, both are needed, OpenSSL because it is
> a hard dependency in CMakeLists.txt (tested by removing libssl-dev from my
> testing env, it indeed fails to configure the project, and there is no
> option to disable it), and libgcrypt, because linkage will fail otherwise.

Fair enough, thanks for the explanation!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 4/4] package/compliance-as-code: add new package

[Alexis Lothoré via buildroot]

Introduce the Compliance As Code package. This project provides data
files consumed by the openscap tool to evaluate a host compliance in
regard with security policies. The package depends on both host-openscap
(needed at build time to process the input files into usable files) and
openscap (needed on the target, will use the generated files to evaluate
the system configuration)

The project is based on cmake, but it also exposes a wrapper script
(build_product). The package uses the cmake build system, but exposes a
few Kconfig options to replicate some of the build_product options:
- BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
  option, building only the datastream files instead of all the files
- BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
  product(s) for which we want to generate policies files.

The default install target provided by the project expects a full build,
and so it will try to generate all the files for all the products when
executed (which cancels the benefit of being able to select only a
single or a few products), so the package defines a custom install
command.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
 package/Config.in                                  |  1 +
 package/compliance-as-code/Config.in               | 35 ++++++++++++++++++++++
 package/compliance-as-code/compliance-as-code.hash |  5 ++++
 package/compliance-as-code/compliance-as-code.mk   | 34 +++++++++++++++++++++
 4 files changed, 75 insertions(+)

diff --git a/package/Config.in b/package/Config.in
index 29fff74876731856819364f7fd7e2b94f6ffc895..f44cd884a0a8a7e5cd2705eb0ba247a5c3feaa90 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2348,6 +2348,7 @@ endif
 endmenu
 
 menu "Security"
+	source "package/compliance-as-code/Config.in"
 	source "package/libapparmor/Config.in"
 	source "package/libselinux/Config.in"
 	source "package/libsemanage/Config.in"
diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..402bf2ba8610808f4d536f5d102348a879fb4d5d
--- /dev/null
+++ b/package/compliance-as-code/Config.in
@@ -0,0 +1,35 @@
+config BR2_PACKAGE_COMPLIANCE_AS_CODE
+	bool "compliance-as-code"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # openscap
+	depends on !BR2_STATIC_LIBS # dlfcn.h
+	select BR2_PACKAGE_HOST_OPENSCAP
+	select BR2_PACKAGE_OPENSCAP
+	select BR2_PACKAGE_HOST_PYTHON
+	select BR2_PACKAGE_HOST_PYTHON_PYAML
+	select BR2_PACKAGE_HOST_PYTHON_JINJA2
+	select BR2_PACKAGE_HOST_LIBXSLT
+	select BR2_PACKAGE_HOST_LIBXML2
+	help
+	  Generate and install the profiles used for
+	  security (e.g. FIPS, CSPN) compliance analysis.
+
+	  Uses ComplianceAsCode to generate profiles
+	  https://complianceascode.readthedocs.io/en/latest/
+
+if BR2_PACKAGE_COMPLIANCE_AS_CODE
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY
+	bool "datastream only"
+	default y
+	help
+	  Build only the datastreams (do not build the html tables,
+	  guides, etc)
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS
+	string "products"
+	help
+	  Provide a space-separated list of products for which you want
+	  to build security content. Leave empty to build content for
+	  all supported products.
+
+endif
diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
new file mode 100644
index 0000000000000000000000000000000000000000..7b100dc4be54126a4c8f1f84b918d26196cc0d7d
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.hash
@@ -0,0 +1,5 @@
+
+# Locally calculated
+sha256  bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43  compliance-as-code-0.1.77.tar.gz
+# Locally calculated
+sha256  ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298  LICENSE
diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
new file mode 100644
index 0000000000000000000000000000000000000000..dc273403c52371753bb6076c7b0b381d5958749f
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.mk
@@ -0,0 +1,34 @@
+################################################################################
+#
+# Compliance As Code
+#
+################################################################################
+
+COMPLIANCE_AS_CODE_VERSION = 0.1.77
+COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
+COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
+COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
+COMPLIANCE_AS_CODE_REDISTRIBUTE = NO
+
+COMPLIANCE_AS_CODE_DEPENDENCIES = \
+	host-python3 \
+	host-openscap \
+	openscap \
+	host-python-jinja2 \
+	host-python-pyyaml \
+	host-libxslt \
+	host-libxml2
+
+COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
+COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
+COMPLIANCE_AS_CODE_MAKE_OPTS = \
+	$(foreach p,\
+	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
+	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))
+
+define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
+	mkdir -p $(TARGET_DIR)/etc/openscap
+	rsync -a $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/
+endef
+
+$(eval $(cmake-package))

-- 
2.50.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package

[Thomas Petazzoni via buildroot]

Hello Alexis,

Thanks for this patch (again!). Some comments below.

On Wed, 30 Jul 2025 14:47:16 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> Introduce the Compliance As Code package. This project provides data
> files consumed by the openscap tool to evaluate a host compliance in
> regard with security policies. The package depends on both host-openscap
> (needed at build time to process the input files into usable files) and
> openscap (needed on the target, will use the generated files to evaluate
> the system configuration)
> 
> The project is based on cmake, but it also exposes a wrapper script
> (build_product). The package uses the cmake build system, but exposes a
> few Kconfig options to replicate some of the build_product options:
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
>   option, building only the datastream files instead of all the files
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
>   product(s) for which we want to generate policies files.
> 
> The default install target provided by the project expects a full build,
> and so it will try to generate all the files for all the products when
> executed (which cancels the benefit of being able to select only a
> single or a few products), so the package defines a custom install
> command.

Very nice commit message. Perhaps too nice as it makes me think: what
about a support/testing/ test case for this package?

Commit title should be:

	package/compliance-as-code: new package

> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
> ---
>  package/Config.in                                  |  1 +
>  package/compliance-as-code/Config.in               | 35 ++++++++++++++++++++++
>  package/compliance-as-code/compliance-as-code.hash |  5 ++++
>  package/compliance-as-code/compliance-as-code.mk   | 34 +++++++++++++++++++++
>  4 files changed, 75 insertions(+)

Entry in the DEVELOPERS file.


> diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
> new file mode 100644
> index 0000000000000000000000000000000000000000..402bf2ba8610808f4d536f5d102348a879fb4d5d
> --- /dev/null
> +++ b/package/compliance-as-code/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_COMPLIANCE_AS_CODE
> +	bool "compliance-as-code"
> +	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # openscap
> +	depends on !BR2_STATIC_LIBS # dlfcn.h

I guess this comes also from openscap, so the comment should also be
# openscap

> +	select BR2_PACKAGE_HOST_OPENSCAP

Not needed, this option does not exists.

> +	select BR2_PACKAGE_OPENSCAP
> +	select BR2_PACKAGE_HOST_PYTHON

This option does not exist, and it's not necessary to select
BR2_PACKAGE_HOST_PYTHON3.

> +	select BR2_PACKAGE_HOST_PYTHON_PYAML

This option does not exist, it's BR2_PACKAGE_HOST_PYTHON_PYYAML, but
selecting it is not needed.

> +	select BR2_PACKAGE_HOST_PYTHON_JINJA2

This option does not exist.

> +	select BR2_PACKAGE_HOST_LIBXSLT

This option does not exist.

> +	select BR2_PACKAGE_HOST_LIBXML2

This option does not exist.

Basically, you almost never need to select the option of host packages.
The only case is if you need a sub-option of a host package, like
BR2_PACKAGE_HOST_PYTHON3_BZIP2 for example.

> diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..7b100dc4be54126a4c8f1f84b918d26196cc0d7d
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.hash
> @@ -0,0 +1,5 @@
> +
> +# Locally calculated
> +sha256  bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43  compliance-as-code-0.1.77.tar.gz
> +# Locally calculated
> +sha256  ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298  LICENSE
> diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..dc273403c52371753bb6076c7b0b381d5958749f
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.mk
> @@ -0,0 +1,34 @@
> +################################################################################
> +#
> +# Compliance As Code
> +#
> +################################################################################
> +
> +COMPLIANCE_AS_CODE_VERSION = 0.1.77
> +COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
> +COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
> +COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
> +COMPLIANCE_AS_CODE_REDISTRIBUTE = NO

Why? If it's BSD-3-Clause.

> +COMPLIANCE_AS_CODE_DEPENDENCIES = \
> +	host-python3 \
> +	host-openscap \
> +	openscap \
> +	host-python-jinja2 \
> +	host-python-pyyaml \
> +	host-libxslt \
> +	host-libxml2

I assume you verified all those host dependencies are actually needed?

> +
> +COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
> +COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
> +COMPLIANCE_AS_CODE_MAKE_OPTS = \
> +	$(foreach p,\
> +	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
> +	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))

How does that work when
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y and
BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS is empty? This will lead to
COMPLIANCE_AS_CODE_MAKE_OPTS being empty, so I don't see how the build
can differentiate BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y vs.
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY disabled.

> +define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
> +	mkdir -p $(TARGET_DIR)/etc/openscap
> +	rsync -a $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/

We often use:

	cp -dpfr $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/

for this kind of situation.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package

[Alexis Lothoré via buildroot]

On Wed Jul 30, 2025 at 7:18 PM CEST, Thomas Petazzoni via buildroot wrote:
> Hello Alexis,
>
> Thanks for this patch (again!). Some comments below.
>
> On Wed, 30 Jul 2025 14:47:16 +0200
> Alexis Lothoré <alexis.lothore@bootlin.com> wrote:
>
>> Introduce the Compliance As Code package. This project provides data
>> files consumed by the openscap tool to evaluate a host compliance in
>> regard with security policies. The package depends on both host-openscap
>> (needed at build time to process the input files into usable files) and
>> openscap (needed on the target, will use the generated files to evaluate
>> the system configuration)
>> 
>> The project is based on cmake, but it also exposes a wrapper script
>> (build_product). The package uses the cmake build system, but exposes a
>> few Kconfig options to replicate some of the build_product options:
>> - BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
>>   option, building only the datastream files instead of all the files
>> - BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
>>   product(s) for which we want to generate policies files.
>> 
>> The default install target provided by the project expects a full build,
>> and so it will try to generate all the files for all the products when
>> executed (which cancels the benefit of being able to select only a
>> single or a few products), so the package defines a custom install
>> command.
>
> Very nice commit message. Perhaps too nice as it makes me think: what
> about a support/testing/ test case for this package?

Thanks for the pointer, I was not aware of those integrated tests. I'll
take a look at it and add some (without knowing yet the full scope of this
framework, I guess it would be nice to get at least a matrix of tests on
the different Kconfig options added for this package)

[...]

>> +COMPLIANCE_AS_CODE_DEPENDENCIES = \
>> +	host-python3 \
>> +	host-openscap \
>> +	openscap \
>> +	host-python-jinja2 \
>> +	host-python-pyyaml \
>> +	host-libxslt \
>> +	host-libxml2
>
> I assume you verified all those host dependencies are actually needed?

Yes. For all the packages added in this series, I started by performing a
native build in a minimal container, to distinguish the mandatory
dependencies from the optional ones. So this list really reflects the
minimal set of needed deps.

>> +
>> +COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
>> +COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
>> +COMPLIANCE_AS_CODE_MAKE_OPTS = \
>> +	$(foreach p,\
>> +	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
>> +	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))
>
> How does that work when
> BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y and
> BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS is empty? This will lead to
> COMPLIANCE_AS_CODE_MAKE_OPTS being empty, so I don't see how the build
> can differentiate BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y vs.
> BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY disabled.

Ah, good catch ! I accidentally got rid of a block here when reworking this
part. That should rather be:

ifeq($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)
COMPLIANCE_AS_CODE_MAKE_OPTS = -d
endif

COMPLIANCE_AS_CODE_MAKE_OPTS += \
	$(foreach p,\
	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))

(and so, += instead of = when evaluating the products string)

Alexis

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package

[Thomas Petazzoni via buildroot]

Hello,

On Wed, 30 Jul 2025 20:09:11 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> Thanks for the pointer, I was not aware of those integrated tests. I'll
> take a look at it and add some (without knowing yet the full scope of this
> framework, I guess it would be nice to get at least a matrix of tests on
> the different Kconfig options added for this package)

You don't have to test all possible combinations. Just a single test
that exercises a bit compliance-as-code + openscap would be more than
enough.

> > I assume you verified all those host dependencies are actually needed?  
> 
> Yes. For all the packages added in this series, I started by performing a
> native build in a minimal container, to distinguish the mandatory
> dependencies from the optional ones. So this list really reflects the
> minimal set of needed deps.

Excellent!

> Ah, good catch ! I accidentally got rid of a block here when reworking this
> part. That should rather be:
> 
> ifeq($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)
> COMPLIANCE_AS_CODE_MAKE_OPTS = -d
> endif
> 
> COMPLIANCE_AS_CODE_MAKE_OPTS += \
> 	$(foreach p,\
> 	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
> 	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))
> 
> (and so, += instead of = when evaluating the products string)

Sounds good. Perhaps you want to indent this a bit:

COMPLIANCE_AS_CODE_MAKE_OPTS += \
 	$(foreach p,\
 		$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
 		$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p))
	)

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot