[Buildroot] [PATCH v3 0/5] package/compliance-as-code: introduce new package

[Buildroot] [PATCH v3 0/5] package/compliance-as-code: introduce new package

[Alexis Lothoré via buildroot]

Hello,
this is the v3 of the series bringing in Compliance As Code policies [1]
(CaC) on a target. v2 has not received any new review since it has been
sent, but in the mean time, I found some small issues (either at build
time or runtime, due to a lack in my testing setup) so this new revision
acts both as an update and a resend.

This project aims to provide security policy content on systems: this
content brings data files describing checks standards and automations
for system configuration.  Those files come in various formats (XCCDF,
OVAL, SCAP).  This project is tightly coupled to the OpenSCAP tool [2]:
- to build the data files to embed on the target system
- and to perform analysis on the system, by consuming the data files

CaC then depends on both openscap and host-openscap.
The series brings in the following commits:
- commit 1 brings libxmsec1, one of openscap dependencies
- commit 2 brings back host-libcurl (which has been supported and later
  removed from BR, as there was no user anymore), since host-openscap
  needs host-libcurl
- commit 3 brings openscap package
- commit 4 brings CaC package

The new CaC package brings a minimal feature set for now: it only brings
the security policy data files (ie: XML files) on the target. It can be
extended later as needed to bring in for example generated bash script,
ansible playbooks, etc.

Testing output:
$ ./utils/test-pkg -c cac.config -p compliance-as-code
   bootlin-armv5-uclibc [1/6]: OK
   bootlin-armv7-glibc [2/6]: OK
   bootlin-armv7m-uclibc [3/6]: SKIPPED
   bootlin-x86-64-musl [4/6]: OK
   br-arm-full-static [5/6]: SKIPPED
   arm-aarch64 [6/6]: OK

[1] https://github.com/ComplianceAsCode/content
[2] https://github.com/OpenSCAP/openscap

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v3:
- added missing --disable-libpsl for host-libcurl to prevent build
  failure
- make openscap selects CONFIG_BR2_PACKAGE_PCRE_UTF to prevent runtime
  failure
- Link to v2: https://lore.kernel.org/r/20250731-openscap-v2-0-5d7fec0cb36d@bootlin.com

Changes in v2:
- reworded commits titles and messages
- reformated, reordered content and/or cleaned multiple files
- added Kconfig comments for toolchain deps
- added missing DEVELOPERS entry
- fixed licensing issues for openscap
- disabled python3 in openscap
- removed some non existing KConfig dependencies and hooks 
- fixed KConfig management in CaC .mk file
- updated install target in CaC to use cp
- introduced a simple runtime test for openscap/CaC
- Link to v1: https://lore.kernel.org/r/20250730-openscap-v1-0-46e4a32e26da@bootlin.com

---
Alexis Lothoré (5):
      package/libxmlsec1: new package
      package/libcurl: Reapply "libcurl: add host variant"
      package/openscap: new package
      package/compliance-as-code: new package
      support/testing: add runtime testing for compliance-as-code

 DEVELOPERS                                         |  6 ++
 package/Config.in                                  |  3 +
 package/compliance-as-code/Config.in               | 33 +++++++++++
 package/compliance-as-code/compliance-as-code.hash |  4 ++
 package/compliance-as-code/compliance-as-code.mk   | 41 +++++++++++++
 package/libcurl/libcurl.mk                         | 12 ++++
 package/libxmlsec1/Config.in                       | 13 ++++
 package/libxmlsec1/libxmlsec1.hash                 |  3 +
 package/libxmlsec1/libxmlsec1.mk                   | 32 ++++++++++
 package/openscap/Config.in                         | 22 +++++++
 package/openscap/openscap.hash                     |  3 +
 package/openscap/openscap.mk                       | 69 ++++++++++++++++++++++
 .../tests/package/test_compliance_as_code.py       | 23 ++++++++
 13 files changed, 264 insertions(+)
---
base-commit: 39ea74ffc7d6387af0a3040542008960c7cdbf2f
change-id: 20250724-openscap-7166fbe1571e

Best regards,
-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3 1/5] package/libxmlsec1: new package

[Alexis Lothoré via buildroot]

Introduce the libxmlsec1 library package. libxmlsec implements XML
security standards.

The library has only a few mandatory dependencies(libxml2 and libxslt
and a crypto library).  It needs one of the following cryptographic
libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
keep the package simple.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v2:
- reword commit title
- add maintainer entry
- remove duplicate comment in hash file
- reformat conf opts list
- remove hardcoded static build conf opt
- properly duplicate conf opts for host variant
---
 DEVELOPERS                         |  3 +++
 package/Config.in                  |  1 +
 package/libxmlsec1/Config.in       | 13 +++++++++++++
 package/libxmlsec1/libxmlsec1.hash |  3 +++
 package/libxmlsec1/libxmlsec1.mk   | 32 ++++++++++++++++++++++++++++++++
 5 files changed, 52 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 8403db636f72d1ce56025baf15211f319f541ba6..474de36ead5f929d43f64bbf32a5b212149a3519 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -153,6 +153,9 @@ F:	configs/cubieboard2_defconfig
 N:	Alexey Lukyanchuk <skif@skif-web.ru>
 F:	package/zabbix/
 
+N:	Alexis Lothoré <alexis.lothore@bootlin.com>
+F:	package/libxmlsec1/
+
 N:	Alistair Francis <alistair@alistair23.me>
 F:	board/sifive/
 F:	boot/opensbi/
diff --git a/package/Config.in b/package/Config.in
index 85928509f8f127a21fceb18497c43040822b1c6c..fed47b6291d13033ce3807ead8fede9b048b9787 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1935,6 +1935,7 @@ menu "JSON/XML"
 	source "package/libxmlb/Config.in"
 	source "package/libxmlpp/Config.in"
 	source "package/libxmlrpc/Config.in"
+	source "package/libxmlsec1/Config.in"
 	source "package/libxslt/Config.in"
 	source "package/libyaml/Config.in"
 	source "package/mxml/Config.in"
diff --git a/package/libxmlsec1/Config.in b/package/libxmlsec1/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..155efac825c071d0d3518a92ca35caf7d7decf9e
--- /dev/null
+++ b/package/libxmlsec1/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_LIBXMLSEC1
+	bool "libxmlsec1"
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_LIBXSLT
+	help
+	  XMLSec library provides C based implementation for major XML
+	  Security standards:
+	    - XML Signature Syntax and Processing
+	    - XML Encryption Syntax and Processing
+
+	  https://www.aleksey.com/xmlsec/
+	  https://github.com/lsh123/xmlsec
diff --git a/package/libxmlsec1/libxmlsec1.hash b/package/libxmlsec1/libxmlsec1.hash
new file mode 100644
index 0000000000000000000000000000000000000000..db1dc77effd7c756f7da0fb99f4a3e3f9aae4516
--- /dev/null
+++ b/package/libxmlsec1/libxmlsec1.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  d82e93b69b8aa205a616b62917a269322bf63a3eaafb3775014e61752b2013ea  xmlsec1-1.3.7.tar.gz
+sha256  d5e9388534256360c6a009d4f19ab2b8d6ec0aa7ff32a51e22d899ed7beb5c48  Copyright
diff --git a/package/libxmlsec1/libxmlsec1.mk b/package/libxmlsec1/libxmlsec1.mk
new file mode 100644
index 0000000000000000000000000000000000000000..16b3bcf84887244ed63a5746194249f339b8a20f
--- /dev/null
+++ b/package/libxmlsec1/libxmlsec1.mk
@@ -0,0 +1,32 @@
+################################################################################
+#
+# libxmlsec1
+#
+################################################################################
+
+LIBXMLSEC1_VERSION = 1.3.7
+LIBXMLSEC1_SOURCE = xmlsec1-$(LIBXMLSEC1_VERSION).tar.gz
+LIBXMLSEC1_SITE = https://github.com/lsh123/xmlsec/releases/download/$(LIBXMLSEC1_VERSION)
+LIBXMLSEC1_LICENSE = MIT
+LIBXMLSEC1_LICENSE_FILES = Copyright
+LIBXMLSEC1_INSTALL_STAGING = YES
+LIBXMLSEC1_DEPENDENCIES = libxml2 libxslt openssl
+HOST_LIBXMLSEC1_DEPENDENCIES = host-libxml2 host-libxslt host-openssl
+LIBXMLSEC1_AUTORECONF = YES
+
+LIBXMLSEC1_CONF_OPTS = \
+	--enable-crypto-dl=no \
+	--with-openssl \
+	--without-gnutls \
+	--without-gcrypt \
+	--without-nss
+
+HOST_LIBXMLSEC1_CONF_OPTS = \
+	--enable-crypto-dl=no \
+	--with-openssl \
+	--without-gnutls \
+	--without-gcrypt \
+	--without-nss
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 1/5] package/libxmlsec1: new package

[Thomas Petazzoni via buildroot]

On Thu, Oct 16, 2025 at 04:46:34PM +0200, Alexis Lothoré via buildroot wrote:
> Introduce the libxmlsec1 library package. libxmlsec implements XML
> security standards.
> 
> The library has only a few mandatory dependencies(libxml2 and libxslt
> and a crypto library).  It needs one of the following cryptographic
> libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
> keep the package simple.
> 
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>

Thanks, applied, after updating to 1.3.9, since 1.3.7 was not building
here (most likely due to gcc 15.x, but I haven't really investigated
much since 1.3.9 built just fine).

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3 2/5] package/libcurl: Reapply "libcurl: add host variant"

[Alexis Lothoré via buildroot]

libcurl host build support has initially been added with 736e0fc5d610
("libcurl: add host variant") while adding support for host-cargo build,
and reverted with 69e84008abf8 ("Revert "libcurl: add host variant"")
when standalone cargo build has been removed. In order to bring a new
host package depending on libcurl, re-enable host-libcurl build support.
While doing so, remove the not-needed-anymore post-patch hook.

This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v3:
- add --disable-libpsl

Changes in v2:
- remove the post-patch hook, as the corresponding command does not
  exist anymore
---
 package/libcurl/libcurl.mk | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 0aa88044bdf05d14d56b7eb5873a093ab737ae2a..7d7f2cd6e776029789ec2edb44864590d8e29b40 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -189,4 +189,16 @@ endef
 LIBCURL_POST_INSTALL_TARGET_HOOKS += LIBCURL_TARGET_CLEANUP
 endif
 
+HOST_LIBCURL_DEPENDENCIES = host-openssl
+HOST_LIBCURL_CONF_OPTS = \
+	--disable-manual \
+	--disable-ntlm-wb \
+	--disable-curldebug \
+	--with-ssl \
+	--without-gnutls \
+	--without-mbedtls \
+	--without-nss \
+	--without-libpsl
+
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 2/5] package/libcurl: Reapply "libcurl: add host variant"

[Thomas Petazzoni via buildroot]

On Thu, Oct 16, 2025 at 04:46:35PM +0200, Alexis Lothoré via buildroot wrote:
> libcurl host build support has initially been added with 736e0fc5d610
> ("libcurl: add host variant") while adding support for host-cargo build,
> and reverted with 69e84008abf8 ("Revert "libcurl: add host variant"")
> when standalone cargo build has been removed. In order to bring a new
> host package depending on libcurl, re-enable host-libcurl build support.
> While doing so, remove the not-needed-anymore post-patch hook.

Applied with some slight rewording of the commit message.

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3 3/5] package/openscap: new package

[Alexis Lothoré via buildroot]

Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.

The package provides both a target and a host build configuration, as it
is needed on both sides:
- it is needed on the host to allow building the security policy files
  to be embedded on the target
- it is needed on the target to actually parse and evaluate those
  security policy files.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v3:
- add missing CONFIG_BR2_PACKAGE_PCRE_UTF dependency to prevent runtime
  failure

Changes in v2:
- reword commit title and message
- add DEVELOPERS entry
- update comment on Config.in deps
- reorder and reformat various variables and Kconfig entries
- drop uneeded selects on host Config entries
- add a comment about the toolchain configuration in Config.in
- drop duplicate comment in hash file
- drop additional license file reference
- use assign rather than concat for package conf opts
- drop python dependency
---
 DEVELOPERS                     |  1 +
 package/Config.in              |  1 +
 package/openscap/Config.in     | 22 ++++++++++++++
 package/openscap/openscap.hash |  3 ++
 package/openscap/openscap.mk   | 69 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 96 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 474de36ead5f929d43f64bbf32a5b212149a3519..321cb876802e86a58e490cf59a2ebcb72b273ac8 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -155,6 +155,7 @@ F:	package/zabbix/
 
 N:	Alexis Lothoré <alexis.lothore@bootlin.com>
 F:	package/libxmlsec1/
+F:	package/openscap/
 
 N:	Alistair Francis <alistair@alistair23.me>
 F:	board/sifive/
diff --git a/package/Config.in b/package/Config.in
index fed47b6291d13033ce3807ead8fede9b048b9787..e78229ea172ad60903d53b3ea3c54a1fb8365913 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2339,6 +2339,7 @@ menu "Security"
 	source "package/libselinux/Config.in"
 	source "package/libsemanage/Config.in"
 	source "package/libsepol/Config.in"
+	source "package/openscap/Config.in"
 	source "package/safeclib/Config.in"
 	source "package/softhsm2/Config.in"
 endmenu
diff --git a/package/openscap/Config.in b/package/openscap/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..fc40cdee59a8dd326e4999ae7d5055ab5a5ddf66
--- /dev/null
+++ b/package/openscap/Config.in
@@ -0,0 +1,22 @@
+config BR2_PACKAGE_OPENSCAP
+	bool "openscap"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # libgcrypt
+	depends on !BR2_STATIC_LIBS # dlfcn.h
+	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_LIBGCRYPT
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_LIBXMLSEC1
+	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_PCRE_UTF
+	help
+	  The purpose of this project is to create security policy
+	  content for various platforms
+
+	  https://www.open-scap.org/
+	  https://github.com/OpenSCAP/openscap
+
+comment "openscap needs a toolchain w/ dynamic library"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+	depends on BR2_STATIC_LIBS
diff --git a/package/openscap/openscap.hash b/package/openscap/openscap.hash
new file mode 100644
index 0000000000000000000000000000000000000000..e98631372d517c1ce96058477b11d8add35342b1
--- /dev/null
+++ b/package/openscap/openscap.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  6e61913fca3a74d310d7cf9354973eeaefa42be909ae649af1df48c3c08bc6ff  openscap-1.3.12.tar.gz
+sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  COPYING
diff --git a/package/openscap/openscap.mk b/package/openscap/openscap.mk
new file mode 100644
index 0000000000000000000000000000000000000000..84dd3fe48456497cfe2539c9ed24a7f93fe7a9eb
--- /dev/null
+++ b/package/openscap/openscap.mk
@@ -0,0 +1,69 @@
+################################################################################
+#
+# openscap
+#
+################################################################################
+
+OPENSCAP_VERSION = 1.3.12
+OPENSCAP_SITE = https://github.com/OpenSCAP/openscap/releases/download/$(OPENSCAP_VERSION)
+OPENSCAP_LICENSE = LGPL-2.1+
+OPENSCAP_LICENSE_FILES = COPYING
+OPENSCAP_SUPPORTS_IN_SOURCE_BUILD = NO
+OPENSCAP_INSTALL_STAGING = YES
+OPENSCAP_DEPENDENCIES = \
+	host-pkgconf \
+	libcurl \
+	libgcrypt \
+	libxml2 \
+	libxmlsec1 \
+	libxslt \
+	openssl \
+	pcre
+
+HOST_OPENSCAP_DEPENDENCIES = \
+	host-pkgconf \
+	host-libcurl \
+	host-libgcrypt \
+	host-libxml2 \
+	host-libxmlsec1 \
+	host-libxslt \
+	host-openssl \
+	host-pcre
+
+OPENSCAP_CONF_OPTS = \
+	-DENABLE_OSCAP_UTIL=ON \
+	-DENABLE_OSCAP_UTIL_DOCKER=OFF \
+	-DENABLE_OSCAP_UTIL_CHROOT=OFF \
+	-DENABLE_OSCAP_UTIL_PODMAN=OFF \
+	-DENABLE_OSCAP_UTIL_VM=OFF \
+	-DENABLE_PROBES_WINDOWS=OFF \
+	-DENABLE_TESTS=OFF \
+	-DWITH_CRYPTO=gcrypt \
+	-DENABLE_PYTHON3=OFF
+
+HOST_OPENSCAP_CONF_OPTS = \
+	-DENABLE_OSCAP_UTIL=ON \
+	-DENABLE_OSCAP_UTIL_DOCKER=OFF \
+	-DENABLE_OSCAP_UTIL_CHROOT=OFF \
+	-DENABLE_OSCAP_UTIL_PODMAN=OFF \
+	-DENABLE_OSCAP_UTIL_VM=OFF \
+	-DENABLE_PROBES_WINDOWS=OFF \
+	-DENABLE_TESTS=OFF \
+	-DWITH_CRYPTO=gcrypt \
+	-DENABLE_PYTHON3=OFF
+
+ifeq ($(BR2_PACKAGE_ACL),y)
+OPENSCAP_DEPENDENCIES += acl
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP),y)
+OPENSCAP_DEPENDENCIES += libcap
+endif
+
+ifneq ($(BR2_TOOLCHAIN_USES_GLIBC),y)
+OPENSCAP_DEPENDENCIES += musl-fts
+OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS=-lfts
+endif
+
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 3/5] package/openscap: new package

[Thomas Petazzoni via buildroot]

On Thu, Oct 16, 2025 at 04:46:36PM +0200, Alexis Lothoré via buildroot wrote:
> Introduce the openscap package. openscap is a command line tool allowing
> to scan a system configuration to perform security compliance checks.
> The tool consumes XCCDF and OVAL files to perform system evaluation
> against a list of policies.
> 
> The package provides both a target and a host build configuration, as it
> is needed on both sides:
> - it is needed on the host to allow building the security policy files
>   to be embedded on the target
> - it is needed on the target to actually parse and evaluate those
>   security policy files.
> 
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>

Applied with the following changes:

    [Thomas:
    - Drop dependency on openssl, apparently not needed
    - Depend on gcrypt if !nss, as either can be used
    - Add missing dependency on libxslt]

Hopefully I didn't mess up with these changes (of course it builds
fine, and your compliance-as-code test continues to work on top of
this).

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3 4/5] package/compliance-as-code: new package

[Alexis Lothoré via buildroot]

Introduce the Compliance As Code package. This project provides data
files consumed by the openscap tool to evaluate a host compliance in
regard with security policies. The package depends on both host-openscap
(needed at build time to process the input files into usable files) and
openscap (needed on the target, will use the generated files to evaluate
the system configuration)

The project is based on cmake, but it also exposes a wrapper script
(build_product). The package uses the cmake build system, but exposes a
few Kconfig options to replicate some of the build_product options:
- BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
  option, building only the datastream files instead of all the files
- BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
  product(s) for which we want to generate policies files.

The default install target provided by the project expects a full build,
and so it will try to generate all the files for all the products when
executed (which cancels the benefit of being able to select only a
single or a few products), so the package defines a custom install
command.

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v2:
- reword commit title
- add entry to DEVELOPERS file
- remove non-relevant KConfig deps
- add comment about depends in Config.in
- remove FOO_REDISTRIBUTE = NO
- fix datastream-only build configuration management
- update install target to use cp rather than rsync
---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 package/compliance-as-code/Config.in               | 33 +++++++++++++++++
 package/compliance-as-code/compliance-as-code.hash |  4 +++
 package/compliance-as-code/compliance-as-code.mk   | 41 ++++++++++++++++++++++
 5 files changed, 80 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 321cb876802e86a58e490cf59a2ebcb72b273ac8..c1d09019c3a705d45b028443aac508a6908a70f1 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -156,6 +156,7 @@ F:	package/zabbix/
 N:	Alexis Lothoré <alexis.lothore@bootlin.com>
 F:	package/libxmlsec1/
 F:	package/openscap/
+F:	package/compliance-as-code/
 
 N:	Alistair Francis <alistair@alistair23.me>
 F:	board/sifive/
diff --git a/package/Config.in b/package/Config.in
index e78229ea172ad60903d53b3ea3c54a1fb8365913..d8e2b8029d25478d15f26ac55441c3e2b01e815c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2335,6 +2335,7 @@ endif
 endmenu
 
 menu "Security"
+	source "package/compliance-as-code/Config.in"
 	source "package/libapparmor/Config.in"
 	source "package/libselinux/Config.in"
 	source "package/libsemanage/Config.in"
diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..f791f0c88cad4cb2e9e2930a44295fd5a69a9364
--- /dev/null
+++ b/package/compliance-as-code/Config.in
@@ -0,0 +1,33 @@
+config BR2_PACKAGE_COMPLIANCE_AS_CODE
+	bool "compliance-as-code"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # openscap
+	depends on !BR2_STATIC_LIBS # dlfcn.h
+	select BR2_PACKAGE_OPENSCAP
+	help
+	  Generate and install the profiles used for
+	  security (e.g. FIPS, CSPN) compliance analysis.
+
+	  Uses ComplianceAsCode to generate profiles
+	  https://complianceascode.readthedocs.io/en/latest/
+
+comment "compliance-as-code needs a toolchain w/ dynamic library"
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+	depends on BR2_STATIC_LIBS
+
+if BR2_PACKAGE_COMPLIANCE_AS_CODE
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY
+	bool "datastream only"
+	default y
+	help
+	  Build only the datastreams (do not build the html tables,
+	  guides, etc)
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS
+	string "products"
+	help
+	  Provide a space-separated list of products for which you want
+	  to build security content. Leave empty to build content for
+	  all supported products.
+
+endif
diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
new file mode 100644
index 0000000000000000000000000000000000000000..223216295de39ac1f2dbf4e5146e669758c80d6a
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.hash
@@ -0,0 +1,4 @@
+
+# Locally computed
+sha256  bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43  compliance-as-code-0.1.77.tar.gz
+sha256  ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298  LICENSE
diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
new file mode 100644
index 0000000000000000000000000000000000000000..7a961b3ab40d7166a52aac383b3fded929f19650
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.mk
@@ -0,0 +1,41 @@
+################################################################################
+#
+# Compliance As Code
+#
+################################################################################
+
+COMPLIANCE_AS_CODE_VERSION = 0.1.77
+COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
+COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
+COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
+
+COMPLIANCE_AS_CODE_DEPENDENCIES = \
+	host-python3 \
+	host-openscap \
+	openscap \
+	host-python-jinja2 \
+	host-python-pyyaml \
+	host-libxslt \
+	host-libxml2
+
+COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
+COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
+
+ifeq ($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)
+COMPLIANCE_AS_CODE_MAKE_OPTS = -d
+endif
+
+COMPLIANCE_AS_CODE_MAKE_OPTS += \
+	$(foreach p,\
+		$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
+		$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), \
+			generate-ssg-$(p)-ds.xml, $(p) \
+		)\
+	)
+
+define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
+	mkdir -p $(TARGET_DIR)/etc/openscap
+	cp -dpfr $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/
+endef
+
+$(eval $(cmake-package))

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3 5/5] support/testing: add runtime testing for compliance-as-code

[Alexis Lothoré via buildroot]

Add some basic runtime testing for openscap/compliance-as-code. By
running a single command, we test that:
- the oscap binary is installed and can execute
- the compliance-as-code policy files are properly installed
- oscap can parse a policy file, and so those are correctly built

Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
---
Changes in v2:
- new commit
---
 DEVELOPERS                                         |  1 +
 .../tests/package/test_compliance_as_code.py       | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index c1d09019c3a705d45b028443aac508a6908a70f1..3488583d9206ad463a55b7f78dcccbf95cde7b3c 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -157,6 +157,7 @@ N:	Alexis Lothoré <alexis.lothore@bootlin.com>
 F:	package/libxmlsec1/
 F:	package/openscap/
 F:	package/compliance-as-code/
+F:	support/testing/tests/package/test_compliance_as_code.py
 
 N:	Alistair Francis <alistair@alistair23.me>
 F:	board/sifive/
diff --git a/support/testing/tests/package/test_compliance_as_code.py b/support/testing/tests/package/test_compliance_as_code.py
new file mode 100644
index 0000000000000000000000000000000000000000..10a53c12d0c26dcf124ee64d260ab6adb4765c0e
--- /dev/null
+++ b/support/testing/tests/package/test_compliance_as_code.py
@@ -0,0 +1,23 @@
+import os
+from infra.basetest import BRTest, BASIC_TOOLCHAIN_CONFIG
+
+
+class TestComplianceAsCode(BRTest):
+    config = BASIC_TOOLCHAIN_CONFIG + \
+        """
+        BR2_PACKAGE_COMPLIANCE_AS_CODE=y
+        BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS="debian12"
+        BR2_TARGET_ROOTFS_CPIO=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    def test_run(self):
+        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+        self.emulator.boot(arch="armv5",
+                           kernel="builtin",
+                           options=["-initrd", cpio_file])
+        self.emulator.login()
+
+        # Check that oscap can parse the generated datastream
+        self.assertRunOk(
+                "oscap info /etc/openscap/ssg-debian12-ds.xml", timeout=10)

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 0/5] package/compliance-as-code: introduce new package

[Tim Hammer]

C2 - Confidential

On Thu, Oct 16, 2025 at 04:46:33PM +0200, Alexis Lothoré wrote:
> Hello,
> this is the v3 of the series bringing in Compliance As Code policies [1]
> (CaC) on a target. v2 has not received any new review since it has been
> sent, but in the mean time, I found some small issues (either at build
> time or runtime, due to a lack in my testing setup) so this new revision
> acts both as an update and a resend.
>
> This project aims to provide security policy content on systems: this
> content brings data files describing checks standards and automations
> for system configuration.  Those files come in various formats (XCCDF,
> OVAL, SCAP).  This project is tightly coupled to the OpenSCAP tool [2]:
> - to build the data files to embed on the target system
> - and to perform analysis on the system, by consuming the data files
>
> CaC then depends on both openscap and host-openscap.
> The series brings in the following commits:
> - commit 1 brings libxmsec1, one of openscap dependencies
> - commit 2 brings back host-libcurl (which has been supported and later
>   removed from BR, as there was no user anymore), since host-openscap
>   needs host-libcurl
> - commit 3 brings openscap package
> - commit 4 brings CaC package
>
> The new CaC package brings a minimal feature set for now: it only brings
> the security policy data files (ie: XML files) on the target. It can be
> extended later as needed to bring in for example generated bash script,
> ansible playbooks, etc.
>
> Testing output:
> $ ./utils/test-pkg -c cac.config -p compliance-as-code
>    bootlin-armv5-uclibc [1/6]: OK
>    bootlin-armv7-glibc [2/6]: OK
>    bootlin-armv7m-uclibc [3/6]: SKIPPED
>    bootlin-x86-64-musl [4/6]: OK
>    br-arm-full-static [5/6]: SKIPPED
>    arm-aarch64 [6/6]: OK
>
> [1] https://github.com/ComplianceAsCode/content
> [2] https://github.com/OpenSCAP/openscap
>
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>

Reviewed-by: Tim Hammer <Tim.Hammer@nav-timing.safrangroup.com>

--
Tim D. Hammer, Safran Trusted 4D
https://safran-navigation-timing.com/
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 0/5] package/compliance-as-code: introduce new package

[Alexis Lothoré via buildroot]

Hello,

On Thu Oct 16, 2025 at 4:46 PM CEST, Alexis Lothoré wrote:
> Hello,
> this is the v3 of the series bringing in Compliance As Code policies [1]
> (CaC) on a target. v2 has not received any new review since it has been
> sent, but in the mean time, I found some small issues (either at build
> time or runtime, due to a lack in my testing setup) so this new revision
> acts both as an update and a resend.

It's been a month since last revision, and aside from a R-B, no new request
for change has been posted. Any new opinion on those additions ? If not,
could we please move forward with this series ?

Thanks,

Alexis

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3 0/5] package/compliance-as-code: introduce new package

[Alexis Lothoré via buildroot]

Hello buildroot maintainers,

On Mon Nov 17, 2025 at 3:25 PM CET, Alexis Lothoré wrote:
> Hello,
>
> On Thu Oct 16, 2025 at 4:46 PM CEST, Alexis Lothoré wrote:
>> Hello,
>> this is the v3 of the series bringing in Compliance As Code policies [1]
>> (CaC) on a target. v2 has not received any new review since it has been
>> sent, but in the mean time, I found some small issues (either at build
>> time or runtime, due to a lack in my testing setup) so this new revision
>> acts both as an update and a resend.
>
> It's been a month since last revision, and aside from a R-B, no new request
> for change has been posted. Any new opinion on those additions ? If not,
> could we please move forward with this series ?

It's been now more than two months since by last ping, without any
comment or change requesst on the series. What is preventing it from
being merged ?

Thanks,

Alexis


-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot