From 79ff8dfcd53f68d88c106e7a91c344ac841ac37c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 8 Sep 2022 14:00:52 +0300 Subject: [PATCH 01/10] fix: spec: simple sync from fedora --- openscap.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openscap.spec b/openscap.spec index 2638811025..a4ee9f1176 100644 --- a/openscap.spec +++ b/openscap.spec @@ -1,8 +1,8 @@ # This spec file is not synchronized to the Fedora downstream. # It serves as Fedora CI configuration and as support for downstream updates. Name: openscap +Version: 1.3.6 Release: 0%{?dist} -Version: 1.3.0 Epoch: 1 Summary: Set of open source libraries enabling integration of the SCAP line of standards License: LGPLv2+ From 175f8d88115739a6fc3a606769e0d81830dd7530 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:46:26 +0300 Subject: [PATCH 02/10] bugfix: spec: consistently require same version in subpackages --- openscap.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openscap.spec b/openscap.spec index a4ee9f1176..832f07171b 100644 --- a/openscap.spec +++ b/openscap.spec @@ -116,7 +116,7 @@ for developing applications that use %{name}-engine-sce. %package containers Summary: Utils for scanning containers Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: %{name}-scanner +Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release} BuildArch: noarch %description containers From b4e87fe3cbd1e55518e177ae5bd4812fa4916b0b Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Wed, 7 Sep 2022 12:58:43 +0300 Subject: [PATCH 03/10] fix: cmake: add oscap-run-sce-script only if ENABLE_SCE --- utils/CMakeLists.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt index 93ce1f2a9d..e23ba0ec03 100644 --- a/utils/CMakeLists.txt +++ b/utils/CMakeLists.txt 
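Review bot: `Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}` is added to a subpackage declared `BuildArch: noarch`, and `%{?_isa}` expands to the build host's ISA at build time, so the noarch `openscap-containers` rpm would carry an `openscap-scanner(x86-64)`-style dependency and be uninstallable on every other architecture. Keep the versioned lock but drop the ISA qualifier, matching the `Requires: %{name} = %{epoch}:%{version}-%{release}` line directly above it: `Requires: %{name}-scanner = %{epoch}:%{version}-%{release}`.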
@@ -1,6 +1,8 @@ -install(PROGRAMS "oscap-run-sce-script" - DESTINATION ${CMAKE_INSTALL_BINDIR} -) +if(ENABLE_SCE) + install(PROGRAMS "oscap-run-sce-script" + DESTINATION ${CMAKE_INSTALL_BINDIR} + ) +endif() if(ENABLE_OSCAP_UTIL) file(GLOB UTILS_SOURCES "*.c") From 3bdfd1b3679e2bd06b1b3b7efac63830fee304b8 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:23:57 +0300 Subject: [PATCH 04/10] fix: spec: use %ctest macro no parallel Multiple tests share test file names. If tests are run parallel, they will fail. BuildRequire programs used in ctests. Use %{with check} --- openscap.spec | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/openscap.spec b/openscap.spec index 832f07171b..6a65f0d6c5 100644 --- a/openscap.spec +++ b/openscap.spec @@ -28,9 +28,24 @@ BuildRequires: dbus-devel BuildRequires: libyaml-devel BuildRequires: xmlsec1-devel xmlsec1-openssl-devel BuildRequires: systemd -%if %{?_with_check:1}%{!?_with_check:0} -BuildRequires: perl-XML-XPath +%if %{with check} BuildRequires: bzip2 +BuildRequires: chkconfig +BuildRequires: diffutils +BuildRequires: findutils +BuildRequires: gawk +BuildRequires: hostname +BuildRequires: ipcalc +BuildRequires: iproute +BuildRequires: libselinux-utils +BuildRequires: lua +BuildRequires: openssl +BuildRequires: perl(XML::Parser) +BuildRequires: perl(XML::XPath) +BuildRequires: procps +BuildRequires: rpm-build +BuildRequires: tar +BuildRequires: tcpdump %endif Requires: bash Requires: bzip2-libs @@ -138,8 +153,10 @@ Tool for scanning Atomic containers. make docs %check -%if %{?_with_check:1}%{!?_with_check:0} -ctest -V %{?_smp_mflags} +%if %{with check} +# Tests use common files. Running tests parallel causes failed tests because of that. +%undefine _smp_mflags +%ctest %endif %install From 91a2d1e499ce5278a81a164f19255c3905456ee5 Mon Sep 17 00:00:00 2001 
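Review bot: `%undefine _smp_mflags` inside `%check` is not scoped to that section: rpm expands the spec top to bottom, so every macro expanded after this line (`%install` here, and anything added below later) also loses its parallel flags, which the comment above it does not warn about. Either state that in the comment, e.g. `# Tests share temporary files and fail when run in parallel, so run ctest serially; note this undefine also applies to every section below.`, or redefine the macro from `%{_smp_build_ncpus}` right after `%ctest`. The current wording `Running tests parallel causes failed tests because of that.` is also awkward and should be tightened as above.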
From: Markus Linnala Date: Sun, 4 Sep 2022 11:31:23 +0300 Subject: [PATCH 05/10] fix: spec: drop old fixes when fedora ldconfig_scriptlets needed if support pre Fedora 28. https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets redhat-rpm-config can mangle shebangs - added v90 la files are handled automatically: https://fedoraproject.org/wiki/Changes/RemoveLaFiles service bugs are fixed, see relevant bugs --- openscap.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openscap.spec b/openscap.spec index 6a65f0d6c5..727d895334 100644 --- a/openscap.spec +++ b/openscap.spec @@ -162,6 +162,7 @@ make docs %install %cmake_install +%if "0%{?!fedora:1}" find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' # fix python shebangs @@ -174,6 +175,7 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm # https://bugzilla.redhat.com/show_bug.cgi?id=1833176 mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service +%endif %files %doc AUTHORS NEWS README.md @@ -209,7 +211,9 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %{_sysconfdir}/bash_completion.d %{_libexecdir}/oscap-remediate %{_unitdir}/oscap-remediate.service +%if "0%{?!fedora:1}" %{_unitdir}/system-update.target.wants/ +%endif %files utils %doc docs/oscap-scan.cron From 493b43aacbe2cfa5ad6e8bbe3998ce690e9754e3 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:39:26 +0300 Subject: [PATCH 06/10] fix: spec: support yaml-filter --- openscap.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openscap.spec b/openscap.spec index 727d895334..d91c38a311 100644 --- a/openscap.spec +++ b/openscap.spec 
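Review bot: `%if "0%{?!fedora:1}"` does not do what the commit intends: the quotes make the operand a string, and rpm's expression evaluator treats any non-empty string as true (older rpm rejects a bare string in boolean context outright), so on Fedora the operand is `"0"` and the block is still taken, leaving the `.la` removal, the `pathfix.py` run and the `system-update.target.wants` symlink active and the matching `%files` entry effectively unconditional. Use the numeric idiom at both sites, the `%install` guard and the `%files` guard in the second hunk: `%if !0%{?fedora}`. Since the build succeeds either way, nothing in CI would have flagged this.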
@@ -8,6 +8,7 @@ Summary: Set of open source libraries enabling integration of the SCAP li License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/OpenSCAP/yaml-filter/archive/refs/tags/v0.2.0.tar.gz BuildRequires: make BuildRequires: cmake >= 2.6 BuildRequires: gcc @@ -139,6 +140,7 @@ Tool for scanning Atomic containers. %prep %autosetup -p1 +tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1 %build %undefine __cmake_in_source_build From 37fc4199edbc2e67b99a9904f6d2d4cc55fbb50a Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:41:11 +0300 Subject: [PATCH 07/10] fix: spec: %files reorder, do not use exclude It is better to list files explicitly. Order bin, then man. Move oscap-run-sce-script to engine-sce. --- openscap.spec | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/openscap.spec b/openscap.spec index d91c38a311..cff888553e 100644 --- a/openscap.spec +++ b/openscap.spec @@ -202,14 +202,11 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %{_includedir}/openscap %exclude %{_includedir}/openscap/sce_engine_api.h -%files engine-sce-devel -%{_libdir}/libopenscap_sce.so -%{_includedir}/openscap/sce_engine_api.h - %files scanner -%{_mandir}/man8/oscap.8* %{_bindir}/oscap %{_bindir}/oscap-chroot +%{_mandir}/man8/oscap.8* +%{_mandir}/man8/oscap-chroot.8* %{_sysconfdir}/bash_completion.d %{_libexecdir}/oscap-remediate %{_unitdir}/oscap-remediate.service 
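Review bot: `Source1` points at a GitHub auto-generated tag archive (`archive/refs/tags/v0.2.0.tar.gz`) and the spec carries no checksum or signature check for it, so the vendored yaml-filter code enters the build on trust in the URL alone and the bytes are not guaranteed stable across regenerations; the basename `v0.2.0.tar.gz` also collides with every other project's tag tarball in SOURCES. Prefer a release asset, or at least pin the name with rpm's fragment trick, `Source1: https://github.com/OpenSCAP/yaml-filter/archive/refs/tags/v0.2.0.tar.gz#/yaml-filter-0.2.0.tar.gz`, and record its hash wherever Source0's is verified. The `tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1` line in `%prep` also presumes `yaml-filter/` already exists in the unpacked Source0 (`--directory` does not create it); a `mkdir -p yaml-filter` before it makes the step independent of how the release tarball happens to be produced.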
@@ -219,23 +216,31 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %files utils %doc docs/oscap-scan.cron -%{_mandir}/man8/* -%exclude %{_mandir}/man8/oscap.8* -%exclude %{_mandir}/man8/oscap-docker.8* -%{_bindir}/* -%exclude %{_bindir}/oscap -%exclude %{_bindir}/oscap-docker -%exclude %{_bindir}/oscap-chroot +%{_bindir}/autotailor +%{_bindir}/oscap-remediate-offline +%{_bindir}/oscap-ssh +%{_bindir}/oscap-vm +%{_bindir}/scap-as-rpm +%{_mandir}/man8/autotailor.8* +%{_mandir}/man8/oscap-remediate-offline.8* +%{_mandir}/man8/oscap-ssh.8* +%{_mandir}/man8/oscap-vm.8* +%{_mandir}/man8/scap-as-rpm.8* %files engine-sce +%{_bindir}/oscap-run-sce-script %{_libdir}/libopenscap_sce.so.* +%files engine-sce-devel +%{_libdir}/libopenscap_sce.so +%{_includedir}/openscap/sce_engine_api.h + %files containers %{_bindir}/oscap-docker %{_mandir}/man8/oscap-docker.8* -%{python3_sitelib}/oscap_docker_python/* %{_bindir}/oscap-podman %{_mandir}/man8/oscap-podman.8* +%{python3_sitelib}/oscap_docker_python/* %changelog %autochangelog From 0459c09f2b5dbaad7fae8672f3d6c39ad4b4601f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:45:35 +0300 Subject: [PATCH 08/10] fix: spec: build system changes - use ninja-build - ensure pkg-config is used - systemd-rpm-macros are used in spec - cmake requirement now: cmake_minimum_required(VERSION 2.8...3.19) --- openscap.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openscap.spec b/openscap.spec index cff888553e..b2f6c362ec 100644 --- a/openscap.spec +++ b/openscap.spec 
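Review bot: `%{python3_sitelib}/oscap_docker_python/*` lists the module's contents but leaves the `oscap_docker_python` directory itself unowned, so it survives package removal and no package claims it for `rpm -V`. Since the commit's stated goal is explicit ownership, own the whole tree instead: `%{python3_sitelib}/oscap_docker_python/`. The new explicit lists for `autotailor`, `oscap-remediate-offline`, `oscap-ssh`, `oscap-vm`, `scap-as-rpm` and their man pages are consistent with the globs they replace.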
@@ -10,7 +10,10 @@ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source1: https://github.com/OpenSCAP/yaml-filter/archive/refs/tags/v0.2.0.tar.gz BuildRequires: make -BuildRequires: cmake >= 2.6 +BuildRequires: cmake >= 2.8 +BuildRequires: ninja-build +BuildRequires: pkg-config +BuildRequires: systemd-rpm-macros BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser @@ -146,11 +149,12 @@ tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1 %undefine __cmake_in_source_build # gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon # as gconf is no longer part of the installation medium -%cmake \ +%cmake -G Ninja \ -DENABLE_PERL=OFF \ -DENABLE_DOCS=ON \ -DOPENSCAP_PROBE_UNIX_GCONF=OFF \ -DGCONF_LIBRARY= + %cmake_build make docs From fd1cfb2534e6722f3e9071ac19a879544dd98e1a Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 11:47:11 +0300 Subject: [PATCH 09/10] fix: spec: use pkgconfig macros Do not sprinkle BuildRequires between subpackages, instead try to follow CMakeLists.txt order of dependencies. Handle gconf using 'with'. Handle perl using 'with'. --- openscap.spec | 90 +++++++++++++++++++++++++++++---------------------- 1 file changed, 52 insertions(+), 38 deletions(-) diff --git a/openscap.spec b/openscap.spec index b2f6c362ec..6d4dd98775 100644 --- a/openscap.spec +++ b/openscap.spec @@ -1,3 +1,10 @@ +# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon +# as gconf is no longer part of the installation medium +%bcond_with gconf + +# By default do not build perl swig bindings +%bcond_with perl + # This spec file is not synchronized to the Fedora downstream. # It serves as Fedora CI configuration and as support for downstream updates. Name: openscap 
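Review bot: `%cmake -G Ninja` switches the generator, but the `make docs` line that follows `%cmake_build` still invokes make; a Ninja build tree has no Makefile, and with `%undefine __cmake_in_source_build` the command runs in the source directory anyway, so unless the tarball ships a top-level Makefile it cannot reach the `docs` target. Use the generator-agnostic macro, `%cmake_build --target docs`, and if `-DENABLE_DOCS=ON` already builds the documentation as part of the default target, drop the line altogether.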
@@ -16,22 +23,46 @@ BuildRequires: pkg-config BuildRequires: systemd-rpm-macros BuildRequires: gcc BuildRequires: gcc-c++ -BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser -BuildRequires: rpm-devel -BuildRequires: libgcrypt-devel -BuildRequires: pcre-devel -BuildRequires: libacl-devel -BuildRequires: libselinux-devel -BuildRequires: libcap-devel -BuildRequires: libblkid-devel -BuildRequires: bzip2-devel + +# Try to follow CMakeLists.txt order +BuildRequires: pkgconfig(libacl) +BuildRequires: pkgconfig(blkid) +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(dbus-1) +BuildRequires: doxygen +%if %{with gconf} +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(gobject-2.0) +BuildRequires: pkgconfig(gconf-2.0) +%endif +BuildRequires: pkgconfig(ldap) +BuildRequires: pkgconfig(opendbx) +BuildRequires: pkgconfig(libpcre) +%if %{with perl} +BuildRequires: perl-devel +# BuildRequires: perl-generators +%endif +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libprocps) +BuildRequires: pkgconfig(python3) +BuildRequires: pkgconfig(rpm) +BuildRequires: pkgconfig(libselinux) +BuildRequires: swig +BuildRequires: pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(libxslt) +BuildRequires: pkgconfig(xmlsec1) +BuildRequires: pkgconfig(xmlsec1-openssl) +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(bzip2) +BuildRequires: pkgconfig(libgcrypt) +BuildRequires: pkgconfig(yaml-0.1) BuildRequires: asciidoc -BuildRequires: openldap-devel -BuildRequires: glib2-devel -BuildRequires: dbus-devel -BuildRequires: libyaml-devel -BuildRequires: xmlsec1-devel xmlsec1-openssl-devel +BuildRequires: git +BuildRequires: sed BuildRequires: systemd + %if %{with check} BuildRequires: bzip2 BuildRequires: chkconfig 
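Review bot: several `pkgconfig(...)` entries here have no counterpart in the `-devel` list they replace — `pkgconfig(opendbx)`, `pkgconfig(libprocps)`, `pkgconfig(libsystemd)`, `pkgconfig(openssl)` — so the build presumably auto-detects and compiles additional optional probes that were not built before, widening the shipped attack surface without a word in the commit message; opendbx in particular turns on the SQL probe code. Gate each with a `%bcond` and a one-line comment the way `gconf` and `perl` are handled, or at least document the intent next to the line, e.g. `# enables the SQL probes -- intentional`. The commented-out `# BuildRequires: perl-generators` inside the perl block should be deleted or explained rather than left as dead text.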
@@ -51,19 +82,6 @@ BuildRequires: rpm-build BuildRequires: tar BuildRequires: tcpdump %endif -Requires: bash -Requires: bzip2-libs -Requires: dbus -Requires: glib2 -Requires: libacl -Requires: libblkid -Requires: libcap -Requires: libselinux -Requires: openldap -Requires: popt -# Fedora has procps-ng, which provides procps -Requires: procps -Requires: xmlsec1 xmlsec1-openssl %description OpenSCAP is a set of open source libraries providing an easier path @@ -74,9 +92,6 @@ for the expression of Computer Network Defense related information. %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -Requires: libxml2-devel -Requires: pkgconfig -BuildRequires: doxygen %description devel The %{name}-devel package contains libraries and header files for @@ -85,7 +100,6 @@ developing applications that use %{name}. %package python3 Summary: Python 3 bindings for %{name} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -BuildRequires: python3-devel %description python3 The %{name}-python3 package contains the bindings so that %{name} @@ -94,8 +108,6 @@ libraries can be used by python3. %package scanner Summary: OpenSCAP Scanner Tool (oscap) Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -Requires: libcurl >= 7.12.0 -BuildRequires: libcurl-devel >= 7.12.0 %description scanner The %{name}-scanner package contains oscap command-line tool. The oscap @@ -105,6 +117,7 @@ compliance checking using SCAP content. %package utils Summary: OpenSCAP Utilities Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} +# These not probed from: scap-as-rpm Requires: rpmdevtools rpm-build Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release} 
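Review bot: dropping the explicit `Requires:` lines leans on rpm's automatic soname dependencies, which is right for linked libraries but cannot express two of the removed entries: `Requires: dbus` named the D-Bus daemon package (only `libdbus-1.so` is auto-generated, the service is not), and `Requires: xmlsec1-openssl` covers a crypto backend that libxmlsec1 can load at runtime rather than link, so it is only auto-detected if openscap links `libxmlsec1-openssl.so` directly. Confirm both before relying on auto-requires; if the D-Bus probes need the daemon, re-add `Requires: dbus` with a comment such as `# runtime service, not a linked library: not auto-detected`. The `Requires: pkgconfig` / `libxml2-devel` removals on the -devel packages are fine only if the installed `.pc` file lists `libxml-2.0` so the pkgconfig dependency generator emits them.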
@@ -126,7 +139,6 @@ commands using a scripting language (Bash, Perl, Python, Ruby, ...). Summary: Development files for %{name}-engine-sce Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release} -Requires: pkgconfig %description engine-sce-devel The %{name}-engine-sce-devel package contains libraries and header files @@ -147,13 +159,15 @@ tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1 %build %undefine __cmake_in_source_build -# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon -# as gconf is no longer part of the installation medium %cmake -G Ninja \ - -DENABLE_PERL=OFF \ -DENABLE_DOCS=ON \ +%if ! %{with gconf} -DOPENSCAP_PROBE_UNIX_GCONF=OFF \ - -DGCONF_LIBRARY= + -DGCONF_LIBRARY= \ +%endif +%if ! %{with perl} + -DENABLE_PERL=OFF \ +%endif %cmake_build make docs From 84a4ce91386caba8fd1e43a7e1fbbafe168e68c9 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 4 Sep 2022 19:06:27 +0300 Subject: [PATCH 10/10] feature: spec: asan build As this spec is used for testing and program is complex C/C++ program, it seems prudent to use asan. Also enables ubsan. By default do not detect leaks as there was way too many to fix. --- CMakeLists.txt | 7 +++++++ openscap.spec | 26 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index f501673366..e5785f5674 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
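Review bot: the `%cmake` invocation now ends on a continuation line — every `-D...` option carries a trailing `\`, with `%endif` as the last spec line — so the shell command is terminated only by the blank line that follows, and any later edit that removes it (or appends a flag without `\`) silently merges `%cmake_build` into the cmake arguments. Make the last line unconditional and backslash-free, e.g. move `-DENABLE_DOCS=ON` after the two `%if` blocks and drop its `\`. `%if ! %{with gconf}` and `%if ! %{with perl}` also read more naturally as `%if %{without gconf}` / `%if %{without perl}`, the idiom rpm provides for bconds.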
@@ -347,6 +347,7 @@ option(ENABLE_MITRE "enables MITRE tests -- requires specific environment suppor # ---------- LANGUAGE BINDINGS cmake_dependent_option(ENABLE_PYTHON3 "if enabled, the python3 swig bindings will be built" ON "PYTHONINTERP_FOUND;SWIG_FOUND;PYTHONLIBS_FOUND" OFF) cmake_dependent_option(ENABLE_PERL "if enabled, the perl swig bindings will be built" ON "PERLLIBS_FOUND;SWIG_FOUND" OFF) +option(ENABLE_ASAN "if enabled, the build using asan" FALSE) # ---------- NO IDEA WHAT THIS IS FOR set(WANT_BASE64 TRUE CACHE BOOL "wants builtin Base64") @@ -535,6 +536,12 @@ if(APPLE) add_definitions(-D_DARWIN_C_SOURCE) endif() +if(ENABLE_ASAN) + add_compile_options(-fno-common -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined) + add_link_options(-fno-common -fno-omit-frame-pointer -fsanitize=address -static-libasan -fsanitize-address-use-after-scope -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined) +endif() + + include_directories( "compat/" "src/" diff --git a/openscap.spec b/openscap.spec index 6d4dd98775..304843be55 100644 --- a/openscap.spec +++ b/openscap.spec @@ -1,3 +1,7 @@ +# build with asan +# - bindings/sce fail to work because of some asan linkage issues presumed +%bcond_with asan + # gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon # as gconf is no longer part of the installation medium %bcond_with gconf @@ -23,6 +27,11 @@ BuildRequires: pkg-config BuildRequires: systemd-rpm-macros BuildRequires: gcc BuildRequires: gcc-c++ +%if %{with asan} +BuildRequires: libasan +BuildRequires: libasan-static +BuildRequires: libubsan +%endif # Try to follow CMakeLists.txt order BuildRequires: pkgconfig(libacl) 
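Review bot: `-static-libasan` in `add_link_options` is applied to every target, including the shared libraries (`libopenscap.so`, `libopenscap_sce.so`, the swig modules), so each DSO gets its own copy of the ASan runtime; this is very likely the "asan linkage issue" the spec hunk below works around by disabling the bindings and SCE, and dropping the flag so the process shares one dynamic runtime would remove the need for that. The flag set is also GCC-specific (`-static-libasan` is the GCC spelling) yet unguarded by compiler id, the link line repeats compile-only flags such as `-fno-common`, and the help text `"if enabled, the build using asan"` should say what this really is: an AddressSanitizer+UBSan test build that must never be packaged for release, since sanitizer runtimes are not hardened. A sketch:
```cmake
option(ENABLE_ASAN "Build with AddressSanitizer and UBSan; for testing only, never for shipped packages" OFF)
# … unchanged: APPLE block …
if(ENABLE_ASAN)
	if(NOT CMAKE_C_COMPILER_ID STREQUAL "GNU")
		message(FATAL_ERROR "ENABLE_ASAN uses GCC-specific flags; add an equivalent set for ${CMAKE_C_COMPILER_ID}")
	endif()
	message(WARNING "ENABLE_ASAN is a test configuration: sanitizer runtimes are not hardened and must not be installed on production systems")
	set(OPENSCAP_SANITIZER_FLAGS -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined)
	add_compile_options(-fno-common ${OPENSCAP_SANITIZER_FLAGS})
	# no -static-libasan: a runtime copy in each shared object breaks the bindings and the SCE plug-in
	add_link_options(${OPENSCAP_SANITIZER_FLAGS})
endif()
```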
@@ -126,6 +135,7 @@ The %{name}-utils package contains command-line tools build on top of OpenSCAP library. Historically, openscap-utils included oscap tool which is now separated to %{name}-scanner sub-package. +%if ! %{with asan} %package engine-sce Summary: Script Check Engine plug-in for OpenSCAP Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} @@ -143,6 +153,7 @@ Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release} %description engine-sce-devel The %{name}-engine-sce-devel package contains libraries and header files for developing applications that use %{name}-engine-sce. +%endif %package containers Summary: Utils for scanning containers @@ -161,6 +172,12 @@ tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1 %undefine __cmake_in_source_build %cmake -G Ninja \ -DENABLE_DOCS=ON \ +%if %{with asan} + -DENABLE_ASAN=TRUE \ + -DENABLE_PERL=OFF \ + -DENABLE_PYTHON=OFF \ + -DENABLE_SCE=OFF \ +%endif %if ! %{with gconf} -DOPENSCAP_PROBE_UNIX_GCONF=OFF \ -DGCONF_LIBRARY= \ @@ -176,6 +193,11 @@ make docs %if %{with check} # Tests use common files. Running tests parallel causes failed tests because of that. %undefine _smp_mflags +%if %{with asan} +# https://github.com/google/sanitizers/wiki/AddressSanitizer +# - but do not detect leaks, program is not long running, also numerous leaks so fix these completely would require some effort +export ASAN_OPTIONS=detect_leaks=0:strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:detect_invalid_pointer_pairs=2 +%endif %ctest %endif @@ -218,7 +240,9 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %{_libdir}/libopenscap.so %{_libdir}/pkgconfig/*.pc %{_includedir}/openscap +%if ! %{with asan} %exclude %{_includedir}/openscap/sce_engine_api.h +%endif %files scanner %{_bindir}/oscap 
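Review bot: `-DENABLE_PYTHON=OFF` does not match the option the project defines — the CMake hunk above shows `cmake_dependent_option(ENABLE_PYTHON3 ...)` — so under `--with asan` the Python bindings are still built and packaged despite the `# bindings/sce fail to work` comment; it should read `-DENABLE_PYTHON3=OFF`, and since `%package python3` is not excluded the way `engine-sce` is, its `%files` would then need the same `%if ! %{with asan}` guard. Separately, `ASAN_OPTIONS` is exported but nothing makes UBSan fatal: `-fsanitize=undefined` reports and continues by default, so undefined-behaviour findings scroll past `%ctest` without failing it; add `export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1` next to it, or build with `-fno-sanitize-recover=undefined`.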
@@ -245,6 +269,7 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %{_mandir}/man8/oscap-vm.8* %{_mandir}/man8/scap-as-rpm.8* +%if ! %{with asan} %files engine-sce %{_bindir}/oscap-run-sce-script %{_libdir}/libopenscap_sce.so.* @@ -252,6 +277,7 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %files engine-sce-devel %{_libdir}/libopenscap_sce.so %{_includedir}/openscap/sce_engine_api.h +%endif %files containers %{_bindir}/oscap-docker