Bug 1259037

Summary: Rebase OpenSCAP to 1.2.x
Product: Red Hat Enterprise Linux 6
Reporter: Ann Marie Rubin <arubin>
Component: openscap
Assignee: Šimon Lukašík <slukasik>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: high
Docs Contact: Robert Krátký <rkratky>
Priority: high
Version: 6.8
CC: jcerny, mhaicman, openscap-maint, rkratky, salmy, slukasik
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openscap-1.2.8-2.el6
Doc Type: Release Note
Doc Text:
_openscap_ rebased to version 1.2.8

OpenSCAP, a set of libraries providing a path for the integration of SCAP standards, has been rebased to 1.2.8, the latest upstream version. Notable enhancements include support for the OVAL-5.11 and OVAL-5.11.1 language versions, the introduction of a verbose mode, which helps to understand the details of running scans, two new commands, "oscap-ssh" and "oscap-vm", for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-10 20:53:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1269551, 1271982

Description Ann Marie Rubin 2015-09-01 19:59:52 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 4 Šimon Lukašík 2015-10-29 16:39:37 UTC
Some technical background behind the rebase:

Currently, in RHEL6 there is the openscap-1.0.x version, which is our family gold certified on rhel5. The rebase to openscap-1.2.x gets us multiple new features, for example the latest OVAL 5.11.1 implementation. Engineering is quite confident with the rebase, as we have shipped 1.2.x in RHEL-7 and also in RHEL-6 through Satellite client tools channel. Further, our internal test suite and community of upstream users have been consuming 1.2.x for almost a year now.

I'll try to list the new features relevant to rhel6:
 * OVAL-5.11 and OVAL-5.11.1 support
 * redesigned HTML report and HTML guides (modern interface, many new javascript features, like search)
 * introduced oscap-ssh -- handy utility to run remote scan over ssh
 * introduced oscap-vm -- handy utility to run scan of cold virtual system
 * native bzip2 support (you can use file.xml.bz2 instead of unbzipping before)
 * minimized use of temp files, most of the operations complete from memory and redesign of DataStream processing
 * awful lot of smaller bugfixes

Full list of changes can be reviewed at https://github.com/OpenSCAP/openscap/blob/69d29ad1d9408721cb979c2588134e4216656be1/NEWS#L1-L149

With regard to the test plan:
(1) I feel we have done a good job with creating upstream tests for the majority of bugfixes and OVAL-5.11.x work. So, the upstream test suite (make check) should pass on the update.
(2) The new tools (oscap-ssh and oscap-vm) are not tested upstream (as they require a lot of set-up). If QA had cycles to create automation for oscap-ssh and oscap-vm tools it would be highly appreciated.
(3) The new HTML report/guide is already heavily consumed through Satellite 6 interface by customers, however I am afraid that no automation exists. It may be challenging to create automation for an interactive HTML page. But if QA selects to do this exercise, they will be highly regarded.

Let me know, if you have any specific questions.

Comment 6 Marek Haicman 2016-01-22 16:07:33 UTC
Hello,
I have found two issues with the current build:

first:
mandatory test_passing_vars.sh not present in the upstream testsuite, and it fails

second:
guestunmount command that is utilized by the oscap-vm script is not available on rhel6.8 for now. Maybe "fusermount -u" could be used for unmount, as mentioned in guestmount man page?
this is tracked separately: https://bugzilla.redhat.com/show_bug.cgi?id=1300716

Comment 7 Jan Černý 2016-01-27 12:02:53 UTC
Upstream fix for first issue is here: https://github.com/OpenSCAP/openscap/commit/461ba59368551c74c29c74e5c9755333eae21990

Comment 8 Šimon Lukašík 2016-01-28 10:46:31 UTC
Thank You Marek for pointing out these issues.

I have included your patches wrt oscap-vm in openscap-1.2.8-2.el6. Thank You!

However, I would like to leave the testsuite issue unresolved. Here is my reasoning.
 * The bug is in the test suite not in the code
 * The bug represents itself only in certain configuration (make distcheck with --enable-sce).
 * The test suite is not being shipped to the customers
 * The fix is not easy to backport. The problem is when patching Makefile.am, the timestamp of the file changes and makes the whole autotools regenerate stuff from scratch. But such a build process will fail because of different hardcoded automake versions. (just try it ;-)). The best option is to create a patch that removes all the Makefile.in config.h.in files.

Let me know how you feel about this.

Comment 10 Marek Haicman 2016-01-29 13:32:45 UTC
Hello Simon,
I needed more time for analysis.

I am not sure we are on the same page here [my Makefile-related knowledge is limited to say the least]. Testsuite is shipped in src.rpm, and that is available to our customers. And --enable-sce is part of our spec file configuration, thus I understand it as "our preferred".

And to the fix - I did it manually for now, and I only added these missing files from github repository:

./tests/sce/test_passing_vars.sh
./tests/sce/test_check_engine_results.sh *
./tests/sce/test_passing_vars_xccdf.xml
./tests/sce/test_passing_vars_sce.sh
./tests/sce/empty_stdout.sh *

and fixed starred files, where shebang of the upstream is #!/usr/bin/bash. I would suggest to change that to /usr/bin/env bash ;)

Afterwards, whole test pack passed successfully. I would really appreciate if we could fix it, even though it is not a strict necessity :)

Thanks!
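
An added example, not part of the comment above or of the OpenSCAP tree: a POSIX shell check that lists `*.sh` files whose shebang names an interpreter path that is not executable on the build host, which is how a `#!/usr/bin/bash` line like the one discussed above can be caught before `make check` runs. The function names and the directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report test scripts whose shebang names an interpreter
# that does not exist on this host. Function names are hypothetical.

# Print the interpreter path from the first line of FILE, or nothing
# when the file has no shebang.
shebang_interpreter() {
    # Drop a trailing CR so CRLF-terminated scripts are parsed correctly.
    first=$(head -n 1 "$1" | tr -d '\r')
    case $first in
        '#!'*) ;;
        *) return 0 ;;
    esac
    rest=${first#??}          # strip the leading "#!"
    set -f                    # no globbing while word-splitting
    set -- $rest              # $1 = interpreter, $2.. = its arguments
    set +f
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1"
    fi
}

# Print "FILE: INTERPRETER" for every *.sh under DIR whose interpreter
# is not an executable file on this host.
find_broken_shebangs() {
    find "$1" -type f -name '*.sh' | LC_ALL=C sort | while IFS= read -r f; do
        interp=$(shebang_interpreter "$f")
        [ -n "$interp" ] || continue
        [ -x "$interp" ] || printf '%s: %s\n' "$f" "$interp"
    done
}

# Stand-alone use: sh check_shebangs.sh tests/sce
if [ $# -gt 0 ]; then
    find_broken_shebangs "$1"
fi
```

A script that starts with `#!/usr/bin/env bash` is reported only if `/usr/bin/env` itself is missing, because the check looks at the path on the shebang line and not at what `env` resolves.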

Comment 11 Marek Haicman 2016-02-23 11:20:10 UTC
As make check is not mandatory to work out-of-the-box [workaroundable as described in Comment 10] for release, I confirm that version openscap-1.2.8-2.el6 contains features noted by Simon in Comment 4, plus fix for oscap-vm as requested in Comment 6.

Comment 13 errata-xmlrpc 2016-05-10 20:53:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0806.html