Bug 1716354

Summary: Atomic Scan scanning of containers does not support RHEL8 images
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: openscap-container
Assignee: Jan Černý <jcerny>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: medium
Priority: medium
Version: 7.7
CC: jcerny, matyc, mhaicman, mthacker, tborcin, wsato
Target Milestone: rc
Keywords: FutureFeature, Rebase, Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openscap-container-7.8.0-2
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-04-01 00:23:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1777860, 1777862, 1777868

Description Marek Haicman 2019-06-03 10:04:13 UTC
Description of problem:
At the moment, using `atomic scan` to assess configuration compliance is limited to RHEL6 and RHEL7 targets. When scanning RHEL8, errors are printed out, and no scan is performed.

Version-Release number of selected component (if applicable):
https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/openscap/images/7.6.4-5


How reproducible:
reliably

Steps to Reproduce:
1. atomic scan --verbose ubi8/ubi

Actual results:

ERROR:Failed to scan target 'chroot:///scanin/4a0518848c7a1332f3c39bf548e4a77bcce0481e2fea088404026122dedc3379' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 146, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 521, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 518, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 323, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 298, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 482, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 460, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in cpe:/o:redhat:enterprise_linux

Expected results:
Target supported by the scan

Comment 1 Marek Haicman 2019-06-03 10:29:10 UTC
Note: As a workaround, it's possible to use alternative command `oscap-docker` which can consume arbitrary content.

1. Download ssg-rhel8-ds.xml from RHEL8 shipped package scap-security-guide-0.1.42-11.el8.noarch
2. oscap-docker image ubi8/ubi xccdf eval --profile ospp ./ssg-rhel8-ds.xml

This results in valid outcomes.

Comment 6 Jan Černý 2019-11-28 11:28:02 UTC
Hi, to enable scanning of RHEL8 containers on RHEL7 hosts using atomic, we will need to:
* start shipping RHEL 8 content in scap-security-guide
* update openscap-daemon (patch doesn't exist at this moment) because openscap-daemon contains logic to pick the right CVE data based on the container OS version
* update openscap, specifically extend the CPE dictionary and OVAL CPE definitions with RHEL 8, because openscap-daemon uses these files to determine container OS version
* extend the test coverage

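The failure in the traceback and the first two work items in the comment above (a RHEL 8 CPE definition plus a RHEL 8 CVE feed mapping in the daemon) can be shown together with a small model of that selection step. This is an added example and not openscap-daemon's own code: the regex-based CPE dictionary, the feed file names and the /etc/redhat-release strings are constructed assumptions standing in for the OVAL CPE definitions and feed manager the comment refers to.

```python
import re

# Constructed stand-in for the OVAL CPE dictionary on a RHEL 7 host:
# CPE name -> pattern matched against the container's /etc/redhat-release.
# Only RHEL 6 and RHEL 7 are versioned, as described in the bug.
CPE_DICTIONARY_RHEL7_HOST = {
    "cpe:/o:redhat:enterprise_linux": r"^Red Hat Enterprise Linux",
    "cpe:/o:redhat:enterprise_linux:6": r"^Red Hat Enterprise Linux .*release 6\.",
    "cpe:/o:redhat:enterprise_linux:7": r"^Red Hat Enterprise Linux .*release 7\.",
}

# Constructed mapping of supported CPE IDs to a CVE (OVAL) feed file name.
CVE_FEEDS_RHEL7_HOST = {
    "cpe:/o:redhat:enterprise_linux:6": "com.redhat.rhsa-RHEL6.xml",
    "cpe:/o:redhat:enterprise_linux:7": "com.redhat.rhsa-RHEL7.xml",
}


def detect_cpe_ids(redhat_release, dictionary):
    """Return every CPE name whose check matches the release string,
    most specific (longest name) first."""
    matched = [cpe for cpe, pattern in dictionary.items()
               if re.search(pattern, redhat_release)]
    return sorted(matched, key=len, reverse=True)


def get_cve_feed(cpe_ids, feeds):
    """Pick the CVE feed for the first supported CPE ID; raise the same
    error the daemon raised in the traceback when none is supported."""
    for cpe_id in cpe_ids:
        if cpe_id in feeds:
            return feeds[cpe_id]
    raise RuntimeError(
        "Can't find a supported CPE ID in %s" % ", ".join(cpe_ids))


def select_feed_for_container(redhat_release, dictionary, feeds):
    """The two-step decision: detect the OS CPE, then map it to a feed."""
    return get_cve_feed(detect_cpe_ids(redhat_release, dictionary), feeds)


def with_rhel8_support(dictionary, feeds):
    """Apply the two additions the comment asks for and return extended
    copies: a RHEL 8 CPE definition and a RHEL 8 CVE feed entry."""
    extended_dictionary = dict(dictionary)
    extended_dictionary["cpe:/o:redhat:enterprise_linux:8"] = \
        r"^Red Hat Enterprise Linux .*release 8\."
    extended_feeds = dict(feeds)
    extended_feeds["cpe:/o:redhat:enterprise_linux:8"] = "com.redhat.rhsa-RHEL8.xml"
    return extended_dictionary, extended_feeds


# Constructed sample /etc/redhat-release contents.
RHEL7_RELEASE = "Red Hat Enterprise Linux Server release 7.6 (Maipo)"
RHEL8_RELEASE = "Red Hat Enterprise Linux release 8.0 (Ootpa)"


def reproduce_bug():
    """Return the error message a RHEL 8 container produces on an
    unpatched RHEL 7 host, or None if the scan would proceed."""
    try:
        select_feed_for_container(
            RHEL8_RELEASE, CPE_DICTIONARY_RHEL7_HOST, CVE_FEEDS_RHEL7_HOST)
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Unpatched host: only the versionless CPE matches, so no feed is found.
    print(reproduce_bug())
    # Patched host: the RHEL 8 CPE is detected and mapped to its feed.
    dictionary, feeds = with_rhel8_support(
        CPE_DICTIONARY_RHEL7_HOST, CVE_FEEDS_RHEL7_HOST)
    print(select_feed_for_container(RHEL8_RELEASE, dictionary, feeds))
```

Running it prints the exact "Can't find a supported CPE ID in cpe:/o:redhat:enterprise_linux" message from the bug first, then the RHEL 8 feed name once both additions are in place; neither change alone is enough, because without the CPE definition the daemon never sees a versioned CPE, and without the feed entry a detected CPE still has nothing to map to.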
Comment 13 errata-xmlrpc 2020-04-01 00:23:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1242