Red Hat Bugzilla – Bug 1450249
[RFE] Out of the box OpenSCAP Images Report
Last modified: 2018-06-06 07:55:40 EDT
Description of problem: - CFME 5.7.1.3 - There are two different openscap results fields in the reports => Reports => New report => Base the report on "Container Images" Openscap rule Results: Name|Result|Severity Openscap Result.Openscap Rule Results: Name|Result|Severity => No explanation can be found on Red Hat documentation - If you create a report with "Openscap Rule Results: Name|Result|Severity" the report won't finish running - However, "Openscap rule Results: Name|Result|Severity "setup report works fine. Version-Release number of selected component (if applicable): CFME 5.7.1.3 How reproducible: 1. Reports => New report => Base the report on "Container Images" 2. Select field "Openscap Rule Results: Name|Result|Severity" the report 3. Run report Steps to Reproduce: 1. Reports => New report => Base the report on "Container Images" 2. Select field "Openscap Rule Results: Name|Result|Severity" the report 3. Run report Actual results: Report is not finished or returned error, just staying running status Expected results: 1. Finishing in reasonable timeframe 2. Document explanation for the difference Additional info:
It is also reported that completed report("Openscap rule Results: Name|Result|Severity ") also has a problem in its data. It's only returning a small subset of the data. ex) One openscap result is 443 items for pass and failed. However, if we generate 'working' report ("Openscap rule Results: Name|Result|Severity "), we can only see 3 items from it. Also if we set a filter to only show failed rule results, it shows nothing because it's showing no failed results. (even though there are failed results in almost all of the openscap reports that are finished already)
Correction in problem description - However, "Openscap rule Results: Name|Result|Severity "setup report works fine. + However, "Openscap Result.Openscap Rule Results: Name|Result|Severity" setup report works fine. Regards, Taeho
Indeed I can see these different fields in the report: Openscap Rule Results : Name Openscap Rule Results : Result Openscap Rule Results : Severity Openscap Result.Openscap Rule Results : Name Openscap Result.Openscap Rule Results : Result Openscap Result.Openscap Rule Results : Severity Mooli is there any difference? Should we hide any? Assigning this to Zahi in case we need to fix something.
Container images have OpenSCAP rule results associated in two ways that should be virtually identical: - container images have an openscap result and those have openscap rule results - container images have openscap rule results through openscap result [1] I'm not sure why ContainerImage.OpenscapRuleResults isn't behaving as expected Keenan, should a has has many through relationship work in reports? are both tables needed in miq_expression.yml? (Can you point us to where report results are being calculated? I could not find that Thanks [1] https://github.com/manageiq/manageiq/blob/3a37928b285917325d8b08bc4db3e14470e19687/app/models/container_image.rb#L23-L24
I wonder what happens if we remove openscap_rule_results OR openscap_result from miq_expression.yml[2]. The user does not really care about the openscap result, he just cares that openscap_rule_results association is what is expected (all results from the last scan) See also: ``` relats = MiqExpression.build_relats(:ContainerImage) relats[:reflections][:openscap_result] relats[:reflections][:openscap_rule_results] ``` [2] https://github.com/moolitayer/manageiq/blob/7cf0ef1c2b0f5c153142be8ef454b8aa57971ab7/config/miq_expression.yml
Hi Team Thanks for support on this issue. Do you have any update on this? Any update would be much appreciated ! Regards, Taeho
(In reply to Mooli Tayer from comment #13) > I wonder what happens if we remove openscap_rule_results OR openscap_result > from miq_expression.yml[2]. > > The user does not really care about the openscap result, he just cares that > openscap_rule_results association is what is expected (all results from the > last scan) Actually I don't know if that's the case. Tae, it is not clear what is the optimal report that the customer would like to produce (this may result in an RFE if ATM we can't produce the report they want). Are they looking for a per-image result: Image Name | OpenSCAP Result -- image1 | pass image2 | fail image3 | pass ... Or per-image per-rule result: Image Name | OpenSCAP Rule | Result -- image1 | rule1 | pass image1 | rule2 | fail image2 | rule1 | pass image2 | rule2 | pass ... The latter it is not only extremely verbose (for each image you have hundreds of lines) but also hard to produce, read and understand. Tae, please let us know what would be the optimal report they'd like to produce (personally I think the foremost: per-image).
Sorry for late reply Here is the feedback from customer. "I would be happy with either option working what ever doesn't need an RFE. Ideally we would be able to report on both scenarios." Please let me know if you need any further info. Regards, Taeho
What we could try to do (usable enough without an RFE but with some stabilization work) is a per-image per-rule report filtering/showing only the failed rules: Image Name | OpenSCAP Rule | Result -- image1 | rule2 | fail image2 | rule1 | fail image2 | rule2 | fail image7 | rule4 | fail ... Zahi can you check if this works and maybe send an OOTB report? Once that's finalized we'll see if it still has problem on the customer side.
Taeho, can you please take a look in https://github.com/ManageIQ/manageiq/pull/15210 I added a screenshot of the new report there. I included the severity column too, if you think it should be removed please let me know. Also, please let me know if anything else should be done in order the resolve this issue, thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0380