Description of problem:
At the moment, using `atomic scan` to assess configuration compliance is limited to RHEL6 and RHEL7 targets. When scanning RHEL8, errors are printed out, and no scan is performed.

Version-Release number of selected component (if applicable):
https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/openscap/images/7.6.4-5

How reproducible:
reliably

Steps to Reproduce:
1. atomic scan --verbose ubi8/ubi
2.
3.

Actual results:
ERROR:Failed to scan target 'chroot:///scanin/4a0518848c7a1332f3c39bf548e4a77bcce0481e2fea088404026122dedc3379' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 146, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 521, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 518, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 323, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 298, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 482, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 460, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in cpe:/o:redhat:enterprise_linux

Expected results:
Target supported by the scan

Additional info:
Note: As a workaround, it's possible to use the alternative command `oscap-docker`, which can consume arbitrary content.

1. Download ssg-rhel8-ds.xml from RHEL8 shipped package scap-security-guide-0.1.42-11.el8.noarch
2. oscap-docker image ubi8/ubi xccdf eval --profile ospp ./ssg-rhel8-ds.xml

This results in valid outcomes.
Hi, to enable scanning of RHEL8 containers on RHEL7 hosts using atomic, we will need to:

* start shipping RHEL 8 content in scap-security-guide
* update openscap-daemon (patch doesn't exist at this moment) because openscap-daemon contains logic to choose the right CVE data based on the container OS version
* update openscap, specifically extend the CPE dictionary and OVAL CPE definitions with RHEL 8, because openscap-daemon uses these files to determine container OS version
* extend the test coverage
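
The dependency described in the comment above, as an added example that is not openscap or openscap-daemon code: a simplified model of the two stages (CPE detection from a dictionary, then CVE feed selection by CPE ID) showing why extending only one of them still ends in the RuntimeError from the traceback. The function names, dictionary layout, feed labels and the os-release sample are assumptions; real openscap evaluates OVAL CPE checks rather than os-release fields.

```python
# Simplified, hypothetical model of the lookup chain; not the project's code.
GENERIC = "cpe:/o:redhat:enterprise_linux"

def detect_cpe_ids(os_release, cpe_dictionary):
    """Return every CPE ID whose (os id, major version) check matches the target."""
    ids = []
    for cpe_id, (os_id, major) in cpe_dictionary.items():
        if os_release.get("ID") != os_id:
            continue
        version = os_release.get("VERSION_ID", "")
        # major=None models the version-less platform entry
        if major is None or version.split(".")[0] == major:
            ids.append(cpe_id)
    return sorted(ids)

def select_cve_feed(cpe_ids, feeds):
    """Pick the feed for the first supported CPE ID, else fail as in the report."""
    for cpe_id in cpe_ids:
        if cpe_id in feeds:
            return feeds[cpe_id]
    raise RuntimeError("Can't find a supported CPE ID in %s" % ", ".join(cpe_ids))

def scan_outcome(os_release, cpe_dictionary, feeds):
    """Run both stages; report the failure as text instead of a traceback."""
    try:
        return select_cve_feed(detect_cpe_ids(os_release, cpe_dictionary), feeds)
    except RuntimeError as exc:
        return "ERROR: %s" % exc

# Constructed sample data (feed names are placeholders, not real feed URLs)
OLD_DICT = {
    GENERIC: ("rhel", None),
    GENERIC + ":6": ("rhel", "6"),
    GENERIC + ":7": ("rhel", "7"),
}
NEW_DICT = dict(OLD_DICT, **{GENERIC + ":8": ("rhel", "8")})
OLD_FEEDS = {GENERIC + ":6": "rhel6-cve-feed", GENERIC + ":7": "rhel7-cve-feed"}
NEW_FEEDS = dict(OLD_FEEDS, **{GENERIC + ":8": "rhel8-cve-feed"})
UBI8 = {"ID": "rhel", "VERSION_ID": "8.1"}   # constructed os-release fields
RHEL7 = {"ID": "rhel", "VERSION_ID": "7.6"}  # constructed os-release fields

if __name__ == "__main__":
    print(scan_outcome(UBI8, OLD_DICT, OLD_FEEDS))  # only the generic CPE matches
    print(scan_outcome(UBI8, NEW_DICT, OLD_FEEDS))  # RHEL 8 detected, no feed known
    print(scan_outcome(UBI8, NEW_DICT, NEW_FEEDS))  # both stages updated
```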
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1242