Control: tags -1 + wontfix fixed-upstream buster
Hi Marina

On Thu, 12 Jan 2023 11:11:01 +0100 Marina Latini <marina.lat...@suse.com> wrote:
> Package: libopenscap8
> Version: 1.2.16-2+b2
> Severity: normal
>
> Dear Maintainer,
>
> I'm trying to build the scap-security-guide (ComplianceAsCode 0.1.64) on Debian 10.
> https://github.com/ComplianceAsCode/content
>
> but currently the build is failing.
>

I am not able to reproduce this. With or without the patch, it generates the same files. Though without the patch, it clearly shows that openscap exits with a non-zero exit code, which isn't good, but the build still completes.

I tested with these commands:

cd build
cmake ../
make ubuntu1604

> Note: I reported this issue also for Ubuntu as
> https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551 and
> libopenscap8 provided in Debian 10 (2.1.16) is also affected.
>
>
> The openscap version 1.2.16 is missing the patch
> https://github.com/OpenSCAP/openscap/commit/bbcbffcf6f901cb67ca5645307d170a32504a491.patch
> provided via https://github.com/OpenSCAP/openscap/pull/1324
>
> Without this patch openscap isn't able to build ComplianceAsCode
> (https://github.com/ComplianceAsCode/content).
>
> * What led up to the situation?
>
> The PR https://github.com/OpenSCAP/openscap/pull/1324 was done after the 1.2.16
> release and made available in openscap 1.2.18 and 1.3.1, so Debian 10 missed it.
>
> * What exactly did you do (or not do) that was effective (or ineffective)?
>
> The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not
> available, the build fails.
>
> ComplianceAsCode on version 0.1.63 was building fine.
>
> This is one example of failure due to missing remote resources (but there are more).
> All xccdf generate fix with embedded remote resources fail.
>
> oscap xccdf generate fix --skip-valid --benchmark-id xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --template urn:xccdf:fix:script:sh ./ssg-ubuntu1604-ds.xml
>
> WARNING: Datastream component 'scap_org.open-scap_cref_-ubuntu-security-oval-com.ubuntu.xenial.cve.oval.xml' points out to the remote 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml'. Use '--fetch-remote-resources' option to download it.
> WARNING: Skipping 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml' file which is referenced from datastream
> OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml with all dependencies from datastream. [../../../src/DS/ds_sds_session.c:211]
>
> If the --fetch-remote-resources option is not provided, the resources pointed
> to by the components won't be downloaded. The provided patch allows the scan to
> continue without remote components.
> The result of rules which reference the missing remote resource will be
> 'notchecked'.
>
> * What was the outcome of this action?
>
> The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not
> available, the build will fail.
>
> * What outcome did you expect instead?
>
> If the --fetch-remote-resources option is not provided, the resources pointed
> to by the components won't be downloaded and the build should pass with remarks.

I have marked this as 'wontfix', since buster has become LTS. If there are issues I have overlooked I can change this, but the final decision resides with the LTS team.

I tested the proposed upstream patch, it is easily applied and will not create any regression.

Regards,
Håvard
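The warning quoted in the report comes from a datastream whose check section references an OVAL file by absolute URL rather than by a local component id. The script below is an added example, not part of the bug report or of the OpenSCAP project: it parses a source datastream with the standard library and lists every component-ref whose xlink:href is a remote http(s) URL, so a build or scan operator can see in advance which components will be skipped (and which rules will end up 'notchecked') when --fetch-remote-resources is not given. The embedded datastream is a constructed, minimal sample modelled on the ids and URL from the warning; the OVAL component-ref id and the component ids are assumed, not taken from a real SSG build.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by SCAP 1.2 source datastreams and XLink (real namespace URIs).
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample datastream (not a real ssg-ubuntu1604-ds.xml): one local
# checklist, one local OVAL component, and one remote OVAL reference matching
# the URL printed in the oscap warning. Component ids other than the two taken
# from the warning are assumed for illustration.
SAMPLE_DATASTREAM = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_org.open-scap_collection_from_xccdf_ssg-ubuntu1604-xccdf-1.2.xml">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu1604-xccdf-1.2.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_-ubuntu-security-oval-com.ubuntu.xenial.cve.oval.xml"
                        xlink:href="https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def component_refs(xml_text):
    """Return (component-ref id, xlink:href) pairs for every component-ref in the datastream."""
    root = ET.fromstring(xml_text)
    refs = []
    for ref in root.iter(f"{{{DS_NS}}}component-ref"):
        refs.append((ref.get("id"), ref.get(f"{{{XLINK_NS}}}href", "")))
    return refs


def remote_refs(xml_text):
    """Return only the component-refs whose href is an absolute http(s) URL.

    A local reference uses a fragment ('#scap_org.open-scap_comp_...') and is
    resolved inside the file; anything with an http/https scheme is fetched
    over the network only when oscap runs with --fetch-remote-resources.
    """
    remote = []
    for ref_id, href in component_refs(xml_text):
        if urlparse(href).scheme in ("http", "https"):
            remote.append((ref_id, href))
    return remote


def needs_fetch_remote_resources(xml_text):
    """True when at least one component must be downloaded to evaluate every rule."""
    return len(remote_refs(xml_text)) > 0


def report(xml_text):
    """Human-readable summary of what will be skipped without --fetch-remote-resources."""
    lines = []
    for ref_id, href in remote_refs(xml_text):
        lines.append(f"remote component {ref_id} -> {href}")
    if not lines:
        lines.append("no remote components; the datastream is self-contained")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python this_script.py [path/to/ds.xml]; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DATASTREAM
    print(report(text))
```

Run against a real datastream, a non-empty report tells you which OVAL sources must either be fetched (by passing --fetch-remote-resources) or accepted as 'notchecked' results; in an offline build pipeline that is the list to review before deciding whether a non-zero exit code from oscap is expected.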