9

.github/workflows/automatus-ubuntu2204.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils xsltproc
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils xsltproc ansible-lint wget libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python3 swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev librpm-dev g++ libyaml-dev libxmlsec1-dev libxmlsec1-openssl
       - name: Install deps python
         run: pip3 install gitpython xmldiff compliance-trestle==2.4.0 lxml lxml-stubs requests
       - name: Checkout
@@ -23,15 +23,15 @@ jobs:
       - name: Checkout (CTF)
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
-          repository: alanmcanonical/content-test-filtering
+          repository: ComplianceAsCode/content-test-filtering
           path: ctf
       # https://github.com/actions/checkout/issues/766
       - name: Set git safe directory
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: Find forking point
         env:
           BASE_BRANCH: ${{ github.base_ref }}
-        run: echo $pwd && echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
+        run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
         id: fork_point
       - name: Detect content changes in the PR
         run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }}  --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
@@ -53,6 +53,15 @@ jobs:
         with:
           path: 'output.json'
           prop_path: 'product'
+      - name: Download OpenSCAP
+        run: wget https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
+      - name: Extract OpenSCAP
+        run: tar xf openscap-1.3.10.tar.gz
+      - name: Build OpenSCAP
+        run: |
+          cd openscap-1.3.10
+          cmake -Bbuild -DCMAKE_INSTALL_PREFIX=/usr .
+          sudo cmake --build build --target install
       - name: Build product
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: ./build_product ubuntu2204
@@ -68,15 +77,6 @@ jobs:
     steps:
       - name: Install Deps
         run: sudo apt update && sudo apt install -y cmake ninja-build libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman wget libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python3 swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev librpm-dev g++ libyaml-dev libxmlsec1-dev libxmlsec1-openssl
-      - name: Download OpenSCAP
-        run: wget https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
-      - name: Extract OpenSCAP
-        run: tar xf openscap-1.3.10.tar.gz
-      - name: Build OpenSCAP
-        run: |
-          cd openscap-1.3.10
-          cmake -Bbuild -DCMAKE_INSTALL_PREFIX=/usr .
-          sudo cmake --build build --target install
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Get cached CTF output
@@ -87,6 +87,15 @@ jobs:
         # continue even if the file is unavailable that
         # means there are no changes detected by CTF in the previous job
         continue-on-error: true
+      - name: Download OpenSCAP
+        run: wget https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
+      - name: Extract OpenSCAP
+        run: tar xf openscap-1.3.10.tar.gz
+      - name: Build OpenSCAP
+        run: |
+          cd openscap-1.3.10
+          cmake -Bbuild -DCMAKE_INSTALL_PREFIX=/usr .
+          sudo cmake --build build --target install
       - name: Test if there are no content changes
         if: ${{ steps.get_ctf_output.outcome == 'success' }}
         run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
@@ -141,13 +150,11 @@ jobs:
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         with:
           name: ${{ env.DATASTREAM }}
-      - name: Get the profile name
-        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        run: echo "PROFILE=$(basename -s .profile `grep -rlE "\-\s+${{join(fromJSON(steps.rules.outputs.prop))}}$)` products/ubuntu2204/profiles/ | head -n 1)" >> $GITHUB_OUTPUT
-        id: profile
       - name: Run tests in a container - Bash
         if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        run: python3 ./tests/automatus.py rule --profile ${{ steps.profile.outputs.PROFILE }} --duplicate-templates --remove-fips-certified --dontclean --container ssg_test_suite --datastream ssg-ubuntu2204-ds.xml --remediate-using bash --logdir logs_bash --remove-ocp4-only ${{join(fromJSON(steps.rules.outputs.prop))}}
+        run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
+        env:
+          ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified"
       - name: Check for ERROR in logs
         if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: grep -q "^ERROR" logs_bash/test_suite.log
@@ -166,7 +173,9 @@ jobs:
           path: logs_bash/
       - name: Run tests in a container - Ansible
         if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        run: python3 ./tests/automatus.py rule --dontclean --logdir logs_ansible --remediate-using ansible --container ssg_test_suite --datastream ssg-ubuntu2204-ds.xml --profile ${{ steps.profile.outputs.PROFILE }} ${{join(fromJSON(steps.rules.outputs.prop))}}
+        run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
+        env:
+          ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product ubuntu2204"
       - name: Check for ERROR in logs
         if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
         run: grep -q "^ERROR" logs_ansible/test_suite.log

tests/ssg_test_suite/oscap.py

@@ -535,6 +535,9 @@ def _find_rule_result_in_output(self):
         # oscap --progress options outputs rule results to stdout in
         # following format:
         # xccdf_org....rule_accounts_password_minlen_login_defs:pass
+        print(self.rule_id)
+        print("=================")
+        print(self._oscap_output)
         match = re.findall('{0}:(.*)$'.format(self.rule_id),
                            self._oscap_output,
                            re.MULTILINE)
@@ -570,6 +573,7 @@ def _analyze_output_of_oscap_call(self):
                     'Wrong profile selected in test scenario or '
                     'there has been problem starting the evaluation. '
                     'Please inspect the log file {1} for details.'
+                    'Rule_selected vs self_content'
                     .format(self.rule_id, self.verbose_path))
             else:
                 msg = (