Skip to content

Support DEB822 apt source format in apt_sources_list_official#14855

Merged
jan-cerny merged 2 commits into
ComplianceAsCode:masterfrom
rrskris:fix-debian-apt-deb822-sources
Jul 8, 2026
Merged

Support DEB822 apt source format in apt_sources_list_official#14855
jan-cerny merged 2 commits into
ComplianceAsCode:masterfrom
rrskris:fix-debian-apt-deb822-sources

Conversation

@rrskris

@rrskris rrskris commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Description

The OVAL check for apt_sources_list_official only recognized the legacy one-line sources.list syntax (deb http://... suite component). A system using the DEB822 format — the default for new sources files since apt 2.x, e.g. /etc/apt/sources.list.d/debian.sources — was reported as not using official repositories even when it correctly was, exactly as described in this issue.

While investigating, I also found the existing filepath regex was broken independently of DEB822: it was written as ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$, which matches /etc/apt/sources.d/*.list, not the real Debian path /etc/apt/sources.list.d/*.list. So splitting repos into sources.list.d/*.list files was never detected by the legacy check either.

Fix

  • Corrected the filepath regex to match the real /etc/apt/sources.list.d/*.list path.
  • Added new DEB822-aware OVAL objects/states/tests that parse Types:/URIs:/Suites:/Components: stanzas from *.sources files, order-independent within a stanza, bounded so multiple stanzas in one file (as in the report) don't bleed into each other.
  • Combined the new DEB822 checks with the existing legacy checks via OR, so either format satisfies the rule.
  • Applied to debian11.xml, debian12.xml, and the generic shared.xml fallback.
  • Added test scenarios for: legacy format split across sources.list.d, DEB822 with base+security combined in one file (the reported scenario), DEB822 split across separate files, DEB822 with only a third-party repo (should still fail), and no repos configured (should still fail).

Testing

Built ssg-debian12-ds.xml from a clean checkout and verified with oscap xccdf eval inside an unmodified Debian 12 container:

  • The exact scenario from this issue (combined base+security DEB822 stanzas in one .sources file) fails against the unmodified upstream datastream and passes with this fix.
  • Legacy one-line format, split across sources.list.d: pass
  • DEB822 split across separate .sources files: pass
  • DEB822 file present but only a third-party repo: fail (correct)
  • No repos configured: fail (correct)
  • deb-src-only stanzas do not satisfy the check (regression guard, since deb-src alone doesn't provide binary package access)

Rationale field / rule.yml unchanged since the described requirement ("official repos configured") doesn't change, only the detection logic.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @rrskris. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
OVAL for rule 'xccdf_org.ssgproject.content_rule_apt_sources_list_official' differs.
--- oval:ssg-apt_sources_list_official:def:1
+++ oval:ssg-apt_sources_list_official:def:1
@@ -1,3 +1,7 @@
 criteria AND
+criteria OR
 criterion oval:ssg-test_apt_sources_list_base_official:tst:1
+criterion oval:ssg-test_apt_sources_list_base_official_deb822:tst:1
+criteria OR
 criterion oval:ssg-test_apt_sources_list_security_official:tst:1
+criterion oval:ssg-test_apt_sources_list_security_official_deb822:tst:1

@@ -0,0 +1,19 @@
#!/bin/bash
# platform = multi_platform_debian

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this test scenario be marked as only for Debian 12 since it uses "bookworm" repos?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — done. All three bookworm-dependent scenarios are now # platform = Debian 12. This also turned out to be the root cause of the Automatus Fedora failure: content_test_filtering picked debian11 as the product, so the scenarios platform-matched and ran inside the Fedora test container, where /etc/apt doesn't exist and the setup scripts exited 1. The two format-agnostic .fail.sh scenarios stay multi_platform_debian and now create /etc/apt/sources.list.d in setup, so on a non-apt backend they evaluate as notapplicable instead of erroring.

<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_apt_sources_deb822_base" version="1">
<ind:text operation="pattern match">^(?=[\s\S]*\nURIs:\s*http://[a-z.]*\.debian\.org/debian/?(?=\s|$))(?=[\s\S]*\nSuites:[^\n]*\bbullseye(?=\s|$))(?=[\s\S]*\nComponents:[^\n]*\bmain(?=\s|$))Types:\s*deb(?=\s|$)</ind:text>

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add or change it to use HTTPS?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed — updated the URI patterns to https?:// so both plain and TLS mirrors are accepted. Applied consistently to the pre-existing one-line patterns as well as the new DEB822 states in debian11.xml, debian12.xml and shared.xml, and added a correct_deb822_https.pass.sh scenario. Re-verified locally against a freshly rebuilt ssg-debian12-ds.xml in a debian:12 container: https one-line and https DEB822 sources now pass; third-party-only, empty and deb-src-only configs still fail as expected.

rrskris added 2 commits July 7, 2026 13:38
The OVAL check for apt_sources_list_official only matched the legacy
one-line sources.list syntax, so a system using the DEB822 format
(the default since apt 2.x, e.g. /etc/apt/sources.list.d/*.sources)
was reported as not using official repositories even when it was.

Also fix the filepath regex: it was written to match
/etc/apt/sources.d/*.list, which is not a real Debian path, instead
of the intended /etc/apt/sources.list.d/*.list, so repos split into
sources.list.d were never detected by the legacy check either.

Add DEB822-aware checks alongside the existing legacy ones (combined
with OR) for debian11, debian12, and the generic shared fallback, and
add test scenarios covering the legacy format, DEB822 with base and
security combined in one file (the originally reported case), DEB822
split across files, and DEB822 with only a third-party repo.

Fixes ComplianceAsCode#12509
Address review comments on the DEB822 support PR:

- Accept https:// in addition to http:// for official repository URIs,
  in both the pre-existing one-line patterns and the new DEB822 states
  (debian11, debian12, shared), and add an https DEB822 test scenario.
- Mark the three bookworm-dependent test scenarios as Debian 12 only.
- Create /etc/apt/sources.list.d in test setup so the remaining
  multi_platform_debian scenarios evaluate as notapplicable instead of
  erroring when the test backend is not an apt-based container
  (Automatus Fedora runs the debian11 product in a Fedora container).
@rrskris rrskris force-pushed the fix-debian-apt-deb822-sources branch from 90d1dd5 to 75a8695 Compare July 7, 2026 08:10
@jan-cerny jan-cerny self-assigned this Jul 8, 2026
@jan-cerny jan-cerny added this to the 0.1.82 milestone Jul 8, 2026

@jan-cerny jan-cerny left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CI fails are caused by infrastructure problems (failed to connect with Ansible Galaxy) and aren't caused by the content of this PR.

@jan-cerny jan-cerny merged commit ac07f81 into ComplianceAsCode:master Jul 8, 2026
55 of 58 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Used by openshift-ci bot.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants