Support DEB822 apt source format in apt_sources_list_official#14855
Conversation
|
Hi @rrskris. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
This datastream diff is auto generated by the check Click here to see the full diffOVAL for rule 'xccdf_org.ssgproject.content_rule_apt_sources_list_official' differs.
--- oval:ssg-apt_sources_list_official:def:1
+++ oval:ssg-apt_sources_list_official:def:1
@@ -1,3 +1,7 @@
criteria AND
+criteria OR
criterion oval:ssg-test_apt_sources_list_base_official:tst:1
+criterion oval:ssg-test_apt_sources_list_base_official_deb822:tst:1
+criteria OR
criterion oval:ssg-test_apt_sources_list_security_official:tst:1
+criterion oval:ssg-test_apt_sources_list_security_official_deb822:tst:1 |
| @@ -0,0 +1,19 @@ | |||
| #!/bin/bash | |||
| # platform = multi_platform_debian | |||
There was a problem hiding this comment.
Shouldn't this test scenario be marked as only for Debian 12 since it uses "bookworm" repos?
There was a problem hiding this comment.
Good catch — done. All three bookworm-dependent scenarios are now # platform = Debian 12. This also turned out to be the root cause of the Automatus Fedora failure: content_test_filtering picked debian11 as the product, so the scenarios platform-matched and ran inside the Fedora test container, where /etc/apt doesn't exist and the setup scripts exited 1. The two format-agnostic .fail.sh scenarios stay multi_platform_debian and now create /etc/apt/sources.list.d in setup, so on a non-apt backend they evaluate as notapplicable instead of erroring.
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| <ind:textfilecontent54_state id="state_apt_sources_deb822_base" version="1"> | ||
| <ind:text operation="pattern match">^(?=[\s\S]*\nURIs:\s*http://[a-z.]*\.debian\.org/debian/?(?=\s|$))(?=[\s\S]*\nSuites:[^\n]*\bbullseye(?=\s|$))(?=[\s\S]*\nComponents:[^\n]*\bmain(?=\s|$))Types:\s*deb(?=\s|$)</ind:text> |
There was a problem hiding this comment.
Should we add or change it to use HTTPS?
There was a problem hiding this comment.
Agreed — updated the URI patterns to https?:// so both plain and TLS mirrors are accepted. Applied consistently to the pre-existing one-line patterns as well as the new DEB822 states in debian11.xml, debian12.xml and shared.xml, and added a correct_deb822_https.pass.sh scenario. Re-verified locally against a freshly rebuilt ssg-debian12-ds.xml in a debian:12 container: https one-line and https DEB822 sources now pass; third-party-only, empty and deb-src-only configs still fail as expected.
The OVAL check for apt_sources_list_official only matched the legacy one-line sources.list syntax, so a system using the DEB822 format (the default since apt 2.x, e.g. /etc/apt/sources.list.d/*.sources) was reported as not using official repositories even when it was. Also fix the filepath regex: it was written to match /etc/apt/sources.d/*.list, which is not a real Debian path, instead of the intended /etc/apt/sources.list.d/*.list, so repos split into sources.list.d were never detected by the legacy check either. Add DEB822-aware checks alongside the existing legacy ones (combined with OR) for debian11, debian12, and the generic shared fallback, and add test scenarios covering the legacy format, DEB822 with base and security combined in one file (the originally reported case), DEB822 split across files, and DEB822 with only a third-party repo. Fixes ComplianceAsCode#12509
Address review comments on the DEB822 support PR: - Accept https:// in addition to http:// for official repository URIs, in both the pre-existing one-line patterns and the new DEB822 states (debian11, debian12, shared), and add an https DEB822 test scenario. - Mark the three bookworm-dependent test scenarios as Debian 12 only. - Create /etc/apt/sources.list.d in test setup so the remaining multi_platform_debian scenarios evaluate as notapplicable instead of erroring when the test backend is not an apt-based container (Automatus Fedora runs the debian11 product in a Fedora container).
90d1dd5 to
75a8695
Compare
jan-cerny
left a comment
There was a problem hiding this comment.
The CI fails are caused by infrastructure problems (failed to connect with Ansible Galaxy) and aren't caused by the content of this PR.
Description
The OVAL check for
apt_sources_list_officialonly recognized the legacy one-linesources.listsyntax (deb http://... suite component). A system using the DEB822 format — the default for new sources files since apt 2.x, e.g./etc/apt/sources.list.d/debian.sources— was reported as not using official repositories even when it correctly was, exactly as described in this issue.While investigating, I also found the existing filepath regex was broken independently of DEB822: it was written as
^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$, which matches/etc/apt/sources.d/*.list, not the real Debian path/etc/apt/sources.list.d/*.list. So splitting repos intosources.list.d/*.listfiles was never detected by the legacy check either.Fix
/etc/apt/sources.list.d/*.listpath.Types:/URIs:/Suites:/Components:stanzas from*.sourcesfiles, order-independent within a stanza, bounded so multiple stanzas in one file (as in the report) don't bleed into each other.OR, so either format satisfies the rule.debian11.xml,debian12.xml, and the genericshared.xmlfallback.sources.list.d, DEB822 with base+security combined in one file (the reported scenario), DEB822 split across separate files, DEB822 with only a third-party repo (should still fail), and no repos configured (should still fail).Testing
Built
ssg-debian12-ds.xmlfrom a clean checkout and verified withoscap xccdf evalinside an unmodified Debian 12 container:.sourcesfile) fails against the unmodified upstream datastream and passes with this fix.sources.list.d: pass.sourcesfiles: passdeb-src-only stanzas do not satisfy the check (regression guard, sincedeb-srcalone doesn't provide binary package access)Rationale field / rule.yml unchanged since the described requirement ("official repos configured") doesn't change, only the detection logic.