Add option to Automatus to remove platforms from benchmark/profiles.

This new option --remove-platforms should be used instead of
add-platform option because it makes the content applicable in any
target. Previously the CPE injection relied on OpenSCAP's CPE
dictionaries that were not being updated anymore.

.gitpod.launch.json

@@ -61,8 +61,7 @@
           "--remove-ocp4-only",
           "--add-product-to-fips-certified",
           "fedora",
-          "--add-platform",
-          "&&CPE&&",
+          "--remove-platforms",
           "${command:content-navigator.getRuleId}"
       ],
       "env": {

.gitpod.yml

@@ -21,13 +21,11 @@ tasks:
         git+https://github.com/ggbecker/sphinxcontrib.jinjadomain.git#egg=sphinxcontrib-jinjadomain
       [ -z "$PRODUCT" ] && PRODUCT="fedora"
       [ -z "$CONTAINER" ] && CONTAINER=$PRODUCT
-      [ -z "$CONTAINER_VERSION" ] && CONTAINER_VERSION="$CONTAINER:34"
-      [ -z "$CPE" ] && CPE="cpe:/o:fedoraproject:fedora:34"
+      [ -z "$CONTAINER_VERSION" ] && CONTAINER_VERSION="$CONTAINER"
       mkdir -p .vscode && cp .gitpod.launch.json .vscode/launch.json
       CONTAINER_NAME=${CONTAINER}_container
       sed -i "s/&&CONTAINER_NAME&&/$CONTAINER_NAME/g" .vscode/launch.json
       sed -i "s/&&DEFAULT_PRODUCT&&/$PRODUCT/g" .vscode/launch.json
-      sed -i "s,&&CPE&&,$CPE,g" .vscode/launch.json
       PRIVATE_KEY_FOLDER=.ssh
       PRIVATE_KEY_FILEPATH=$PRIVATE_KEY_FOLDER/id_rsa
       sed -i "s,&&PRIVATE_KEY_FILEPATH&&,$PRIVATE_KEY_FILEPATH,g" .vscode/launch.json

docs/workshop/lab3_profiles.adoc

@@ -6,7 +6,6 @@
 
 // Variables
 :container_name: fedora_container
-:cpe_identifier: cpe:/o:fedoraproject:fedora:34
 
 == Introduction
 
@@ -647,7 +646,7 @@ You also add arguments to turn on full reporting, which generates XML and HTML r
             --datastream build/ssg-rhel8-ds.xml \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             --logdir profile-log \
             travel
 ----

docs/workshop/lab5_oval.adoc

@@ -6,7 +6,6 @@
 
 // Variables
 :container_name: fedora_container
-:cpe_identifier: cpe:/o:fedoraproject:fedora:34
 
 
 == Introduction
@@ -277,7 +276,7 @@ With that in mind, execute the test suite:
             --datastream build/ssg-rhel8-ds.xml \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -307,7 +306,7 @@ The alternative mode is `profile` mode, which is simpler--there are no test scen
 
 * Finally, you specify what to test--a rule regular expression: `accounts_tmout` or `^accounts_tmout$`.
 
-* Other parameters are also used for supporting running tests in this kind of environment. For example, you use `--add-platform "{cpe_identifier}"` to make the RHEL8 content applicable to Fedora images.
+* Other parameters are also used for supporting running tests in this kind of environment. For example, you use `--remove-platforms` to make the RHEL8 content applicable to Fedora images.
 ====
 
 The output tells you the following:
@@ -433,7 +432,7 @@ TIP: You can use the `Up` arrow key to browse the command history so you do not
             --datastream build/ssg-rhel8-ds.xml \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -573,7 +572,7 @@ This way, you do not have to worry about possibly introducing those link:https:/
             --docker {container_name} \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -656,7 +655,7 @@ fi
             --docker {container_name} \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -705,7 +704,7 @@ This time, when rebuilt and executed again, the tests pass:
             --docker {container_name} \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -757,7 +756,7 @@ Execute the test suite again and expect the `ERROR - Script correct_value.pass.s
             --docker {container_name} \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +
@@ -804,7 +803,7 @@ The non-capturing group that consists of `export` followed by at least one white
             --docker {container_name} \
             --remediate-using bash \
             --remove-machine-only \
-            --add-platform "{cpe_identifier}" \
+            --remove-platforms \
             accounts_tmout
 ----
 +

tests/README.md

@@ -398,7 +398,7 @@ Using Podman:
 ```
 
 or just call the `test_rule_in_container.sh` script that passes the backend options for you
-in addition to `--remove-machine-only` and `--add-platform`
+in addition to `--remove-machine-only` and `--remove-platforms`
 that remove some testing limitations of the container backend.
 
 Using Docker:

tests/automatus.py

@@ -70,7 +70,8 @@ def parse_args():
             "--add-platform",
             metavar="<CPE REGEX>",
             default=None,
-            help="Find all CPEs that are present in local OpenSCAP's CPE dictionary "
+            help="DEPRECATED: Use --remove-platforms instead; "
+            "Find all CPEs that are present in local OpenSCAP's CPE dictionary "
             "that match the provided regex, "
             "and add them as platforms to all datastream benchmarks. "
             "If the regex doesn't match anything, it will be treated "
@@ -81,6 +82,14 @@ def parse_args():
             default=None,
             help="Add installed_OS_is_$product extend_definition to the "
             "installed_OS_is_FIPS_certified OVAL criteria definition.")
+    common_parser.add_argument(
+            "--remove-platforms",
+            default=False,
+            action="store_true",
+            help="Remove any platforms from the Benchmark XML elements and Profile "
+            "XML elements, essentially making the content applicable to any platform. "
+            "Although more low level platforms such as packages or container/machine "
+            "CPE are still applicable.")
     common_parser.add_argument(
             "--remove-machine-only",
             default=False,
@@ -484,6 +493,8 @@ def main():
         options.datastream = stashed_datastream
 
         with xml_operations.datastream_root(stashed_datastream, stashed_datastream) as root:
+            if options.remove_platforms:
+                xml_operations.remove_platforms(root)
             if options.remove_machine_only:
                 xml_operations.remove_machine_platform(root)
                 xml_operations.remove_machine_remediation_condition(root)

tests/ssg_test_suite/xml_operations.py

@@ -81,13 +81,19 @@ def datastream_root(ds_location, save_location=None):
             tree.write(save_location)
 
 
-def remove_platforms_from_element(root, element_spec, platforms):
-    query = BENCHMARK_QUERY + "//{0}".format(element_spec)
-    elements = root.findall(query, PREFIX_TO_NS)
+def find_elements(root, element_spec=None):
+    query = BENCHMARK_QUERY
+    if element_spec is not None:
+        query = query + "//{0}".format(element_spec)
+    return root.findall(query, PREFIX_TO_NS)
+
+
+def remove_platforms_from_element(root, element_spec=None, platforms=None):
+    elements = find_elements(root, element_spec)
     for el in elements:
         platforms_xml = el.findall("./xccdf-1.2:platform", PREFIX_TO_NS)
         for p in platforms_xml:
-            if instance_in_platforms(p, platforms):
+            if platforms is None or instance_in_platforms(p, platforms):
                 el.remove(p)
 
 
@@ -103,6 +109,11 @@ def remove_machine_platform(root):
     remove_platforms_from_element(root, "xccdf-1.2:Group", "#machine")
 
 
+def remove_platforms(root):
+    remove_platforms_from_element(root)
+    remove_platforms_from_element(root, "xccdf-1.2:Profile")
+
+
 def remove_ocp4_platforms(root):
     remove_platforms_from_element(
         root, "xccdf-1.2:Rule",

tests/test_rule_in_container.sh

@@ -227,8 +227,6 @@ if test "$_arg_docker" = on; then
 fi
 
 $CONTAINER_BACKEND images | grep -q "$_arg_name" || die "Couldn't find the $CONTAINER_BACKEND image '$_arg_name'"
-test_image_cpe_product=$($CONTAINER_BACKEND run --rm "$_arg_name" sh -c '. /etc/os-release && echo "$CPE_NAME"')
-test -n "$test_image_cpe_product" || die "Unable to deduce the product CPE from the container's /etc/os-release file."
 
 additional_args=()
 test "$_arg_dontclean" = on && additional_args+=(--dontclean)
@@ -248,7 +246,7 @@ if test -n "$ADDITIONAL_SSGTS_OPTIONS"; then
 	ADDITIONAL_TEST_OPTIONS="$ADDITIONAL_SSGTS_OPTIONS"
 fi
 
-command=(python3 "${script_dir}/automatus.py" rule ${ADDITIONAL_TEST_OPTIONS} --remove-machine-only --remove-ocp4-only "${additional_args[@]}" --add-platform "$test_image_cpe_product" "$CONTAINER_OPT" "$_arg_name" -- "${_arg_rule[@]}")
+command=(python3 "${script_dir}/automatus.py" rule ${ADDITIONAL_TEST_OPTIONS} --remove-platforms --remove-machine-only --remove-ocp4-only "${additional_args[@]}" "$CONTAINER_OPT" "$_arg_name" -- "${_arg_rule[@]}")
 if test "$_arg_dry_run" = on; then
 	printf '%s\n' "${command[*]}"
 else