
fix xccdf_value substitution with dotnotation #12217

Merged
merged 2 commits into from
Aug 5, 2024

Conversation

sluetze
Contributor

@sluetze sluetze commented Jul 24, 2024

Description:

fix xccdf_variable substitution with dotnotation

Rationale:

There are multiple rules which use the xccdf_value notation to refer to variables in the ocil field. These result in an empty string in the compliance operator. Example, in the case of api_server_request_timeout:

api_server_request_timeout defines the variable var_api_min_request_timeout

    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'</pre>
    The output should return <pre> {{{ xccdf_value("var_api_min_request_timeout") }}} </pre>.

This results in a build/rules/ output of:

    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r ''.data["config.yaml"]''
    | jq ''.apiServerArguments["min-request-timeout"]''</pre>

    The output should return <pre> <sub idref="var_api_min_request_timeout" /> </pre>.'

BUT in the CO CCR the instruction (which seems to map to ocil) is:

  Run the following command:
  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'
  The output should return   .

So the variable does not get inserted into the field.

This is consistent in other checks as well. But the same method works for the description field.

Review Hints:

To check the result, you have to check the output of the instruction field in the compliancecheckresult resource of each rule.

Also, there may be the same issue with ocil_clause fields, but I do not have the output of ocil_clause.
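The substitution step this description is about, as an added example that is not code from ComplianceAsCode/content or from the Compliance Operator: a small Python resolver that takes XCCDF-style content, replaces each `<sub idref="..."/>` with the text of the referenced `<Value>`, and lists references that have no matching Value, which is what a consumer that does not resolve the reference renders as the empty string seen in the compliancecheckresult. The XML documents, the short ids and the value 3600 are constructed for the example.

```python
"""Resolve XCCDF <sub idref="..."/> references in rule text and flag dangling ones.

Added example, not code from the ComplianceAsCode/content build or the
Compliance Operator. The XML below is constructed to mirror the build/rules/
output quoted in the PR description; the ids and the value 3600 are assumptions.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}


def _tag(local):
    """Clark-notation tag for an element in the XCCDF namespace."""
    return f"{{{XCCDF_NS}}}{local}"


# Constructed sample: one Value and one Rule whose text refers to it via <sub>.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Value id="var_api_min_request_timeout"><value>3600</value></Value>
  <Rule id="api_server_request_timeout">
    <description>The output should return <sub idref="var_api_min_request_timeout"/>.</description>
  </Rule>
</Benchmark>"""

# Constructed sample with a dangling reference: no Value with that id exists.
SAMPLE_DANGLING = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Rule id="api_server_request_timeout">
    <description>The output should return <sub idref="var_missing"/>.</description>
  </Rule>
</Benchmark>"""


def collect_values(root):
    """Map each Value id to the text of its <value> child ('' if absent)."""
    values = {}
    for val in root.iter(_tag("Value")):
        node = val.find("x:value", NS)
        values[val.get("id")] = (node.text or "") if node is not None else ""
    return values


def render(element, values, missing="raise"):
    """Flatten an element's text, replacing each <sub idref> with its value.

    missing="raise" fails loudly on a dangling idref; missing="empty" drops the
    reference, reproducing the empty string observed in the compliancecheckresult.
    """
    parts = [element.text or ""]
    for child in element:
        if child.tag == _tag("sub"):
            ref = child.get("idref")
            if ref in values:
                parts.append(values[ref])
            elif missing == "raise":
                raise KeyError(f"unresolved <sub idref={ref!r}>")
            else:
                parts.append("")
        else:
            # Nested markup such as <pre>: recurse so its text is kept.
            parts.append(render(child, values, missing))
        parts.append(child.tail or "")
    return "".join(parts)


def render_descriptions(xccdf_text, missing="raise"):
    """Return {rule id: rendered description text} for every Rule in the document."""
    root = ET.fromstring(xccdf_text)
    values = collect_values(root)
    rendered = {}
    for rule in root.iter(_tag("Rule")):
        desc = rule.find("x:description", NS)
        rendered[rule.get("id")] = render(desc, values, missing) if desc is not None else ""
    return rendered


def find_unresolved(xccdf_text):
    """List (rule id, idref) pairs whose <sub> has no matching Value.

    This is the check to run over built content before shipping it to a
    consumer that may silently render an unresolved reference as ''.
    """
    root = ET.fromstring(xccdf_text)
    values = collect_values(root)
    return [
        (rule.get("id"), sub.get("idref"))
        for rule in root.iter(_tag("Rule"))
        for sub in rule.iter(_tag("sub"))
        if sub.get("idref") not in values
    ]


if __name__ == "__main__":
    print(render_descriptions(SAMPLE_XCCDF))
    print(render_descriptions(SAMPLE_DANGLING, missing="empty"))
    print(find_unresolved(SAMPLE_DANGLING))
```

Running `find_unresolved` over the built datastream is the cheap gate: a non-empty list means some rule text will reach the consumer with a `<sub>` it cannot resolve, which is exactly the symptom reported above for the instruction field.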

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 24, 2024

openshift-ci bot commented Jul 24, 2024

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sluetze sluetze changed the title fix xccdf_variable substitution with dotnotation fix xccdf_value substitution with dotnotation Jul 24, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod


github-actions bot commented Jul 24, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12217
This image was built from commit: eda052c

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12217

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12217 make deploy-local

@yuumasato yuumasato self-assigned this Jul 26, 2024
Member

@yuumasato yuumasato left a comment


Thanks,
there are extra spaces around the double curly braces that can be removed.
Since we are touching these lines, could you remove them?

@yuumasato yuumasato added this to the 0.1.74 milestone Jul 26, 2024
Co-authored-by: Watson Yuuma Sato <[email protected]>
@sluetze sluetze requested a review from yuumasato July 27, 2024 14:26

codeclimate bot commented Jul 27, 2024

Code Climate has analyzed commit eda052c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 modified the milestones: 0.1.74, 0.1.75 Jul 29, 2024
@marcusburghardt marcusburghardt added the OpenShift OpenShift product related. label Jul 31, 2024
Member

@yuumasato yuumasato left a comment


Thank you!

@yuumasato yuumasato merged commit f14e083 into ComplianceAsCode:master Aug 5, 2024
90 checks passed
Labels
needs-ok-to-test Used by openshift-ci bot. OpenShift OpenShift product related.
4 participants