#!/usr/bin/python3
from __future__ import print_function
import argparse
import subprocess
import os
import xml.etree.ElementTree as ET
import sys
# XML namespace of the SCAPVal (decima) result document that process_results() reads.
scapval_results_ns = "http://csrc.nist.gov/ns/decima/results/1.0"
# The two namespaces below are defined but not referenced elsewhere in this file.
oval_unix_ns = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
xccdf_ns = "http://checklists.nist.gov/xccdf/1.2"

# SCAPVal requirement id whose FAIL is downgraded to a warning for the
# products in K8S_PRODUCTS (see process_results()).
XML_SCHEMA_REQUIREMENT = "SRC-329"

# Product names whose data streams (ssg-<product>-ds...) get that waiver.
K8S_PRODUCTS = {"ocp4", "eks"}
def parse_args():
    """Parse the command line of this script.

    Returns:
        An argparse namespace with ``scap_version`` ("1.2" or "1.3"),
        ``scapval_path`` and exactly one of ``build_dir`` / ``datastream``
        set; the other member of that exclusive pair is None.
    """
    parser = argparse.ArgumentParser(
        description="Runs SCAP Validation of our data streams using SCAP"
        "Validation Tool (SCAPVal)")
    parser.add_argument(
        "--scap-version", required=True, choices=["1.2", "1.3"],
        help="SCAP Version (Only 1.2 and 1.3 supported)")
    parser.add_argument(
        "--scapval-path", required=True,
        help="Full path to the SCAPVal JAR archive")
    # Either a whole build directory or one specific data stream, never both.
    source = parser.add_mutually_exclusive_group(required=True)
    source.add_argument(
        "--build-dir",
        help="Full path to the ComplianceAsCode build directory")
    source.add_argument(
        "--datastream",
        help="Full path to the ComplianceAsCode data stream")
    return parser.parse_args()
def ds_is_k8s_related(result_path):
    """Return True if *result_path* belongs to a data stream of a K8S_PRODUCTS product.

    This is a plain substring test for ``ssg-<product>-ds``, so it matches
    the data stream itself as well as derived names such as the
    ``.result.xml`` SCAPVal writes next to it.
    """
    stems = ("ssg-{0}-ds".format(prodname) for prodname in K8S_PRODUCTS)
    return any(stem in result_path for stem in stems)
def print_requirement_feedback(req_id, message):
    """Print one indented ``<req_id>: <message>`` line for a SCAPVal requirement."""
    line = " {0}: {1}".format(req_id, message)
    print(line)
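def process_results(result_path):
    """Evaluate a SCAPVal result file and print per-requirement feedback.

    Every ``base-requirement`` whose status is FAIL is printed.  For data
    streams of K8S_PRODUCTS products, a FAIL of XML_SCHEMA_REQUIREMENT is
    printed as a warning instead and does not affect the verdict (waiver);
    a PASS of that same requirement is printed as a reminder to drop the
    waiver, again without affecting the verdict.

    Args:
        result_path: path of the ``*.result.xml`` written by SCAPVal.

    Returns:
        True if no non-waived requirement has status FAIL, False otherwise.

    Raises:
        ValueError: the document has no ``results`` element in the SCAPVal
            namespace, or a requirement has no ``status`` element -- i.e.
            the file is not the SCAPVal output this script expects.
    """
    ret_val = True
    root = ET.parse(result_path).getroot()
    results = root.find("./{%s}results" % scapval_results_ns)
    if results is None:
        # Previously an AttributeError on None with no hint which file was bad.
        raise ValueError("%s: no <results> element in namespace %s"
                         % (result_path, scapval_results_ns))
    # The waiver depends only on the data stream, so decide it once, not per requirement.
    k8s_related = ds_is_k8s_related(result_path)
    for base_req in results.findall(
            "./{%s}base-requirement" % scapval_results_ns):
        scapval_requirement_id = base_req.get("id")
        status_elem = base_req.find("./{%s}status" % scapval_results_ns)
        if status_elem is None:
            raise ValueError("%s: requirement %s has no <status> element"
                             % (result_path, scapval_requirement_id))
        status = status_elem.text
        waived = k8s_related and scapval_requirement_id == XML_SCHEMA_REQUIREMENT
        if status == "FAIL":
            if waived:
                warning = "WARNING (Contains non-standardized yamlfilecontent_test)"
                print_requirement_feedback(scapval_requirement_id, warning)
            else:
                print_requirement_feedback(scapval_requirement_id, status)
                ret_val = False
        elif status == "PASS" and waived:
            msg = ("FAIL (yamlfilecontent_test is probably standardized by now."
                   "You should update the waiver.)")
            print_requirement_feedback(scapval_requirement_id, msg)
    return ret_val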
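def test_datastream(datastream_path, scapval_path, scap_version):
    """Run SCAPVal on one data stream and evaluate the result file it writes.

    Args:
        datastream_path: path of the data stream XML to validate.
        scapval_path: path of the SCAPVal JAR archive.
        scap_version: "1.2" or "1.3", handed to SCAPVal's ``-scapversion``.

    Returns:
        The verdict of process_results() for ``<datastream_path>.result.xml``.

    Side effects:
        SCAPVal is asked to write ``<datastream_path>.result.xml`` and
        ``<datastream_path>.report.html``.  On any SCAPVal failure other than
        the known HTML-report NullPointerException, the command and its output
        are written to stderr and the process exits with status 1.
    """
    result_path = datastream_path + ".result.xml"
    report_path = datastream_path + ".report.html"
    # Passed as an argument list (no shell), so the paths are never re-parsed.
    scapval_command = [
        "java",
        "-Xmx1024m",
        "-Djava.protocol.handler.pkgs=sun.net.www.protocol",
        "-jar", scapval_path,
        "-scapversion", scap_version,
        "-file", datastream_path,
        "-valresultfile", result_path,
        "-valreportfile", report_path
    ]
    # Workaround: SCAPVal 1.3.2 can't generate HTML report because
    # it throws a NullPointerException, but we don't need the HTML
    # report for this test, so we can ignore this error.
    # TODO: Remove this when this is fixed in SCAPVal
    known_report_failure = (
        "ERROR SCAPVal has encountered a problem and cannot continue "
        "with this validation. - java.lang.NullPointerException: "
        "XSLTemplateExtension cannot be null")
    try:
        subprocess.check_output(scapval_command, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as e:
        # errors="replace": a non-UTF-8 byte in Java's output must not turn the
        # diagnostic into an unrelated UnicodeDecodeError.
        scapval_output = e.output.decode("utf-8", errors="replace")
        lines = scapval_output.splitlines()
        # Empty output (e.g. java could not start) has no last line; treat it
        # as an unexpected failure instead of raising IndexError.
        last_line = lines[-1] if lines else ""
        if not last_line.endswith(known_report_failure):
            sys.stderr.write("Command '{0}' returned {1}:\n{2}\n".format(
                " ".join(e.cmd), e.returncode, scapval_output))
            sys.exit(1)
    return process_results(result_path)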
def main():
    """Validate every selected data stream; exit 0 if all pass, else 1.

    With ``--datastream`` exactly that file is validated; with ``--build-dir``
    every file in the directory whose name ends with the suffix of the
    requested SCAP version (``-ds-1.2.xml`` for 1.2, ``-ds.xml`` for 1.3).
    """
    args = parse_args()
    if args.datastream is None:
        build_dir = args.build_dir
        files = os.listdir(build_dir)
    else:
        build_dir = os.path.dirname(args.datastream)
        files = [os.path.basename(args.datastream)]
    print("Build dir: %s" % build_dir)

    # argparse restricts --scap-version to these two values.
    if args.scap_version == "1.2":
        ds_suffix = "-ds-1.2.xml"
    elif args.scap_version == "1.3":
        ds_suffix = "-ds.xml"

    overall_result = True
    for filename in files:
        if not filename.endswith(ds_suffix):
            continue
        print("Testing %s ..." % filename)
        datastream_path = os.path.join(build_dir, filename)
        passed = test_datastream(
            datastream_path, args.scapval_path, args.scap_version)
        print("%s: %s" % (filename, "PASS" if passed else "FAIL"))
        if not passed:
            overall_result = False

    sys.exit(0 if overall_result else 1)
# Script entry point; main() always terminates the process via sys.exit.
if __name__ == "__main__":
    main()