
[GSoC23] - A - Implement OVAL parser #7227

Closed
wants to merge 9 commits into from

Conversation

HoussemNasri
Collaborator

@HoussemNasri HoussemNasri commented Jul 1, 2023

What does this PR change?

Overview

This PR implements the OVAL parser component as stated in the CVE Auditing with OVAL RFC. The parser is responsible for transforming an OVAL file to an OVALRootType Java object from which we can access all OVAL constructs from Java. The OVAL types are defined under the ovaltypes package. The types don't always have the same name as stated in the OVAL specs to have more compact names (e.g. CheckEnum instead of CheckEnumeration), but they can be easily inferred by eye or by looking at the @XmlType annotation above the type definition.

Another important addition of the PR is an implementation of the Test evaluation algorithm stated in the OVAL specification. The implementation is capable of the evaluation of rpminfo_test and dpkginfo_test types, which are basically tests for checking the existence of certain RPM or DPKG packages (with specific versions sometimes) on systems. It is a very limited implementation but with it, we can evaluate all the tests that exist in the OVAL files we're aiming at consuming.

This also implements the evaluation of criteria trees by the delegation of test evaluations to TestEvaluator. See CriteriaType#evaluate and CriterionType#evaluate.

Usage

Given that the parser is currently detached from the rest of the codebase and can't be accessed from the UI, this is a small guide on how to play around with the parser:

Parse an OVAL file

OvalParser ovalParser = new OvalParser();
OvalRootType rootType = ovalParser.parse(new File("<path to oval file>"));
// Initialize state, object, and test OVAL managers to be able to look them up by id efficiently
OvalStateManager ovalStateManager = new OvalStateManager(rootType.getStates().getStates());
OvalObjectManager ovalObjectManager = new OvalObjectManager(rootType.getObjects().getObjects());
OvalTestManager ovalTestManager = new OvalTestManager(rootType.getTests().getTests());

Get TestType by id

TestType testType = ovalTestManager.get("oval:org.opensuse.security:tst:2009669927");

Evaluate criteria tree

// Get a fake list of CVE patch statuses
List<UyuniAPI.CVEPatchStatus> cvePatchStatusList = UyuniAPI.listSystemsByPatchStatus(null, null)
        .collect(Collectors.toList());

// Initialize test evaluator
TestEvaluator testEvaluator = new TestEvaluator(
        ovalTestManager, ovalObjectManager, ovalStateManager,
        cvePatchStatusList
);

// Evaluate
CriteriaType criteriaType = rootType.getDefinitions().get(0).getCriteria();
criteriaType.evaluate(testEvaluator);

Note

Please note that this is not the final parser to be used in production. As stated in #7108, JAXB-based parsers, which is what the current parser is based on, are memory hungry and can cause performance problems in production environments with limited memory constraints. However, to keep this pull request small and concise I decided to implement the StAX-based OVAL parser at a later stage. In the meantime, I haven't encountered any performance degradation while using the current parser.

TODO

  • Fix checkstyle errors
  • Make OvalRootType#getObjects return List<ObjectType>
  • Use better names for the test cases

GUI diff

No difference.

  • DONE

Documentation

No documentation needed

  • DONE

Test coverage

Unit tests were added

  • DONE

Links

openSUSE/mentoring#197

  • DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

  • No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

  • Re-run test "changelog_test"
  • Re-run test "backend_unittests_pgsql"
  • Re-run test "java_pgsql_tests"
  • Re-run test "schema_migration_test_pgsql"
  • Re-run test "susemanager_unittests"
  • Re-run test "javascript_lint"
  • Re-run test "spacecmd_unittests"
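To make the criteria-tree evaluation described in the PR body concrete, here is an added, self-contained illustration; it is not code from this PR or from Uyuni. It parses a constructed OVAL fragment with the JDK's DOM parser (the PR uses a JAXB binding instead), builds a criteria tree in which criteria and criterion nodes share one evaluate() method (the composite pattern the commits mention), and evaluates rpminfo_test elements against a constructed package inventory rather than UyuniAPI CVE patch statuses. All ids, package names, versions and class names (OvalCriteriaDemo, CriteriaNode, TestEvaluator, compareEvr) are invented for the example; the EVR comparison is deliberately simplified, only the "less than" state operation is handled, and only true/false results are modelled, whereas the OVAL specification also defines unknown, error and not-evaluated results.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added illustration, not Uyuni code: composite evaluation of an OVAL criteria tree (Java 17). */
public class OvalCriteriaDemo {
    /** Constructed OVAL fragment, namespaces omitted: openssl older than 1.1.1k-1.2 AND (kernel-default OR kernel-rt). */
    static final String OVAL = """
        <oval_definitions>
          <definitions><definition id="oval:example:def:1"><criteria operator="AND">
            <criterion test_ref="oval:example:tst:1"/>
            <criteria operator="OR"><criterion test_ref="oval:example:tst:2"/><criterion test_ref="oval:example:tst:3"/></criteria>
          </criteria></definition></definitions>
          <tests><rpminfo_test id="oval:example:tst:1" check="at least one"><object object_ref="oval:example:obj:1"/><state state_ref="oval:example:ste:1"/></rpminfo_test>
            <rpminfo_test id="oval:example:tst:2" check="at least one"><object object_ref="oval:example:obj:2"/></rpminfo_test>
            <rpminfo_test id="oval:example:tst:3" check="at least one"><object object_ref="oval:example:obj:3"/></rpminfo_test></tests>
          <objects><rpminfo_object id="oval:example:obj:1"><name>openssl</name></rpminfo_object>
            <rpminfo_object id="oval:example:obj:2"><name>kernel-default</name></rpminfo_object>
            <rpminfo_object id="oval:example:obj:3"><name>kernel-rt</name></rpminfo_object></objects>
          <states><rpminfo_state id="oval:example:ste:1"><evr operation="less than">1.1.1k-1.2</evr></rpminfo_state></states>
        </oval_definitions>
        """;
    /** Composite pattern: <criteria> and <criterion> share evaluate(), so the whole tree evaluates recursively. */
    interface CriteriaNode { boolean evaluate(TestEvaluator ev); }
    record Criterion(String testRef, boolean negate) implements CriteriaNode {
        public boolean evaluate(TestEvaluator ev) { return negate != ev.evaluate(testRef); }
    }
    record Criteria(String operator, boolean negate, List<CriteriaNode> nodes) implements CriteriaNode {
        public boolean evaluate(TestEvaluator ev) {
            long trues = nodes.stream().filter(n -> n.evaluate(ev)).count();
            return negate != switch (operator) {   // OVAL operators over plain true/false ("unknown"/"error" not modelled)
                case "AND" -> trues == nodes.size();
                case "OR" -> trues > 0;
                case "ONE" -> trues == 1;
                case "XOR" -> trues % 2 == 1;
                default -> throw new IllegalArgumentException("unknown operator " + operator);
            };
        }
    }

    /** Evaluates rpminfo_test elements against a constructed inventory (package name -> installed EVR). */
    static final class TestEvaluator {
        final Map<String, Element> byId = new HashMap<>();   // tests, objects and states indexed by id
        final Map<String, String> installedEvr;
        TestEvaluator(Element root, Map<String, String> installedEvr) {
            this.installedEvr = installedEvr;
            for (String section : List.of("tests", "objects", "states"))
                for (Element e : children(first(root, section))) byId.put(e.getAttribute("id"), e);
        }
        boolean evaluate(String testId) {
            Element test = byId.get(testId);
            Element object = byId.get(first(test, "object").getAttribute("object_ref"));
            String installed = installedEvr.get(first(object, "name").getTextContent().trim());
            if (installed == null) return false;              // no item on the system matches the object
            Element state = first(test, "state");
            if (state == null) return true;                   // existence-only test
            Element evr = first(byId.get(state.getAttribute("state_ref")), "evr");
            if (!"less than".equals(evr.getAttribute("operation")))
                throw new IllegalArgumentException("unsupported operation " + evr.getAttribute("operation"));
            return compareEvr(installed, evr.getTextContent().trim()) < 0;
        }
    }

    /** Simplified EVR comparison (numeric segments as integers, others lexically); real code must follow rpmvercmp / dpkg rules. */
    static int compareEvr(String a, String b) {
        String[] as = a.split("[.\\-_]"), bs = b.split("[.\\-_]");
        for (int i = 0; i < Math.max(as.length, bs.length); i++) {
            String x = i < as.length ? as[i] : "", y = i < bs.length ? bs[i] : "";
            int c = x.matches("\\d+") && y.matches("\\d+") ? Long.compare(Long.parseLong(x), Long.parseLong(y)) : x.compareTo(y);
            if (c != 0) return c;
        }
        return 0;
    }
    static CriteriaNode parseCriteria(Element e) {
        boolean negate = "true".equals(e.getAttribute("negate"));
        if (e.getTagName().equals("criterion")) return new Criterion(e.getAttribute("test_ref"), negate);
        List<CriteriaNode> kids = new ArrayList<>();
        for (Element c : children(e)) kids.add(parseCriteria(c));
        return new Criteria(e.getAttribute("operator").isEmpty() ? "AND" : e.getAttribute("operator"), negate, kids);
    }
    /** first(): first descendant with the tag, or null; children(): direct child elements only. */
    static Element first(Element parent, String tag) { return (Element) parent.getElementsByTagName(tag).item(0); }
    static List<Element> children(Element parent) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) if (n instanceof Element e) out.add(e);
        return out;
    }
    static boolean evaluateDefinition(Map<String, String> installedEvr) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // OVAL is external input: refuse DTDs (XXE)
        Element root = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(OVAL.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        CriteriaNode tree = parseCriteria(first(children(first(root, "definitions")).get(0), "criteria"));
        return tree.evaluate(new TestEvaluator(root, installedEvr));
    }
    public static void main(String[] args) throws Exception {   // constructed inventories; the PR takes them from UyuniAPI
        System.out.println(evaluateDefinition(Map.of("openssl", "1.1.1d-3.1", "kernel-default", "5.14.21-1")));  // true
        System.out.println(evaluateDefinition(Map.of("openssl", "1.1.1k-1.2", "kernel-default", "5.14.21-1")));  // false
    }
}
```

Running main evaluates the same definition against two constructed inventories: the first (openssl 1.1.1d-3.1 on a kernel-default system) makes every branch of the AND/OR tree true, so the definition matches; the second has the patched openssl, so the leaf test fails and the whole tree is false, regardless of the OR branch. Two design points carry over to a production parser: ids must be indexed up front (the byId map here plays the role of the OvalStateManager/OvalObjectManager/OvalTestManager classes in the PR) because criteria refer to tests by reference only, and the XML parser must refuse DOCTYPE declarations, since OVAL feeds are fetched from outside the system being audited.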

- It's an optimization to enable faster lookups of OVAL resources
- This class is temporary and will be removed when the integration with Uyuni is complete.
- Also, implemented the composite design pattern to enable the evaluation of the criteria tree
- This is a temporary implementation based on JAXB API which consumes a lot of memory. I plan to rewrite it with StAX for better performance.
@github-actions
Contributor

github-actions bot commented Jul 1, 2023

Suggested tests to cover this Pull Request

@HoussemNasri HoussemNasri changed the title Implement OVAL parser [GSoC23] - A - Implement OVAL parser Jul 1, 2023
@admd admd requested review from cbosdo, rjmateus and parlt91 and removed request for a team July 3, 2023 15:27
@HoussemNasri HoussemNasri marked this pull request as draft July 19, 2023 14:46
@HoussemNasri
Collaborator Author

Closed by #7335
