oeqa: openscap test

Add basic openscap test. This looks for an existing profile and run a basic scan. Openscap scans return 1 in case of failure, 0 in case of success and 2 when a vulnerability has been found. As this does not aim to check openscap reports, 2 is considered as a successful test. Signed-off-by: Louis Rannou <louis.rannou@non.se.com> (added to test image) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
author: Louis Rannou <louis.rannou@non.se.com> 2025-11-14 09:26:45 +0100
committer: Scott Murray <scott.murray@konsulko.com> 2025-11-21 09:10:00 -0500
commit: a043f0b8eded3444d6ac520a5fab02b191d43cf0 (patch)
tree: e5e19e3713100a6c3110a121264103b8b3923876 /lib/oeqa/runtime
parent: 3b0ee6a7b6dc0df85b237ada0a292905f13553c7 (diff)
download: meta-security-a043f0b8eded3444d6ac520a5fab02b191d43cf0.tar.gz
1 files changed, 48 insertions, 0 deletions
diff --git a/lib/oeqa/runtime/cases/openscap.py b/lib/oeqa/runtime/cases/openscap.py
new file mode 100644
index 0000000..7012b6b
--- /dev/null
+++ b/lib/oeqa/runtime/cases/openscap.py
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: MIT
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+class OpenscapTest(OERuntimeTestCase):
+    @OEHasPackage(["openscap"])
+    @OETestDepends(["ssh.SSHTest.test_ssh"])
+    def test_openscap_basic(self):
+        status, output = self.target.run("oscap -V")
+        msg = (
+            "`oscap -V` command does not work as expected. "
+            "Status and output:%s and %s" % (status, output)
+        )
+        self.assertEqual(status, 0, msg=msg)
+    @OEHasPackage(["openscap"])
+    @OEHasPackage(["scap-security-guide"])
+    @OETestDepends(["ssh.SSHTest.test_ssh"])
+    def test_openscap_scan(self):
+        SCAP_SOURCE = "/usr/share/xml/scap/ssg/content/ssg-openembedded-xccdf.xml"
+        CPE_DICT = "/usr/share/xml/scap/ssg/content/ssg-openembedded-cpe-dictionary.xml"
+        cmd = "oscap info --profiles %s" % SCAP_SOURCE
+        status, output = self.target.run(cmd)
+        msg = (
+            "oscap info` command does not work as expected.\n"
+            "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
+        )
+        self.assertEqual(status, 0, msg=msg)
+        for p in output.split("\n"):
+            profile = p.split(":")[0]
+            cmd = "oscap xccdf eval --cpe %s --profile %s %s" % (
+                CPE_DICT,
+                profile,
+                SCAP_SOURCE,
+            )
+            status, output = self.target.run(cmd)
+            msg = (
+                "`oscap xccdf eval` does not work as expected.\n"
+                "Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
+            )
+            self.assertNotEqual(status, 1, msg=msg)
author	Louis Rannou <louis.rannou@non.se.com>	2025-11-14 09:26:45 +0100
committer	Scott Murray <scott.murray@konsulko.com>	2025-11-21 09:10:00 -0500
commit	a043f0b8eded3444d6ac520a5fab02b191d43cf0 (patch)
tree	e5e19e3713100a6c3110a121264103b8b3923876 /lib/oeqa/runtime
parent	3b0ee6a7b6dc0df85b237ada0a292905f13553c7 (diff)
download	meta-security-a043f0b8eded3444d6ac520a5fab02b191d43cf0.tar.gz

diff --git a/lib/oeqa/runtime/cases/openscap.py b/lib/oeqa/runtime/cases/openscap.py new file mode 100644 index 0000000..7012b6b --- /dev/null +++ b/lib/oeqa/runtime/cases/openscap.py
@@ -0,0 +1,48 @@
	1	# SPDX-License-Identifier: MIT
	2	#
	3
	4	from oeqa.runtime.case import OERuntimeTestCase
	5	from oeqa.core.decorator.depends import OETestDepends
	6	from oeqa.runtime.decorator.package import OEHasPackage
	7
	8
	9	class OpenscapTest(OERuntimeTestCase):
	10
	11	@OEHasPackage(["openscap"])
	12	@OETestDepends(["ssh.SSHTest.test_ssh"])
	13	def test_openscap_basic(self):
	14	status, output = self.target.run("oscap -V")
	15	msg = (
	16	"`oscap -V` command does not work as expected. "
	17	"Status and output:%s and %s" % (status, output)
	18	)
	19	self.assertEqual(status, 0, msg=msg)
	20
	21	@OEHasPackage(["openscap"])
	22	@OEHasPackage(["scap-security-guide"])
	23	@OETestDepends(["ssh.SSHTest.test_ssh"])
	24	def test_openscap_scan(self):
	25	SCAP_SOURCE = "/usr/share/xml/scap/ssg/content/ssg-openembedded-xccdf.xml"
	26	CPE_DICT = "/usr/share/xml/scap/ssg/content/ssg-openembedded-cpe-dictionary.xml"
	27
	28	cmd = "oscap info --profiles %s" % SCAP_SOURCE
	29	status, output = self.target.run(cmd)
	30	msg = (
	31	"oscap info` command does not work as expected.\n"
	32	"Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
	33	)
	34	self.assertEqual(status, 0, msg=msg)
	35
	36	for p in output.split("\n"):
	37	profile = p.split(":")[0]
	38	cmd = "oscap xccdf eval --cpe %s --profile %s %s" % (
	39	CPE_DICT,
	40	profile,
	41	SCAP_SOURCE,
	42	)
	43	status, output = self.target.run(cmd)
	44	msg = (
	45	"`oscap xccdf eval` does not work as expected.\n"
	46	"Command: %s\n" % cmd + "Status and output:%s and %s" % (status, output)
	47	)
	48	self.assertNotEqual(status, 1, msg=msg)