app-forensics/openscap: resurrected and modernized from hardened project

Goes with: * https://gitweb.gentoo.org/proj/hardened-docs.git/tree/xml/SCAP * https://gitweb.gentoo.org/repo/gentoo.git/tree/app-forensics/openscap?id=b31f832fb473f5cff5bc7443da4eb5c55adefddd Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
VCTLabs · Jul 13, 2023 · d284d6c · d284d6c
1 parent 7a7b696
commit d284d6c
Show file tree

Hide file tree

Showing 7 changed files with 249 additions and 0 deletions.
diff --git a/README.rst b/README.rst
@@ -10,6 +10,7 @@ Portage overlay for embedded tools and (extra) Python packages.
 
 Interesting/useful items:
 
+* app-forensics/openscap - NIST Certified SCAP 1.2 toolkit
 * dev-embedded/abc - A system for sequential logic synthesis and formal verification
 * dev-embedded/chiptools - A utility to automate FPGA build and verification
 * dev-embedded/yosys - A framework for Verilog RTL synthesis

diff --git a/app-forensics/openscap/Manifest b/app-forensics/openscap/Manifest
@@ -0,0 +1 @@
+DIST openscap-1.3.7.tar.gz 14032390 BLAKE2B b57fa7daa52841936daf414426eb01e55f9a3a777c6038ae5b79cb10363b0798cabdad49c34b6dddf1d44fa926d88f75ea38073efedee39a35e45454da71717a SHA512 64dcceadbbb5b6045d2ebaca89287c80c26e05d7247fc0dd31cd9bff98398c7a26d6ed0e9191dcd2fd01f0711181f15d34fe9784bd043ccd0854baa17397cd88
diff --git a/app-forensics/openscap/files/openscap-fix-QA-warnings-with-newer-toolchain.patch b/app-forensics/openscap/files/openscap-fix-QA-warnings-with-newer-toolchain.patch
@@ -0,0 +1,71 @@
+From 5830090eb9c58bd7dacbb5a82934a73fc65b1983 Mon Sep 17 00:00:00 2001
+From: Stephen L Arnold <sarnold@vctlabs.com>
+Date: Wed, 12 Jul 2023 17:30:19 -0700
+Subject: [PATCH] fix QA warnings with newer toolchain, add missing rpm header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* mainly implicit declaration of function ‘rpmFreeCrypto’
+
+Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
+---
+ src/OVAL/probes/unix/linux/rpminfo_probe.c          | 3 +++
+ src/OVAL/probes/unix/linux/rpmverify_probe.c        | 1 +
+ src/OVAL/probes/unix/linux/rpmverifyfile_probe.c    | 1 +
+ src/OVAL/probes/unix/linux/rpmverifypackage_probe.c | 1 +
+ 4 files changed, 6 insertions(+)
+
+diff --git a/src/OVAL/probes/unix/linux/rpminfo_probe.c b/src/OVAL/probes/unix/linux/rpminfo_probe.c
+index 46ad1d971..1eaf5dfe7 100644
+--- a/src/OVAL/probes/unix/linux/rpminfo_probe.c
++++ b/src/OVAL/probes/unix/linux/rpminfo_probe.c
+@@ -62,6 +62,9 @@
+ /* RPM headers */
+ #include "rpm-helper.h"
+
++/* Individual RPM headers */
++#include <rpm/rpmpgp.h>
++
+ /* SEAP */
+ #include "_seap.h"
+ #include <probe-api.h>
+diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+index 14ee57d89..4dca3022d 100644
+--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+@@ -46,6 +46,7 @@
+ /* Individual RPM headers */
+ #include <rpm/rpmfi.h>
+ #include <rpm/rpmcli.h>
++#include <rpm/rpmpgp.h>
+
+ /* SEAP */
+ #include <probe-api.h>
+diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+index a61f44e39..6273ac9e7 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+@@ -49,6 +49,7 @@
+ /* Individual RPM headers */
+ #include <rpm/rpmfi.h>
+ #include <rpm/rpmcli.h>
++#include <rpm/rpmpgp.h>
+
+ /* SEAP */
+ #include <probe-api.h>
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+index b56fd43d1..df95a17e5 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+@@ -49,6 +49,7 @@
+ /* Individual RPM headers */
+ #include <rpm/rpmfi.h>
+ #include <rpm/rpmcli.h>
++#include <rpm/rpmpgp.h>
+ #include <popt.h>
+
+ /* SEAP */
+-- 
+2.41.0
+
diff --git a/app-forensics/openscap/files/openscap-fix-default-perl-install-path.patch b/app-forensics/openscap/files/openscap-fix-default-perl-install-path.patch
@@ -0,0 +1,37 @@
+From 8cc098b67bc61ed7c5fe5486b461b28bf4fa21d6 Mon Sep 17 00:00:00 2001
+From: Stephen L Arnold <sarnold@vctlabs.com>
+Date: Tue, 11 Jul 2023 17:49:10 -0700
+Subject: [PATCH 1/2] make default perl install path respect
+ CMAKE_INSTALL_PREFIX
+
+Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
+---
+ swig/perl/CMakeLists.txt | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt
+index 057b365bf..5ce41e9fa 100644
+--- a/swig/perl/CMakeLists.txt
++++ b/swig/perl/CMakeLists.txt
+@@ -1,6 +1,8 @@
+ include(UseSWIG)
+ include(FindPerlLibs)
+
++string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR)
++
+ set(CMAKE_SWIG_FLAGS "-module" "openscap_pm")
+ if (${CMAKE_VERSION} VERSION_LESS "3.8.0")
+ 	swig_add_module(openscap_pm perl5 ../openscap.i)
+@@ -20,7 +22,7 @@ if (APPLE OR (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD"))
+                 DESTINATION ${CMAKE_INSTALL_DATADIR}/perl5/vendor_perl)
+ else()
+         install(TARGETS ${SWIG_MODULE_openscap_pm_REAL_NAME}
+-               DESTINATION ${PERL_VENDORLIB})
++               DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/${PERL_VERSION_MINOR})
+         install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/openscap_pm.pm
+-               DESTINATION ${PERL_VENDORARCH})
++               DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/vendor_perl/${PERL_VERSION_MINOR})
+ endif()
+-- 
+2.41.0
+
diff --git a/app-forensics/openscap/files/run-a-minor-testsuite.patch b/app-forensics/openscap/files/run-a-minor-testsuite.patch
@@ -0,0 +1,42 @@
+From: =?utf-8?b?IkjDpXZhcmQgRi4gQWFzZW4i?= <havard.f.aasen@pfft.no>
+Date: Sat, 30 Jul 2022 07:57:36 +0200
+Subject: run a minor testsuite
+
+Forwarded: not-needed
+---
+ tests/CMakeLists.txt | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index ae8c4f2..fa78bd5 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -22,20 +22,20 @@ endfunction()
+
+ configure_file("test_common.sh.in" "test_common.sh" @ONLY)
+
+-add_subdirectory("API")
++#add_subdirectory("API")
+ add_subdirectory("bindings")
+-add_subdirectory("bz2")
++#add_subdirectory("bz2")
+ add_subdirectory("codestyle")
+-add_subdirectory("curl")
++#add_subdirectory("curl")
+ add_subdirectory("CPE")
+-add_subdirectory("DS")
++#add_subdirectory("DS")
+ add_subdirectory("mitre")
+-add_subdirectory("nist")
++#add_subdirectory("nist")
+ add_subdirectory("oscap_string")
+ add_subdirectory("oval_details")
+-add_subdirectory("probes")
+-add_subdirectory("report")
+-add_subdirectory("sce")
++#add_subdirectory("probes")
++#add_subdirectory("report")
++#add_subdirectory("sce")
+ add_subdirectory("schemas")
+ add_subdirectory("sources")
+ add_subdirectory("utils")
diff --git a/app-forensics/openscap/metadata.xml b/app-forensics/openscap/metadata.xml
@@ -0,0 +1,20 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>nerdboy@gentoo.org</email>
+		<name>Steve Arnold</name>
+	</maintainer>
+	<use>
+		<flag name="nss">Prefer NSS over libgcrypt as the crypto engine</flag>
+		<flag name="rpm">Compiles the RPM probes</flag>
+		<flag name="sce">Enables Script Check Engine (SCE) support</flag>
+		<flag name="sql">Build the sql independant probes</flag>
+	</use>
+	<longdescription lang="en">
+		The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.
+	</longdescription>
+	<upstream>
+		<remote-id type="github">OpenSCAP/openscap</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/app-forensics/openscap/openscap-1.3.7.ebuild b/app-forensics/openscap/openscap-1.3.7.ebuild
@@ -0,0 +1,77 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit cmake bash-completion-r1 python-single-r1
+
+HOMEPAGE="https://www.open-scap.org/tools/openscap-base"
+DESCRIPTION="NIST Certified SCAP 1.2 toolkit"
+
+if [[ ${PV} != *9999* ]]; then
+	SRC_URI="https://github.com/OpenSCAP/openscap/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/OpenSCAP/openscap.git"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0/1"
+IUSE="+acl +caps debug doc ldap nss +pcre perl python rpm selinux sce sql test +xattr"
+
+RDEPEND="!nss? ( dev-libs/libgcrypt:0 )
+	nss? ( dev-libs/nss )
+	acl? ( virtual/acl )
+	caps? ( sys-libs/libcap )
+	ldap? ( net-nds/openldap )
+	pcre? ( dev-libs/libpcre )
+	rpm? ( >=app-arch/rpm-4.9 )
+	sql? ( dev-db/opendbx )
+	xattr? ( sys-apps/attr )
+	dev-libs/libpcre
+	dev-libs/libxml2
+	dev-libs/libxslt
+	dev-libs/xmlsec
+	dev-libs/dbus-glib
+	dev-libs/glib
+	dev-libs/popt
+	net-misc/curl
+	sys-apps/dbus
+	${PYTHON_DEPS}"
+
+DEPEND="${RDEPEND}
+	doc? ( app-doc/doxygen )
+	perl? ( dev-lang/swig )
+	python? ( dev-lang/swig )
+	test? (
+		app-arch/unzip
+		dev-perl/XML-XPath
+		net-misc/ipcalc
+		sys-apps/grep )"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+PATCHES=(
+	"${FILESDIR}/${PN}-fix-default-perl-install-path.patch"
+	"${FILESDIR}/run-a-minor-testsuite.patch"
+	"${FILESDIR}/${PN}-fix-QA-warnings-with-newer-toolchain.patch"
+)
+
+DOCS=( README.md )
+
+src_configure() {
+	local mycmakeargs=(
+		-DENABLE_OSCAP_REMEDIATE_SERVICE=OFF
+		-DENABLE_PERL="$(usex perl)"
+		-DOPENSCAP_PROBE_UNIX_GCONF=OFF
+		-DGCONF_LIBRARY=
+		-DENABLE_DOCS="$(usex doc)"
+	)
+
+
+	cmake_src_configure
+}