Fix issues with OpenSCAP policy #18189
Conversation
|
Checked commits lfu/manageiq@25460e7~...5b674f6 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
|
cc @moolitayer @cben |
mkanoor
changed the title
There was a problem hiding this comment.
Cool, this was a long-standing problem.
Corner case to consider: some users copy this policy to customize it (the docs suggest how to do it). In this case the policy they actually run won't be affected by the .yml seed.
But all they'd miss is the condition text fix; the functional fix is in ManageIQ/manageiq-providers-kubernetes#303 NOT raising scan complete event when it failed, which will affect them just the same 👍
| - name: if container image has high severity openscap rule results | ||
| description: Has high severity OpenSCAP rule results | ||
| - name: if container image has no high severity failure in openscap rule results | ||
| description: No high severity failure in OpenSCAP rule results |
There was a problem hiding this comment.
LGTM.
I tried to find history why test was opposite to reality but got lost in the double-negative you untangled in https://github.com/ManageIQ/manageiq/pull/16213/files#diff-1cc86ebb35ea7f32ab4c185735cd3612 ... 🙇♂️
Once we had "annotate" action only on scan finding high severity issues; then we expanded to annotating both outcomes and I guess we forgot to update text then...
Fix issues with OpenSCAP policy (cherry picked from commit 22baeb0) https://bugzilla.redhat.com/show_bug.cgi?id=1499161
|
Hammer backport details: |
Fix the name and description of OpenSCAP policy.
Add containerimage_scan_abort event.
Blocks ManageIQ/manageiq-providers-kubernetes#303.
https://bugzilla.redhat.com/show_bug.cgi?id=1499161
@miq-bot assign @gmcculloug
@miq-bot add_label bug, hammer/yes