ssg.build_remediations module

class ssg.build_remediations.AnacondaRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.AnsibleRemediation(file_path)[source]

Bases: Remediation

classmethod from_snippet_and_rule(snippet_fname, rule_fname)[source]
get_references()[source]
inject_package_facts_task(parsed_snippet)[source]

Injects a package_facts task only if the snippet has a task with a when clause referencing ansible_facts.packages and the snippet doesn't already have a package_facts task.

parse_from_file(env_yaml, cpe_platforms)[source]
update(parsed, config, cpe_platforms)[source]
update_tags_from_config(to_update, config)[source]
update_tags_from_rule(to_update)[source]
update_when_from_rule(to_update, cpe_platforms)[source]
class ssg.build_remediations.BashRemediation(file_path)[source]

Bases: Remediation

parse_from_file(env_yaml, cpe_platforms)[source]
static wrap_conditionals_with_operators(conditionals)[source]

Wrap bash conditionals that contain operators to ensure proper short-circuit evaluation.

When multiple platform conditionals are joined with OR (||), each conditional that contains operators (&& or ||) must be wrapped in parentheses to ensure proper bash short-circuit evaluation.

Without proper wrapping:

grep … && { version_check } || grep … && { version_check }

causes all version checks to execute due to bash operator precedence.

With proper wrapping:

( grep … && { version_check } ) || ( grep … && { version_check } )

ensures only the matching platform’s version check executes.

Parameters:

conditionals – List of bash conditional expressions

Returns:

List of conditionals with those containing operators wrapped in parentheses
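The precedence problem described above, shown as an added example rather than code from the ssg module: constructed platform probes stand in for the real grep checks, the constructed version checks print a marker so it is visible which of them ran, and PLATFORM is an assumed variable set by the caller.

```sh
#!/bin/sh
# Constructed platform probes standing in for "grep ... /etc/os-release"
# checks; PLATFORM is an assumed variable chosen by the caller.
is_rhel()   { [ "$PLATFORM" = rhel ]; }
is_fedora() { [ "$PLATFORM" = fedora ]; }

# Constructed version checks: each prints a marker so we can see which ran.
version_check_rhel()   { printf 'rhel;'; }
version_check_fedora() { printf 'fedora;'; }

# Unwrapped form. The shell parses "a && b || c && d" left to right as
# "((a && b) || c) && d", so after the RHEL branch succeeds the trailing
# "&& { fedora check }" still executes.
unwrapped() {
    PLATFORM=$1
    is_rhel && { version_check_rhel; } || is_fedora && { version_check_fedora; }
}

# Wrapped form, as wrap_conditionals_with_operators produces: each
# "probe && { check }" is grouped in parentheses, so "||" short-circuits on
# the whole group and only the matching platform's check runs.
wrapped() {
    PLATFORM=$1
    ( is_rhel && { version_check_rhel; } ) || ( is_fedora && { version_check_fedora; } )
}

# Prints the markers of the checks that ran for form $1 on platform $2,
# e.g. "rhel;fedora;" for the unwrapped RHEL case. The exit status of the
# conditional list itself is not the result of interest, so it is discarded.
ran_checks() {
    "$1" "$2" || true
}

ran_checks unwrapped rhel   # prints rhel;fedora; (both checks ran)
ran_checks wrapped rhel     # prints rhel;
```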

class ssg.build_remediations.BlueprintRemediation(file_path)[source]

Bases: Remediation

This class provides OSBuild Blueprint remediations.

class ssg.build_remediations.BootcRemediation(file_path)[source]

Bases: Remediation

This class provides Bootc remediations.

class ssg.build_remediations.HummingbirdRemediation(file_path)[source]

Bases: Remediation

This class provides Hummingbird remediations.

class ssg.build_remediations.IgnitionRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.KickstartRemediation(file_path)[source]

Bases: Remediation

This class provides Kickstart remediations.

class ssg.build_remediations.KubernetesRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.PuppetRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.Remediation(file_path, remediation_type)[source]

Bases: object

associate_rule(rule_obj)[source]
expand_env_yaml_from_rule()[source]
get_inherited_conditionals(language, cpe_platforms)[source]
get_inherited_cpe_platform_names()[source]
get_rule_specific_conditionals(language, cpe_platforms)[source]
get_rule_specific_cpe_platform_names()[source]
get_stripped_conditionals(language, cpe_platform_names, cpe_platforms)[source]

Collect the conditionals of the platforms listed in cpe_platform_names and strip them of whitespace.

parse_from_file(env_yaml, cpe_platforms)[source]
class ssg.build_remediations.RemediationObject(contents, config)

Bases: tuple

config

Alias for field number 1

contents

Alias for field number 0

ssg.build_remediations.expand_xccdf_subs(fix, remediation_type)[source]

Expand the respective populate keyword of each remediation type into an <xccdf:sub> element.

This routine translates any instance of the ‘type-populate’ keyword in the form of:

(type-populate variable_name)

where type can be either ansible, puppet, anaconda or bash, into

<sub idref="variable_name"/>

ssg.build_remediations.get_rule_dir_remediations(dir_path, remediation_type, product=None)[source]

Gets a list of remediations of type remediation_type contained in a rule directory. If product is None, returns all such remediations. If product is not None, returns applicable remediations in order of priority:

{{{ product }}}.ext -> shared.ext

Only returns remediations which exist.

ssg.build_remediations.is_supported_filename(remediation_type, filename)[source]

Checks if filename has a supported extension for remediation_type.

Exits when remediation_type is of an unknown type.

ssg.build_remediations.load_compiled_remediations(fixes_dir)[source]
ssg.build_remediations.parse_from_file_with_jinja(file_path, env_yaml)[source]

Parses a remediation from a file. As remediations contain Jinja macros, an env_yaml context is needed to process them. In practice, no remediations use Jinja in the configuration, so for extracting only the configuration, env_yaml can be an arbitrary product.yml dictionary.

If the logic of configuration parsing changes significantly, please also update ssg.fixes.parse_platform(…).

ssg.build_remediations.parse_from_file_without_jinja(file_path)[source]

Parses a remediation from a file. Doesn’t process the Jinja macros. This function is useful in build phases in which all the Jinja macros are already resolved.

ssg.build_remediations.process(remediation, env_yaml, cpe_platforms)[source]

Process a fix and return the processed fix if and only if the file has a valid extension for the remediation type and the fix is valid for the current product.

Note that platform is a required field in the contents of the fix.

ssg.build_remediations.split_remediation_content_and_metadata(fix_file)[source]
ssg.build_remediations.write_fix_to_file(fix, file_path)[source]

Writes a single fix to the given file path.