Skip to content

Support DEB822 apt source format in apt_sources_list_official#14855

Open
rrskris wants to merge 1 commit into
ComplianceAsCode:masterfrom
rrskris:fix-debian-apt-deb822-sources
Open

Support DEB822 apt source format in apt_sources_list_official#14855
rrskris wants to merge 1 commit into
ComplianceAsCode:masterfrom
rrskris:fix-debian-apt-deb822-sources

Conversation

@rrskris

@rrskris rrskris commented Jul 6, 2026

Copy link
Copy Markdown

Description

The OVAL check for apt_sources_list_official only recognized the legacy one-line sources.list syntax (deb http://... suite component). A system using the DEB822 format — the default for new sources files since apt 2.x, e.g. /etc/apt/sources.list.d/debian.sources — was reported as not using official repositories even when it correctly was, exactly as described in this issue.

While investigating, I also found the existing filepath regex was broken independently of DEB822: it was written as ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$, which matches /etc/apt/sources.d/*.list, not the real Debian path /etc/apt/sources.list.d/*.list. So splitting repos into sources.list.d/*.list files was never detected by the legacy check either.

Fix

  • Corrected the filepath regex to match the real /etc/apt/sources.list.d/*.list path.
  • Added new DEB822-aware OVAL objects/states/tests that parse Types:/URIs:/Suites:/Components: stanzas from *.sources files, order-independent within a stanza, bounded so multiple stanzas in one file (as in the report) don't bleed into each other.
  • Combined the new DEB822 checks with the existing legacy checks via OR, so either format satisfies the rule.
  • Applied to debian11.xml, debian12.xml, and the generic shared.xml fallback.
  • Added test scenarios for: legacy format split across sources.list.d, DEB822 with base+security combined in one file (the reported scenario), DEB822 split across separate files, DEB822 with only a third-party repo (should still fail), and no repos configured (should still fail).

Testing

Built ssg-debian12-ds.xml from a clean checkout and verified with oscap xccdf eval inside an unmodified Debian 12 container:

  • The exact scenario from this issue (combined base+security DEB822 stanzas in one .sources file) fails against the unmodified upstream datastream and passes with this fix.
  • Legacy one-line format, split across sources.list.d: pass
  • DEB822 split across separate .sources files: pass
  • DEB822 file present but only a third-party repo: fail (correct)
  • No repos configured: fail (correct)
  • deb-src-only stanzas do not satisfy the check (regression guard, since deb-src alone doesn't provide binary package access)

Rationale field / rule.yml unchanged since the described requirement ("official repos configured") doesn't change, only the detection logic.

The OVAL check for apt_sources_list_official only matched the legacy
one-line sources.list syntax, so a system using the DEB822 format
(the default since apt 2.x, e.g. /etc/apt/sources.list.d/*.sources)
was reported as not using official repositories even when it was.

Also fix the filepath regex: it was written to match
/etc/apt/sources.d/*.list, which is not a real Debian path, instead
of the intended /etc/apt/sources.list.d/*.list, so repos split into
sources.list.d were never detected by the legacy check either.

Add DEB822-aware checks alongside the existing legacy ones (combined
with OR) for debian11, debian12, and the generic shared fallback, and
add test scenarios covering the legacy format, DEB822 with base and
security combined in one file (the originally reported case), DEB822
split across files, and DEB822 with only a third-party repo.

Fixes ComplianceAsCode#12509
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @rrskris. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
OVAL for rule 'xccdf_org.ssgproject.content_rule_apt_sources_list_official' differs.
--- oval:ssg-apt_sources_list_official:def:1
+++ oval:ssg-apt_sources_list_official:def:1
@@ -1,3 +1,7 @@
 criteria AND
+criteria OR
 criterion oval:ssg-test_apt_sources_list_base_official:tst:1
+criterion oval:ssg-test_apt_sources_list_base_official_deb822:tst:1
+criteria OR
 criterion oval:ssg-test_apt_sources_list_security_official:tst:1
+criterion oval:ssg-test_apt_sources_list_security_official_deb822:tst:1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Used by openshift-ci bot.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants