Update all dependencies
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| ComplianceAsCode/content | ironbank-github | patch |
v0.1.72 -> v0.1.73
|
| anchore/syft | ironbank-github | minor |
v1.0.1 -> v1.4.1
|
| sigstore/cosign | ironbank-github | patch |
v2.2.3 -> v2.2.4
|
Release Notes
ComplianceAsCode/content (ComplianceAsCode/content)
v0.1.73: Content 0.1.73
Important Highlights
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- Disable RHEL 10 content for 0.1.73 release (#11989)
- Generate rule references from control files (#11540)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
New Rules and Profiles
- Add and modify rules file/dir_permissions_system_journal (#11840)
- Add ANSSI Profiles for RHEL 10 (#11787)
- Add initial RHEL 10 PCI DSS profile (#11872)
- Add new rule file_permissions_sudo (#11584)
- Add new templated rules for System.map files (#11640)
- ANSSI R31 updates (#11560)
- Audit watch on /etc/sysconfig/network-scripts (#11724)
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Inital RHEL 10 STIG (#11793)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
- Openembedded fixes (#11652)
- Update ANSSI R50 (#11588)
Updated Rules and Profiles
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
- Add a note to ANSSI R23 (#11571)
- Add a warning to sshd_limit_user_access (#11507)
- Add automation to enable faillock rules (#11458)
- Add platform machine to systctl.d rules (#11622)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
- Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
- Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
- ANSSI R31 updates (#11560)
- api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
- CMP 2453 pci dss requirement 1 (#11725)
- CMP-2365: Fix check for rotating kubelet server certificates (#11543)
- CMP-2372: Remove info override for virtual syscall rules (#11544)
- CMP-2378: Fix OCP version regex (#11499)
- CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
- CMP-2471: Disable rules on s390x (#11743)
- Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
- Do not require existence of /var/tmp/tmp-inst (#11762)
- Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
- ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
- extend the explanation why ANSSI R52 requirement is manual (#11629)
- Fix #11895 issue (#11897)
- Fix #11898 issue (#11899)
- Fix #11902 issue (#11905)
- Fix dconf package name for Ubuntu (#11821)
- Fix description for auditd_max_log_file_action (#11585)
- Fix kdump service name on Ubuntu 22.04 (#11914)
- Fix OCP node OVN check (#11861)
- Fix rule for accounts_authorized_local_users in SLE15 (#11602)
- Fix SCE check for ip6tables_rules_for_open_ports (#11849)
- Fix SCE checks for iptables_loopback_traffic (#11850)
- HIPAA profile for SLE 15 - update (#11582)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Improve Rsyslog Rainer regex to find log files (#11808)
- Improve title of CCN profiles for RHEL9 (#11852)
- Make package installation for iptables and nftables mutually exclusive (#11191)
- mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
- Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
- oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
- OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
- OCP4: Add rule to check ACS sensor deployed (#11675)
- OCP4: Fix rules with both platform and platforms (#11760)
- OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
- OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
- OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
- OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
- Openembedded fixes (#11652)
- put exec back to configure_bashrc_exec_tmux (#11561)
- Remove
disabling_ipv6_autoconfigrule (#11550) - Replace dead HTML links for the chronyd project (#11799)
- RHEL-09-232045: align with STIG (#11890)
- Rule had incorrect CRD reference rule.yml (#11823)
- Set the
requirestosshd_set_keepaliveonsshd_set_idle_timeout(#11815) - sysctl template: allow skipping of runtime checks (#11574)
- trivial: fix linting issue (#11711)
- trivial: Update link to audit profile documentation link (#11732)
- Try 4110 for file_permissions_sudo (#11805)
- ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
- Update ANSSI R29 requirement (#11633)
- Update ANSSI R32 (#11570)
- Update ANSSI R36 requirement (#11632)
- Update ANSSI R40 (#11563)
- Update ANSSI R50 (#11588)
- Update ANSSI R67 requirement (#11642)
- Update ANSSI R68 (#11580)
- Update ANSSI R71 (#11578)
- Update audit_ospp_general (#11519)
- Update CIS requirement status (#11784)
- Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
- Update CIS RHEL8 requirements related to crypto (#11506)
- update cryptopolicy used in CUI profile to fips (#11792)
- Update notes in ANSSI R3 (#11680)
- update notes of the R36 requirement for ANSSI (#11639)
- Update ol8 pcidss (#11867)
- Update ol8 profiles (#11829)
- Update ol8 stig (#11828)
- Update ol8 stig reference (#11884)
- Update ol9 pcidss (#11873)
- Update ol9 profiles (#11846)
- Update RHEL 8 STIG to V1R14 (#11878)
- Update RHEL9 STIG to V1R3 (#11877)
- Update SLE12 STIG to V2R13 (#11599)
- Update SLE15 STIG to V1R12 (#11598)
- update sles oval feed url (#11461)
- Update SRG GPOS Control File (#11634)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
- Update STIG PSC Content (#11664)
- Update sudo_dedicated_group (#11586)
- Use
stringinstead ofnumberin oauth variable (#11613) - Use controls to assign ANSSI references (#11556)
Changes in Remediations
- [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
- [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
- [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add Ansible remediation to sssd_enable_pam_services (#11796)
- Add Ansible Remediations (#11763)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align
securetty_root_login_console_onlyremediations with OVAL/rule description (#11716) - Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
- Changes in template service_disabled - ansible part (#11645)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
- Fix ansible lint for SLE platforms (#11911)
- fix ansible SLES stig remediations in check mode (#11248)
- Fix Bash remediation of firewalld-based rules for offline mode (#11868)
- Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
- Fix non-idempotent bash remediation for sysctl template (#11671)
- fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
- Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
- Fix ubuntu remediation for pam_faildelay (#11532)
- Fix Ubuntu remediation for pam_faillock rules (#11488)
- Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
- Issue when using set -e with grep commands (#11712)
- Make Blueprint for service_disabled template to mask services (#11679)
- OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
- pam_options ansible template dry-run fix (#11677)
- Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
- remove prodtype from add_kubernetes_rule (#11500)
- Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
- Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
- set indent to 4 (#11530)
- Simplify output of ip link show command (#11657)
- update links and unify documentation in kickstart files (#11765)
- Update links for Ansible role (#11737)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- use
failed_when:falsefor Ansibleregister:checks (#11782)
Changes in Checks
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
- App armor oval check (#11273)
- Correction in oval part ensure_gpgcheck_globally_activated (#11709)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enforce explicit setting in password-auth (#11742)
- Enforce explicit setting in system-auth (#11740)
- Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
- Fix macro for extracting local interactive users (#11589)
- Fix regression in grub2_bootloader_argument (#11768)
- Make additional check if selinux is enabled and operational (#11510)
- Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
- Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
- Restrict the list of accepted shells in no_shelllogin_for_systemaccounts (#11896)
- Revert MR 11816 (#11917)
- Update ANSSI R67 requirement (#11642)
- Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
Changes in the Infrastructure
- Account for non-existent 'build' dir in build_product (#11606)
- Add new test to ensure that CCEs are removed from the avail file (#11590)
- Add RHEL 9 support for playbook to role conversion utility (#11542)
- Add RHEL 9 to Ansible Gating (#11624)
- Add Script to Import DISA STIG to Policy Specific Content (#11611)
- Add stigrefs after references from controls (#11591)
- add the "components" test among quick tests (#11668)
- Bump paambaati/codeclimate-action from 5.0.0 to 6.0.0 (#11912)
- Change the metric of the
most-used-components(#11738) - Clean up check_eof (#11757)
- Disable RHEL 10 content for 0.1.73 release (#11989)
- Ensure that components not in datastream are not mentioned by profiles (#11811)
- Extend the stable-profiles test (#11617)
- Extension of the
most-used-rulesandmost-used-componentssubcommands of theprofile_tool.pyscript to specify a list of products to be considered (#11733) - Fix broken exception message (#11842)
- Fix content_diff when a rule is removed (#11855)
- Fix deprecation warning in ssg/build_derivatives.py (#11666)
- Fix SCE finding XPath to allow nesting with OCILs (#11682)
- Fix TypeError in get_implemented_stigs (#11596)
- Improve github workflow for building OCP MR image (#11492)
- Improve playbook script and documention (#11747)
- k8s content image: Image from MR should not be tagged
latest(#11643) - k8s image content from MRs: Fix
idin job step (#11604) - k8s image content from MRs: remove token from action parameters (#11608)
- Move auditing group (#11789)
- Move to use main branch and OpenSCAP 1.4.0 for building on Windows (#11734)
- OCP: Fix e2e remediation for container_security_operator_exists (#11545)
- OCP4: Fix pr image workflow (#11533)
- OCP4: use utf-8 as default xml encoding (#11614)
- Prevent conflicts in references (#11555)
- profile_tool.py: Fix traceback in sub command (#11637)
- Re-organize
tests/fmf-plansinto a more concise format (#11809) - Reduce OCIL size (#11577)
- Reduce XCCDF (#11800)
- Reduce XML reformatting (#11641)
- Reduction of CPE content in DS (#11648)
- Refactoring: Remove all references to prodtype (code/tests/docs) (#11505)
- Remove CNSS REF URL (#11714)
- Removing unused variables from the datastream (#11858)
- Rework of
cpe_generate.py(#11644) - Run Contest test instead of Fedora project beakerlib tests (#11419)
- Speed up build of thin data streams (#11618)
- Stabilize resolved profiles (#11727)
- Test that all rules have references (#11610)
- Thin DS: Command Line Interface (#11549)
- Tool for identifying the most used components (#11730)
- Tool for identifying the most used rules (#11439)
- Update entities/common.py to use CDumper (#11541)
- Update MR workflow actions to run only on latest push (#11616)
- Use control files to generate references (#11594)
- utils/gen_rendered_policies_index.py: read compiled control files (#11667)
Changes in the Test Suite
- Add RHEL 10 Install Command to Automatus (#11797)
- CMP-2366: Update service_autofs_disabled default e2e result (#11546)
- Disallow spaces in SSSD certificate_verification option (#11728)
- extend misleading Automatus error message (#11658)
- Fix ANSSI Ansible fmf test plan (#11791)
- Fix Automatus in CI (#11494)
- Fix tests for file_permissions, file_owner, file_groupowner (#11814)
- Flush automatus test logs before outputting results (#11605)
- OCP4: Fix rules with both platform and platforms (#11760)
- Split out TMT plans to separate Packit jobs (#11860)
- Thin DS tests (#11755)
- Update crypto_policy test scenario for CIS RHEL8 (#11513)
Documentation
- Add docs how to build thin ds (#11900)
- Add RHEL 10 to SRG Mapping Table Action (#11881)
- Bump master branch version to 0.1.73 (#11496)
- Improve playbook script and documention (#11747)
- release_helper script updates (#11504)
- Remove prodtype from rule schema (#11493)
- Update links for Ansible role (#11737)
- update list of contributors before releasing 0.1.73 (#11888)
- update meaning of the "automated" status in control files (#11646)
- Update RHEL 9 SCAP references to V1R1 (#11673)
anchore/syft (anchore/syft)
v1.4.1
Bug Fixes
- Fix redundant package deletions when considering ELF packages [#2862 @wagoodman]
v1.4.0
Added Features
- Add detection for newer version of ErLang/OTP [#2829 @LaurentGoderre]
- Add missing CPE for traefik, memcached, and postgres binaries [#2845 @LaurentGoderre]
- Add binary classifier for ArangoDB [#2830 @LaurentGoderre]
- Add relationships to ELF packages [#2715 @brian-ebarb @cdivers18 ]
- Add relationships for ALPM packages (arch linux) [#2851 @wagoodman]
Bug Fixes
- close temp rpmdb file [#2792 @testwill]
- fix Windows file paths in local go mod cache [#2654 @willmurphyscode]
- Package Count doesn't match list of packages [#2304 #2839 @wagoodman]
- New version 1.3.0 leads to "too many open files" while scanning bigger images [#2819 #2823 @willmurphyscode]
-
license_info_in_fileis mandatory in SPDX-2.2 [#2163 #2168 @kzantow] - Wrong CPE for dnsmasq [#2636 #2659 @kzantow]
- SPDX originator is not always populated [#2632 #2822 @wagoodman]
Additional Changes
- Improve linting for
defer Closetype issues [#2826] - use ruleguard to test for missing defer statements [#2837 @willmurphyscode]
- Publish security policy [#2835 @wagoodman]
- fix function name in comment [#2771 @camcui]
- enable go-critic deferInLoop lint [#2825 @willmurphyscode]
v1.3.0
Added Features
- index known CPEs for go modules [#2816 @westonsteimel]
- support multiple known CPEs in index [#2813 @westonsteimel]
- index known CPEs for PHP Composer packagist.org packages [#2804 @westonsteimel]
- index known cpes for PHP extensions [#2777 @westonsteimel]
Bug Fixes
- re-use embedded union reader if possible [#2814 @willmurphyscode]
- prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io [#2806 @westonsteimel]
- improvements to known CPE index construction [#2801 @westonsteimel]
- Syft panics when scanning OCI image that contains packaged helm chart [#2745 #2757 @willmurphyscode]
- Pom parser not resolving all dependency versions [#2776 #2781 @willmurphyscode]
- exclude known instrumentation jars from being erroneously identified [#2796 @kzantow]
- return empty string if dereferncing pom var fails [#2797 @willmurphyscode]
v1.2.0
Added Features
- Differentiate between JRE and JDK [#2748 @LaurentGoderre]
- Add support for dnf packages [#2758]
Bug Fixes
- more robust go main version extraction [#2767 @kzantow]
- Regression in 1.1 cataloging openjdk: generates version containing a null byte [#2750 #2766 @LaurentGoderre]
v1.1.1
Bug Fixes
- update anchore/packageurl-go to use latest commits [#2746 @spiffcs]
- fix panic scanning binaries without symtab [#2736 #2739 @kzantow]
v1.1.0
Added Features
- Adding the ability to retrieve remote licenses from package-lock.json [#2708 @coheigea]
- Show binary exports, entrypoint, and imports [#2626 @wagoodman]
- Add detection for Oracle GraalVM [#2705 @LaurentGoderre]
Bug Fixes
- reduce duplicate case SwiftPkg [#2696 @testwill]
sigstore/cosign (sigstore/cosign)
v2.2.4
Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
- fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
- Honor creation timestamp for signatures again (#3549)
Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
Documentation
- add oci bundle spec (#3622)
- Correct help text of triangulate cmd (#3551)
- Correct help text of verify-attestation policy argument (#3527)
- feat: add OVHcloud MPR registry tested with cosign (#3639)
Testing
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
Edited by POPs-renovate-tools_06Dec2023_203438