
[GSOC23] - A - Implement a fully functional CVE auditing feature based on OVAL data #7466

Merged
parlt91 merged 91 commits into uyuni-project:master from HoussemNasri:new-approach-experiment
Feb 20, 2024

Conversation

HoussemNasri (Contributor) commented Aug 26, 2023

What does this PR change?

This is the first pull request of my GSoC project. The primary goal of the PR is to implement and test the OVAL-based CVE auditing algorithm as described in the associated RFC. It also includes a partial (but sufficient given the OVAL files we aim to consume) implementation of the OVAL definition schema specification.

This implementation addresses OVALs produced by SUSE, RedHat, and Debian. Ubuntu will be addressed in a follow-up pull request.

Usage guide

Since the download and syncing of OVAL data will be handled in a different PR, for now, you'll need to do it manually among other steps. This is important to ensure the CVE auditing is accurate. So, here's a guide on what you need to do to test the changes in this PR.

Step 1: Download and save OVAL data to the database

  1. Download the OVAL file that corresponds to the OS of the client to audit (check out the vulnerable package extractor javadoc, e.g. SUSEVulnerablePackageExtractor, for sources to download from) and place it somewhere on the Uyuni server.
  2. Run this Java code and replace <path_to_oval.xml> with the path to the OVAL file you downloaded:
import java.io.File;

// Parse the downloaded OVAL file into the in-memory OVAL definition model.
OvalParser parser = new OvalParser();
OvalRootType root = parser.parse(new File("<path_to_oval.xml>"));
// The OS family and version passed here must match the OVAL file you downloaded
// (this example is for a Debian 11 client).
OVALCleaner.cleanup(root, OsFamily.DEBIAN, "11");
// Save the vulnerable package data extracted from the OVAL file to the database.
OVALCachingFactory.savePlatformsVulnerablePackages(root);

Step 2: Refresh package list of clients to audit

This step is required in order to acquire the newly added CPE grain and store it in the database.

TODO

  • Replace log.error() with log.debug()
  • Fix checkstyle errors
  • Add a usage guide to the PR description
  • Add before and after screenshots
  • Fix cucumber failing tests

What is missing

These are known limitations that will be addressed in subsequent pull requests.

  • UI Integration (Python and React)
  • Ubuntu support
  • The downloading and synchronization of OVAL data
  • Testing of the vulnerable package extractors
  • Falling back to the old CVE auditing code if OVAL not available

Useful links

GUI diff

Before / After: screenshots (images not preserved in this extract)

  • DONE

Documentation

Test coverage

  • Unit tests were added
  • DONE

Links

  • DONE

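The usage guide above describes the pipeline this PR wires up: parse an OVAL file, narrow it to one OS family and version, persist the vulnerable package/version pairs, then match them against each client's package list. The following example is added here for illustration; it is not code from the Uyuni code base or from this PR. It models that pipeline in a self-contained way: a constructed Debian-style OVAL document is parsed with Python's standard ElementTree, each vulnerability definition is flattened into (CVE, package, operation, version) rules by resolving criterion to test to object and state, and a constructed installed-package list is audited against those rules with a port of dpkg's version comparison. All identifiers in it (the OVAL ids, CVE ids, package versions and function names) are assumptions made for the example; the real implementation's class names, OVAL coverage (it also handles SUSE and Red Hat RPM feeds) and database persistence differ.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"
NS = {"o": OVAL_NS, "l": LINUX_NS}

# Constructed minimal OVAL document for this example: the CVE ids, OVAL ids and
# package versions are made up and do not come from any real distribution feed.
OVAL_XML = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:linux-def="{LINUX_NS}">
<definitions>
 <definition id="oval:example:def:1" class="vulnerability" version="1">
  <metadata><title>openssl</title><reference source="CVE" ref_id="CVE-2099-0001"/></metadata>
  <criteria operator="AND"><criterion test_ref="oval:example:tst:1"/></criteria></definition>
 <definition id="oval:example:def:2" class="vulnerability" version="1">
  <metadata><title>bash</title><reference source="CVE" ref_id="CVE-2099-0002"/></metadata>
  <criteria operator="AND"><criterion test_ref="oval:example:tst:2"/></criteria></definition>
</definitions>
<tests>
 <linux-def:dpkginfo_test id="oval:example:tst:1" check="all"><linux-def:object object_ref="oval:example:obj:1"/><linux-def:state state_ref="oval:example:ste:1"/></linux-def:dpkginfo_test>
 <linux-def:dpkginfo_test id="oval:example:tst:2" check="all"><linux-def:object object_ref="oval:example:obj:2"/><linux-def:state state_ref="oval:example:ste:2"/></linux-def:dpkginfo_test>
</tests>
<objects>
 <linux-def:dpkginfo_object id="oval:example:obj:1"><linux-def:name>openssl</linux-def:name></linux-def:dpkginfo_object>
 <linux-def:dpkginfo_object id="oval:example:obj:2"><linux-def:name>bash</linux-def:name></linux-def:dpkginfo_object>
</objects>
<states>
 <linux-def:dpkginfo_state id="oval:example:ste:1"><linux-def:evr datatype="debian_evr_string" operation="less than">0:1.1.1n-0+deb11u5</linux-def:evr></linux-def:dpkginfo_state>
 <linux-def:dpkginfo_state id="oval:example:ste:2"><linux-def:evr datatype="debian_evr_string" operation="less than">5.1-2+deb11u1</linux-def:evr></linux-def:dpkginfo_state>
</states>
</oval_definitions>"""

# Constructed package list of a hypothetical Debian 11 client (name -> installed version).
INSTALLED = {"openssl": "1.1.1n-0+deb11u4", "bash": "5.1-2+deb11u1", "curl": "7.74.0-1.3+deb11u7"}


def _order(c):
    """Character weight from dpkg's comparison: '~' sorts before anything (even the end of
    the string), letters before other non-digits; digits are handled numerically (weight 0)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare one version fragment (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # leading zeros of a numeric run are ignored
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():   # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(v1, v2):
    """Compare two Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def extract_vulnerable_packages(oval_xml):
    """Flatten vulnerability definitions into (cve, package, operation, version) rules
    by resolving each criterion -> test -> object name and state evr."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.findall("o:tests/*", NS)}
    objects = {o.get("id"): o for o in root.findall("o:objects/*", NS)}
    states = {s.get("id"): s for s in root.findall("o:states/*", NS)}
    rules = []
    for d in root.findall("o:definitions/o:definition", NS):
        if d.get("class") != "vulnerability":
            continue
        cves = [r.get("ref_id") for r in d.findall("o:metadata/o:reference", NS)
                if r.get("source") == "CVE"]
        for crit in d.iter(f"{{{OVAL_NS}}}criterion"):
            test = tests.get(crit.get("test_ref"))
            if test is None or test.find("l:state", NS) is None:
                continue  # unknown test, or a bare existence check with no version to compare
            name = objects[test.find("l:object", NS).get("object_ref")].find("l:name", NS).text
            evr = states[test.find("l:state", NS).get("state_ref")].find("l:evr", NS)
            rules += [(cve, name, evr.get("operation"), evr.text) for cve in cves]
    return rules


def audit(installed, rules):
    """Return (cve, package, installed_version, fixed_version) for every 'less than' rule the
    client matches; packages that are absent or already at/above the fixed version are not reported."""
    return [(cve, pkg, installed[pkg], ver) for cve, pkg, op, ver in rules
            if pkg in installed and op == "less than" and debian_version_cmp(installed[pkg], ver) < 0]


if __name__ == "__main__":
    for finding in audit(INSTALLED, extract_vulnerable_packages(OVAL_XML)):
        print("affected: %s %s %s (fixed in %s)" % finding)
```

Two caveats a practitioner should keep in mind when reading this against the PR: the example only evaluates "less than" states, so a package installed at exactly the fixed version (bash above) is correctly not reported, and it trusts the OVAL document to already be scoped to the client's OS family and version, which is the step the PR performs with OVALCleaner.cleanup before saving anything. Feeding an unscoped multi-release OVAL file into a matcher like this produces both false positives and false negatives, because the same package name carries different fixed versions per release.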

github-actions bot commented Aug 26, 2023

Suggested tests to cover this Pull Request
  • proxy_branch_network
  • srv_rename_hostname
  • proxy_cobbler_pxeboot
  • allcli_sanity
  • srv_monitoring
  • min_deblike_openscap_audit
  • sle_minion
  • min_salt_software_states
  • min_empty_system_profiles
  • srv_virtual_host_manager
  • min_config_state_channel
  • srv_menu
  • min_deblike_salt_install_package
  • srv_manage_channels_page
  • minssh_ansible_control_node
  • srv_datepicker
  • proxy_register_as_minion_with_script
  • buildhost_osimage_build_image
  • srv_restart
  • min_ssh_tunnel
  • srv_power_management_api
  • min_rhlike_salt_install_package_and_patch
  • proxy_retail_pxeboot_and_mass_import
  • min_salt_install_package
  • min_retracted_patches
  • min_bootstrap_api
  • srv_advanced_search
  • minssh_bootstrap_api
  • min_rhlike_monitoring
  • min_monitoring
  • min_salt_formulas
  • min_salt_lock_packages
  • min_action_chain
  • srv_reportdb
  • min_salt_minions_page
  • min_rhlike_openscap_audit
  • min_salt_openscap_audit
  • min_salt_minion_details
  • allcli_action_chain
  • srv_docker_cve_audit
  • srv_power_management
  • minssh_move_from_and_to_proxy
  • min_salt_mgrcompat_state
  • min_deblike_monitoring
  • min_cve_id_new_syntax
  • srv_scc_user_credentials
  • min_bootstrap_script
  • proxy_as_pod_basic_tests
  • allcli_system_group
  • srv_cobbler_distro
  • buildhost_bootstrap
  • min_rhlike_salt
  • min_config_state_channel_subscriptions
  • allcli_config_channel
  • min_custom_pkg_download_endpoint
  • minssh_salt_install_package
  • srv_cobbler_profile
  • min_recurring_action
  • min_ansible_control_node
  • min_virthost
  • srv_group_union_intersection
  • min_salt_formulas_advanced
  • min_salt_user_states
  • min_project_lotus
  • srv_power_management_redfish
  • min_salt_pkgset_beacon
  • min_check_patches_install
  • srv_user_configuration_salt_states
  • sle_ssh_minion
  • min_salt_install_with_staging
  • allcli_reboot
  • buildhost_docker_auth_registry
  • srv_manage_activationkey
  • min_deblike_salt_install_with_staging
  • min_rhlike_ssh
  • min_rhlike_remote_command
  • min_config_state_channel_api
  • min_deblike_salt
  • min_cve_audit
  • allcli_overview_systems_details
  • srv_distro_cobbler
  • min_deblike_ssh
  • min_deblike_remote_command
  • buildhost_docker_build_image
  • min_change_software_channel
  • srv_custom_system_info
  • min_move_from_and_to_proxy
  • minssh_action_chain
  • allcli_software_channels_dependencies
  • minkvm_guests
  • min_activationkey
  • min_bootstrap_negative
  • srv_maintenance_windows
  • min_salt_migration
  • min_bootstrap_reactivation
  • min_bootstrap_ssh_key
  • allcli_software_channels
  • min_timezone
  • srv_first_settings
  • srv_create_repository
  • srv_push_package
  • srv_handle_software_channels_with_ISS_v2
  • srv_check_sync_source_packages
  • srv_delete_channel_from_ui
  • srv_check_channels_page
  • srv_clone_channel_npn
  • allcli_update_activationkeys

@HoussemNasri HoussemNasri changed the title GSOC 23 - A - Implement a fully functional CVE auditing feature based on OVAL data [GSOC23] - A - Implement a fully functional CVE auditing feature based on OVAL data Aug 29, 2023
@HoussemNasri HoussemNasri marked this pull request as draft September 7, 2023 12:31
@HoussemNasri HoussemNasri force-pushed the new-approach-experiment branch from 14c1c65 to 07d0c82 September 7, 2023 18:11
@HoussemNasri HoussemNasri marked this pull request as ready for review September 8, 2023 14:53
@HoussemNasri HoussemNasri force-pushed the new-approach-experiment branch from 3cc65de to a5ed1ff September 11, 2023 21:46
HoussemNasri and others added 28 commits February 15, 2024 12:39
Co-authored-by: Pascal Arlt <parlt@suse.com>
Tip: Don't use ON CONFLICT along nextval(), because nextval will evaluate and increase the sequence value even when there was a conflict.
- Better convert them to issues instead
…r.Channels and auditServer.Erratas are not null
- A CVE is considered known if it's linked to one of the metadata entries from channels or OVAL data.
Signed-off-by: Pascal Arlt <parlt@suse.com>
Signed-off-by: Pascal Arlt <parlt@suse.com>
Signed-off-by: Pascal Arlt <parlt@suse.com>
parlt91 (Contributor) commented Feb 15, 2024

@ktsamis A small testsuite change was required to make the tests pass and now review from qe is needed, could you have a quick look at it? Thank you

ktsamis (Contributor) left a comment:

Looks good for the testsuite change

9 participants