Add a script for finding unused rules #12110
🤖 A k8s content image for this PR is available. If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
19ec07d to 5d14c90
jan-cerny left a comment:
The script prints for example rule ensure_amazon_gpgkey_installed which isn't used in a data stream but it is linked as a related rule in a control in the cis_al2023 control file. This means we need to be careful when removing rules, we can't remove all of the rules produced by this script.
2fbb3fd to d8274c9
/packit retest-failed
jan-cerny left a comment:
I have run the script and it works great.
But, you still have some typos left.
| Example useage: | ||
|
|
||
| ```bash | ||
| $ ./build_products --derivatives |
It's better than build_project, but the correct name is build_product.
| $ ./utils/ansible_playbook_to_role.py --dry-run output | ||
| ``` | ||
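Review bot: `Example useage:` at the top of this block should read `Example usage:`; this is one of the typos the reviewer says are still left, and it is in the heading that users will see first.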
| ### `utils/find_unused_rules.py` – List Rules That Are Not Used In Any Datastream |
| This script will output rules are not in any data streams. | ||
| To prevent false positives the script will not run if the number of build datas treams less than the total number of products in the project. |
| It requires that all products (and derivatives) are built. | ||
| To do this run ./build_product --derivatives | ||
| The script has the following return codes: | ||
| 0 - All rules are used in the datastreams, |
| 1 - Some rules are not used in the datastreams, |
| The script works by adding off the rule ids from the data streams to a `set`. | ||
| Then the script converts the keys of `rule_dirs.json` to a set. | ||
| The set of rules in the data stream is subtracted to from the set of rules in `rule_dirs.json`. | ||
| The differnce is then output to the user. |
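Review bot: the README text in this block still has wording defects: `This script will output rules are not in any data streams` is missing "that"; `the number of build datas treams less than` should read "the number of built datastreams is less than"; `adding off the rule ids` should be "adding the rule ids"; `subtracted to from` should be "subtracted from"; and `differnce` should be "difference". The return-code list also ends at `1 - Some rules are not used in the datastreams,` with a trailing comma, but the refusal case described just above (not all products built) has no documented return code; either add that entry or end the list with a period.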
| BUILD_DIR = SSG_ROOT.joinpath("build") | ||
| RULE_DIR_JSON = BUILD_DIR.joinpath("rule_dirs.json") | ||
| EPILOG = """ | ||
| This script lists rules that are not used in any datastreams. |
| ds_products.add(ds.name.split("-")[1]) | ||
| if products_count > len(datastream_files): | ||
| print("Not all products are built, cowardly refusing to continue.", file=sys.stderr) | ||
| print(f"Products: {products_count}, Datastreams: {len(datastream_files)}", file=sys.stderr) |
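Review bot: the guard `if products_count > len(datastream_files):` compares counts only, so a stale or extra datastream file left in the build directory can satisfy it while one product is actually missing, which is exactly the false-positive case the README says this check exists to prevent. Since `ds_products` is already being collected one line above, comparing that set against the set of product names and printing the missing products would be both a stricter check and a more useful error than the current `Products: ..., Datastreams: ...` message. Separately, `ds.name.split("-")[1]` assumes the product is the second hyphen-separated field of the datastream filename; a comment stating the expected filename pattern would make that assumption visible to the next maintainer.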
| The script assumes that `./build_project --derivatives` will be ran before the script is used. |
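Review bot: `./build_project --derivatives` here does not match `./build_product --derivatives` used earlier in the same README text, nor `./build_products --derivatives` in the example block; the reviewer has confirmed the correct name is `build_product`, so all three mentions should use it. Also, "will be ran" should be "will be run".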
d8274c9 to 329047c
Code Climate has analyzed commit 329047c and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
jan-cerny left a comment:
I have followed the steps in the Example usage doc text. I have reviewed the generated output. This is a great enhancement.
The CI fail on OL 7 isn't caused by the contents of this PR. I am fine with the line exceeding its length in this case.
Description:
Add a script for finding unused rules
Rationale:
To help find outdated rules when removing a product.
Review Hints:
Removing or adjusting profiles is out of scope of this PR. This needs to be addressed on a case-by-case basis.