openscap and osv-scanner testcases

lava-testcases/security-test/openscap/openscap.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+set -x
+
+
+#TEST_TMPDIR="/root/openscap"
+OUTPUT="$(pwd)/output"
+mkdir -p "$OUTPUT"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+
+# 安装测试工具
+yum install -y openscap scap-security-guide
+# mkdir -p "${TEST_TMPDIR}"
+# cd "${TEST_TMPDIR}"
+
+# 获取系统版本
+cat /etc/os-release
+VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"')
+VERSION_NUM=$(echo "$VERSION_ID" | tr -d '.')
+echo "$VERSION_NUM"
+
+# 执行oscap扫描，输出扫描结果到oscap-result.xml文件
+#ls /usr/share/xml/scap/ssg/content/ssg-openeuler*-ds.xml
+
+oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results oscap-result.xml /usr/share/xml/scap/ssg/content/ssg-openeuler"$VERSION_NUM"-ds.xml || TRUE
+
+# 用 xmlstarlet 提取规则 ID 和结果，转化为lava解析脚本所需出的纯文本格式（如test_name pass/fail）
+# 结果值标准化：OpenSCAP 的结果包括 pass, fail, error, notapplicable, notchecked 等，LAVA脚本支持pass|fail|skip|unknown，故需将结果文件中的notapplicable/notchecked → skip，error → fail 或 unknown
+sudo dnf install -y xmlstarlet
+xmlstarlet sel \
+  -N x="http://checklists.nist.gov/xccdf/1.2" \
+  -t \
+  -m "//x:TestResult/x:rule-result" \
+  -v "@idref" -o " " \
+  -v "@severity" -o " " \
+  -v "x:result" -n \
+  oscap-result.xml | awk '
+BEGIN {
+  # 定义 severity 到分数的映射
+  score["critical"] = 1
+  score["high"]      = 2
+  score["medium"]  = 3
+  score["low"]       = 4
+  # 默认未定义的 severity 得分为 -1
+}
+{
+  rule = tolower( $ 1)
+  sev = tolower ($2)
+  res = tolower( $ 3)
+  if (res == "pass") out = "pass"
+  else if (res == "fail") out = "fail"
+  else if (res == "error") out = "fail"
+  else if (res ~ /^(notapplicable|notchecked|informational|notselected)$/) out = "skip"
+  else out = "unknown"
+  # 获取分数（若 severity 不存在于映射，默认为 -1）
+  s = (sev in score) ? score[sev] : -1
+  # 输出格式为 rule fail/pass 1 critical
+  print rule " " out " " s " " sev
+}' > $RESULT_FILE
+

lava-testcases/security-test/openscap/openscap.yaml

@@ -0,0 +1,21 @@
+metadata:
+  name: openscap
+  format: "Lava-Test Test Definition 1.0"
+  description: "Run fio on RISC-V device"
+  maintainer:
+    - zhangju@iscas.ac.cn
+  os:
+    - openEuler-riscv64
+  scope:
+      - security
+  devices:
+    - qemu
+    - lpi4a
+    - sg2042
+    - spacemit-k1-bananapi-f3
+run:
+  steps:
+    - cd lava-testcases/security-test/openscap
+    - bash openscap.sh
+    - chmod +x ../../utils/send-to-lava.sh
+    - ../../utils/send-to-lava.sh ./output/result.txt

lava-testcases/security-test/osv-scanner/osv-scanner.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+set -x
+
+
+#TEST_TMPDIR="/root/osv-scanner"
+OUTPUT="$(pwd)/output"
+mkdir -p "$OUTPUT"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+#安装扫描工具
+dnf install -y go jq
+go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
+cp $(go env GOPATH)/bin/osv-scanner /usr/local/bin
+#mkdir -p "${TEST_TMPDIR}"
+#cd "${TEST_TMPDIR}"
+
+#执行系统软件包漏洞扫描，输出扫描结果到result.json文件中
+osv-scanner scan /var/lib/rpm --experimental-plugins os/rpm --format json --output "report.json"
+
+# 处理扫描结果为lava可识别的结果
+
+if [ ! -f "report.json" ]; then
+    echo "Error: File $RESULT_JSON not found."
+    exit 1
+fi
+
+# --- 提取包名、版本号和严重等级 ---
+data=$(jq -r '
+  .results[]? | 
+  .packages[]? | 
+  . as $pkg_info |
+  .vulnerabilities[]? | 
+  . as $vuln |
+  select(.affected != null) |
+  .affected[]? |
+  select(.package != null and .package.name != null) |
+  # 拼接 包名-版本号 作为唯一标识，同时提取严重等级
+  "\($pkg_info.package.name)-\($pkg_info.package.version)\t\($vuln.database_specific.severity // "Unknown")"
+' "report.json")
+
+# 定义严重等级映射值
+get_severity_score() {
+    local level="$1"
+    case "$(echo "$level" | tr '[:upper:]' '[:lower:]')" in
+        critical) echo 1 ;;
+        high)     echo 2 ;;
+        medium)   echo 3 ;;
+        low)      echo 4 ;;
+        *)        echo 99 ;;
+    esac
+}
+
+score_to_level() {
+    local score="$1"
+    case "$score" in
+        1) echo "Critical" ;;
+        2) echo "High" ;;
+        3) echo "Medium" ;;
+        4) echo "Low" ;;
+        *) echo "Unknown" ;;
+    esac
+}
+
+declare -A pkg_max_score
+declare -A pkg_has_vuln
+
+# 如果 data 为空，写入 pass 并退出
+if [ -z "$data" ]; then
+    echo "osv-scanner pass" |tee -a "$RESULT_FILE"
+    exit 0
+fi
+
+# 遍历数据并聚合最高等级
+while IFS=$'\t' read -r pkg_ver severity; do
+    [ -z "$pkg_ver" ] && continue
+
+    pkg_has_vuln["$pkg_ver"]=1
+    current_score=$(get_severity_score "$severity")
+
+    if [ -z "${pkg_max_score[$pkg_ver]}" ] || [ "$current_score" -lt "${pkg_max_score[$pkg_ver]}" ]; then
+        pkg_max_score["$pkg_ver"]=$current_score
+    fi
+done <<< "$data"
+
+# 获取所有包名-版本列表
+all_packages=$(echo "$data" | cut -f1 | sort -u)
+
+for pkg_ver in $all_packages; do
+    if [ "${pkg_has_vuln[$pkg_ver]}" == "1" ]; then
+        # 获取该包的最高风险分数
+        max_score=${pkg_max_score[$pkg_ver]}
+        # 将分数转换为文本等级 (Critical/High/Medium/Low)
+        level_text=$(score_to_level "$max_score") 
+        # 这里我们将 分数 作为 measurement， 等级文本 作为units
+        # 输出格式: pkg-ver fail 1 Critical
+        echo "${pkg_ver} fail ${max_score} ${level_text}" | tee -a "$RESULT_FILE"
+    else
+        echo "${pkg_ver} pass 0 None" | tee -a "$RESULT_FILE"
+    fi
+done

lava-testcases/security-test/osv-scanner/osv-scanner.yaml

@@ -0,0 +1,21 @@
+metadata:
+  name: osv-scanner
+  format: "Lava-Test Test Definition 1.0"
+  description: "Run fio on RISC-V device"
+  maintainer:
+    - zhangju@iscas.ac.cn
+  os:
+    - openEuler-riscv64
+  scope:
+      - security
+  devices:
+    - qemu
+    - lpi4a
+    - sg2042
+    - spacemit-k1-bananapi-f3
+run:
+  steps:
+    - cd lava-testcases/security-test/osv-scanner
+    - bash osv-scanner.sh
+    - chmod +x ../../utils/send-to-lava.sh
+    - ../../utils/send-to-lava.sh ./output/result.txt