Refactor collecting rules, improving performance for admin baselines, fix issue with missing baseline #708
Merged
platforms with differing enforcement methods are now correctly captured and generated
…forcement_info modules

Extracts reference submodels (NistReferences, DisaReferences, CisReferences, bsiReferences, bzkReferences, hhsReferences, customReferences, References) into references.py and mobileconfig model + XML rendering utilities into mobileconfig.py. Consolidates duplicate _create_value_element/_create_static_value_element into a single create_value_element function. Adds Google-style docstrings throughout and widens ResultDef fields to accept "$ODV" on all three types.
- Add @model_validator to ShellCheck, ShellFix, DefaultStateShell enforcing that either shell or additional_info (or note) must be provided, and that result is required when shell is present on ShellCheck
- Add OdvHint/OdvValidation models in odv.py and a @field_validator on Macsecurityrule.odv to catch missing hint fields (e.g. datatype) at runtime
- Wrap Macsecurityrule construction in load_rules with ValidationError handler so bad rules are logged and skipped rather than crashing the process
- Switch validate_rules to iter_errors so all failures per file are reported, not just the first; improve error output with field path and fix log message showing correct rules path; guard against missing id field with .get()
- Fix schema: move if/then/else out of properties in ddmDef, fix declarationtype typo in conditional, move additionalProperties out of properties on iOS and visionOS, add sfr to disa references, widen anyOf constraints on check/fix/default_state to require shell or additional_info, clean up redundant type+$ref on array entry, update resultDef boolean to not allow $ODV
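The load-time checks described in the commit above (shell or additional_info/note required, result required whenever shell is present, an ODV hint must carry a datatype, a bad rule is logged and skipped, and every failure is reported rather than only the first), as an added illustration that is not mSCP's own code. The project expresses these constraints as Pydantic model/field validators; this stand-alone version reimplements them with the standard library only, so it runs without dependencies. Field names follow the commit message; the helper names, the `Rule` dataclass and the sample rules are constructed for the example.

```python
"""Load-time validation of compliance rules: collect every error, log and skip.

Added example, not mSCP's own code. The project uses Pydantic validators; this
stand-alone version reimplements the same constraints with the standard library.
Field names (id, check, shell, additional_info, note, result, odv, hint, datatype)
follow the commit message; helper names and sample rules are constructed here.
"""
from __future__ import annotations

import logging
from dataclasses import dataclass
from typing import Any

log = logging.getLogger("mscp.rules")


def check_errors(check: dict[str, Any]) -> list[str]:
    """Problems in a check/fix/default_state block, all of them, not just the first."""
    errors: list[str] = []
    if not any(check.get(k) for k in ("shell", "additional_info", "note")):
        errors.append("check: one of shell, additional_info or note is required")
    if check.get("shell") and "result" not in check:
        errors.append("check.result: required when check.shell is present")
    return errors


def odv_errors(odv: dict[str, Any] | None) -> list[str]:
    """An ODV block, if present, must carry a hint with a datatype."""
    if odv is None:
        return []
    hint = odv.get("hint")
    if not isinstance(hint, dict):
        return ["odv.hint: missing"]
    return [f"odv.hint.{k}: missing" for k in ("datatype",) if k not in hint]


def rule_errors(raw: dict[str, Any]) -> list[str]:
    """Every validation failure for one raw rule document, with its field path."""
    errors: list[str] = []
    if not raw.get("id"):  # .get(): a rule without an id must not crash the loader
        errors.append("id: missing")
    errors += check_errors(raw.get("check") or {})
    errors += odv_errors(raw.get("odv"))
    return errors


@dataclass(frozen=True)
class Rule:
    id: str
    check: dict[str, Any]
    odv: dict[str, Any] | None = None


def load_rules(raw_rules: list[dict[str, Any]]) -> tuple[list[Rule], dict[str, list[str]]]:
    """Build Rule objects; a bad rule is logged and skipped, never fatal.

    Returns the accepted rules and a map of rule id -> all errors found for it.
    """
    loaded: list[Rule] = []
    rejected: dict[str, list[str]] = {}
    for raw in raw_rules:
        rid = raw.get("id") or "<missing id>"
        errs = rule_errors(raw)
        if errs:
            rejected.setdefault(rid, []).extend(errs)
            for e in errs:
                log.warning("skipping rule %s: %s", rid, e)
            continue
        loaded.append(Rule(id=raw["id"], check=raw["check"], odv=raw.get("odv")))
    return loaded, rejected


# Constructed sample rules (not from the project's rules directory).
SAMPLE_RULES: list[dict[str, Any]] = [
    {"id": "os_sample_ok",
     "check": {"shell": "/usr/bin/true", "result": {"integer": 0}}},
    {"id": "os_sample_no_result",  # shell without result
     "check": {"shell": "/usr/bin/true"}},
    {"id": "os_sample_manual",  # no shell, but additional_info
     "check": {"additional_info": "Verify in the MDM console."}},
    {"id": "os_sample_bad_odv",  # hint present but no datatype
     "check": {"shell": "/usr/bin/true", "result": {"string": "$ODV"}},
     "odv": {"hint": {}}},
    {"check": {}},  # no id and an empty check: two errors, both reported
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ok, bad = load_rules(SAMPLE_RULES)
    print("accepted:", [r.id for r in ok])
    print("rejected:", bad)
```

The point of returning all errors per rule rather than stopping at the first is the same as the switch to iter_errors in the commit: a rule author fixes one file once instead of re-running validation once per field.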
Add mscp admin remove subcommand that removes a platform version from mscp_data.yaml, all rule YAML files, and the JSON schema — the inverse of mscp admin update. Also renames --new_version to --version on the update subcommand for consistency.
Adds a GitHub Actions workflow that smoke-tests key CLI subcommands (baseline, guidance, scap, admin validate) on every push/PR to dev_2.0. Adds --no-docs flag to the guidance subcommand to skip asciidoctor/PDF/HTML generation, allowing CI to test the guidance pipeline without requiring the Ruby toolchain.
…inner

- Rename Macsecurityrule.collect_all_rules -> collect_platform_rules to reflect that it filters by a specific OS type and version, not everything
- Fix `baselines -l` to load rules via RuleLibrary.from_rules_dir() so benchmarks from all platforms (iOS, visionOS) appear in the listing
- Add suppress_spinner flag to logging_config; set it in build_all_baselines so the spinner is fully suppressed during bulk baseline generation
- Replace the suppressed yaspin object with a _NoOpSpinner shim so that sp.ok(), sp.fail(), and sp.text assignments are silently swallowed
Add a preloaded_rules kwarg to generate_baseline so callers can pass pre-collected rules and skip the collect_platform_rules filesystem walk. In build_all_baselines, load the full RuleLibrary once and slice it per platform filtered to args.os_version, matching the original single-call behavior but without re-reading the rules directory on every iteration. Fixes duplicate rule_ids that appeared when filtering by platform alone included rules from multiple OS versions. Also fixes the absolute import of RuleLibrary introduced by the linter.
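The collection behaviour described in the two commits above (collect_platform_rules filtering by platform and OS version, loading the rule library once and slicing it per platform, and the duplicate rule_ids that appear when a slice is filtered by platform alone), as an added example that is not mSCP's own code. `RuleRecord`, `RuleLibrary`, `generate_baseline` and `build_all_baselines` below are simplified stand-ins with assumed signatures, and the rule set is constructed in memory instead of being read from a rules directory.

```python
"""Rule collection per platform and OS version, as an added example.

Not mSCP's own code: the classes and function signatures are simplified stand-ins
for the project's, and the rule library is constructed in memory.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleRecord:
    rule_id: str
    platform: str    # e.g. "macOS", "iOS", "visionOS"
    os_version: str  # e.g. "15"


class RuleLibrary:
    """Every rule for every platform/version: loaded once, sliced many times."""

    def __init__(self, rules: list[RuleRecord]):
        self.rules = list(rules)

    def collect_platform_rules(self, platform: str, os_version: str | None = None) -> list[RuleRecord]:
        """Rules for one platform, optionally restricted to one OS version."""
        return [r for r in self.rules
                if r.platform == platform
                and (os_version is None or r.os_version == os_version)]

    def platforms(self) -> list[str]:
        return sorted({r.platform for r in self.rules})


def duplicate_rule_ids(rules: list[RuleRecord]) -> list[str]:
    """rule_ids that occur more than once in a slice; a baseline must have none."""
    counts = Counter(r.rule_id for r in rules)
    return sorted(rid for rid, n in counts.items() if n > 1)


def generate_baseline(platform: str, os_version: str | None,
                      preloaded_rules: list[RuleRecord] | None = None,
                      library: RuleLibrary | None = None) -> dict:
    """Build one baseline; the rules walk is skipped when preloaded_rules is given."""
    if preloaded_rules is None:
        if library is None:
            raise ValueError("either preloaded_rules or library is required")
        preloaded_rules = library.collect_platform_rules(platform, os_version)
    dups = duplicate_rule_ids(preloaded_rules)
    if dups:  # fail closed: a baseline with repeated rule_ids is not emitted
        raise ValueError(f"duplicate rule_ids for {platform} {os_version}: {dups}")
    return {"platform": platform, "os_version": os_version,
            "rule_ids": sorted(r.rule_id for r in preloaded_rules)}


def build_all_baselines(library: RuleLibrary, os_version: str) -> dict[str, dict]:
    """Load once, then slice per platform filtered to os_version (the fixed behaviour).

    Filtering by platform alone would pull the same rule_id in from several OS
    versions; filtering by platform and version keeps each baseline unique.
    """
    return {p: generate_baseline(p, os_version,
                                 preloaded_rules=library.collect_platform_rules(p, os_version))
            for p in library.platforms()}


# Constructed sample: one rule_id exists for two macOS versions, which is what
# produced duplicate rule_ids when a slice was filtered by platform alone.
SAMPLE_LIBRARY = RuleLibrary([
    RuleRecord("os_gatekeeper_enable", "macOS", "14"),
    RuleRecord("os_gatekeeper_enable", "macOS", "15"),
    RuleRecord("os_sip_enable", "macOS", "15"),
    RuleRecord("ios_passcode_required", "iOS", "18"),
])

if __name__ == "__main__":
    print("platform-only duplicates:",
          duplicate_rule_ids(SAMPLE_LIBRARY.collect_platform_rules("macOS")))
    print(build_all_baselines(SAMPLE_LIBRARY, "15"))
```

A platform with no rules for the requested os_version (iOS in the sample when asking for 15) yields an empty slice rather than rules from another version, which is the single-call behaviour the commit says the bulk path now matches.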
Corrected an issue where an iOS-only benchmark was getting skipped; this also addressed the output of baseline -l to include all platforms in the output (as opposed to just those that happen to be on macOS AND another platform).
Improved performance when generating all the baselines with the admin utility.
Added a smoke-test workflow to run the CLI against a handful of scenarios to make sure it runs before merging.