Conversation

@ajheflin (Contributor) commented Dec 3, 2025

Description

This is a fix for what was originally in #17804 that is less invasive, so that it only updates default policy categories that were broken, not any user-created ones.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Worked in a cluster when tested. Removed Docker Cis and Devops Best Practices.
Before changes (Using 4.10.x-nightly-20251028):

central_active=# SELECT p.name, pc.name FROM policies p 
RIGHT JOIN policy_category_edges pce ON p.id = pce.policyid 
RIGHT JOIN policy_categories pc ON pc.id = pce.categoryid 
WHERE lower(pc.name) = 'docker cis' OR lower(pc.name) = 'devops best practices' 
ORDER BY pc.name ASC, p.name ASC;
                                       name                                        |         name          
-----------------------------------------------------------------------------------+-----------------------
 90-Day Image Age                                                                  | Devops Best Practices
 ADD Command used instead of COPY                                                  | Devops Best Practices
 Deployments with externally exposed endpoints                                     | Devops Best Practices
 Drop All Capabilities                                                             | Devops Best Practices
 Improper Usage of Orchestrator Secrets Volume                                     | Devops Best Practices
 Latest tag                                                                        | Devops Best Practices
 No CPU request or memory limit specified                                          | Devops Best Practices
 Process with UID 0                                                                | Devops Best Practices
 Required Annotation: Email                                                        | Devops Best Practices
 Required Annotation: Owner/Team                                                   | Devops Best Practices
 Required Image Label                                                              | Devops Best Practices
 Required Label: Owner/Team                                                        | Devops Best Practices
                                                                                   | DevOps Best Practices
 ADD Command used instead of COPY                                                  | Docker Cis
 Container using read-write root filesystem                                        | Docker Cis
 Docker CIS 4.1: Ensure That a User for the Container Has Been Created             | Docker Cis
 Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches | Docker Cis
 Docker CIS 4.7: Alert on Update Instruction                                       | Docker Cis
 Docker CIS 5.15: Ensure that the host's process namespace is not shared           | Docker Cis
 Docker CIS 5.16: Ensure that the host's IPC namespace is not shared               | Docker Cis
 Docker CIS 5.19: Ensure mount propagation mode is not enabled                     | Docker Cis
 Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled         | Docker Cis
 Docker CIS 5.21: Ensure the default seccomp profile is not disabled               | Docker Cis
 Docker CIS 5.7: Ensure privileged ports are not mapped within containers          | Docker Cis
 Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared   | Docker Cis
 No CPU request or memory limit specified                                          | Docker Cis
 Privileged Container                                                              | Docker Cis
 Secure Shell Server (sshd) Execution                                              | Docker Cis
                                                                                   | Docker CIS
(29 rows)

After changes:

central_active=# SELECT p.name, pc.name FROM policies p 
RIGHT JOIN policy_category_edges pce ON p.id = pce.policyid 
RIGHT JOIN policy_categories pc ON pc.id = pce.categoryid 
WHERE lower(pc.name) = 'docker cis' OR lower(pc.name) = 'devops best practices' 
ORDER BY pc.name ASC, p.name ASC;
                                       name                                        |         name          
-----------------------------------------------------------------------------------+-----------------------
 90-Day Image Age                                                                  | DevOps Best Practices
 ADD Command used instead of COPY                                                  | DevOps Best Practices
 Deployments with externally exposed endpoints                                     | DevOps Best Practices
 Drop All Capabilities                                                             | DevOps Best Practices
 Improper Usage of Orchestrator Secrets Volume                                     | DevOps Best Practices
 Latest tag                                                                        | DevOps Best Practices
 No CPU request or memory limit specified                                          | DevOps Best Practices
 Process with UID 0                                                                | DevOps Best Practices
 Required Annotation: Email                                                        | DevOps Best Practices
 Required Annotation: Owner/Team                                                   | DevOps Best Practices
 Required Image Label                                                              | DevOps Best Practices
 Required Label: Owner/Team                                                        | DevOps Best Practices
 ADD Command used instead of COPY                                                  | Docker CIS
 Container using read-write root filesystem                                        | Docker CIS
 Docker CIS 4.1: Ensure That a User for the Container Has Been Created             | Docker CIS
 Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches | Docker CIS
 Docker CIS 4.7: Alert on Update Instruction                                       | Docker CIS
 Docker CIS 5.15: Ensure that the host's process namespace is not shared           | Docker CIS
 Docker CIS 5.16: Ensure that the host's IPC namespace is not shared               | Docker CIS
 Docker CIS 5.19: Ensure mount propagation mode is not enabled                     | Docker CIS
 Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled         | Docker CIS
 Docker CIS 5.21: Ensure the default seccomp profile is not disabled               | Docker CIS
 Docker CIS 5.7: Ensure privileged ports are not mapped within containers          | Docker CIS
 Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared   | Docker CIS
 No CPU request or memory limit specified                                          | Docker CIS
 Privileged Container                                                              | Docker CIS
 Secure Shell Server (sshd) Execution                                              | Docker CIS
(27 rows)

The two extra rows in the first query are the duplicate categories that have no policies in them. As you can see in the second query, they're now the only categories that exist, as the "Incorrect" ones are gone.
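The reconciliation the description outlines, modelled as an added Go example that is not the project's code: for each canonical default category name, any default category whose name matches it case-insensitively but not exactly ("Docker Cis" next to "Docker CIS") has its policy edges re-pointed to the exactly named category and is then deleted, while user-created categories are left alone even when their name is a look-alike. The in-memory `Store`, the `IsDefault` flag, the category IDs and the sample policy rows are constructed assumptions; the actual change in `central/policy/datastore/singleton.go` is not reproduced here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Category stands in for a policy_categories row; IsDefault is an assumed flag
// that tells default categories apart from user-created ones.
type Category struct {
	Name      string
	IsDefault bool
}
type Edge struct{ PolicyID, CategoryID string } // stands in for a policy_category_edges row

// Store is an in-memory stand-in for the two tables; Categories is keyed by ID.
type Store struct {
	Categories map[string]Category
	Edges      []Edge
}

// FixDefaultCategories re-points edges from miscased duplicates of each
// canonical default name (e.g. "Docker Cis") to the exactly named category
// ("Docker CIS") and deletes the duplicates, returning the number of re-pointed
// edges and the sorted names of the deleted categories. Only default
// categories are touched; a user-created look-alike name is left alone.
func FixDefaultCategories(s *Store, canonicalNames []string) (int, []string, error) {
	moved, removed := 0, []string{}
	for _, canon := range canonicalNames {
		canonID, dupIDs := "", map[string]bool{}
		for id, c := range s.Categories {
			if !c.IsDefault || !strings.EqualFold(c.Name, canon) {
				continue // user-created or unrelated: never touched
			}
			if c.Name == canon {
				canonID = id
			} else {
				dupIDs[id] = true
			}
		}
		if len(dupIDs) == 0 {
			continue // nothing broken for this category
		}
		if canonID == "" {
			return moved, removed, fmt.Errorf("correctly cased default category %q is missing", canon)
		}
		// Re-point edges in place; seen drops an edge that would duplicate one
		// already present (the edge table is assumed to be unique per pair).
		seen, kept := map[Edge]bool{}, s.Edges[:0]
		for _, e := range s.Edges {
			if dupIDs[e.CategoryID] {
				e.CategoryID = canonID
				moved++
			}
			if !seen[e] {
				seen[e] = true
				kept = append(kept, e)
			}
		}
		s.Edges = kept
		for id := range dupIDs {
			removed = append(removed, s.Categories[id].Name)
			delete(s.Categories, id)
		}
	}
	sort.Strings(removed)
	return moved, removed, nil
}

// PoliciesIn returns the sorted policy IDs linked to the category with exactly this name.
func PoliciesIn(s *Store, name string) []string {
	var out []string
	for _, e := range s.Edges {
		if c, ok := s.Categories[e.CategoryID]; ok && c.Name == name {
			out = append(out, e.PolicyID)
		}
	}
	sort.Strings(out)
	return out
}

// SampleStore is constructed data mirroring the "before" query: edges hang off
// the miscased duplicates, the correctly cased categories are empty, and the
// user-created look-alike "docker cis" must survive untouched.
func SampleStore() *Store {
	return &Store{
		Categories: map[string]Category{
			"cat-docker-ok": {"Docker CIS", true}, "cat-docker-bad": {"Docker Cis", true},
			"cat-devops-ok": {"DevOps Best Practices", true}, "cat-devops-bad": {"Devops Best Practices", true},
			"cat-user": {"docker cis", false},
		},
		Edges: []Edge{
			{"Privileged Container", "cat-docker-bad"}, {"ADD Command used instead of COPY", "cat-docker-bad"},
			{"ADD Command used instead of COPY", "cat-devops-bad"}, {"Latest tag", "cat-devops-bad"},
			{"My custom policy", "cat-user"},
		},
	}
}
```

Running `FixDefaultCategories(SampleStore(), []string{"Docker CIS", "DevOps Best Practices"})` re-points four edges, deletes "Devops Best Practices" and "Docker Cis", and leaves `PoliciesIn(s, "docker cis")` reporting the user-created policy, which is the property the description insists on: the clean-up is scoped to default categories only. A missing correctly cased category is reported as an error rather than silently created, so an operator sees that the defaults themselves need attention first.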

@ajheflin (Contributor, Author) commented Dec 3, 2025

@openshift-ci bot commented Dec 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot (Contributor) commented

Images are ready for the commit at 32eb261.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-487-g32eb261fdb.

@codecov bot commented Dec 3, 2025

Codecov Report

❌ Patch coverage is 0% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.36%. Comparing base (618c01a) to head (32eb261).

Files with missing lines                 | Patch % | Lines
central/policy/datastore/singleton.go    | 0.00%   | 33 Missing ⚠️
Additional details and impacted files
@@                      Coverage Diff                       @@
##           ajheflin/revert-ed9c7ab230   #18046      +/-   ##
==============================================================
- Coverage                       49.37%   49.36%   -0.01%     
==============================================================
  Files                            2698     2698              
  Lines                          198848   198879      +31     
==============================================================
+ Hits                            98177    98180       +3     
- Misses                          93052    93080      +28     
  Partials                         7619     7619              
Flag          | Coverage Δ
go-unit-tests | 49.36% <0.00%> (-0.01%) ⬇️


@ajheflin ajheflin marked this pull request as ready for review December 3, 2025 20:22
@ajheflin ajheflin requested a review from a team as a code owner December 3, 2025 20:22
@clickboo (Contributor) left a comment

@ajheflin ajheflin merged commit 3cb8d2d into ajheflin/revert-ed9c7ab230 Dec 5, 2025
86 of 87 checks passed
@ajheflin ajheflin deleted the ajheflin/only-fix-default-categories branch December 5, 2025 16:08
@ajheflin ajheflin added backport release-4.8 backport release-4.9 https://spaces.redhat.com/spaces/StackRox/pages/558727298 labels Dec 5, 2025
rhacs-bot pushed a commit that referenced this pull request Dec 5, 2025
@rhacs-bot (Contributor) commented

The backport to release-4.8 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release-4.8 release-4.8
# Navigate to the new working tree
cd .worktrees/backport-release-4.8
# Create a new branch
git switch --create backport-18046-to-release-4.8
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3cb8d2dea48d36c7e4e8de29840a91696a0f58bb
# Push it to GitHub
git push --set-upstream origin backport-18046-to-release-4.8
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release-4.8

Then, create a pull request where the base branch is release-4.8 and the compare/head branch is backport-18046-to-release-4.8.

panic(err)
}

// ROX-31406: Fix categories that were impacted by previous bug

probably going to want a few more words than that to simplify life for future maintainers

@ajheflin ajheflin restored the ajheflin/only-fix-default-categories branch December 5, 2025 18:06
Labels

area/central backport release-4.8 backport release-4.9 https://spaces.redhat.com/spaces/StackRox/pages/558727298

Projects

None yet

4 participants