[Buildroot] [PATCH v3 3/5] package/openscap: new package
Alexis Lothoré
alexis.lothore at bootlin.com
Thu Oct 16 14:46:36 UTC 2025
Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.
The package provides both a target and a host build configuration, as it
is needed on both sides:
- it is needed on the host to allow building the security policy files
to be embedded on the target
- it is needed on the target to actually parse and evaluate those
security policy files.
Signed-off-by: Alexis Lothoré <alexis.lothore at bootlin.com>
---
Changes in v3:
- add missing CONFIG_BR2_PACKAGE_PCRE_UTF dependency to prevent runtime
failure
Changes in v2:
- reword commit title and message
- add DEVELOPERS entry
- update comment on Config.in deps
- reorder and reformat various variables and Kconfig entries
- drop unneeded selects on host Config entries
- add a comment about the toolchain configuration in Config.in
- drop duplicate comment in hash file
- drop additional license file reference
- use assign rather than concat for package conf opts
- drop python dependency
---
DEVELOPERS | 1 +
package/Config.in | 1 +
package/openscap/Config.in | 22 ++++++++++++++
package/openscap/openscap.hash | 3 ++
package/openscap/openscap.mk | 69 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 96 insertions(+)
diff --git a/DEVELOPERS b/DEVELOPERS
index 474de36ead5f929d43f64bbf32a5b212149a3519..321cb876802e86a58e490cf59a2ebcb72b273ac8 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -155,6 +155,7 @@ F: package/zabbix/
N: Alexis Lothoré <alexis.lothore at bootlin.com>
F: package/libxmlsec1/
+F: package/openscap/
N: Alistair Francis <alistair at alistair23.me>
F: board/sifive/
diff --git a/package/Config.in b/package/Config.in
index fed47b6291d13033ce3807ead8fede9b048b9787..e78229ea172ad60903d53b3ea3c54a1fb8365913 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2339,6 +2339,7 @@ menu "Security"
source "package/libselinux/Config.in"
source "package/libsemanage/Config.in"
source "package/libsepol/Config.in"
+ source "package/openscap/Config.in"
source "package/safeclib/Config.in"
source "package/softhsm2/Config.in"
endmenu
diff --git a/package/openscap/Config.in b/package/openscap/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..fc40cdee59a8dd326e4999ae7d5055ab5a5ddf66
--- /dev/null
+++ b/package/openscap/Config.in
@@ -0,0 +1,22 @@
+config BR2_PACKAGE_OPENSCAP
+ bool "openscap"
+ depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # libgcrypt
+ depends on !BR2_STATIC_LIBS # dlfcn.h
+ select BR2_PACKAGE_LIBCURL
+ select BR2_PACKAGE_LIBGCRYPT
+ select BR2_PACKAGE_LIBXML2
+ select BR2_PACKAGE_LIBXMLSEC1
+ select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
+ select BR2_PACKAGE_OPENSSL
+ select BR2_PACKAGE_PCRE
+ select BR2_PACKAGE_PCRE_UTF
+ help
+ The purpose of this project is to create security policy
+ content for various platforms
+
+ https://www.open-scap.org/
+ https://github.com/OpenSCAP/openscap
+
+comment "openscap needs a toolchain w/ dynamic library"
+ depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+ depends on BR2_STATIC_LIBS
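Review bot: `libxslt` is listed in `OPENSCAP_DEPENDENCIES` in openscap.mk, but this Config.in has no matching `select BR2_PACKAGE_LIBXSLT`. Unless one of the selected packages already pulls it in (not visible in this patch), openscap can be enabled without libxslt and the build would stop on the unselected dependency. Buildroot practice is to select every direct dependency explicitly, so adding `select BR2_PACKAGE_LIBXSLT` next to the libxml2 select would close the gap. Separately, the help text describes creating security policy content, while the commit message describes a scanner that evaluates XCCDF and OVAL files; the help text should say the latter.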
diff --git a/package/openscap/openscap.hash b/package/openscap/openscap.hash
new file mode 100644
index 0000000000000000000000000000000000000000..e98631372d517c1ce96058477b11d8add35342b1
--- /dev/null
+++ b/package/openscap/openscap.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256 6e61913fca3a74d310d7cf9354973eeaefa42be909ae649af1df48c3c08bc6ff openscap-1.3.12.tar.gz
+sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a COPYING
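Review bot: Both hashes are marked only as `# Locally computed`, so they pin whatever the submitter downloaded rather than a value upstream vouches for. If the OpenSCAP release publishes a checksum file or signature for the tarball, record it in the usual Buildroot form: a `# From <upstream checksum URL>` comment (placeholder) followed by that hash, keeping the locally computed sha256 for COPYING. If upstream publishes nothing, extending the comment to say what the download was checked against would let a later version bump repeat the check.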
diff --git a/package/openscap/openscap.mk b/package/openscap/openscap.mk
new file mode 100644
index 0000000000000000000000000000000000000000..84dd3fe48456497cfe2539c9ed24a7f93fe7a9eb
--- /dev/null
+++ b/package/openscap/openscap.mk
@@ -0,0 +1,69 @@
+################################################################################
+#
+# openscap
+#
+################################################################################
+
+OPENSCAP_VERSION = 1.3.12
+OPENSCAP_SITE = https://github.com/OpenSCAP/openscap/releases/download/$(OPENSCAP_VERSION)
+OPENSCAP_LICENSE = LGPL-2.1+
+OPENSCAP_LICENSE_FILES = COPYING
+OPENSCAP_SUPPORTS_IN_SOURCE_BUILD = NO
+OPENSCAP_INSTALL_STAGING = YES
+OPENSCAP_DEPENDENCIES = \
+ host-pkgconf \
+ libcurl \
+ libgcrypt \
+ libxml2 \
+ libxmlsec1 \
+ libxslt \
+ openssl \
+ pcre
+
+HOST_OPENSCAP_DEPENDENCIES = \
+ host-pkgconf \
+ host-libcurl \
+ host-libgcrypt \
+ host-libxml2 \
+ host-libxmlsec1 \
+ host-libxslt \
+ host-openssl \
+ host-pcre
+
+OPENSCAP_CONF_OPTS = \
+ -DENABLE_OSCAP_UTIL=ON \
+ -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+ -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF \
+ -DENABLE_OSCAP_UTIL_VM=OFF \
+ -DENABLE_PROBES_WINDOWS=OFF \
+ -DENABLE_TESTS=OFF \
+ -DWITH_CRYPTO=gcrypt \
+ -DENABLE_PYTHON3=OFF
+
+HOST_OPENSCAP_CONF_OPTS = \
+ -DENABLE_OSCAP_UTIL=ON \
+ -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+ -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF \
+ -DENABLE_OSCAP_UTIL_VM=OFF \
+ -DENABLE_PROBES_WINDOWS=OFF \
+ -DENABLE_TESTS=OFF \
+ -DWITH_CRYPTO=gcrypt \
+ -DENABLE_PYTHON3=OFF
+
+ifeq ($(BR2_PACKAGE_ACL),y)
+OPENSCAP_DEPENDENCIES += acl
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP),y)
+OPENSCAP_DEPENDENCIES += libcap
+endif
+
+ifneq ($(BR2_TOOLCHAIN_USES_GLIBC),y)
+OPENSCAP_DEPENDENCIES += musl-fts
+OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS=-lfts
+endif
+
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))
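Review bot: In the non-glibc branch, `-DCMAKE_EXE_LINKER_FLAGS=-lfts` appears to replace the executable linker flags rather than extend them, so anything Buildroot passes through `TARGET_LDFLAGS` would be dropped for the oscap binaries. Consider `OPENSCAP_CONF_OPTS += -DCMAKE_EXE_LINKER_FLAGS="$(TARGET_LDFLAGS) -lfts"`. Since the package installs to staging, it is also worth checking whether the shared library itself needs `-lfts`, because this flag only covers executables. Separately, the `pcre` dependency ties a security scanner to the end-of-life PCRE 8.x line; if upstream's CMake offers a PCRE2 option at this version, `pcre2` would be the better choice, with the Config.in select changed to match.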
--
2.51.0