distro: add oscap packages to build root

Conditionally add the required packages to the build
root in order to run the OpenSCAP remediation at build
time.

internal/distro/fedora/images.go

@@ -7,6 +7,7 @@ import (
 	"github.com/osbuild/osbuild-composer/internal/distro"
 	"github.com/osbuild/osbuild-composer/internal/image"
 	"github.com/osbuild/osbuild-composer/internal/manifest"
+	"github.com/osbuild/osbuild-composer/internal/osbuild"
 	"github.com/osbuild/osbuild-composer/internal/rpmmd"
 	"github.com/osbuild/osbuild-composer/internal/workload"
 )
@@ -90,6 +91,18 @@ func osCustomizations(
 		osc.SElinux = "targeted"
 	}
 
+	if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
+		if t.rpmOstree {
+			panic("unexpected oscap options for ostree image type")
+		}
+		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(
+			osbuild.OscapConfig{
+				Datastream: oscapConfig.DataStream,
+				ProfileID:  oscapConfig.ProfileID,
+			},
+		)
+	}
+
 	osc.Grub2Config = imageConfig.Grub2Config
 	osc.Sysconfig = imageConfig.Sysconfig
 	osc.SystemdLogind = imageConfig.SystemdLogind

internal/distro/rhel8/distro.go

@@ -454,6 +454,15 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 	}
 
+	// if oscap customizations are enabled we need to add `openscap-scanner`
+	// and `scap-security-guides` packages to build root
+	if bp.Customizations.GetOpenSCAP() != nil {
+		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
+			"openscap-scanner",
+			"scap-security-guide",
+		}})
+	}
+
 	// depsolve bp packages separately
 	// bp packages aren't restricted by exclude lists
 	mergedSets[blueprintPkgsKey] = rpmmd.PackageSet{Include: bpPackages}

internal/distro/rhel8/pipelines.go

@@ -673,6 +673,19 @@ func osPipeline(t *imageType,
 		p.AddStage(bootloader)
 	}
 
+	if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
+		if t.rpmOstree {
+			return nil, fmt.Errorf("unexpected oscap options for ostree image type")
+		}
+		remediationOptions := osbuild.NewOscapRemediationStageOptions(
+			osbuild.OscapConfig{
+				Datastream: oscapConfig.DataStream,
+				ProfileID:  oscapConfig.ProfileID,
+			},
+		)
+		p.AddStage(osbuild.NewOscapRemediationStage(remediationOptions))
+	}
+
 	if !imageConfig.NoSElinux {
 		p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
 	}

internal/distro/rhel90/distro.go

@@ -390,6 +390,15 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 	}
 
+	// if oscap customizations are enabled we need to add `openscap-scanner`
+	// and `scap-security-guides` packages to build root
+	if bp.Customizations.GetOpenSCAP() != nil {
+		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
+			"openscap-scanner",
+			"scap-security-guide",
+		}})
+	}
+
 	// depsolve bp packages separately
 	// bp packages aren't restricted by exclude lists
 	mergedSets[blueprintPkgsKey] = rpmmd.PackageSet{Include: bpPackages}

internal/distro/rhel90/pipelines.go

@@ -671,6 +671,19 @@ func osPipeline(t *imageType,
 		p.AddStage(bootloader)
 	}
 
+	if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
+		if t.rpmOstree {
+			return nil, fmt.Errorf("unexpected oscap options for ostree image type")
+		}
+		remediationOptions := osbuild.NewOscapRemediationStageOptions(
+			osbuild.OscapConfig{
+				Datastream: oscapConfig.DataStream,
+				ProfileID:  oscapConfig.ProfileID,
+			},
+		)
+		p.AddStage(osbuild.NewOscapRemediationStage(remediationOptions))
+	}
+
 	if !imageConfig.NoSElinux {
 		p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
 	}

internal/manifest/os.go

@@ -186,6 +186,9 @@ func (p *OS) getBuildPackages() []string {
 		packages = append(packages, "policycoreutils")
 		packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
 	}
+	if p.OpenSCAPConfig != nil {
+		packages = append(packages, "openscap-scanner", "scap-security-guide")
+	}
 	return packages
 }