From 24553a974dbb99e49e3023e4b690815f35f3b8ef Mon Sep 17 00:00:00 2001
From: zhangzhang
Date: Fri, 6 Feb 2026 13:28:15 +0800
Subject: [PATCH 1/2] openscap testsuite
---
lava-job-template/lpi4a/lpi4a-openscap.yaml | 59 +++++++++++++++
lava-job-template/qemu/qemu-openscap.yaml | 70 ++++++++++++++++++
lava-job-template/sg2042/sg2042-openscap.yaml | 72 +++++++++++++++++++
.../security-test/openscap/openscap.sh | 38 ++++++++++
.../security-test/openscap/openscap.yaml | 21 ++++++
5 files changed, 260 insertions(+)
create mode 100644 lava-job-template/lpi4a/lpi4a-openscap.yaml
create mode 100644 lava-job-template/qemu/qemu-openscap.yaml
create mode 100644 lava-job-template/sg2042/sg2042-openscap.yaml
create mode 100644 lava-testcases/security-test/openscap/openscap.sh
create mode 100644 lava-testcases/security-test/openscap/openscap.yaml
diff --git a/lava-job-template/lpi4a/lpi4a-openscap.yaml b/lava-job-template/lpi4a/lpi4a-openscap.yaml
new file mode 100644
index 0000000..abfc03b
--- /dev/null
+++ b/lava-job-template/lpi4a/lpi4a-openscap.yaml
@@ -0,0 +1,59 @@
+device_type: lpi4a
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10250
+ action:
+ minutes: 10249
+ actions:
+ power-off:
+ seconds: 60
+priority: medium
+visibility: public
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: lpi4a-test
+ description: "test for lpi4a"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 120
+ to: tftp
+ dtb:
+ url: ${dtb_url}
+ kernel:
+ url: ${kernel_image_url}
+ type: image
+ nfsrootfs:
+ url: ${rootfs_image_url}
+ compression: gz
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 20
+ method: u-boot
+ commands: nfs
+ soft_reboot:
+ - root
+ - openEuler
+ - reboot
+ - The system will reboot now!
+ prompts: ["root@openeuler-riscv64", "login:", "Password:"]
+ auto_login:
+ login_prompt: "(.*)openeuler-riscv64 login:(.*)"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+# TEST_BLOCK
+- test:
+ timeout:
+ minutes: 10109
+ definitions:
+ - repository: ${testcase_repo}
+ from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
diff --git a/lava-job-template/qemu/qemu-openscap.yaml b/lava-job-template/qemu/qemu-openscap.yaml
new file mode 100644
index 0000000..bb4347a
--- /dev/null
+++ b/lava-job-template/qemu/qemu-openscap.yaml
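Review bot: The boot block's `auto_login.password: openEuler12#$` commits a root credential into a job that is also declared `visibility: public`, and the same literal is repeated in the qemu and sg2042 templates and in all three osvscanner copies (the index lines abfc03b, bb4347a and c5a0516 show the osvscanner files are byte-identical to these). The file already substitutes `${job_name}`, `${testcase_repo}` and friends, so the password can go through the same mechanism, e.g. `password: ${login_password}` supplied at submission time, and one template per board could serve both scanners since the test name and path are already parameters. If the value is a fixed default baked into the test rootfs image, a comment next to the field saying so would at least make the exposure deliberate rather than accidental.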
@@ -0,0 +1,70 @@
+# Your first LAVA JOB definition for an riscv_64 QEMU
+device_type: qemu
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10150
+ action:
+ minutes: 10140
+ connection:
+ minutes: 10
+priority: medium
+visibility: public
+# context allows specific values to be overridden or included
+context:
+ # tell the qemu template which architecture is being tested
+ # the template uses that to ensure that qemu-system-riscv64 is executed.
+ arch: riscv64
+ machine: virt
+ guestfs_interface: virtio
+ extra_options:
+ - -machine virt
+ - -nographic
+ - -smp 8
+ - -m 8G
+ - -device virtio-blk-device,drive=hd0
+ - -append "root=/dev/vda rw console=ttyS0 selinux=0"
+ - -device virtio-net-device,netdev=usernet
+ - -netdev user,id=usernet,hostfwd=tcp::10001-:22
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: qemu-riscv64-test
+ description: "test for riscv64 qemu"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 20
+ to: tmpfs
+ images:
+ kernel:
+ image_arg: -kernel {kernel}
+ url: ${kernel_image_url}
+ rootfs:
+ image_arg: -drive file={rootfs},format=raw,id=hd0,if=none
+ url: ${rootfs_image_url}
+ compression: zstd
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 20
+ method: qemu
+ media: tmpfs
+ prompts: ["root@openeuler-riscv64"]
+ auto_login:
+ login_prompt: "openeuler-riscv64 login:"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+# TEST_BLOCK
+- test:
+ timeout:
+ minutes: 10100
+ definitions:
+ - from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
+ repository: ${testcase_repo}
diff --git a/lava-job-template/sg2042/sg2042-openscap.yaml b/lava-job-template/sg2042/sg2042-openscap.yaml
new file mode 100644
index 0000000..c5a0516
--- /dev/null
+++ b/lava-job-template/sg2042/sg2042-openscap.yaml
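Review bot: The `-append` option boots the guest with `selinux=0`, so the OpenSCAP compliance scan this job exists to run evaluates a system whose SELinux enforcement was switched off on the kernel command line; any rule in the chosen profile that checks SELinux state will presumably report fail or notapplicable regardless of how the image is actually configured. If the flag is only there to get the console up, consider dropping it for the openscap job, or document the consequence on the line itself, `# selinux=0: SELinux rules in the scan profile will not reflect the image`. The same `extra_options` block is copied verbatim into qemu-osvscanner.yaml, where the setting does not affect a package-vulnerability scan.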
@@ -0,0 +1,72 @@
+device_type: sg2042
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10300
+ action:
+ minutes: 10299
+ actions:
+ power-off:
+ seconds: 60
+priority: medium
+visibility: public
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: sg2042-test
+ description: "test for sg2042"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+- command:
+ name: pre_os_command
+ timeout:
+ minutes: 20
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 120
+ to: tftp
+ kernel:
+ url: ${kernel_image_url}
+ type: image
+ ramdisk:
+ url: ${ramdisk_url}
+ install_overlay: False
+ install_modules: False
+ dtb:
+ url: ${dtb_url}
+ persistent_nfs:
+ address: "{FILE_SERVER_IP}:/var/lib/lava/dispatcher/tmp/sg2042_rootfs"
+- command:
+ name: pxelinux_generate
+ timeout:
+ minutes: 20
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 30
+ method: u-boot
+ commands:
+ - "dhclient -ipv6=false eth0"
+ - "pxeboot -file tftp://{SERVER_IP}/pxelinux.cfg -server {SERVER_IP}"
+ soft_reboot:
+ - root
+ - openEuler
+ - reboot
+ - The system will reboot now!
+ prompts: ["root@openeuler-riscv64", "login:", "Password:"]
+ auto_login:
+ login_prompt: "(.*)openeuler-riscv64 login:(.*)"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+- test:
+ timeout:
+ minutes: 10109
+ definitions:
+ - repository: ${testcase_repo}
+ from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
+ 
\ No newline at end of file
diff --git a/lava-testcases/security-test/openscap/openscap.sh b/lava-testcases/security-test/openscap/openscap.sh
new file mode 100644
index 0000000..a821caa
--- /dev/null
+++ b/lava-testcases/security-test/openscap/openscap.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -x
+
+
+TEST_TMPDIR="/root/openscap"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+# 安装测试工具
+yum install -y openscap scap-security-guide
+mkdir -p "${TEST_TMPDIR}"
+cd "${TEST_TMPDIR}"
+# 获取系统版本
+VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"')
+VERSION_NUM=$("$VERSION_ID" | tr -d '.')
+echo "$VERSION_NUM"
+
+# 执行oscap扫描,输出扫描结果到oscap-result.xml文件
+oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results oscap-result.xml /usr/share/xml/scap/ssg/content/ssg-openeuler"$VERSION_NUM"-ds.xml || TRUE
+
+# 用 xmlstarlet 提取规则 ID 和结果,转化为lava解析脚本所需出的纯文本格式(如test_name pass/fail)
+# 结果值标准化:OpenSCAP 的结果包括 pass, fail, error, notapplicable, notchecked 等,LAVA脚本支持pass|fail|skip|unknown,故需将结果文件中的notapplicable/notchecked → skip,error → fail 或 unknown
+sudo dnf install -y xmlstarlet
+xmlstarlet sel \
+ -N x="http://checklists.nist.gov/xccdf/1.2" \
+ -t \
+ -m "//x:TestResult/x:rule-result" \
+ -v "@idref" -o " " -v "x:result" -n \
+ oscap-result.xml | awk '
+{
+ rule = tolower( $ 1); res = tolower( $ 2)
+ if (res == "pass") out = "pass"
+ else if (res == "fail") out = "fail"
+ else if (res == "error") out = "fail"
+ else if (res ~ /^(notapplicable|notchecked|informational|notselected)$/) out = "skip"
+ else out = "unknown"
+ print rule " " out
+}' > $RESULT_FILE
\ No newline at end of file
diff --git a/lava-testcases/security-test/openscap/openscap.yaml b/lava-testcases/security-test/openscap/openscap.yaml
new file mode 100644
index 0000000..588bb14
--- /dev/null
+++ b/lava-testcases/security-test/openscap/openscap.yaml
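Review bot: `VERSION_NUM=$("$VERSION_ID" | tr -d '.')` executes the version string itself as a command, so `VERSION_NUM` is always empty and the oscap call is handed a non-existent `ssg-openeuler-ds.xml` path; `VERSION_NUM=${VERSION_ID//./}` is what was meant. On the same oscap line `|| TRUE` names a command that does not exist — `|| true` is the idiom, and it is needed because `oscap xccdf eval` exits non-zero whenever a rule fails, which is the normal outcome of a scan. Because the script does `cd "${TEST_TMPDIR}"` before writing `${OUTPUT}/result.txt`, a relative `OUTPUT` would put the result under /root/openscap rather than at the `./output/result.txt` that openscap.yaml passes to send-to-lava.sh; resolving it once at the top, `RESULT_FILE="$(realpath -m "${OUTPUT:?OUTPUT must be set}")/result.txt"`, removes the dependence on the caller's working directory (assuming OUTPUT is exported by the LAVA environment, which this hunk does not show). The final redirect `> $RESULT_FILE` should be quoted as well, and `sudo dnf install` beside a bare `yum install` earlier suggests one of the two is wrong for the root context the rest of the script assumes.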
@@ -0,0 +1,21 @@
+metadata:
+ name: openscap
+ format: "Lava-Test Test Definition 1.0"
+ description: "Run fio on RISC-V device"
+ maintainer:
+ - zhangju@iscas.ac.cn
+ os:
+ - openEuler-riscv64
+ scope:
+ - security
+ devices:
+ - qemu
+ - lpi4a
+ - sg2042
+
+run:
+ steps:
+ - cd lava-testcases/security-test/openscap
+ - bash openscap.sh
+ - chmod +x ../../utils/send-to-lava.sh
+ - ../../utils/send-to-lava.sh ./output/result.txt
\ No newline at end of file
From 7e6e8c3c9a3a7673834d2ce36fbb171a5ba5f76e Mon Sep 17 00:00:00 2001
From: zhangju1
Date: Tue, 24 Feb 2026 16:18:29 +0800
Subject: [PATCH 2/2] osv-scanner
---
lava-job-template/lpi4a/lpi4a-osvscanner.yaml | 59 ++++++++++++
lava-job-template/qemu/qemu-osvscanner.yaml | 70 ++++++++++++++
.../sg2042/sg2042-osvscanner.yaml | 72 ++++++++++++++
.../security-test/osv-scanner/osv-scanner.sh | 95 +++++++++++++++++++
.../osv-scanner/osv-scanner.yaml | 21 ++++
5 files changed, 317 insertions(+)
create mode 100644 lava-job-template/lpi4a/lpi4a-osvscanner.yaml
create mode 100644 lava-job-template/qemu/qemu-osvscanner.yaml
create mode 100644 lava-job-template/sg2042/sg2042-osvscanner.yaml
create mode 100644 lava-testcases/security-test/osv-scanner/osv-scanner.sh
create mode 100644 lava-testcases/security-test/osv-scanner/osv-scanner.yaml
diff --git a/lava-job-template/lpi4a/lpi4a-osvscanner.yaml b/lava-job-template/lpi4a/lpi4a-osvscanner.yaml
new file mode 100644
index 0000000..abfc03b
--- /dev/null
+++ b/lava-job-template/lpi4a/lpi4a-osvscanner.yaml
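Review bot: `description: "Run fio on RISC-V device"` is left over from an fio test definition and is the text LAVA will display for this job; `description: "Run an OpenSCAP XCCDF scan on RISC-V device"` matches what openscap.sh does. The `metadata.name` and `run.steps` already refer to openscap, so only the description needs to change.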
@@ -0,0 +1,59 @@
+device_type: lpi4a
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10250
+ action:
+ minutes: 10249
+ actions:
+ power-off:
+ seconds: 60
+priority: medium
+visibility: public
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: lpi4a-test
+ description: "test for lpi4a"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 120
+ to: tftp
+ dtb:
+ url: ${dtb_url}
+ kernel:
+ url: ${kernel_image_url}
+ type: image
+ nfsrootfs:
+ url: ${rootfs_image_url}
+ compression: gz
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 20
+ method: u-boot
+ commands: nfs
+ soft_reboot:
+ - root
+ - openEuler
+ - reboot
+ - The system will reboot now!
+ prompts: ["root@openeuler-riscv64", "login:", "Password:"]
+ auto_login:
+ login_prompt: "(.*)openeuler-riscv64 login:(.*)"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+# TEST_BLOCK
+- test:
+ timeout:
+ minutes: 10109
+ definitions:
+ - repository: ${testcase_repo}
+ from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
diff --git a/lava-job-template/qemu/qemu-osvscanner.yaml b/lava-job-template/qemu/qemu-osvscanner.yaml
new file mode 100644
index 0000000..bb4347a
--- /dev/null
+++ b/lava-job-template/qemu/qemu-osvscanner.yaml
@@ -0,0 +1,70 @@
+# Your first LAVA JOB definition for an riscv_64 QEMU
+device_type: qemu
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10150
+ action:
+ minutes: 10140
+ connection:
+ minutes: 10
+priority: medium
+visibility: public
+# context allows specific values to be overridden or included
+context:
+ # tell the qemu template which architecture is being tested
+ # the template uses that to ensure that qemu-system-riscv64 is executed.
+ arch: riscv64
+ machine: virt
+ guestfs_interface: virtio
+ extra_options:
+ - -machine virt
+ - -nographic
+ - -smp 8
+ - -m 8G
+ - -device virtio-blk-device,drive=hd0
+ - -append "root=/dev/vda rw console=ttyS0 selinux=0"
+ - -device virtio-net-device,netdev=usernet
+ - -netdev user,id=usernet,hostfwd=tcp::10001-:22
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: qemu-riscv64-test
+ description: "test for riscv64 qemu"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 20
+ to: tmpfs
+ images:
+ kernel:
+ image_arg: -kernel {kernel}
+ url: ${kernel_image_url}
+ rootfs:
+ image_arg: -drive file={rootfs},format=raw,id=hd0,if=none
+ url: ${rootfs_image_url}
+ compression: zstd
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 20
+ method: qemu
+ media: tmpfs
+ prompts: ["root@openeuler-riscv64"]
+ auto_login:
+ login_prompt: "openeuler-riscv64 login:"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+# TEST_BLOCK
+- test:
+ timeout:
+ minutes: 10100
+ definitions:
+ - from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
+ repository: ${testcase_repo}
diff --git a/lava-job-template/sg2042/sg2042-osvscanner.yaml b/lava-job-template/sg2042/sg2042-osvscanner.yaml
new file mode 100644
index 0000000..c5a0516
--- /dev/null
+++ b/lava-job-template/sg2042/sg2042-osvscanner.yaml
@@ -0,0 +1,72 @@
+device_type: sg2042
+job_name: ${job_name}
+timeouts:
+ job:
+ minutes: 10300
+ action:
+ minutes: 10299
+ actions:
+ power-off:
+ seconds: 60
+priority: medium
+visibility: public
+metadata:
+ # please change these fields when modifying this job for your own tests.
+ format: Lava-Test Test Definition 1.0
+ name: sg2042-test
+ description: "test for sg2042"
+ version: "1.0"
+# ACTION_BLOCK
+actions:
+- command:
+ name: pre_os_command
+ timeout:
+ minutes: 20
+# DEPLOY_BLOCK
+- deploy:
+ timeout:
+ minutes: 120
+ to: tftp
+ kernel:
+ url: ${kernel_image_url}
+ type: image
+ ramdisk:
+ url: ${ramdisk_url}
+ install_overlay: False
+ install_modules: False
+ dtb:
+ url: ${dtb_url}
+ persistent_nfs:
+ address: "{FILE_SERVER_IP}:/var/lib/lava/dispatcher/tmp/sg2042_rootfs"
+- command:
+ name: pxelinux_generate
+ timeout:
+ minutes: 20
+# BOOT_BLOCK
+- boot:
+ timeout:
+ minutes: 30
+ method: u-boot
+ commands:
+ - "dhclient -ipv6=false eth0"
+ - "pxeboot -file tftp://{SERVER_IP}/pxelinux.cfg -server {SERVER_IP}"
+ soft_reboot:
+ - root
+ - openEuler
+ - reboot
+ - The system will reboot now!
+ prompts: ["root@openeuler-riscv64", "login:", "Password:"]
+ auto_login:
+ login_prompt: "(.*)openeuler-riscv64 login:(.*)"
+ username: root
+ password_prompt: "Password:"
+ password: openEuler12#$
+- test:
+ timeout:
+ minutes: 10109
+ definitions:
+ - repository: ${testcase_repo}
+ from: git
+ name: ${testitem_name}
+ path: ${testcase_path}
+ 
\ No newline at end of file
diff --git a/lava-testcases/security-test/osv-scanner/osv-scanner.sh b/lava-testcases/security-test/osv-scanner/osv-scanner.sh
new file mode 100644
index 0000000..fbd281c
--- /dev/null
+++ b/lava-testcases/security-test/osv-scanner/osv-scanner.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+set -x
+
+
+TEST_TMPDIR="/root/osv-scanner"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+#安装扫描工具
+dnf install -y go jq
+go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
+cp $(go env GOPATH)/bin/osv-scanner /usr/local/bin
+mkdir -p "${TEST_TMPDIR}"
+cd "${TEST_TMPDIR}"
+
+#执行系统软件包漏洞扫描,输出扫描结果到result.json文件中
+osv-scanner scan /var/lib/rpm --experimental-plugins os/rpm --format json --output "report.json"
+
+# 处理扫描结果为lava可识别的结果
+
+if [ ! -f "report.json" ]; then
+ echo "Error: File $RESULT_JSON not found."
+ exit 1
+fi
+
+# --- 提取包名、版本号和严重等级 ---
+data=$(jq -r '
+ .results[]? |
+ .packages[]? |
+ . as $pkg_info |
+ .vulnerabilities[]? |
+ . as $vuln |
+ select(.affected != null) |
+ .affected[]? |
+ select(.package != null and .package.name != null) |
+ # 拼接 包名-版本号 作为唯一标识,同时提取严重等级
+ "\($pkg_info.package.name)-\($pkg_info.package.version)\t\($vuln.database_specific.severity // "Unknown")"
+' "report.json")
+
+# 定义严重等级映射值
+get_severity_score() {
+ local level="$1"
+ case "$(echo "$level" | tr '[:upper:]' '[:lower:]')" in
+ critical) echo 4 ;;
+ high) echo 3 ;;
+ medium) echo 2 ;;
+ low) echo 1 ;;
+ *) echo 0 ;;
+ esac
+}
+
+score_to_level() {
+ local score="$1"
+ case "$score" in
+ 4) echo "Critical" ;;
+ 3) echo "High" ;;
+ 2) echo "Medium" ;;
+ 1) echo "Low" ;;
+ *) echo "Unknown" ;;
+ esac
+}
+
+declare -A pkg_max_score
+declare -A pkg_has_vuln
+
+# 如果 data 为空,写入 pass 并退出
+if [ -z "$data" ]; then
+ echo "osv-scanner pass" > "$RESULT_FILE"
+ exit 0
+fi
+
+# 遍历数据并聚合最高等级
+while IFS=$'\t' read -r pkg_ver severity; do
+ [ -z "$pkg_ver" ] && continue
+
+ pkg_has_vuln["$pkg_ver"]=1
+ current_score=$(get_severity_score "$severity")
+
+ if [ -z "${pkg_max_score[$pkg_ver]}" ] || [ "$current_score" -gt "${pkg_max_score[$pkg_ver]}" ]; then
+ pkg_max_score["$pkg_ver"]=$current_score
+ fi
+done <<< "$data"
+
+# 获取所有包名-版本列表
+all_packages=$(echo "$data" | cut -f1 | sort -u)
+
+for pkg_ver in $all_packages; do
+ if [ "${pkg_has_vuln[$pkg_ver]}" == "1" ]; then
+ # 取最高等级,但只输出 fail
+ echo "${pkg_ver} fail" >> "$RESULT_FILE"
+ else
+ echo "${pkg_ver} pass" >> "$RESULT_FILE"
+ fi
+done
+
diff --git a/lava-testcases/security-test/osv-scanner/osv-scanner.yaml b/lava-testcases/security-test/osv-scanner/osv-scanner.yaml
new file mode 100644
index 0000000..687f2ca
--- /dev/null
+++ b/lava-testcases/security-test/osv-scanner/osv-scanner.yaml
@@ -0,0 +1,21 @@
+metadata:
+ name: osv-scanner
+ format: "Lava-Test Test Definition 1.0"
+ description: "Run fio on RISC-V device"
+ maintainer:
+ - zhangju@iscas.ac.cn
+ os:
+ - openEuler-riscv64
+ scope:
+ - security
+ devices:
+ - qemu
+ - lpi4a
+ - sg2042
+
+run:
+ steps:
+ - cd lava-testcases/security-test/osv-scanner
+ - bash osv-scanner.sh
+ - chmod +x ../../utils/send-to-lava.sh
+ - ../../utils/send-to-lava.sh ./output/result.txt
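Review bot: The `else` branch that writes `${pkg_ver} pass` in the final loop can never run: `all_packages` is derived from `data`, which only lists packages that have at least one vulnerability, and the aggregation loop sets `pkg_has_vuln` for every key it reads, so the loop only ever appends fail lines while `pkg_max_score`, `score_to_level` and the per-package severity are computed and then discarded. The error message just below the scan, `echo "Error: File $RESULT_JSON not found."`, references a variable that is never assigned and so prints an empty name; `echo "Error: File report.json not found."` or one `REPORT_JSON` variable used by both the scan and the check is what was meant. The result file is only ever appended to with `>>`, so a leftover file from an earlier run on the same rootfs would keep its stale lines; truncating it before the loop and emitting the aggregated level to the job log makes the output both deterministic and useful for triage, as sketched below. Separately, `go install ...@latest` fetches whatever osv-scanner version is current at run time, so two runs of this job can scan with different tool versions and different results; pinning the module version (e.g. `@vX.Y.Z`, recorded in the script header) and printing the installed version to the log keeps results comparable across runs.

```bash
# … unchanged: tool install, scan, jq extraction, severity helpers, aggregation loop …
: > "$RESULT_FILE"   # drop any stale lines from an earlier run on this rootfs
while IFS= read -r pkg_ver; do
  [ -z "$pkg_ver" ] && continue
  level=$(score_to_level "${pkg_max_score[$pkg_ver]:-0}")
  printf '%s: highest severity %s\n' "$pkg_ver" "$level"
  printf '%s fail\n' "$pkg_ver" >> "$RESULT_FILE"
done < <(printf '%s\n' "$data" | cut -f1 | sort -u)
```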
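Review bot: `description: "Run fio on RISC-V device"` is copied from an fio test definition; `description: "Run osv-scanner against the RPM database on RISC-V device"` describes what osv-scanner.sh does. Nothing else in the metadata or the run steps refers to fio, so only this one line needs to change.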