Move error at the beginning of evaluation

jan-cerny · jan-cerny · commit 3f00d7b2961a · 2025-03-12T13:16:51.000+01:00
We don't like the current behavior when user needs to wait for the
initial scan results just to see the error. We will move the error so it
is printed right away and the initial scan is not even performed.
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
@@ -1906,32 +1906,6 @@ struct xccdf_rule_result_iterator *xccdf_session_get_rule_results(const struct x
 	return xccdf_result_get_rule_results(session->xccdf.result);
 }
 
-static bool _system_is_in_bootc_mode(void)
-{
-#ifdef OS_WINDOWS
-	return false;
-#else
-	#define BOOTC_PATH "/usr/bin/bootc"
-	struct stat statbuf;
-	if (stat(BOOTC_PATH, &statbuf) == -1) {
-		return false;
-	}
-	FILE *output = popen(BOOTC_PATH " status --format json 2>/dev/null", "r");
-	if (output == NULL) {
-		return false;
-	}
-	char buf[1024] = {0};
-	int c;
-	size_t i = 0;
-	while (i < sizeof(buf) && (c = fgetc(output)) != EOF) {
-		buf[i] = c;
-		i++;
-	}
-	pclose(output);
-	return *buf != '\0' && strstr(buf, "\"booted\":null") == NULL;
-#endif
-}
-
 int xccdf_session_remediate(struct xccdf_session *session)
 {
 	int res = 0;
@@ -1943,14 +1917,6 @@ int xccdf_session_remediate(struct xccdf_session *session)
 		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Can't perform remediation in offline mode: not implemented");
 		return 1;
 	}
-	if (_system_is_in_bootc_mode()) {
-		oscap_seterr(OSCAP_EFAMILY_OSCAP,
-			"Detected running Image Mode operating system. OpenSCAP can't "
-			"perform remediation of this system because majority of the "
-			"system is read-only. Please apply remediation during bootable "
-			"container image build using 'oscap-im' instead.");
-		return 1;
-	}
 	xccdf_policy_model_unregister_engines(session->xccdf.policy_model, oval_sysname);
 	if ((res = xccdf_session_load_oval(session)) != 0)
 		return res;
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
@@ -586,6 +586,33 @@ int xccdf_set_profile_or_report_bad_id(struct xccdf_session *session, const char
 	return return_code;
 }
 
+
+static bool _system_is_in_bootc_mode(void)
+{
+#ifdef OS_WINDOWS
+	return false;
+#else
+	#define BOOTC_PATH "/usr/bin/bootc"
+	struct stat statbuf;
+	if (stat(BOOTC_PATH, &statbuf) == -1) {
+		return false;
+	}
+	FILE *output = popen(BOOTC_PATH " status --format json 2>/dev/null", "r");
+	if (output == NULL) {
+		return false;
+	}
+	char buf[1024] = {0};
+	int c;
+	size_t i = 0;
+	while (i < sizeof(buf) && (c = fgetc(output)) != EOF) {
+		buf[i] = c;
+		i++;
+	}
+	pclose(output);
+	return *buf != '\0' && strstr(buf, "\"booted\":null") == NULL;
+#endif
+}
+
 /**
  * XCCDF Processing fucntion
  * @param action OSCAP Action structure
@@ -596,6 +623,16 @@ int app_evaluate_xccdf(const struct oscap_action *action)
 	struct xccdf_session *session = NULL;
 
 	int result = OSCAP_ERROR;
+
+	if (action->remediate && _system_is_in_bootc_mode()) {
+		fprintf(stderr,
+			"Detected running Image Mode operating system. OpenSCAP can't "
+			"perform remediation of this system because majority of the "
+			"system is read-only. Please apply remediation during bootable "
+			"container image build using 'oscap-im' instead.");
+		return result;
+	}
+
 #if defined(HAVE_SYSLOG_H)
 	int priority = LOG_NOTICE;
 
@@ -797,6 +834,14 @@ int app_xccdf_remediate(const struct oscap_action *action)
 {
 	struct xccdf_session *session = NULL;
 	int result = OSCAP_ERROR;
+	if (_system_is_in_bootc_mode()) {
+		fprintf(stderr,
+			"Detected running Image Mode operating system. OpenSCAP can't "
+			"perform remediation of this system because majority of the "
+			"system is read-only. Please apply remediation during bootable "
+			"container image build using 'oscap-im' instead.");
+		return result;
+	}
 	session = xccdf_session_new(action->f_xccdf);
 	if (session == NULL)
 		goto cleanup;
