Add CY25Q4 Updates#202

Merged
Mab879 merged 3 commits into master from cy25q4_update
Nov 27, 2025
Conversation

@Mab879 Mab879 commented Nov 27, 2025

Summary by CodeRabbit

  • New Features

    • Added support for new products: Rancher RKE2, SRG API, and TOSS4.
    • Added a detailed RKE2 security benchmark and a MitigationPolicy for Windows executables.
    • Published new STIG revisions across multiple platforms (AlmaLinux, macOS, OCP, Oracle Linux, RHEL, Ubuntu, Ubuntu 22.04, Windows 10/11/Server).
  • Chores

    • Import tool updated to recognize additional product identifiers when ingesting packages.


Signed-off-by: Matthew Burket <m@tthewburket.com>
Signed-off-by: Matthew Burket <m@tthewburket.com>
coderabbitai bot commented Nov 27, 2025

Walkthrough

Adds or updates STIG release entries across many products (Nov 2025 dates), introduces three new product TOMLs (rke2, srg-api, toss4), adds a comprehensive RKE2 v2r4 STIG XML and a Win10 v3r5 mitigation XML, and extends the import utility mapping to recognize new product keys.

Changes

Cohort / File(s) Change Summary
Existing Products — STIG Version Additions
products/alma9/product.toml, products/macos14/product.toml, products/macos15/product.toml, products/ocp/product.toml, products/ol8/product.toml, products/ol9/product.toml, products/rhel8/product.toml, products/rhel9/product.toml, products/ubuntu2204/product.toml, products/win10/product.toml, products/win11/product.toml, products/winserv2019/product.toml, products/winserv2022/product.toml
Added new [stigs.*] version blocks with release_date entries (November 2025) to extend STIG version sequences.
IIS 10
products/iis10/product.toml
Updated full_name (added " - Server") and added new [stigs.v3r5] with release_date = 2025-11-26.
New Products — Configuration Files
products/rke2/product.toml, products/srg-api/product.toml, products/toss4/product.toml
Added new product TOMLs with full_name, short_name, and initial [stigs.*] release entries.
RKE2 STIG Content
products/rke2/v2r4.xml
Added comprehensive RKE2 v2r4 STIG benchmark XML: numerous Groups with descriptions, remediation (fixtext), checks, commands, file edits, and pod/security/admission configurations.
Windows 10 Mitigation Policy
products/win10/v3r5.xml
Added MitigationPolicy XML enumerating application-specific DEP/ASLR/ROP/ImageLoad/ChildProcess settings for many executables.
Import Utility
utils/import_zips.py
Expanded disa_to_shortname mapping with "TOSS_4" → "toss4", "API" → "srg-api", "RGS_RKE2" → "rke2", and switched to using a matches_dict for filename-derived fields in lookup logic.

Sequence Diagram(s)

sequenceDiagram
  participant Import as utils/import_zips.py
  participant Filename as "ZIP filename"
  participant Regex as "filename regex"
  participant Matches as "matches_dict"
  participant Mapping as "disa_to_shortname"
  participant Product as "product lookup / create"

  Note over Filename,Regex: ZIP processed
  Filename->>Regex: apply regex
  Regex-->>Matches: extract groups (product key, version, etc.)
  Import->>Mapping: look up Matches.product_key
  Mapping-->>Import: short_name (e.g., "rke2")
  Import->>Product: resolve target product directory using short_name
  Product-->>Import: resolved path / metadata write
  Note over Product,Mapping: New keys added (TOSS_4, API, RGS_RKE2)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Files requiring focused review:
    • products/rke2/v2r4.xml — large, dense security rules, remediation steps, and commands; verify technical accuracy and scope.
    • utils/import_zips.py — ensure regex group names and new mapping keys align with ZIP filename patterns and downstream expectations.
    • New TOMLs (products/rke2/product.toml, products/srg-api/product.toml, products/toss4/product.toml) — validate schema, naming consistency, and STIG version fields.
    • Cross-check release_date consistency and STIG version sequencing across all updated TOMLs.

Possibly related PRs

  • Aug 2025 update #178 — modifies similar product TOML STIG entries and extends disa_to_shortname in utils/import_zips.py; strong code-level overlap with mapping and product recognition changes.

Poem

🐰
I hopped through TOMLs, seeds in paw,
New STIGs sprouted—one, two, more,
RKE2 blossoms, XML roars,
Mappings learn three names anew,
November harvest — hop hooray! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add CY25Q4 Updates' accurately summarizes the main purpose of the changeset, which introduces Q4 2025 updates across multiple product TOML files and new STIG XML benchmarks.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between e97c709 and 4730768.

📒 Files selected for processing (1)
  • products/srg-api/product.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: deploy
  • GitHub Check: deploy
🔇 Additional comments (1)
products/srg-api/product.toml (1)

1-6: Valid TOML structure with verified naming and mapping consistency.

The file is well-formed and aligns with codebase conventions:

  1. Mapping verified: short_name "srg-api" correctly maps to "API" in utils/import_zips.py
  2. Structure consistency: Single STIG version (v1r1) matches the pattern of other new SRG products (srg-kubernetes, srg-firewall, srg-ctr) and recently introduced products (rke2, toss4)
  3. Format: Follows standard product.toml structure with proper TOML syntax and unquoted release date format

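The walkthrough above describes how utils/import_zips.py derives a product key from a DISA ZIP filename with a regex, looks it up in disa_to_shortname, and uses the resulting short_name to pick the target product directory. The following is an added example illustrating that flow; it is not code from the stigaview repository. The filename pattern (U_<product>_V<n>R<m>_STIG.zip or _SRG.zip), the regex group names, the non-PR mapping entries and the filenames fed to it are all assumptions constructed for the example; only the three mapping keys named in the PR (TOSS_4, API, RGS_RKE2) come from the page. The security point it makes is that a value parsed out of an untrusted filename is only ever used after it has been matched against the allowlist mapping, so an unexpected key raises instead of silently creating a new products/<name>/ directory.

```python
import re
from pathlib import PurePosixPath
from typing import NamedTuple

# Product key (as embedded in the DISA ZIP filename) -> repository short_name.
# TOSS_4, API and RGS_RKE2 are the entries added by the PR; the other two are
# assumed examples of the pre-existing mapping.
DISA_TO_SHORTNAME = {
    "RHEL_9": "rhel9",            # assumed entry
    "MS_Windows_10": "win10",     # assumed entry
    "TOSS_4": "toss4",
    "API": "srg-api",
    "RGS_RKE2": "rke2",
}

# Hypothetical filename regex; the real one in utils/import_zips.py is not
# shown in the PR. The product group is deliberately restricted to a small
# character class so no path separators or dots can ever reach the lookup.
ZIP_NAME_RE = re.compile(
    r"^U_(?P<product>[A-Za-z0-9_-]+?)_V(?P<major>\d+)R(?P<release>\d+)"
    r"_(?P<kind>STIG|SRG)\.zip$"
)


class ImportTarget(NamedTuple):
    short_name: str   # e.g. "rke2"
    version: str      # e.g. "v2r4", the [stigs.*] key and the XML basename
    kind: str         # "STIG" or "SRG"


class UnknownProductError(KeyError):
    """Raised when a filename parses but its product key is not in the mapping."""


def resolve_zip(filename: str) -> ImportTarget:
    """Turn a DISA ZIP filename into the product/version it should land in."""
    m = ZIP_NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"filename does not match the DISA pattern: {filename!r}")
    matches = m.groupdict()  # same idea as matches_dict in the PR
    try:
        short_name = DISA_TO_SHORTNAME[matches["product"]]
    except KeyError:
        # Unknown key: fail loudly rather than inventing a product directory.
        raise UnknownProductError(matches["product"]) from None
    version = f"v{int(matches['major'])}r{int(matches['release'])}"
    return ImportTarget(short_name, version, matches["kind"])


def target_xml_path(products_root: str, target: ImportTarget) -> str:
    """products/<short_name>/<version>.xml, built only from allowlisted parts."""
    return str(PurePosixPath(products_root) / target.short_name / f"{target.version}.xml")


if __name__ == "__main__":
    # Constructed filenames, not taken from the PR.
    for name in ("U_RGS_RKE2_V2R4_STIG.zip", "U_TOSS_4_V1R1_STIG.zip", "U_API_V1R1_SRG.zip"):
        t = resolve_zip(name)
        print(name, "->", target_xml_path("products", t))
```

Because the mapping is the allowlist, adding a product means adding exactly one key here and one product.toml; a ZIP whose key is missing from the mapping stops the import with UnknownProductError instead of writing to an unexpected path.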

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
products/alma9/product.toml (1)

6-6: Minor: Inconsistent date format in release_date values.

Line 6 uses a quoted date string "2024-12-03" while lines 8, 10, and 12 use unquoted date literals (e.g., 2025-04-07). Both parse correctly in TOML, but prefer consistent formatting throughout the file.

Consider removing quotes from line 6 to match the rest of the file:

-release_date = "2024-12-03"
+release_date = 2024-12-03

Also applies to: 11-12

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 23d04c4 and e97c709.

📒 Files selected for processing (20)
  • products/alma9/product.toml (1 hunks)
  • products/iis10/product.toml (2 hunks)
  • products/macos14/product.toml (1 hunks)
  • products/macos15/product.toml (1 hunks)
  • products/ocp/product.toml (1 hunks)
  • products/ol8/product.toml (1 hunks)
  • products/ol9/product.toml (1 hunks)
  • products/rhel8/product.toml (1 hunks)
  • products/rhel9/product.toml (1 hunks)
  • products/rke2/product.toml (1 hunks)
  • products/rke2/v2r4.xml (1 hunks)
  • products/srg-api/product.toml (1 hunks)
  • products/toss4/product.toml (1 hunks)
  • products/ubuntu2204/product.toml (1 hunks)
  • products/win10/product.toml (1 hunks)
  • products/win10/v3r5.xml (1 hunks)
  • products/win11/product.toml (1 hunks)
  • products/winserv2019/product.toml (1 hunks)
  • products/winserv2022/product.toml (1 hunks)
  • utils/import_zips.py (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
utils/import_zips.py (1)
stigaview_static/models.py (1)
  • short_version (78-79)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: deploy
  • GitHub Check: deploy
🔇 Additional comments (21)
products/winserv2019/product.toml (1)

19-20: Well-formatted STIG version entry.

The new v3r6 release is correctly structured, chronologically ordered (following v3r5's August 2025 date), and aligns with the PR's CY25Q4 update objective.

products/rhel9/product.toml (1)

21-22: LGTM!

Straightforward addition of new STIG version following established pattern. Release date aligns with CY25Q4 update scope.

products/winserv2022/product.toml (1)

19-20: LGTM!

Standard STIG version addition maintaining consistency with other product updates.

products/ol8/product.toml (1)

35-36: LGTM!

Consistent with CY25Q4 update pattern.

products/macos14/product.toml (1)

15-16: LGTM!

New STIG version addition follows expected pattern. Release date (2025-11-25) aligns with CY25Q4 scope.

products/ol9/product.toml (1)

9-10: LGTM!

Straightforward version addition consistent with CY25Q4 update pattern.

products/win11/product.toml (1)

17-18: LGTM!

Standard version addition maintaining CY25Q4 consistency across Windows products.

products/iis10/product.toml (2)

1-1: Verify the full_name change rationale.

The product name was updated to include "- Server" suffix. Please confirm this aligns with official product naming conventions and whether similar updates are needed for consistency across other IIS versions or related products.


10-11: LGTM!

STIG version addition is consistent with CY25Q4 update pattern.

products/macos15/product.toml (1)

11-12: Based on my investigation, I can now provide the rewritten review comment:


v1r4 STIG release missing from macOS 15 product configuration.

The version sequence jumps from [stigs.v1r3] (2025-04-07) directly to [stigs.v1r5] (2025-11-26), skipping v1r4 entirely. No v1r4.xml file exists in the macos15 directory either.

While other STIG products (rhel8, ol8, alma9, winserv2022) consistently include v1r4 in their release sequences, macos15 lacks both the v1r4 entry and the corresponding XML content file.

Verify whether DISA released v1r4 for macOS 15 STIG. If the release exists, both the product.toml entry and the v1r4.xml file must be added.

products/win10/product.toml (1)

17-18: LGTM!

The new STIG version v3r5 is correctly appended with a consistent release date that maintains chronological ordering.

products/rhel8/product.toml (1)

39-40: LGTM!

The new STIG version v2r5 is correctly appended with proper chronological ordering.

products/ocp/product.toml (1)

13-14: LGTM!

The new STIG version v2r4 is correctly appended with proper chronological ordering.

products/win10/v3r5.xml (1)

1-127: XML structure is well‑formed and valid.

The new MitigationPolicy file has correct XML syntax with proper nesting and valid attributes. The 37 executable configurations follow consistent patterns for DEP, ASLR, Payload, ImageLoad, and ChildProcess overrides.

Verify that the override flag values and mitigation settings align with Windows 10 v3r5 STIG requirements, if a schema or validation guide is available.

products/srg-api/product.toml (2)

5-6: Verify release date consistency for srg-api.

The release_date is 2025-11-25, while most other new STIG versions in this PR use 2025-11-26. Confirm whether this date difference is intentional (e.g., separate release cycle for the API SRG) or should be aligned with the rest of the CY25Q4 updates.


1-6: Product mapping for srg-api is correctly registered in utils/import_zips.py.

The verification confirms that line 47 of utils/import_zips.py contains the required mapping: "API": "srg-api". The new product file is properly integrated with the import utility.

products/toss4/product.toml (1)

1-6: Product mapping confirmed in utils/import_zips.py.

The toss4 product mapping has been verified at line 46 of utils/import_zips.py with the entry "TOSS_4": "toss4", confirming that the product will be properly recognized during ZIP imports. The new product configuration file follows established patterns and is correctly registered.

products/rke2/product.toml (1)

1-6: LGTM!

The product configuration for RKE2 is properly structured with appropriate metadata and STIG version information that aligns with the new v2r4.xml file and the import utility mappings.

utils/import_zips.py (2)

46-48: LGTM!

The new product mappings for TOSS_4, API, and RGS_RKE2 correctly align with the new product configurations introduced in this PR.


68-80: Verify the refactoring to use matches_dict.

The logic correctly uses matches_dict derived from product_regex_matches.groupdict(), which is a good refactoring. However, this depends on line 62 being fixed first.

products/rke2/v2r4.xml (1)

1-800: LGTM!

The RKE2 STIG v2r4 XML file is well-formed and contains comprehensive security technical implementation guidance from DISA. The benchmark includes 24 security requirements (V-254553 through V-268321) covering critical areas such as TLS configuration, authentication, authorization, audit logging, file permissions, and PPSM compliance. The content aligns with the product.toml configuration and represents authoritative DISA STIG guidance.

Signed-off-by: Matthew Burket <m@tthewburket.com>
@Mab879 Mab879 merged commit 86c0071 into master Nov 27, 2025
8 checks passed