Rudder

The techniques generated by rudderc do not force the methods to be executed in a specific cfengine "pass".
In cases where a method call uses an undefined variable, cfengine will "loop" several times on the bundle and try each time to execute the method call.
If some policy mode override were defined, the push/pop logic will only be applied on the first "pass", meaning that if a variable is defined after its first usage in a technique,
the cfengine code will execute the method 2 times, but the policy mode override will only be applied to the first occurence.

id: testing_the_audit_bug
name: Testing the audit bug
version: '1.0'
category: ncf_techniques
items:
  - id: b68fe09a-469f-439a-97ca-4e5f72f13a0b
    name: ''
    method: file_content
    params:
      path: /tmp/fda_test
      lines: ${fda.var}
      enforce: 'true'
    policy_mode_override: audit
  - id: 4e2a7f80-aa34-4928-a929-5a1c96c49efb
    name: ''
    method: variable_string
    params:
      prefix: fda
      name: var
      value: plouf

Will produce:

A| non-compliant testing_the_audit_bug     File content              /tmp/fda_test      Insert content into /tmp/fda_test was not correct
E| compliant     testing_the_audit_bug     Variable string           var                Set the string fda.var to value plouf was correct
E| repaired      testing_the_audit_bug     Variable string           var                Insert content into /tmp/fda_test was repaired

A quick and dirty fix to avoid this issue is to force the main bundle of a technique to only do method call in the third and last pass, this way, we are sure that the re-execution is not possible.