Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shift the limit of OVAL items in HTML report #2058

Open
jan-cerny opened this issue Nov 24, 2023 · 1 comment
Open

Shift the limit of OVAL items in HTML report #2058

jan-cerny opened this issue Nov 24, 2023 · 1 comment
Labels
memory solution

Comments

@jan-cerny
Copy link
Member

Description of Problem:

During the review of #2051 where we introduced a limit of collected items by OpenSCAP probe we discussed in the comments also other possible approaches to limiting collected items.

The original problem that we tried to mitigate by #2051 was that the OpenSCAP failed to generate HTML report. The XSLT template that creates the HTML report failed because libxslt didn't have enough memory to process it. The reason was the input XML tree of the XSLT template was too large. That is probably caused by too many OVAL items collected.

Currently, OpenSCAP internally creates an ARF XML tree, applies XSLT on that to create HTML report, saves the HTML to a file and then saves the ARF file.

The amount of rendered items in HTML report is limited to 100 items per OVAL object. See

openscap/xsl/xccdf-report-oval-details.xsl

Lines 105 to 119 in c27e108

<!-- table body (possibly item-type-specific) -->
<!-- limited to 100 lines -->
<tbody>
<xsl:for-each select='$items'>
<xsl:if test="not(position() > 100)">
<xsl:for-each select='key("oval-items", @item_id)'>
<xsl:apply-templates select='.' mode='item-body'/>
</xsl:for-each>
</xsl:if>
</xsl:for-each>
</tbody>
</table>
<xsl:if test="count($items) > 100">
... and <xsl:value-of select="count($items)-100"/> more items.
</xsl:if>

However, this limitation is present in the XSLT template, so it reduces the size of the final HTML report, but doesn't affect the internal ARF, so it doesn't prevent the fail of libxslt as described above.

The limit introduced in #2051 limits the amount of collected items by OpenSCAP probes. Therefore, it also affects output ARF, it is effective also when no HTML is created. This limit can cause incomplete or missing results depending on the specific OVAL. There was an idea by @evgenyz to try and throw out elements from the tree before trying to render them with XSLT instead of not collecting them at all. With this approach the ARF and XCCDF results would stay correct.

We can easily limit the amount of the items in the ARF during the serialization into OVAL results DOM. I look into that and it could be done by modifying oval_syschar_model_to_dom and oval_syschar_to_dom.

openscap/src/OVAL/oval_sysModel.c

Lines 360 to 390 in c27e108

struct oval_string_map *sysitem_map = oval_string_map_new();
if (oval_syschar_iterator_has_more(syschars)) {
xmlNode *tag_objects = xmlNewTextChild(root_node, ns_syschar, BAD_CAST "collected_objects", NULL);
while (oval_syschar_iterator_has_more(syschars)) {
struct oval_syschar *syschar = oval_syschar_iterator_next(syschars);
struct oval_object *object = oval_syschar_get_object(syschar);
if (oval_syschar_get_flag(syschar) == SYSCHAR_FLAG_UNKNOWN /* Skip unneeded syschars */
|| oval_object_get_base_obj(object)) /* Skip internal objects */
continue;
oval_syschar_to_dom(syschar, doc, tag_objects);
struct oval_sysitem_iterator *sysitems = oval_syschar_get_sysitem(syschar);
while (oval_sysitem_iterator_has_more(sysitems)) {
struct oval_sysitem *sysitem = oval_sysitem_iterator_next(sysitems);
oval_string_map_put(sysitem_map, oval_sysitem_get_id(sysitem), sysitem);
}
oval_sysitem_iterator_free(sysitems);
}
}
oval_smc_free0(resolved_smc);
oval_syschar_iterator_free(syschars);
struct oval_iterator *sysitems = oval_string_map_values(sysitem_map);
if (oval_collection_iterator_has_more(sysitems)) {
xmlNode *tag_items = xmlNewTextChild(root_node, ns_syschar, BAD_CAST "system_data", NULL);
while (oval_collection_iterator_has_more(sysitems)) {
struct oval_sysitem *sysitem = (struct oval_sysitem *)
oval_collection_iterator_next(sysitems);
oval_sysitem_to_dom(sysitem, doc, tag_items);
}
}

Due to the way how it works now it would cause a problem that also ARF file would be incomplete, which you probably don't want. But we can avoid it by creating a dedicated ARF tree just for the purpose of HTML creation, ie. first a full ARF tree would be created and saved to file and then another tree with reduced items would be created passed to XSLT to create a HTML output.

OpenSCAP Version:

1.3.9

Operating System & Version:

all

Steps to Reproduce:

This is a general issue about the logic executed during command:

  1. oscap xccdf eval --results-arf arf.xml --report report.html ....

Actual Results:

  • ARF contains complete results.
  • The collected items above certain limit are not propageted by XSLT to HTML.
  • HTML report contains max N items for each OVAL object.

Expected Results:

  • ARF contains complete results.
  • The collected items are strip off from the OVAL results in ARF before ARF is passed it XSLT, the template consumes a smaller tree as an input.
  • HTML report contains max N items for each OVAL object.

Additional Information / Debugging Steps:

https://issues.redhat.com/browse/RHEL-11925, https://issues.redhat.com/browse/RHEL-4141
@jan-cerny jan-cerny mentioned this issue Nov 24, 2023
Merged
@evgenyz
Copy link
Contributor

evgenyz commented Feb 9, 2024

Sorry, never mind. Carry on.

@evgenyz evgenyz mentioned this issue Apr 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
memory solution
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evgenyz @jan-cerny