Description of Problem:
OpenSCAP can't process CPE AL platforms in a SCAP source data stream if the SCAP source data stream does not contain at least one CPE dictionary component.
The popular SCAP source data streams provided by the SCAP Security Guide upstream project use <cpe-lang:check-fact-ref> in the <cpe-lang:platform> definition for the large majority of <xccdf-1.2:platform> applicability checks. However, there still exist product-wide platforms that reference a CPE item within a CPE dictionary, for example <xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:9"/>. These platforms could easily be changed to reference a <cpe-lang:platform> as well. If all <xccdf-1.2:platform> elements referenced a <cpe-lang:platform>, none of them would reference a CPE dictionary item, and therefore the CPE dictionary wouldn't be needed. That means that the SCAP source data stream would not contain any CPE dictionary.
A SCAP source data stream with no CPE dictionary is a valid SCAP source data stream. However, I have found that OpenSCAP can't find the OVAL checks referenced from <cpe-lang:check-fact-ref> if there isn't at least a minimalist CPE dictionary in that SCAP source data stream. Evaluation of SCAP data streams where solely <cpe-lang:check-fact-ref> is used but no CPE dictionary is available terminates with errors; see Actual Results below.
OpenSCAP Version:
openscap-1.3.7-1.fc37.x86_64
This issue is also reproducible from the upstream maint-1.3 branch as of 2023-03-22 (HEAD a6d6753).
Operating System & Version:
F 37
Actual Results:
--- Starting Evaluation ---
Title Test Rule
Rule xccdf_moc.elpmaxe.www_rule_1
Result notapplicable
OpenSCAP Error: Unable to open file: 'cpe-oval.xml' [/builddir/build/BUILD/openscap-1.3.7/src/source/oscap_source.c:288]
Can't import OVAL definition model 'cpe-oval.xml' for CPE applicability checking [/builddir/build/BUILD/openscap-1.3.7/src/CPE/cpe_session.c:113]
Expected Results:
No errors.
--- Starting Evaluation ---
Title Test Rule
Rule xccdf_moc.elpmaxe.www_rule_1
Result notapplicable
Additional Information / Debugging Steps:
The error seems to be related to the fact that when a SCAP source data stream is processed, the XCCDF session loads a CPE session only if there is a CPE dictionary present in the SCAP source data stream. Take a look at xccdf_session_load_cpe in xccdf_session.c. There you will see that the insertion of the CPE session (_connect_cpe_session_with_sds) happens only if there is at least one CPE dictionary, because it's done inside a code block starting with if (oscap_string_iterator_has_more(cpe_it)). It seems that moving the _connect_cpe_session_with_sds call to the line before if (oscap_string_iterator_has_more(cpe_it)) fixes the issue.
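As an added example that is not part of the original report or of OpenSCAP, the script below audits a source data stream for exactly the situation described above: it counts CPE dictionary components, follows every <cpe-lang:check-fact-ref> through the checklist catalog to the embedded OVAL component the way a data stream consumer would, and flags <xccdf-1.2:platform> idrefs that name a CPE dictionary item rather than a CPE AL platform. The embedded data stream is constructed for the example (it reuses the rule id from the output above; the component ids, the platform id and the OVAL definition id are made up). For that stream it reports every reference as resolvable, yet flags the stream as affected, which is the combination this issue is about.

```python
"""Audit a SCAP 1.3 source data stream for CPE AL platforms resolved only through
<cpe-lang:check-fact-ref> in a stream with no CPE dictionary. Added example, not OpenSCAP code."""
import xml.etree.ElementTree as ET

# Namespaces of a SCAP 1.3 source data stream and the documents embedded in it.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "cat": "urn:oasis:names:tc:entity:xmlns:xml:catalog",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "cpe-lang": "http://cpe.mitre.org/language/2.0",
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

def audit_cpe_al(xml_text: str) -> dict:
    """Summarise how the data stream resolves its applicability platforms."""
    root = ET.fromstring(xml_text)
    ds = root.find("ds:data-stream", NS)
    if ds is None:
        raise ValueError("not a SCAP source data stream collection")
    xlink_href = "{%s}href" % NS["xlink"]
    # Checklist catalog: file name used in href attributes -> '#<id>' of the
    # ds:checks component-ref that supplies that file.
    catalog = {u.get("name"): u.get("uri") for u in
               ds.findall("ds:checklists/ds:component-ref/cat:catalog/cat:uri", NS)}

    def oval_component(href):
        """Follow href as a data stream consumer does: catalog -> checks -> component."""
        cref_id = catalog.get(href, "")[1:]
        cref = ds.find(f"ds:checks/ds:component-ref[@id='{cref_id}']", NS) if cref_id else None
        comp_id = (cref.get(xlink_href) or "")[1:] if cref is not None else ""
        return root.find(f"ds:component[@id='{comp_id}']", NS) if comp_id else None

    facts, unresolvable = 0, []
    for plat in root.iterfind(".//cpe-lang:platform-specification/cpe-lang:platform", NS):
        for ref in plat.findall(".//cpe-lang:check-fact-ref", NS):
            facts += 1
            comp = oval_component(ref.get("href"))
            if comp is None or comp.find(
                    f".//oval-def:definition[@id='{ref.get('id-ref')}']", NS) is None:
                unresolvable.append((plat.get("id"), ref.get("href"), ref.get("id-ref")))
    # <xccdf:platform idref="#id"> points at a CPE AL platform in the benchmark; any other
    # idref names a CPE dictionary item and genuinely needs a dictionary component.
    dict_idrefs = sorted({p.get("idref") for p in root.iterfind(".//xccdf:platform", NS)
                          if not p.get("idref", "").startswith("#")})
    n_dicts = len(ds.findall("ds:dictionaries/ds:component-ref", NS))
    return {
        "cpe_dictionaries": n_dicts,
        "check_fact_refs": facts,
        "unresolvable_refs": unresolvable,
        "dictionary_idrefs": dict_idrefs,
        # Valid content that openscap-1.3.7 nevertheless rejects, per the report above.
        "affected_by_issue": n_dicts == 0 and facts > 0,
    }

# Constructed minimal data stream (ids and the OVAL definition are made up): one rule,
# one CPE AL platform resolved via check-fact-ref to an embedded OVAL component,
# and no ds:dictionaries element at all.
SAMPLE_DATA_STREAM = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_moc.elpmaxe.www_collection_test" schematron-version="1.3">
  <ds:data-stream id="scap_moc.elpmaxe.www_datastream_test" scap-version="1.3" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_moc.elpmaxe.www_cref_xccdf.xml" xlink:href="#scap_moc.elpmaxe.www_comp_xccdf.xml">
        <cat:catalog><cat:uri name="cpe-oval.xml" uri="#scap_moc.elpmaxe.www_cref_cpe-oval.xml"/></cat:catalog>
      </ds:component-ref>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_moc.elpmaxe.www_cref_cpe-oval.xml" xlink:href="#scap_moc.elpmaxe.www_comp_cpe-oval.xml"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_moc.elpmaxe.www_comp_xccdf.xml" timestamp="2023-03-22T00:00:00">
    <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" id="xccdf_moc.elpmaxe.www_benchmark_test">
      <cpe-lang:platform-specification>
        <cpe-lang:platform id="machine">
          <cpe-lang:logical-test operator="AND" negate="false">
            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml" id-ref="oval:moc.elpmaxe.www:def:1"/>
          </cpe-lang:logical-test>
        </cpe-lang:platform>
      </cpe-lang:platform-specification>
      <xccdf:Rule id="xccdf_moc.elpmaxe.www_rule_1" selected="true">
        <xccdf:title>Test Rule</xccdf:title>
        <xccdf:platform idref="#machine"/>
      </xccdf:Rule>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_moc.elpmaxe.www_comp_cpe-oval.xml" timestamp="2023-03-22T00:00:00">
    <oval-def:oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <oval-def:definitions>
        <oval-def:definition id="oval:moc.elpmaxe.www:def:1" version="1" class="inventory"/>
      </oval-def:definitions>
    </oval-def:oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""

if __name__ == "__main__":
    print(audit_cpe_al(SAMPLE_DATA_STREAM))
```

Run it against a real stream with audit_cpe_al(open(path).read()). A non-empty unresolvable_refs list is a content error to fix in the data stream itself (a catalog entry or OVAL definition is missing), whereas affected_by_issue set to True with an empty unresolvable_refs list is the OpenSCAP-side problem reported here: the content resolves, but the CPE session that would load the OVAL file is never connected.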