Merge branch 'c8' into a8

This commit is contained in:
eabdullin 2023-09-28 11:11:00 +03:00
commit 480dc485b2
12 changed files with 59 additions and 720 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openscap-1.3.6.tar.gz SOURCES/openscap-1.3.8.tar.gz

View File

@ -1 +1 @@
8c1b41bb7c32c22d541a6881ab8c5b8bef06890f SOURCES/openscap-1.3.6.tar.gz 1d1370ea1c4ada69eb4cd591bd4f411bd7a19a1a SOURCES/openscap-1.3.8.tar.gz

View File

@ -1,104 +0,0 @@
From f141dfd0311ec2be4c4c27814d9d6693551cfd76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:00:33 +0100
Subject: [PATCH 1/3] Fix shellcheck warning
Addressing:
Error: SHELLCHECK_WARNING (CWE-138): [#def1]
/usr/libexec/oscap-remediate:110:12: error[SC2145]: Argument mixes string and array. Use * or separate argument.
108| args+=( "--remediate" )
109| args+=( "${OSCAP_REMEDIATE_DS}" )
110|-> log "Args: ${args[@]}"
111|
112| # Now we are good to go
---
utils/oscap-remediate | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/oscap-remediate b/utils/oscap-remediate
index fc0b7715f..52e29aa66 100755
--- a/utils/oscap-remediate
+++ b/utils/oscap-remediate
@@ -107,7 +107,7 @@ args+=( ${OSCAP_REMEDIATE_HTML_REPORT:+"--report=${OSCAP_REMEDIATE_HTML_REPORT}"
args+=( "--progress-full" )
args+=( "--remediate" )
args+=( "${OSCAP_REMEDIATE_DS}" )
-log "Args: ${args[@]}"
+log "Args: ${args[*]}"
# Now we are good to go
header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'"Evaluating..."
From d3e7d5be1fcd55ef396de6070f877df0f2c2c58e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:09:02 +0100
Subject: [PATCH 2/3] Remove superfluous strdup
We can do this because xccdf_session_set_rule calls strdup on the rule
parameter internally.
Addressing:
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: alloc_fn: Storage is returned from allocation function "strdup".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: var_assign: Assigning: "n_rule" = storage returned from "strdup(rule)".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4149: noescape: Resource "n_rule" is not freed or pointed-to in "xccdf_session_set_rule".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4150: leaked_storage: Variable "n_rule" going out of scope leaks the storage it points to.
4148| char *n_rule = strdup(rule);
4149| xccdf_session_set_rule(sess, n_rule);
4150|-> }
4151|
4152| void xccdf_session_free_py(struct xccdf_session *sess){
---
swig/openscap.i | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/swig/openscap.i b/swig/openscap.i
index 2fe1cce99..158a22675 100644
--- a/swig/openscap.i
+++ b/swig/openscap.i
@@ -559,8 +559,7 @@ struct xccdf_session {
};
void xccdf_session_set_rule_py(struct xccdf_session *sess, char *rule) {
- char *n_rule = strdup(rule);
- xccdf_session_set_rule(sess, n_rule);
+ xccdf_session_set_rule(sess, rule);
}
void xccdf_session_free_py(struct xccdf_session *sess){
From 6ef54336a018566a32f6a95177635ada7f20794e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:16:02 +0100
Subject: [PATCH 3/3] Add a missing free
Addressing:
Error: RESOURCE_LEAK (CWE-772): [#def4] [important]
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: alloc_fn: Storage is returned from allocation function "oscap_htable_iterator_new".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: var_assign: Assigning: "rit" = storage returned from "oscap_htable_iterator_new(policy->rules)".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2145: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_has_more".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2146: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_next_key".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2150: leaked_storage: Variable "rit" going out of scope leaks the storage it points to.
2148| oscap_seterr(OSCAP_EFAMILY_XCCDF,
2149| "Rule '%s' not found in selected profile.", rule_id);
2150|-> return NULL;
2151| }
2152| }
---
src/XCCDF_POLICY/xccdf_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
index b63853a38..4d4b7ad0a 100644
--- a/src/XCCDF_POLICY/xccdf_policy.c
+++ b/src/XCCDF_POLICY/xccdf_policy.c
@@ -2147,6 +2147,7 @@ struct xccdf_result * xccdf_policy_evaluate(struct xccdf_policy * policy)
if (oscap_htable_get(policy->rules_found, rule_id) == NULL) {
oscap_seterr(OSCAP_EFAMILY_XCCDF,
"Rule '%s' not found in selected profile.", rule_id);
+ oscap_htable_iterator_free(rit);
return NULL;
}
}

View File

@ -1,32 +0,0 @@
From e49669a0dde7e3a9123925347fbf3234602371ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 31 Jan 2022 13:45:15 +0100
Subject: [PATCH] Prevent fails of test_ds_misc.sh
The SOURCE_DATE_EPOCH environment variable is effective only when it's
set to a value that's older than mtime of the processed file. See the
implementation in ds_sds_compose_add_component_internal in src/DS/sds.c.
However, the file in our test suite has originally been created before
(in 2019) and this mtime can be used when a tarball is produced. To
avoid the test failing, we can modify the mtime using the touch command
just before we run the tests.
---
tests/DS/test_ds_misc.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index 159007518..cffbef303 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -269,6 +269,8 @@ function test_source_date_epoch() {
local timestamp="2020-03-05T12:09:37"
export SOURCE_DATE_EPOCH="1583410177"
export TZ=UTC
+ # ensure the file mtime is always newer than the $timestamp
+ touch -c "$xccdf"
$OSCAP ds sds-compose "$xccdf" "$result"
assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]'
rm -f "$result"
--
2.34.1

View File

@ -1,27 +0,0 @@
From 650656bdac5e8e4df30c11bb4dbc830aab8baa78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 1 Feb 2022 15:06:33 +0100
Subject: [PATCH] Prevent fails of test_ds_misc.sh
Other files from which the datastream is composed might also
affect the timestamp attributes in result document depending
on their mtime.
---
tests/DS/test_ds_misc.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index cffbef303..1777c44f4 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -270,7 +270,9 @@ function test_source_date_epoch() {
export SOURCE_DATE_EPOCH="1583410177"
export TZ=UTC
# ensure the file mtime is always newer than the $timestamp
- touch -c "$xccdf"
+ touch -c "$srcdir/sds_multiple_oval/first-oval.xml"
+ touch -c "$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
+ touch -c "$srcdir/sds_multiple_oval/second-oval.xml"
$OSCAP ds sds-compose "$xccdf" "$result"
assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]'
rm -f "$result"

View File

@ -1,22 +0,0 @@
From 12f9c02a612bb1687676b74a4739126b1913b1fe Mon Sep 17 00:00:00 2001
From: Ajay Nair <ajaynair59@gmail.com>
Date: Mon, 9 May 2022 13:31:47 -0400
Subject: [PATCH] Reset errno before call to strtoll
---
src/common/memusage.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/common/memusage.c b/src/common/memusage.c
index c6755f21f1..ffa70b662b 100644
--- a/src/common/memusage.c
+++ b/src/common/memusage.c
@@ -71,6 +71,8 @@ static int read_common_sizet(void *szp, char *strval)
return (-1);
*end = '\0';
+
+ errno = 0;
*(size_t *)szp = strtoll(strval, NULL, 10);
if (errno == EINVAL ||

View File

@ -1,233 +0,0 @@
From 07486e9033d8cc1fd03962994b3359cb611a9ac9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 22 Jul 2022 16:50:01 +0200
Subject: [PATCH 1/3] Add unit test for read_common_sizet function
The unit test will cover the missing set errno
to 0 which was the root cause of:
https://github.com/OpenSCAP/openscap/issues/1867
Therefore, this test can be used during verification of:
https://bugzilla.redhat.com/show_bug.cgi?id=2109485
---
tests/API/probes/CMakeLists.txt | 9 +++++
tests/API/probes/test_memusage.c | 67 +++++++++++++++++++++++++++++++
tests/API/probes/test_memusage.sh | 9 +++++
3 files changed, 85 insertions(+)
create mode 100644 tests/API/probes/test_memusage.c
create mode 100755 tests/API/probes/test_memusage.sh
diff --git a/tests/API/probes/CMakeLists.txt b/tests/API/probes/CMakeLists.txt
index ae3c7212a0..2ac4081ac2 100644
--- a/tests/API/probes/CMakeLists.txt
+++ b/tests/API/probes/CMakeLists.txt
@@ -38,3 +38,12 @@ target_include_directories(oval_fts_list PUBLIC
)
target_link_libraries(oval_fts_list openscap)
add_oscap_test("fts.sh")
+
+add_oscap_test_executable(test_memusage
+ "test_memusage.c"
+ "${CMAKE_SOURCE_DIR}/src/common/bfind.c"
+)
+target_include_directories(test_memusage PUBLIC
+ "${CMAKE_SOURCE_DIR}/src/common"
+)
+add_oscap_test("test_memusage.sh")
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
new file mode 100644
index 0000000000..5dced98f03
--- /dev/null
+++ b/tests/API/probes/test_memusage.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2022 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Authors:
+ * "Jan Černý" <jcerny@redhat.com>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include "memusage.h"
+#include "memusage.c"
+#define OS_LINUX
+
+static int test_basic()
+{
+ size_t size;
+ char *strval = strdup("17 MB");
+ read_common_sizet(&size, strval);
+ free(strval);
+ return (size == 17);
+}
+
+static int test_errno()
+{
+ size_t size;
+ char *strval = strdup("17 MB");
+
+ /* Test that setting errno outside of the read_common_sizet function
+ * doesn't influence the function and doesn't make the function fail.
+ */
+ errno = EINVAL;
+
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (ret != -1);
+}
+
+int main(int argc, char *argv[])
+{
+ if (!test_basic()) {
+ fprintf(stderr, "test_basic has failed\n");
+ return 1;
+ }
+ if (!test_errno()) {
+ fprintf(stderr, "test_errno has failed\n");
+ return 1;
+ }
+ return 0;
+}
diff --git a/tests/API/probes/test_memusage.sh b/tests/API/probes/test_memusage.sh
new file mode 100755
index 0000000000..4c76bdc0ac
--- /dev/null
+++ b/tests/API/probes/test_memusage.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+if [ -n "${CUSTOM_OSCAP+x}" ] ; then
+ exit 255
+fi
+
+./test_memusage
From 2cc649d5e9fbf337bbfca69c21313657a5b8a7cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 09:00:36 +0200
Subject: [PATCH 2/3] Replace license by SPDX ID
---
tests/API/probes/test_memusage.c | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
index 5dced98f03..db2915f6d5 100644
--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
@@ -1,24 +1,4 @@
-/*
- * Copyright 2022 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Authors:
- * "Jan Černý" <jcerny@redhat.com>
- */
+// SPDX-License-Identifier: LGPL-2.1-or-later
#ifdef HAVE_CONFIG_H
#include <config.h>
From caadd89e61f5d70e251180055686a3b52c763c66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 09:00:45 +0200
Subject: [PATCH 3/3] Improve unit test for read_common_sizet
Check for multiple different situations.
---
tests/API/probes/test_memusage.c | 34 ++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
index db2915f6d5..b9db865d45 100644
--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
@@ -12,16 +12,34 @@
static int test_basic()
{
size_t size;
- char *strval = strdup("17 MB");
- read_common_sizet(&size, strval);
+ char *strval = strdup("17 kB\n");
+ int ret = read_common_sizet(&size, strval);
free(strval);
- return (size == 17);
+ return (size == 17 && ret == 0);
+}
+
+static int test_no_unit()
+{
+ size_t size;
+ char *strval = strdup("42");
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (ret == -1);
+}
+
+static int test_invalid_number()
+{
+ size_t size;
+ char *strval = strdup("www kB\n");
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (size == 0 && ret == 0);
}
static int test_errno()
{
size_t size;
- char *strval = strdup("17 MB");
+ char *strval = strdup("17 kB\n");
/* Test that setting errno outside of the read_common_sizet function
* doesn't influence the function and doesn't make the function fail.
@@ -39,6 +57,14 @@ int main(int argc, char *argv[])
fprintf(stderr, "test_basic has failed\n");
return 1;
}
+ if (!test_no_unit()) {
+ fprintf(stderr, "test_no_unit has failed\n");
+ return 1;
+ }
+ if (!test_invalid_number()) {
+ fprintf(stderr, "test_invalid_number has failed\n");
+ return 1;
+ }
if (!test_errno()) {
fprintf(stderr, "test_errno has failed\n");
return 1;

View File

@ -1,71 +0,0 @@
From 55b09ba184c1803a5e1454c44e9e9a5c578dd741 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 17:10:17 +0200
Subject: [PATCH] Reset errno before strtol
This sets errno to 0 before strotol calls after which the errno
is being checked.
Per man 3 strtol:
Since strtol() can legitimately return 0, LONG_MAX, or
LONG_MIN (LLONG_MAX or LLONG_MIN for strtoll()) on both success and
failure, the calling program should set errno to 0 before the call, and
then determine if an error occurred by checking whether errno has a
nonzero value after the call.
This is inspired by https://github.com/OpenSCAP/openscap/pull/1861.
---
src/OVAL/probes/independent/sql57_probe.c | 1 +
src/OVAL/probes/independent/sql_probe.c | 1 +
src/OVAL/probes/oval_fts.c | 1 +
src/OVAL/probes/unix/xinetd_probe.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/src/OVAL/probes/independent/sql57_probe.c b/src/OVAL/probes/independent/sql57_probe.c
index ce1466635c..2b35750ee2 100644
--- a/src/OVAL/probes/independent/sql57_probe.c
+++ b/src/OVAL/probes/independent/sql57_probe.c
@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
matchitem1(tok, 'c',
"onnecttimeout", tmp);
if (tmp != NULL) {
+ errno = 0;
info->conn_timeout = strtol(tmp, NULL, 10);
if (errno == ERANGE || errno == EINVAL)
diff --git a/src/OVAL/probes/independent/sql_probe.c b/src/OVAL/probes/independent/sql_probe.c
index 2ede89d031..71ba3c08c3 100644
--- a/src/OVAL/probes/independent/sql_probe.c
+++ b/src/OVAL/probes/independent/sql_probe.c
@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
matchitem1(tok, 'c',
"onnecttimeout", tmp);
if (tmp != NULL) {
+ errno = 0;
info->conn_timeout = strtol(tmp, NULL, 10);
if (errno == ERANGE || errno == EINVAL)
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
index 1364159c90..f9d0a0c1fd 100644
--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
@@ -729,6 +729,7 @@ OVAL_FTS *oval_fts_open_prefixed(const char *prefix, SEXP_t *path, SEXP_t *filen
/* max_depth */
PROBE_ENT_AREF(behaviors, r0, "max_depth", return NULL;);
SEXP_string_cstr_r(r0, cstr_buff, sizeof cstr_buff - 1);
+ errno = 0;
max_depth = strtol(cstr_buff, NULL, 10);
if (errno == EINVAL || errno == ERANGE) {
dE("Invalid value of the `%s' attribute: %s", "recurse_direction", cstr_buff);
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index b3375500db..703a07f513 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -1280,6 +1280,7 @@ int op_assign_bool(void *var, char *val)
*((bool *)(var)) = false;
} else {
char *endptr = NULL;
+ errno = 0;
*((bool *)(var)) = (bool) strtol (val, &endptr, 2);
if (errno == EINVAL || errno == ERANGE) {
return -1;

View File

@ -1,82 +0,0 @@
From 140d60bc751e6c0e4138ab3a2e8e9b130264f905 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 27 Jul 2022 09:40:29 +0200
Subject: [PATCH] Add CMake option to disable oscap-remediate service
This patch introduces a new CMake build option
ENABLE_OSCAP_REMEDIATE_SERVICE which can be used to disable the
installation of the files related to the oscap-remediate systemd
service. Downstream packagers can use this option to disable shipping
the oscap-remediate service in their RPM spec files.
Resolves: rhbz#2111358
Resolves: rhbz#2111360
---
CMakeLists.txt | 15 +++++++++------
utils/CMakeLists.txt | 20 +++++++++++---------
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 61c57d7a3e..48e19e5203 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -327,6 +327,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this
cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
+option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" TRUE)
# ---------- TEST-SUITE SWITCHES
@@ -609,12 +610,14 @@ if(NOT WIN32)
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
)
if(WITH_SYSTEMD)
- # systemd service for offline (boot-time) remediation
- configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
- install(FILES
- ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
- DESTINATION ${SYSTEMD_UNITDIR}
- )
+ if(ENABLE_OSCAP_REMEDIATE_SERVICE)
+ # systemd service for offline (boot-time) remediation
+ configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+ DESTINATION ${SYSTEMD_UNITDIR}
+ )
+ endif()
endif()
endif()
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
index 3f199eaabc..93ce1f2a9d 100644
--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -59,15 +59,17 @@ if(ENABLE_OSCAP_UTIL)
)
if(WITH_SYSTEMD)
- install(PROGRAMS "oscap-remediate"
- DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
- )
- install(PROGRAMS "oscap-remediate-offline"
- DESTINATION ${CMAKE_INSTALL_BINDIR}
- )
- install(FILES "oscap-remediate-offline.8"
- DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
- )
+ if (ENABLE_OSCAP_REMEDIATE_SERVICE)
+ install(PROGRAMS "oscap-remediate"
+ DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+ )
+ install(PROGRAMS "oscap-remediate-offline"
+ DESTINATION ${CMAKE_INSTALL_BINDIR}
+ )
+ install(FILES "oscap-remediate-offline.8"
+ DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+ )
+ endif()
endif()
endif()
endif()

View File

@ -1,132 +0,0 @@
From 9c2052febe494ca5fe8e3fef7996fd2c2c736785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 2 Nov 2022 09:04:25 +0100
Subject: [PATCH] Don't emit items if XPath doesn't match
This commit fixes the behavior of the xmlfilecontent probe in situation
when the XPath query in xmlfilecontent_object doesn't match any node in
the given XML file and the query returns an empty node set. Currently,
in this situation, we emit an item in which we add an empty value_of
element. However, this value_of element has its datatype attribute set
to an empty string, which is invalid according to the OVAL schema. When
we try to make the OVAL results valid, we face the problem that it isn't
clear what should be the value of the datatype attribute for empty
elements. But as we can realize the XPath doesn't match anything means
that the requested object doesn't exist on the system, so a better
behavior would be to not produce a xmlfilecontent54_item. That is
consistent with eg. situation when a regular expression matched nothing
in textfilecontent54_object. This commit therefore stops the item
generation in this situation.
This commit also extends the existing test to cover the situation
of XPath queries for nonexistent element and nonexistent attribute.
Fixes: #1890, rhbz#2138884, rhbz#2139060
---
.../probes/independent/xmlfilecontent_probe.c | 5 +--
.../test_xmlfilecontent_probe.sh | 6 +++
.../test_xmlfilecontent_probe.xml | 38 +++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/OVAL/probes/independent/xmlfilecontent_probe.c b/src/OVAL/probes/independent/xmlfilecontent_probe.c
index 6c70b359ba..5d56afa0d4 100644
--- a/src/OVAL/probes/independent/xmlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/xmlfilecontent_probe.c
@@ -296,10 +296,9 @@ static int process_file(const char *prefix, const char *path, const char *filena
node_cnt = nodes->nodeNr;
dD("node_cnt: %d.", node_cnt);
- if (node_cnt == 0) {
- probe_item_setstatus(item, SYSCHAR_STATUS_DOES_NOT_EXIST);
- probe_item_ent_add(item, "value_of", NULL, NULL);
- probe_itement_setstatus(item, "value_of", 1, SYSCHAR_STATUS_DOES_NOT_EXIST);
+ if (node_cnt <= 0) {
+ ret = -5;
+ goto cleanup;
} else {
node_tab = nodes->nodeTab;
for (i = 0; i < node_cnt; ++i) {
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
index e3c56a8606..68138dad75 100755
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
@@ -6,9 +6,15 @@ set -e -o pipefail
cp $srcdir/example.xml /tmp/
result=$(mktemp)
$OSCAP oval eval --results $result $srcdir/test_xmlfilecontent_probe.xml
+# Even if OSCAP_FULL_VALIDATION is set, an invalid OVAL result doesn't cause
+# the "oscap oval eval" to return a non-zero value, so let's run validation
+# as a separate command
+$OSCAP oval validate "$result"
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:2" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:3" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:4" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:5" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:6" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:7" and @result="true"]'
rm -f $result
\ No newline at end of file
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
index 3350df0c49..0a9708d4b6 100644
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
@@ -66,6 +66,30 @@
<criterion test_ref="oval:x:tst:5" comment="test"/>
</criteria>
</definition>
+ <definition class="compliance" version="1" id="oval:x:def:6">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting attribute</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:6" comment="test"/>
+ </criteria>
+ </definition>
+ <definition class="compliance" version="1" id="oval:x:def:7">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting element</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:7" comment="test"/>
+ </criteria>
+ </definition>
</definitions>
<tests>
@@ -89,6 +113,12 @@
<ind:object object_ref="oval:x:obj:5"/>
<ind:state state_ref="oval:x:ste:5"/>
</ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:6" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:6"/>
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:7" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:7"/>
+ </ind:xmlfilecontent_test>
</tests>
<objects>
@@ -112,6 +142,14 @@
<ind:filepath>/tmp/example.xml</ind:filepath>
<ind:xpath>//*[@regid="mycoyote.com"]/@name</ind:xpath>
</ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:6" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/@thisattributedoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:7" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/thiselementdoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
</objects>
<states>

View File

@ -0,0 +1,45 @@
From 299e344b245e8d1b3a31a58275e0e8d0aa01ed77 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Sat, 8 Jul 2023 07:05:31 +0200
Subject: [PATCH] OVAL/sysctl: Fix offline mode
The initial implementation was buggy: after correctly traversing
prefixed PREFIX/proc/sys directory tree it would incorrectly read
the data from the non-prefixed directory tree.
---
src/OVAL/probes/unix/sysctl_probe.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/OVAL/probes/unix/sysctl_probe.c b/src/OVAL/probes/unix/sysctl_probe.c
index 65d4bd0609..b7c68a0378 100644
--- a/src/OVAL/probes/unix/sysctl_probe.c
+++ b/src/OVAL/probes/unix/sysctl_probe.c
@@ -150,10 +150,14 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
while ((ofts_ent = oval_fts_read(ofts)) != NULL) {
SEXP_t *se_mib;
char mibpath[PATH_MAX], *mib;
- size_t miblen;
+ size_t miblen, mibstart;
struct stat file_stat;
- snprintf(mibpath, sizeof mibpath, "%s/%s", ofts_ent->path, ofts_ent->file);
+ if (prefix != NULL) {
+ snprintf(mibpath, sizeof mibpath, "%s/%s/%s", prefix, ofts_ent->path, ofts_ent->file);
+ } else {
+ snprintf(mibpath, sizeof mibpath, "%s/%s", ofts_ent->path, ofts_ent->file);
+ }
/* Skip write-only files, eg. /proc/sys/net/ipv4/route/flush */
if (stat(mibpath, &file_stat) == -1) {
@@ -168,7 +172,10 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
continue;
}
- mib = strdup(mibpath + strlen(PROC_SYS_DIR) + 1);
+ mibstart = 0;
+ mibstart += prefix != NULL ? strlen(prefix)+1 : 0;
+ mibstart += strlen(PROC_SYS_DIR)+1;
+ mib = strdup(mibpath + mibstart);
miblen = strlen(mib);
while (miblen > 0) {

View File

@ -1,25 +1,16 @@
Name: openscap Name: openscap
Version: 1.3.6 Version: 1.3.8
Release: 5%{?dist}.alma Release: 1%{?dist}.alma.1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries Group: System Environment/Libraries
License: LGPLv2+ License: LGPLv2+
URL: http://www.open-scap.org/ URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: openscap-1.3.7-PR-1841-coverity.patch Patch0: openscap-1.3.9-PR-1996-fix-sysctl-offline.patch
Patch2: openscap-1.3.7-PR-1843-fix-test-ds-misc.patch
Patch3: openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch
Patch4: openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
Patch5: openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
Patch6: openscap-1.3.7-PR-1875-reset-errno-strtol.patch
Patch7: openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
Patch8: openscap-1.3.7-PR-1891-xmlfilecontent.patch
# Add AlmaLinux definitions # Add AlmaLinux definitions
Patch100: openscap-1.3.5-almalinux.patch Patch100: openscap-1.3.5-almalinux.patch
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel BuildRequires: rpm-devel
@ -229,11 +220,17 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script %{_bindir}/oscap-run-sce-script
%changelog %changelog
* Tue Feb 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 1.3.6-5.alma * Thu Sep 28 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.3.8-1.alma.1
- Add AlmaLinux definitions - Add AlmaLinux definitions
* Mon Jan 30 2023 Jan Černý <jcerny@redhat.com> - 1.3.6-5 * Fri Jul 14 2023 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.8-1
- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2165577) - Upgrade to the latest upstream release (rhbz#2222864)
- Fix systemd* probes unit enumeration (rhbz#2223547)
* Fri Jan 27 2023 Jan Černý <jcerny@redhat.com> - 1.3.7-1
- Upgrade to the latest upstream release (rhbz#2159290)
- Fix error when processing OVAL filters (rhbz#2126882)
- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2139060)
* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-4 * Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-4
- Fix potential invalid scan results in OpenSCAP (rhbz#2111040) - Fix potential invalid scan results in OpenSCAP (rhbz#2111040)