import openscap-1.3.6-5.el8_7

This commit is contained in:
CentOS Sources 2023-02-21 08:49:45 +00:00 committed by Stepan Oksanichenko
parent 1b77493170
commit cc3c270e01
2 changed files with 137 additions and 1 deletions


@ -0,0 +1,132 @@
From 9c2052febe494ca5fe8e3fef7996fd2c2c736785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 2 Nov 2022 09:04:25 +0100
Subject: [PATCH] Don't emit items if XPath doesn't match
This commit fixes the behavior of the xmlfilecontent probe in situation
when the XPath query in xmlfilecontent_object doesn't match any node in
the given XML file and the query returns an empty node set. Currently,
in this situation, we emit an item in which we add an empty value_of
element. However, this value_of element has its datatype attribute set
to an empty string, which is invalid according to the OVAL schema. When
we try to make the OVAL results valid, we face the problem that it isn't
clear what should be the value of the datatype attribute for empty
elements. But as we can realize the XPath doesn't match anything means
that the requested object doesn't exist on the system, so a better
behavior would be to not produce a xmlfilecontent54_item. That is
consistent with eg. situation when a regular expression matched nothing
in textfilecontent54_object. This commit therefore stops the item
generation in this situation.
This commit also extends the existing test to cover the situation
of XPath queries for nonexistent element and nonexistent attribute.
Fixes: #1890, rhbz#2138884, rhbz#2139060
---
.../probes/independent/xmlfilecontent_probe.c | 5 +--
.../test_xmlfilecontent_probe.sh | 6 +++
.../test_xmlfilecontent_probe.xml | 38 +++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/OVAL/probes/independent/xmlfilecontent_probe.c b/src/OVAL/probes/independent/xmlfilecontent_probe.c
index 6c70b359ba..5d56afa0d4 100644
--- a/src/OVAL/probes/independent/xmlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/xmlfilecontent_probe.c
@@ -296,10 +296,9 @@ static int process_file(const char *prefix, const char *path, const char *filena
node_cnt = nodes->nodeNr;
dD("node_cnt: %d.", node_cnt);
- if (node_cnt == 0) {
- probe_item_setstatus(item, SYSCHAR_STATUS_DOES_NOT_EXIST);
- probe_item_ent_add(item, "value_of", NULL, NULL);
- probe_itement_setstatus(item, "value_of", 1, SYSCHAR_STATUS_DOES_NOT_EXIST);
+ if (node_cnt <= 0) {
+ ret = -5;
+ goto cleanup;
} else {
node_tab = nodes->nodeTab;
for (i = 0; i < node_cnt; ++i) {
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
index e3c56a8606..68138dad75 100755
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
@@ -6,9 +6,15 @@ set -e -o pipefail
cp $srcdir/example.xml /tmp/
result=$(mktemp)
$OSCAP oval eval --results $result $srcdir/test_xmlfilecontent_probe.xml
+# Even if OSCAP_FULL_VALIDATION is set, an invalid OVAL result doesn't cause
+# the "oscap oval eval" to return a non-zero value, so let's run validation
+# as a separate command
+$OSCAP oval validate "$result"
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:2" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:3" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:4" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:5" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:6" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:7" and @result="true"]'
rm -f $result
\ No newline at end of file
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
index 3350df0c49..0a9708d4b6 100644
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
@@ -66,6 +66,30 @@
<criterion test_ref="oval:x:tst:5" comment="test"/>
</criteria>
</definition>
+ <definition class="compliance" version="1" id="oval:x:def:6">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting attribute</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:6" comment="test"/>
+ </criteria>
+ </definition>
+ <definition class="compliance" version="1" id="oval:x:def:7">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting element</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:7" comment="test"/>
+ </criteria>
+ </definition>
</definitions>
<tests>
@@ -89,6 +113,12 @@
<ind:object object_ref="oval:x:obj:5"/>
<ind:state state_ref="oval:x:ste:5"/>
</ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:6" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:6"/>
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:7" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:7"/>
+ </ind:xmlfilecontent_test>
</tests>
<objects>
@@ -112,6 +142,14 @@
<ind:filepath>/tmp/example.xml</ind:filepath>
<ind:xpath>//*[@regid="mycoyote.com"]/@name</ind:xpath>
</ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:6" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/@thisattributedoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:7" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/thiselementdoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
</objects>
<states>
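Review bot: The early exit `ret = -5; goto cleanup;` in xmlfilecontent_probe.c replaces a path that used to hand back a populated item, so what happens to the `item` built earlier in process_file now depends entirely on the cleanup label, which is outside this hunk; it is worth confirming that cleanup releases the partially built item and not only the libxml2 handles, since if it does not, every object whose XPath matches nothing would leak one item per scanned file. The literal -5 is undocumented at the point of use; a one-line comment such as `/* -5: XPath matched nothing, so no xmlfilecontent_item is emitted for this file */` (or a named constant consistent with the probe's other return codes) would make the contract visible, and the caller's treatment of a negative return should be checked so that this case is reported as "does not exist" rather than as a collection error. Because the `if` branch now leaves via goto, the following `} else {` is redundant and its body could be dedented. process_file starts and ends outside the hunk.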


@ -1,6 +1,6 @@
Name: openscap
Version: 1.3.6
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
@ -13,6 +13,7 @@ Patch4: openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
Patch5: openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
Patch6: openscap-1.3.7-PR-1875-reset-errno-strtol.patch
Patch7: openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
Patch8: openscap-1.3.7-PR-1891-xmlfilecontent.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@ -222,6 +223,9 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
* Mon Jan 30 2023 Jan Černý <jcerny@redhat.com> - 1.3.6-5
- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2165577)
* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-4
- Fix potential invalid scan results in OpenSCAP (rhbz#2111040)
- Remove oscap-remediate service (rhbz#2111360)