Bug 1192428

Summary: STIG, OVAL validating: var_check has been supplied, var_ref missing
Product: Red Hat Enterprise Linux 6
Reporter: Martin Žember <mzember>
Component: openscap
Assignee: Šimon Lukašík <slukasik>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 6.8
CC: ebenes, matyc, openscap-maint
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openscap-1.0.10-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The OVAL standard requires that content include the var_check XML attribute within any XML element that has a var_ref attribute. The OpenSCAP scanner omitted the var_check attribute in some cases (default/implicit values).
Consequence: Strict Schematron validation of OVAL results warned the user.
Fix: The OVAL module has been amended to export var_check explicitly whenever exporting var_ref.
Result: Strict Schematron validation passes.
Clone Of:
: 1192431
Last Closed: 2015-07-22 06:29:18 UTC
Type: Bug

Description Martin Žember 2015-02-13 10:37:30 UTC
Description of problem:
Validation of OVAL results displays:
oval:mil.disa.fso.redhat.rhel6:obj:3184 - a var_ref has been supplied for the ind-def:pattern entity so a var_check should also be provided

Version-Release number of selected component (if applicable):
openscap-1.0.8-1.el6_5.1

How reproducible:
Always

Steps to Reproduce:
1. Downloading :: actually running 'wget http://iase.disa.mil/stigs/Documents/u_redhat_6_v1r5_stig_scap_1-1_benchmark.zip'
2. Unzipping :: actually running 'unzip u_redhat_6_v1r5_stig_scap_1-1_benchmark.zip -d stig'
3. Evaluating STIG profile :: actually running 'oscap xccdf eval --profile MAC-1_Public --report stig-xccdf-results.html --results stig-xccdf-results.xml --oval-results --cpe stig/U_RedHat_6_V1R5_Benchmark-cpe-dictionary.xml stig/U_RedHat_6_V1R5_Benchmark-xccdf.xml stig/U_RedHat_6_V1R5_Benchmark-oval.xml'
4. Validating XCCDF results :: actually running 'oscap xccdf validate-xml stig-xccdf-results.xml'
5. Validating OVAL results :: actually running 'oscap oval validate-xml --results --schematron U_RedHat_6_V1R5_Benchmark-oval.xml.result.xml'


Actual results:
<?xml version="1.0"?>
oval:mil.disa.fso.redhat.rhel6:obj:3184 - a var_ref has been supplied for the ind-def:pattern entity so a var_check should also be provided

Invalid OVAL Results content(5.8) in U_RedHat_6_V1R5_Benchmark-oval.xml.result.xml.
(return code 2)

Expected results:
Nothing (return code 0)

Additional info:

Comment 2 Šimon Lukašík 2015-02-16 15:32:28 UTC
Note to myself: This is a clone of bug 1182242 and bug 1182242.

Fixed upstream in aebc254a4e6993ef79a549c2f71b5a6a4eb3ed01 and 0e3c7e6833630d55d00ac3e91cdb2ae067fabcb6.

Comment 8 errata-xmlrpc 2015-07-22 06:29:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1317.html
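
The rule from the Doc Text above, as an added example that is not part of the original report or of OpenSCAP's code: a Python check that lists every object or state entity carrying var_ref without an explicit var_check, which is what the Schematron message complains about. The sample XML, its ids and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed fragment (ids and paths are made up): obj:1 omits var_check,
# obj:2 carries it, and variable_component is not an entity so it is exempt.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
 <objects>
  <ind-def:textfilecontent54_object id="oval:example:obj:1" version="1">
   <ind-def:filepath>/etc/example.conf</ind-def:filepath>
   <ind-def:pattern operation="pattern match" var_ref="oval:example:var:1"/>
  </ind-def:textfilecontent54_object>
  <ind-def:textfilecontent54_object id="oval:example:obj:2" version="1">
   <ind-def:filepath>/etc/example.conf</ind-def:filepath>
   <ind-def:pattern operation="pattern match" var_ref="oval:example:var:1" var_check="all"/>
  </ind-def:textfilecontent54_object>
 </objects>
 <variables>
  <local_variable id="oval:example:var:2" version="1" datatype="string" comment="c">
   <variable_component var_ref="oval:example:var:1"/>
  </local_variable>
 </variables>
</oval_definitions>"""


def missing_var_check(xml_text):
    """Return (owner id, entity name) for each object/state entity that has
    var_ref but no explicit var_check, anywhere in the document."""
    findings = []
    def walk(elem, owner):
        owner = elem.get("id", owner)  # nearest enclosing object/state id
        if "var_ref" in elem.attrib and "var_check" not in elem.attrib:
            findings.append((owner, elem.tag.rsplit("}", 1)[-1]))
        for child in elem:
            walk(child, owner)
    root = ET.fromstring(xml_text)
    # Entities live under <objects> and <states>; results files embed the
    # definitions, so search the whole tree for those containers.
    for name in ("objects", "states"):
        for container in root.iter("{%s}%s" % (DEF_NS, name)):
            walk(container, None)
    return findings


if __name__ == "__main__":
    for owner, entity in missing_var_check(SAMPLE):
        print("%s - var_ref on %s without var_check" % (owner, entity))
```
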