Bug 1411785

Summary: OPENSCAP scan is not correctly working
Product: [Community] Spacewalk Reporter: Stepan Rogov <stepan.rogov>
Component: ServerAssignee: Michael Mráka <mmraka>
Status: CLOSED EOL QA Contact: Red Hat Satellite QA List <satellite-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.6CC: matonb, risantam
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-21 13:26:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Full trace none

Description Stepan Rogov 2017-01-10 13:32:54 UTC
Created attachment 1239108 [details]
Full trace

Description of problem:
When I try to scedule OPENSCAP scan , the next error has been accured:
xception Handler Information
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/spacewalk/server/apacheRequest.py", line 135, in call_function
    response = func(*params)
  File "/usr/share/rhn/server/handlers/xmlrpc/queue.py", line 509, in submit
    action_type=action_type)
  File "/usr/share/rhn/server/handlers/xmlrpc/queue.py", line 554, in process_extra_data
    result = method(self.server_id, action_id, data=data)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/action_extra_data/scap.py", line 47, in xccdf_eval
    profiles[0], data['errors'])
  File "/usr/lib/python2.7/site-packages/spacewalk/server/action_extra_data/scap.py", line 70, in _process_testresult
    if not _process_ruleresults(testresult_id, tr):
  File "/usr/lib/python2.7/site-packages/spacewalk/server/action_extra_data/scap.py", line 94, in _process_ruleresults
    _store_idents(inserts)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/action_extra_data/scap.py", line 116, in _store_idents
    rowcount = h.execute_bulk(data)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 185, in execute_bulk
    ret = ret + self.executemany(**subdict)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 160, in executemany
    return self._execute_wrapper(self._executemany, *p, **kw)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 296, in _execute_wrapper
    retval = function(*p, **kw)
  File "/usr/lib/python2.7/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 341, in _executemany
    self._real_cursor.executemany(self.sql, all_kwargs)
IntegrityError: new row for relation "rhnxccdfident" violates check constraint "vn_rhnxccdfident_identifier"
DETAIL:  Failing row contains (7, 2, ).
CONTEXT:  Error occurred on dblink connection named "at_conn": could not execute command.
SQL statement "SELECT dblink_exec('at_conn', in_sql, true)"
PL/pgSQL function pg_dblink_exec(character varying) line 8 at PERFORM
SQL statement "SELECT pg_dblink_exec(
                'insert into rhnXccdfIdent (id, identsystem_id, identifier) values (' ||
                xccdf_ident_id || ', ' || ident_sys_id || ', ' ||
                coalesce(quote_literal( identifier_in)) || ')')"
PL/pgSQL function lookup_xccdf_ident(character varying,character varying) line 31 at PERFORM


Version-Release number of selected component (if applicable):
client:
# rpm -qa |grep scap
openscap-scanner-1.2.10-2.el7.x86_64
scap-security-guide-0.1.30-3.el7.centos.0.3.noarch
perl-Pod-Escapes-1.04-291.el7.noarch
openscap-1.2.10-2.el7.x86_64
spacewalk-oscap-2.6.1-1.el7.noarch
openscap-utils-1.2.10-2.el7.x86_64
scap-workbench-1.1.2-1.el7.x86_64

server:
# rpm -qa |grep spacewalk
spacewalk-taskomatic-2.6.48-1.el7.noarch
spacewalk-schema-2.6.16-1.el7.noarch
spacewalk-postgresql-2.6.1-1.el7.noarch
spacewalk-utils-2.6.16-1.el7.noarch
spacewalk-backend-sql-postgresql-2.6.74-1.el7.noarch
spacewalk-backend-config-files-tool-2.6.74-1.el7.noarch
spacewalk-repo-2.6-0.el7.noarch
spacewalk-backend-libs-2.6.74-1.el7.noarch
spacewalk-search-2.6.1-1.el7.noarch
spacewalk-html-2.6.6-1.el7.noarch
spacewalk-setup-2.6.2-1.el7.noarch
spacewalk-admin-2.6.1-1.el7.noarch
spacewalk-selinux-2.3.2-1.el7.noarch
spacewalk-backend-2.6.74-1.el7.noarch
spacewalk-backend-config-files-common-2.6.74-1.el7.noarch
spacewalk-backend-iss-export-2.6.74-1.el7.noarch
spacewalk-backend-applet-2.6.74-1.el7.noarch
spacewalk-doc-indexes-2.5.2-1.el7.noarch
spacewalk-setup-jabberd-2.3.2-1.el7.noarch
spacewalk-certs-tools-2.5.3-1.el7.noarch
spacewalk-base-2.6.6-1.el7.noarch
spacewalk-base-minimal-config-2.6.6-1.el7.noarch
spacewalk-backend-server-2.6.74-1.el7.noarch
spacewalk-backend-app-2.6.74-1.el7.noarch
spacewalk-backend-iss-2.6.74-1.el7.noarch
spacewalk-setup-postgresql-2.6.2-1.el7.noarch
spacewalk-config-2.6.5-1.el7.noarch
spacewalk-branding-2.5.3-1.el7.noarch
rhn-org-httpd-ssl-key-pair-spacewalk.hosts-1.0-1.noarch
spacewalk-java-2.6.48-1.el7.noarch
spacewalk-backend-tools-2.6.74-1.el7.noarch
spacewalk-common-2.6.1-1.el7.noarch
spacewalk-base-minimal-2.6.6-1.el7.noarch
spacewalk-reports-2.6.3-1.el7.noarch
spacewalk-backend-sql-2.6.74-1.el7.noarch
spacewalk-backend-xmlrpc-2.6.74-1.el7.noarch
spacewalk-backend-config-files-2.6.74-1.el7.noarch
spacewalk-java-lib-2.6.48-1.el7.noarch
spacewalk-java-config-2.6.48-1.el7.noarch
spacewalk-jpp-workaround-2.3.5-1.el7.noarch
spacewalk-java-postgresql-2.6.48-1.el7.noarch
spacewalk-backend-xml-export-libs-2.6.74-1.el7.noarch
spacewalk-backend-package-push-server-2.6.74-1.el7.noarch
spacewalk-backend-usix-2.6.74-1.el7.noarch


How reproducible:
Scedule New XCCDF Scan for a host and run rhn_check on a client.
Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
Parameters: --fetch-remote-resources --profile ospp-rhel7-server

Actual results:
Traceback

Expected results:
Scan info in the UI

Additional info:

Comment 1 Brett Maton 2017-01-15 11:10:34 UTC
I'm experiencing the same problem

Command:                /usr/bin/oscap xccdf eval
Command-line Arguments: --profile common
Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

new row for relation "rhnxccdfident" violates check constraint "vn_rhnxccdfident_identifier"
DETAIL:  Failing row contains (4, 2, ).

I see the same constraint violation with various combinations of

Command-line Arguments: --profile common
Command-line Arguments: --profile server

Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml


Spacewalk Client/Server 2.6
OS CentOS 7.3

Comment 2 Brett Maton 2017-01-15 11:12:00 UTC
OpenScap RPM's

openscap-scanner-1.2.10-2.el7.x86_64
openscap-1.2.10-2.el7.x86_64
spacewalk-oscap-2.6.1-1.el7.noarch
scap-security-guide-0.1.30-3.el7.centos.0.3.noarch

Comment 3 Brett Maton 2017-01-15 11:39:38 UTC
Tested against a CentOS 6 server, result as expected report returned to Spacewalk.

Comment 4 Brett Maton 2017-01-16 07:04:15 UTC
@Stepan Rogov

The latest SCAP security guide works with EL7 and Spacewalk 2.6:

https://copr-be.cloud.fedoraproject.org/results/openscapmaint/openscap-latest/epel-7-x86_64/00482175-scap-security-guide/

An official release would be nice though.

Comment 5 Stepan Rogov 2017-01-16 12:03:13 UTC
(In reply to Brett Maton from comment #4)
> @Stepan Rogov
> 
> The latest SCAP security guide works with EL7 and Spacewalk 2.6:
> 
> https://copr-be.cloud.fedoraproject.org/results/openscapmaint/openscap-
> latest/epel-7-x86_64/00482175-scap-security-guide/
> 
> An official release would be nice though.

Works for me too.
Thank you Brett!

Comment 6 Michael Mráka 2019-10-21 13:26:13 UTC
Spacewalk 2.8 (and older) has already reached it's End Of Life.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before end of life. If you would still like
to see this bug fixed and are able to reproduce it against current version
of Spacewalk 2.9, you are encouraged change the 'version' and re-open it.