Bug 1440192

Summary: xccdf scan requires remote content from RedHat, which errors out
Product: Red Hat Enterprise Linux 7 Reporter: Przemek Klosowski <przemek>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.3CC: brubisch, mhaicman, mjahoda, mpreisle, openscap-maint
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
*OpenSCAP* now handles also uncompressed XML files in a CVE OVAL feed Previously, the *OpenSCAP* tool was able to handle only compressed CVE OVAL files from a feed. As a consequence, the CVE OVAL feed provided by Red Hat cannot be used as a base for vulnerability scanning. With this update, *OpenSCAP* supports not only ZIP and BZIP2 files but also uncompressed XML files in a CVE OVAL feed, and the CVE OVAL-based scanning works properly without additional steps.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 08:45:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Przemek Klosowski 2017-04-07 14:17:16 UTC 
Description of problem:
xccdf scan using the common profile requires remote content from RedHat. When this is enabled by --fetch-remote-resources, an XML parse error appears and scan is aborted

Version-Release number of selected component (if applicable):
openscap-scanner-1.2.10-3.el7_3.x86_64

How reproducible: every time


Steps to Reproduce:
1. oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report-remote.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml


Actual results:
Downloading: http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml ... ok
OpenSCAP Error: Unable to parse XML from user memory buffer [oscap_source.c:254]
Failed to create OVAL definition model from: 'http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml'. [xccdf_session.c:787]

Expected results: successful scan
Comment 2 Jan Černý 2017-04-18 13:56:33 UTC 
This was fixed in OpenSCAP 1.2.11 by this patch: https://github.com/OpenSCAP/openscap/commit/bc9db8a31a977d8f7a89ff3d98df939d9269007b

A workaround is to use compressed version of the remote XML file:
# sed -i "s@http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml@https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2@" /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Comment 7 Marek Haicman 2017-06-06 21:36:17 UTC 
Verified version openscap-1.2.14-2.el7.x86_64 fixes the issue

OLD:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of bz2 (default)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 1)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: Test of xml (old default)

NEW:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of bz2 (default)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of xml (old default)


Please note, that the issue is also mitigated by use of newer SCAP Security Guide, for example scap-security-guide-0.1.33-5.el7.noarch (because it uses bz2 by default)
Comment 8 errata-xmlrpc 2017-08-01 08:45:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291