Bug 1485876
Summary: oscap might run out of memory, when scanning for CVE vulnerabilities

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Marek Haicman <mhaicman> |
| Component | openscap | Assignee | Jan Černý <jcerny> |
| Status | CLOSED WONTFIX | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.4 | CC | matyc, mhaicman, mmarhefk, openscap-maint, wsato |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-03-12 14:31:41 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Marek Haicman
2017-08-28 10:50:42 UTC
I have noticed that we can be ineffective when we generate a report with OVAL details (in other words when '--oval-results' is used). If '--oval-results' is requested, we internally create an ARF. We do it this way: We create a new source datastream, then we internally save it as a file into a temporary directory. Then we load this source datastream again, and we build from it and from results an ARF. See functions xccdf_session_export_xccdf and namely xccdf_session_create_arf_source in src/XCCDF/xccdf_session.c. I think it should be possible to get all the data from the memory.

Moreover, it shows a warning:

W: oscap: Exporting ARF from XCCDF 1.1 is not allowed by SCAP specification. The resulting ARF will not validate. Convert the input to XCCDF 1.2 to get valid ARF results. The xccdf_1.1_to_1.2.xsl transformation that ships with OpenSCAP can do that automatically.

This warning was confusing for me because the reproducer command 2 doesn't want to create ARF, but only XCCDF result. The user can't know that we create ARF internally.

https://github.com/OpenSCAP/openscap/pull/812 is a partial fix merged upstream. The issue is not resolved completely, but the 1.2.16 release for 7.5 should perform better in this regard.

The complete fix is not available yet, so I am postponing this to 7.6.

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.