Bug 1485876

Summary: oscap might run out of memory when scanning for CVE vulnerabilities
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: openscap
Assignee: Jan Černý <jcerny>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: high
Version: 7.4
CC: matyc, mhaicman, mmarhefk, openscap-maint, wsato
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-03-12 14:31:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marek Haicman 2017-08-28 10:50:42 UTC
Description of problem:
When scan is performed based on http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml scanner might run out of memory when composing results.

Version-Release number of selected component (if applicable):
openscap-1.2.14-2.el7

How reproducible:
reliably

Steps to Reproduce:
0. prepare machine with 2 gigs of RAM
1. wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
2. oscap xccdf eval --oval-results --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml

Actual results:
Evaluation is performed (output on screen), but then the machine freezes because it is out of memory.

Expected results:
Evaluation is performed and the command exits successfully, with the report and results files present in the directory.

Additional info:
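The reproducer above needs a machine with only 2 GiB of RAM and ends with the host freezing. The following shell helper is an added example, not part of the bug report or of the openscap project: it runs the same command 2 inside a subshell whose address space is capped with `ulimit -v`, so an over-allocating scanner fails with an allocation error or a signal instead of taking the whole host down, and then checks whether the files the expected result asks for were actually written. It assumes a POSIX shell whose `ulimit` supports `-v`, `oscap` and `wget` on PATH, and the XCCDF file from the report; the helper names (`run_capped`, `outputs_present`, `classify_exit`, `reproduce`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or from openscap itself.
# Reproduce the out-of-memory behaviour safely: cap the scanner's virtual
# memory with ulimit -v instead of using a host that has only 2 GiB of RAM.
# Assumptions: ulimit -v is supported, oscap and wget are on PATH.

XCCDF_URL="http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml"
XCCDF_FILE="com.redhat.rhsa-all.xccdf.xml"

# run_capped CAP_KIB CMD...: run CMD with its virtual address space limited
# to CAP_KIB kibibytes. The limit is set in a subshell, so the caller's shell
# keeps its own limits. Returns CMD's exit status (127 if the cap cannot be set).
run_capped() {
    cap_kib=$1
    shift
    (
        ulimit -v "$cap_kib" || exit 127
        exec "$@"
    )
}

# outputs_present FILE...: succeed only if every listed file exists and is
# non-empty, which is what the "Expected results" section requires.
outputs_present() {
    for f in "$@"; do
        [ -s "$f" ] || return 1
    done
    return 0
}

# classify_exit STATUS: turn an exit status into a one-word verdict.
# 0 -> ok; >128 -> crashed (shell reports 128 + signal number, e.g. 134 for
# SIGABRT or 139 for SIGSEGV after a failed allocation); otherwise -> failed.
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo crashed
    else
        echo failed
    fi
}

# reproduce: the bug's command 2, run under a 2 GiB cap (2097152 KiB).
# Prints a verdict line and returns the scanner's exit status.
reproduce() {
    [ -s "$XCCDF_FILE" ] || wget -q "$XCCDF_URL" -O "$XCCDF_FILE" || return 1
    run_capped 2097152 oscap xccdf eval --oval-results \
        --results results.xml --report report.html "$XCCDF_FILE"
    status=$?
    verdict=$(classify_exit "$status")
    if outputs_present results.xml report.html; then
        echo "scan: $verdict (exit $status), results.xml and report.html present"
    else
        echo "scan: $verdict (exit $status), output files missing"
    fi
    return "$status"
}

# Usage (not run automatically): . ./this_file.sh && reproduce
```

A verdict of `ok` with both files present matches the expected result; anything else under the cap is the behaviour this bug describes, but recorded as an exit status rather than a frozen host. Raising the cap in steps gives a rough measure of how much memory the result-composition phase needs for a given XCCDF input.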

Comment 2 Jan Černý 2017-08-28 11:31:19 UTC
I have noticed that we can be ineffective when we generate a report with OVAL details (in other words, when '--oval-results' is used).

If '--oval-results' is requested, we internally create an ARF. We do it this way: we create a new source datastream, then we internally save it as a file into a temporary directory. Then we load this source datastream again, and we build an ARF from it and from the results.

See functions xccdf_session_export_xccdf and namely xccdf_session_create_arf_source in src/XCCDF/xccdf_session.c.

I think it should be possible to get all the data from the memory.

Moreover, it shows a warning:

W: oscap: Exporting ARF from XCCDF 1.1 is not allowed by SCAP specification. The resulting ARF will not validate. Convert the input to XCCDF 1.2 to get valid ARF results. The xccdf_1.1_to_1.2.xsl transformation.that ships with OpenSCAP can do that automatically.

This warning was confusing for me because the reproducer command 2 doesn't want to create an ARF, but only an XCCDF result. The user can't know that we create an ARF internally.

Comment 3 Martin Preisler 2017-09-06 15:49:34 UTC
https://github.com/OpenSCAP/openscap/pull/812 is a partial fix merged upstream.

Comment 4 Matěj Týč 2017-11-23 15:31:12 UTC
The issue is not resolved completely, but the 1.2.16 release for 7.5 should perform better in this regard.
The complete fix is not available yet, so I am postponing this to 7.6.

Comment 5 Marek Haicman 2019-03-12 14:31:41 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.