Bug 1783200

Summary: The xml results generated from content for stig viewer do not contain rule results
Product: Red Hat Enterprise Linux 7 Reporter: Matus Marhefka <mmarhefk>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: high Docs Contact:
Priority: high    
Version: 7.8CC: ggasparb, mhaicman, mmarhefk, openscap-maint, tborcin, wsato
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openscap-1.2.17-9.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 20:11:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matus Marhefka 2019-12-13 09:49:19 UTC 
Description of problem:
When generating XML results using `--stig-viewer` option, the resulting XML file does not contain rule result elements. Following tests point to some change in content which prevents openscap to generate results in stig viewer format:

RHEL-7.7 packages:
openscap-1.2.17-4.el7.x86_64
scap-security-guide-0.1.43-13.el7.noarch

RHEL-7.8 packages:
openscap-1.2.17-8.el7.x86_64
scap-security-guide-0.1.46-11.el7.noarch


1. Scan with openscap-1.2.17-4.el7 and ssg-0.1.43-13.el7:
===================================================================
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --rule xccdf_org.ssgproject.content_rule_service_sshd_enabled --stig-viewer stig.xml ssg-rhel7-ds.xml

Title   Enable the OpenSSH Service
Rule    xccdf_org.ssgproject.content_rule_service_sshd_enabled
Ident   CCE-80216-5
Result  pass

# grep '<result>pass' -B1 -A4 stig.xml
  <rule-result idref="SV-86859r3_rule" time="2019-12-13T04:19:02" severity="medium" weight="1.000000">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80216-5</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:ssg-service_sshd_enabled:def:1" href="ssg-rhel7-oval.xml"/>
    </check>
#
===================================================================

2. Scan with openscap-1.2.17-4.el7 and ssg-0.1.46-11.el7 (both 1.2 and 1.3 datastreams):
===================================================================
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_service_sshd_enabled --stig-viewer stig.xml ssg-rhel7-ds.xml

Title   Enable the OpenSSH Service
Rule    xccdf_org.ssgproject.content_rule_service_sshd_enabled
Ident   CCE-80216-5
Result  pass

# grep '<result>pass' -B1 -A4 stig.xml
#
===================================================================

3. Scan with openscap-1.2.17-8.el7 and ssg-0.1.46-11.el7 (both 1.2 and 1.3 datastreams):
===================================================================
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_service_sshd_enabled --stig-viewer stig.xml ssg-rhel7-ds.xml

Title   Enable the OpenSSH Service
Rule    xccdf_org.ssgproject.content_rule_service_sshd_enabled
Ident   CCE-80216-5
Result  pass

# grep '<result>pass' -B1 -A4 stig.xml
#
===================================================================

4. Scan with openscap-1.2.17-8.el7 and ssg-0.1.43-13.el7:
===================================================================
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --rule xccdf_org.ssgproject.content_rule_service_sshd_enabled --stig-viewer stig.xml ssg-rhel7-ds.xml

Title   Enable the OpenSSH Service
Rule    xccdf_org.ssgproject.content_rule_service_sshd_enabled
Ident   CCE-80216-5
Result  pass

# grep '<result>pass' -B1 -A4 stig.xml
  <rule-result idref="SV-86859r3_rule" time="2019-12-13T04:28:47" severity="medium" weight="1.000000">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80216-5</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:ssg-service_sshd_enabled:def:1" href="ssg-rhel7-oval.xml"/>
    </check>
#
===================================================================



Version-Release number of selected component (if applicable):
scap-security-guide-0.1.46-11.el7.noarch


How reproducible:
always


Actual results:
The xml results generated from content for stig viewer DO NOT contain rule results.


Expected results:
The xml results generated from content for stig viewer contain rule results.
Comment 4 Watson Yuuma Sato 2019-12-19 13:35:51 UTC 
This is actually an issue on the scanner.

Fix is available in upstream: https://github.com/OpenSCAP/openscap/pull/1404
Comment 7 Watson Yuuma Sato 2020-01-06 10:15:45 UTC 
This happens because the DISA URI in the content changed in https://github.com/ComplianceAsCode/content/pull/4392 and now the scanner fails to identify the STIG rules and generate the results.
Comment 12 errata-xmlrpc 2020-03-31 20:11:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1183