Bug 2126882
Summary: | openscap errors when OVAL object component in a variable doesn't collect any data | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Matus Marhefka <mmarhefk>
Component: | openscap | Assignee: | Jan Černý <jcerny>
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 8.7 | CC: | dapospis, ekolesni, mhaicman, mmarhefk
Target Milestone: | rc | Keywords: | AutoVerified, Triaged
Target Release: | --- | Flags: | pm-rhel: mirror+
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | openscap-1.3.7-1.el8 | Doc Type: | No Doc Update
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 2126883 2171824 | Environment: |
Last Closed: | 2023-05-16 08:41:34 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2089955, 2126883, 2171824 | |
Attachments: | | |

Description
Matus Marhefka
2022-09-14 16:18:14 UTC
Successfully reproduced on RHEL 8. In verbose mode, we can see: Referenced variable has no values (oval:ssg-group_gid:var:1).

Analysis:
- We need to create a minimal reproducer OVAL that doesn't require the chroot to trigger the problem.
- The key is that the state references a variable in one of the state entities and this variable is empty because the underlying object does not exist.

Created attachment 1937258: easy reproducer

I have created a minimal reproducer and I have attached the reproducer as an attachment.
This reproducer doesn't depend on the presence of the ssh package, doesn't require using any chroot, and doesn't require installing anything. It consists of a simple OVAL file and a short bash script that creates a directory with 2 files in /tmp. Then it runs `oscap oval eval` with that OVAL file.
The main point of the reproducer OVAL is to showcase the situation that triggers the error message "Failed to convert OVAL state to SEXP". The OVAL has been inspired by the OVAL for the rule file_permissions_sshd_private_key from scap-security-guide; however, it's simpler.
The OVAL construction that triggers the error is the following: We have an OVAL <object>, this object contains a <filter> that is specified by a <state>. This <state> in one of its child elements references a <local_variable>. This <local_variable> references a second <object>. The error happens if the second <object> describes an entity that doesn't exist on the system.
Therefore, this bug is generic and it's a bug in processing of any <filter> elements that reference variables.
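
The construction described in the comment above can be located statically in OVAL content, which helps when checking whether a content set can hit this error on an openscap build older than the fixed version. The following is an added example, not code from the bug report, the attached reproducer, or OpenSCAP: it walks the chain object → `<filter>` → `<state>` entity with `var_ref` → `<local_variable>` → `<object_component>` and reports the ids involved. The embedded OVAL, its ids and paths, and the function names `local` and `risky_filters` are constructed for illustration; a hit flags only the structure, since whether the second object collects anything is known only at scan time.

```python
import xml.etree.ElementTree as ET
# Constructed, reduced OVAL (not schema-complete; ids and paths are made up).
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
  <objects>
    <unix:file_object id="oval:x:obj:1" version="1">
      <unix:filepath operation="pattern match">^/tmp/repro/.*$</unix:filepath>
      <filter action="exclude">oval:x:ste:1</filter>
    </unix:file_object>
    <unix:file_object id="oval:x:obj:2" version="1">
      <unix:filepath>/nonexistent</unix:filepath>
    </unix:file_object>
  </objects>
  <states>
    <unix:file_state id="oval:x:ste:1" version="1">
      <unix:group_id datatype="int" var_ref="oval:x:var:1"/>
    </unix:file_state>
  </states>
  <variables>
    <local_variable id="oval:x:var:1" version="1" datatype="int">
      <object_component object_ref="oval:x:obj:2" item_field="group_id"/>
    </local_variable>
  </variables>
</oval_definitions>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def risky_filters(oval_xml):
    """Return (object, filter state, variable, source object) id chains."""
    root = ET.fromstring(oval_xml)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    chains = []
    for obj in root.iter():
        if not local(obj.tag).endswith("_object"):
            continue
        for flt in (e for e in obj.iter() if local(e.tag) == "filter"):
            state = by_id.get((flt.text or "").strip())
            for ent in (state.iter() if state is not None else ()):
                var = by_id.get(ent.get("var_ref"))
                if var is None or local(var.tag) != "local_variable":
                    continue
                for comp in (c for c in var.iter() if local(c.tag) == "object_component"):
                    chains.append((obj.get("id"), state.get("id"),
                                   var.get("id"), comp.get("object_ref")))
    return chains

if __name__ == "__main__":
    print(risky_filters(SAMPLE_OVAL))
```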
A draft PR has been opened in upstream: https://github.com/OpenSCAP/openscap/pull/1916

A fix has been merged to upstream: https://github.com/OpenSCAP/openscap/pull/1916

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openscap bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2892