Bug 2223178

Summary: The /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml file contains a reference to a URL that no longer exists.
Product: Red Hat Enterprise Linux 9
Reporter: mkenjale
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: VERIFIED
QA Contact: Milan Lysonek <mlysonek>
Severity: medium
Priority: medium
Version: 9.2
CC: ekolesni, ggasparb, jcerny, jjaburek, mhaicman, mlysonek, mmarhefk, openscap-maint, paygupta, vbhope, vpolasek
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.69-1.el9
Doc Type: Bug Fix
Doc Text:
.Red Hat CVE feeds have been moved
Version 1 of the Red Hat CVE feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds, located at https://access.redhat.com/security/data/oval/v2/. Consequently, the links in the SCAP source data streams provided by the `scap-security-guide` package have been updated to point to the new version of the Red Hat CVE feeds.
Type: Bug
Bug Blocks: 2228469, 2228470    

Description mkenjale 2023-07-16 08:39:47 UTC
Description of problem:
-----------------------
# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2023-07-16T13:38:03

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
Downloading: https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2 ... error
OpenSCAP Error: Download failed: HTTP response code said error: 404 [/builddir/build/BUILD/openscap-1.3.7/src/common/oscap_acquire.c:403]
Could not extract scap_org.open-scap_cref_ssg-rhel9-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.7/src/DS/ds_sds_session.c:228]

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
# rpm -q scap-security-guide
scap-security-guide-0.1.66-1.el9_1.noarch
# rpm -qf /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
scap-security-guide-0.1.66-1.el9_1.noarch

Steps to Reproduce:
-------------------
# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 

Actual results:
---------------
# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2023-07-16T13:38:03

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
Downloading: https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2 ... error
OpenSCAP Error: Download failed: HTTP response code said error: 404 [/builddir/build/BUILD/openscap-1.3.7/src/common/oscap_acquire.c:403]
Could not extract scap_org.open-scap_cref_ssg-rhel9-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.7/src/DS/ds_sds_session.c:228]

Expected results:
------------------
# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2023-07-16T14:04:52

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2 ... ok
		Status: draft
		Generated: 2023-02-14
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			Title: ANSSI-BP-028 (intermediary)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
			Title: ANSSI-BP-028 (minimal)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
				Id: xccdf_org.ssgproject.content_profile_cis
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
			Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_cui
			Title: Australian Cyber Security Centre (ACSC) Essential Eight
				Id: xccdf_org.ssgproject.content_profile_e8
			Title: Health Insurance Portability and Accountability Act (HIPAA)
				Id: xccdf_org.ssgproject.content_profile_hipaa
			Title: Australian Cyber Security Centre (ACSC) ISM Official
				Id: xccdf_org.ssgproject.content_profile_ism_o
			Title: Protection Profile for General Purpose Operating Systems
				Id: xccdf_org.ssgproject.content_profile_ospp
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig
			Title: [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig_gui
		Referenced check files:
			ssg-rhel9-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel9-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
	Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml

Additional info:
---------------
Manually modifying the /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml file resolves the issue.

# cp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml.backup

# vim /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# grep -n com.redhat.rhsa-RHEL9.xml.bz2 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
16:          <cat:uri name="security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2" uri="#scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2"/>
24:      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2" xlink:href="https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2"/>
21590:                <xccdf-1.2:check-content-ref href="security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2"/>

#  oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2023-07-16T14:04:52

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2 ... ok
		Status: draft
		Generated: 2023-02-14
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			Title: ANSSI-BP-028 (intermediary)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
			Title: ANSSI-BP-028 (minimal)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
				Id: xccdf_org.ssgproject.content_profile_cis
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
			Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_cui
			Title: Australian Cyber Security Centre (ACSC) Essential Eight
				Id: xccdf_org.ssgproject.content_profile_e8
			Title: Health Insurance Portability and Accountability Act (HIPAA)
				Id: xccdf_org.ssgproject.content_profile_hipaa
			Title: Australian Cyber Security Centre (ACSC) ISM Official
				Id: xccdf_org.ssgproject.content_profile_ism_o
			Title: Protection Profile for General Purpose Operating Systems
				Id: xccdf_org.ssgproject.content_profile_ospp
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig
			Title: [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig_gui
		Referenced check files:
			ssg-rhel9-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel9-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
	Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml
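
The check behind the grep above can be run offline against any source data stream. The following is an added example, not part of the original report or of scap-security-guide: it lists `ds:component-ref` elements whose `xlink:href` leaves the file and flags those still under the v1 feed location. The sample data stream and the `#scap_org.open-scap_comp_...` component id are constructed; the two feed URLs are the ones shown in this bug.

```python
import sys
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"
FEED_ROOT = "https://access.redhat.com/security/data/oval/"  # v1 location, sunset
V2_ROOT = FEED_ROOT + "v2/"                                   # current location

# Constructed sample: a cut-down data stream with one embedded and one remote
# component-ref; the remote one uses the v1 URL that returned 404 in this report.
SAMPLE_DS = f"""\
<ds:data-stream-collection xmlns:ds="{DS_NS}" xmlns:xlink="{XLINK_NS}">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml">
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel9-oval.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel9-oval.xml"/>
      <ds:component-ref
          id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2"
          xlink:href="{FEED_ROOT}com.redhat.rhsa-RHEL9.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_component_refs(xml_data):
    """Return (id, href) for each ds:component-ref that points outside the file."""
    refs = []
    for cref in ET.fromstring(xml_data).iter(f"{{{DS_NS}}}component-ref"):
        href = cref.get(f"{{{XLINK_NS}}}href", "")
        if href and not href.startswith("#"):  # '#...' links are embedded components
            refs.append((cref.get("id"), href))
    return refs


def retired_feed_refs(xml_data):
    """Remote refs under the feed root but outside v2/, i.e. the sunset v1 feeds."""
    return [(cid, href) for cid, href in remote_component_refs(xml_data)
            if href.startswith(FEED_ROOT) and not href.startswith(V2_ROOT)]


if __name__ == "__main__":
    # Pass a data stream path to audit a real file; with no argument use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DS
    for cid, href in retired_feed_refs(data):
        print(f"retired feed URL: {href}\n  component-ref: {cid}")
```

An empty result means every remote reference already points at the v2 feeds or at another host; `remote_component_refs` on its own gives the full list of URLs that `--fetch-remote-resources` would contact.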

Comment 1 Jan Černý 2023-07-19 08:16:21 UTC
A fix has been merged upstream by https://github.com/ComplianceAsCode/content/pull/10842.

Switching this BZ to a correct component.

Comment 2 Jan Černý 2023-07-24 09:22:42 UTC
*** Bug 2222984 has been marked as a duplicate of this bug. ***