Bug 599093
| Summary: | XCCDF: xccdf_fix_get_content does not return dereferenced sub element | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ed Sealing <ed.sealing> |
| Component: | openscap | Assignee: | Lukas Kuklinek <lkukline> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 14 | CC: | lkukline, pvrabec, theinric |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openscap-0.7.1-1.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-03-21 20:55:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ed Sealing
2010-06-02 17:00:13 UTC
The problem is that the model itself (i.e. xccdf_benchmark and its sub-structures) represents a static in-memory representation of a XCCDF document. If <sub/> element points to a XCCDF Value element, its true value (i.e. text to be substituted) depends on selector being set on the value, which in turn depends on selected XCCDF Profile, so it is intentional that the text returns verbatim 'unexpanded' piece of XML. Note: You may have noticed that xccdf_value maintains an "active selector". This pseudofeature kind of breaks stateless-ness and purity of the data model and will be removed soon (patches are already on the way). View at a model with respect to a profile is called xccdf_policy in OpenScap terminology. Therefore, expanding <sub/> elements should be done on the policy level of the API. So there are actually two separate issues: 1. xccdf_fix_get_content should return full contents of the element, it shouldn't stop at the first <sub/> element. This is a bug. 2. xccdf_policy is not able to substitute <sub/> elements. This is a missing feature. Proposed solution: 1. Fix issue #1 (I'll do it. :)) 2. Implement feature #2, function could look like this: char *xccdf_expand(xccdf_policy *policy, const char *input); It returns a newly allocated string with all <sub/> elements in input being substituted with proper values with respect to given policy (i.e. roughly a xccdf profile). Example usage: char *fix_content = xccdf_expand(my_policy, xccdf_fix_get_content(my_fix)); This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This issue has been resolved by commits 970f353d32 and fd3c41a1277 by adding following function: char* xccdf_policy_substitute(const char *text, struct xccdf_policy *policy); Which would return a string 'text' with substitutions being replaced with actual values with respect to given XCCDF policy. these changes will be available in new openscap release 0.7.1 which is planned for this week. openscap-0.7.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openscap-0.7.1-1.fc15 openscap-0.7.1-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/openscap-0.7.1-1.fc14 openscap-0.7.1-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. openscap-0.7.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |