Bug 1440192 - xccdf scan requires remote content from RedHat, which errors out
Summary: xccdf scan requires remote content from RedHat, which errors out
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openscap
Version: 7.3
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: Marek Haicman
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-07 14:17 UTC by Przemek Klosowski
Modified: 2017-08-04 14:52 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*OpenSCAP* now handles also uncompressed XML files in a CVE OVAL feed Previously, the *OpenSCAP* tool was able to handle only compressed CVE OVAL files from a feed. As a consequence, the CVE OVAL feed provided by Red Hat cannot be used as a base for vulnerability scanning. With this update, *OpenSCAP* supports not only ZIP and BZIP2 files but also uncompressed XML files in a CVE OVAL feed, and the CVE OVAL-based scanning works properly without additional steps.
Clone Of:
Environment:
Last Closed: 2017-08-01 08:45:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2291 normal SHIPPED_LIVE openscap bug fix update 2017-08-01 12:38:59 UTC
Red Hat Knowledge Base (Solution) 3039241 None None None 2017-05-19 08:47:34 UTC

Description Przemek Klosowski 2017-04-07 14:17:16 UTC
Description of problem:
xccdf scan using the common profile requires remote content from RedHat. When this is enabled by --fetch-remote-resources, an XML parse error appears and scan is aborted

Version-Release number of selected component (if applicable):
openscap-scanner-1.2.10-3.el7_3.x86_64

How reproducible: every time


Steps to Reproduce:
1. oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report-remote.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml


Actual results:
Downloading: http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml ... ok
OpenSCAP Error: Unable to parse XML from user memory buffer [oscap_source.c:254]
Failed to create OVAL definition model from: 'http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml'. [xccdf_session.c:787]

Expected results: successful scan

Comment 2 Jan Černý 2017-04-18 13:56:33 UTC
This was fixed in OpenSCAP 1.2.11 by this patch: https://github.com/OpenSCAP/openscap/commit/bc9db8a31a977d8f7a89ff3d98df939d9269007b

A workaround is to use compressed version of the remote XML file:
# sed -i "s@http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml@https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2@" /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Comment 7 Marek Haicman 2017-06-06 21:36:17 UTC
Verified version openscap-1.2.14-2.el7.x86_64 fixes the issue

OLD:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of bz2 (default)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 1)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: Test of xml (old default)

NEW:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of bz2 (default)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 2)
:: [   PASS   ] :: File 'output' should contain '^Downloading: ' 
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test of xml (old default)


Please note, that the issue is also mitigated by use of newer SCAP Security Guide, for example scap-security-guide-0.1.33-5.el7.noarch (because it uses bz2 by default)

Comment 8 errata-xmlrpc 2017-08-01 08:45:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291


Note You need to log in before you can comment on or make changes to this bug.