Description of problem:
When scan is performed based on http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml scanner might run out of memory when composing results.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
0. prepare machine with 2 gigs of RAM
1. wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
2. oscap xccdf eval --oval-results --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml
Actual results:
Evaluation is performed (output on screen), but then the machine freezes, being out of memory.
Expected results:
Evaluation is performed and the command exits successfully, with report and results files present in the directory.
I have noticed that we can be ineffective when we generate a report with OVAL details (in other words, when '--oval-results' is used).
If '--oval-results' is requested, we internally create an ARF. We do it this way: we create a new source datastream, then we internally save it as a file into a temporary directory. Then we load this source datastream again, and we build an ARF from it and from the results.
See functions xccdf_session_export_xccdf and namely xccdf_session_create_arf_source in src/XCCDF/xccdf_session.c.
I think it should be possible to get all the data from the memory.
Moreover, it shows a warning:
W: oscap: Exporting ARF from XCCDF 1.1 is not allowed by SCAP specification. The resulting ARF will not validate. Convert the input to XCCDF 1.2 to get valid ARF results. The xccdf_1.1_to_1.2.xsl transformation that ships with OpenSCAP can do that automatically.
This warning was confusing for me because reproducer command 2 doesn't want to create an ARF, but only XCCDF results. The user can't know that we create an ARF internally.
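As an added example (not part of this bug report and not OpenSCAP code), the following POSIX shell wrapper runs the reproducer from the description under a hard RLIMIT_AS cap, so that a runaway allocation while composing results makes oscap fail with an allocation error instead of pushing a 2 GiB host into a freeze. It makes '--oval-results' optional, since dropping it avoids the internal ARF build when only XCCDF results are needed, and it includes a helper for the XCCDF 1.1 to 1.2 conversion the warning refers to. The 1.5 GiB cap and the stylesheet path /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl are assumptions; the exit-code meanings (0 all pass, 1 error, 2 at least one rule failed) follow the oscap man page.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSCAP itself.
# Runs the scan from the report under a virtual-memory cap so that oscap
# fails on allocation instead of freezing the whole host.

XCCDF_URL="http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml"
XCCDF_FILE="com.redhat.rhsa-all.xccdf.xml"

# run_with_mem_cap CAP_KIB COMMAND...
# Run COMMAND in a subshell whose address space (RLIMIT_AS) is capped at
# CAP_KIB KiB. The function's status is COMMAND's exit status.
run_with_mem_cap() {
    cap_kib=$1
    shift
    ( ulimit -v "$cap_kib" && exec "$@" )
}

# run_scan MODE CAP_KIB
# MODE "oval" keeps --oval-results (the path that builds an ARF internally);
# MODE "xccdf" drops it, which is the workaround when only XCCDF results
# and the HTML report are needed.
run_scan() {
    mode=$1
    cap_kib=$2
    if [ "$mode" = "oval" ]; then
        run_with_mem_cap "$cap_kib" oscap xccdf eval --oval-results \
            --results results.xml --report report.html "$XCCDF_FILE"
    else
        run_with_mem_cap "$cap_kib" oscap xccdf eval \
            --results results.xml --report report.html "$XCCDF_FILE"
    fi
}

# describe_status RC
# Translate an oscap exit status: 2 is a normal completion with failing
# rules, not a crash; 1 is an error (under a cap, usually ENOMEM); >128
# means the process was killed by a signal.
describe_status() {
    case "$1" in
        0) echo "finished, all rules passed" ;;
        2) echo "finished, at least one rule failed (not a crash)" ;;
        1) echo "error (under a memory cap, usually an allocation failure)" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "killed by signal $(( $1 - 128 ))"
            else
                echo "unexpected status $1"
            fi
            ;;
    esac
}

# convert_to_xccdf12 IN OUT
# Apply the 1.1 -> 1.2 stylesheet the warning mentions. The path is an
# assumption about where the OpenSCAP package installs its XSL files.
convert_to_xccdf12() {
    xsltproc --output "$2" /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl "$1"
}

main() {
    mode=${1:-oval}
    [ -f "$XCCDF_FILE" ] || wget -q "$XCCDF_URL"
    # 1.5 GiB (assumed) leaves headroom on the 2 GiB host from the report.
    run_scan "$mode" 1572864
    rc=$?
    echo "oscap: $(describe_status "$rc")"
    [ -f results.xml ] && echo "results.xml present"
    [ -f report.html ] && echo "report.html present"
    return "$rc"
}

case "${1:-}" in
    oval|xccdf) main "$1" ;;
esac
```

Run it as `sh reproduce.sh oval` to exercise the '--oval-results' path under the cap, or `sh reproduce.sh xccdf` to check that the plain XCCDF path completes on the same host; a status of 2 only means some rules failed, which is the normal outcome of evaluating the RHSA benchmark.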
https://github.com/OpenSCAP/openscap/pull/812 is a partial fix merged upstream.
The issue is not resolved completely, but the 1.2.16 release for 7.5 should perform better in this regard.
The complete fix is not available yet, so I am postponing this to 7.6
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.