Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1485876 - oscap might run out of memory, when scanning for CVE vulnerabilities
Summary: oscap might run out of memory, when scanning for CVE vulnerabilities
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openscap
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2017-08-28 10:50 UTC by Marek Haicman
Modified: 2019-03-12 14:31 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-03-12 14:31:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Marek Haicman 2017-08-28 10:50:42 UTC
Description of problem:
When scan is performed based on http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml scanner might run out of memory when composing results.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. prepare machine with 2 gigs of RAM
1. wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
2. oscap xccdf eval --oval-results --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml

Actual results:
Evaluation is performed (output on screen), but then machine freeze being out of memory.

Expected results:
Evaluation is performed and command exits successfully, with report and results files present in the directory

Additional info:

Comment 2 Jan Černý 2017-08-28 11:31:19 UTC
I have noticed that we can be ineffective when we generate an report with OVAL details (in other words when '--oval-results' is used).

If '--oval-results' is requested, we internally create an ARF. We do it this way: We create a new source datastream, then we internally save it as a file into a temporary directory. The we load this source datastream again, and we build from it and from results an ARF. 

See functions xccdf_session_export_xccdf and namely xccdf_session_create_arf_source in src/XCCDF/xccdf_session.c.

I think it should be possible to get all the data from the memory.

Moreover, it shows a warning:

W: oscap: Exporting ARF from XCCDF 1.1 is not allowed by SCAP specification. The resulting ARF will not validate. Convert the input to XCCDF 1.2 to get valid ARF results. The xccdf_1.1_to_1.2.xsl transformation.that ships with OpenSCAP can do that automatically.

This warning was confusing for me because the reproducer command 2 doesn't want to create ARF, but only XCCDF result. User can't know that we create ARF internally.

Comment 3 Martin Preisler 2017-09-06 15:49:34 UTC
https://github.com/OpenSCAP/openscap/pull/812 is a partial fix merged upstream.

Comment 4 Matěj Týč 2017-11-23 15:31:12 UTC
The issue is not resolved completely, but the 1.2.16 release for 7.5 should perform better in this regard.
The complete fix is not available yet, so I am postponing this to 7.6

Comment 5 Marek Haicman 2019-03-12 14:31:41 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Note You need to log in before you can comment on or make changes to this bug.