Red Hat Bugzilla – Bug 599093
XCCDF: xccdf_fix_get_content does not return dereferenced sub element
Last modified: 2011-03-21 23:47:00 EDT
Description of problem:
The <fix> element within an XCCDF Rule allows for a <sub /> element for referencing values. In openscap, the xccdf_fix_get_content() function uses a MACRO to define this function. This fails to dereference the <sub /> element.
When using xccdf_fix_get_content(), it will only return a string up-to the <sub/> element, and nothing else.
This problem will also occur in the associated clone function.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Dereference the <sub/> element and return the string + any referenced values.
The problem is that the model itself (i.e. xccdf_benchmark and its sub-structures) represents a static in-memory representation of a XCCDF document. If <sub/> element points to a XCCDF Value element, its true value (i.e. text to be substituted) depends on selector being set on the value, which in turn depends on selected XCCDF Profile, so it is intentional that the text returns verbatim 'unexpanded' piece of XML.
Note: You may have noticed that xccdf_value maintains an "active selector". This pseudofeature kind of breaks stateless-ness and purity of the data model and will be removed soon (patches are already on the way).
View at a model with respect to a profile is called xccdf_policy in OpenScap terminology. Therefore, expanding <sub/> elements should be done on the policy level of the API.
So there are actually two separate issues:
1. xccdf_fix_get_content should return full contents of the element, it shouldn't stop at the first <sub/> element. This is a bug.
2. xccdf_policy is not able to substitute <sub/> elements. This is a missing feature.
1. Fix issue #1 (I'll do it. :))
2. Implement feature #2, function could look like this:
char *xccdf_expand(xccdf_policy *policy, const char *input);
It returns a newly allocated string with all <sub/> elements in input being substituted with proper values with respect to given policy (i.e. roughly a xccdf profile).
char *fix_content = xccdf_expand(my_policy, xccdf_fix_get_content(my_fix));
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.
More information and reason for this action is here:
This issue has been resolved by commits 970f353d32 and fd3c41a1277 by adding following function:
char* xccdf_policy_substitute(const char *text, struct xccdf_policy *policy);
Which would return a string 'text' with substitutions being replaced with actual values with respect to given XCCDF policy.
these changes will be available in new openscap release 0.7.1 which is planned for this week.
openscap-0.7.1-1.fc15 has been submitted as an update for Fedora 15.
openscap-0.7.1-1.fc14 has been submitted as an update for Fedora 14.
openscap-0.7.1-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
openscap-0.7.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.