Bug 860984 - USGCB and SSG OVAL results validation issues
Summary: USGCB and SSG OVAL results validation issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openscap
Version: 6.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Šimon Lukašík
QA Contact: Lukas "krteknet" Novy
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-27 09:15 UTC by Ondrej Moriš
Modified: 2015-05-04 12:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 09:43:27 UTC
Target Upstream Version:
Embargoed:


Attachments
USGCB OVAL results (1.05 MB, application/xml)
2012-09-27 09:16 UTC, Ondrej Moriš
SSG OVAL results (1.49 MB, application/xml)
2012-09-27 09:16 UTC, Ondrej Moriš
XCCDF content built from current SSG HEAD (1.12 MB, text/xml)
2013-09-25 14:43 UTC, Lukas "krteknet" Novy
SSG OVAL results (1.39 MB, text/xml)
2013-09-25 14:46 UTC, Lukas "krteknet" Novy
build SSG at 0ecda1bbeb735145801518aa19422668514b7960 (886.04 KB, application/x-gzip)
2013-09-27 14:47 UTC, Lukas "krteknet" Novy


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1590 0 normal SHIPPED_LIVE openscap bug fix and enhancement update 2013-11-20 21:39:32 UTC

Description Ondrej Moriš 2012-09-27 09:15:18 UTC
Description of problem:

Please see attached results XML files. On RHEL6.3 with openscap-0.9.0-1.el6 I have got the following validation issues:

USGCB:

# oscap oval validate-xml --results --schematron usgcb-rhel5desktop-oval.xml.result.xml
xmlXPathCompOpEval: function exists not found
XPath error : Unregistered function
xmlXPathCompiledEval: 1 objects left on the stack.

(but exit code is 0, so it actually might not be a problem)

SSG:

# oscap oval validate-xml --results --schematron rhel6-oval-scap-security-guide.xml.result.xml
<?xml version="1.0"?>
oval:scap-security-guide:tst:440 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:439 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:390 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:293 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1456 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1394 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1206 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1205 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:var:2721 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2708 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2704 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2696 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2685 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2684 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2680 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2679 - inconsistent datatype between the variable and an associated var_ref

oscap was unable to validate the XML document you provided.
Please ensure that the XML document is valid and well-formed, and try again.

(exit code is 2)
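
The Schematron complaints in this bug can be reproduced on content before it is shipped. The following is an added example, not OpenSCAP or OVAL project code: a simplified Python re-implementation of the two messages above plus the var_check message reported later in this bug. The rule logic is inferred from the message text, entity datatype is assumed to default to "string", and the sample document, the `oval:example:*` IDs and the function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: minimal OVAL definitions with one instance of each problem
# and one clean test/state pair that must not be reported.
SAMPLE = """<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <tests>
    <ind:textfilecontent54_test id="oval:example:tst:1" version="1" check="all"
        check_existence="none_exist" comment="constructed">
      <ind:object object_ref="oval:example:obj:1"/>
      <ind:state state_ref="oval:example:ste:1"/>
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_test id="oval:example:tst:2" version="1" check="all"
        check_existence="none_exist" comment="constructed">
      <ind:object object_ref="oval:example:obj:1"/>
    </ind:textfilecontent54_test>
  </tests>
  <states>
    <ind:textfilecontent54_state id="oval:example:ste:1" version="1">
      <ind:subexpression datatype="int" var_ref="oval:example:var:1"/>
    </ind:textfilecontent54_state>
    <ind:textfilecontent54_state id="oval:example:ste:2" version="1">
      <ind:subexpression var_ref="oval:example:var:1" var_check="all"/>
    </ind:textfilecontent54_state>
  </states>
  <variables>
    <external_variable id="oval:example:var:1" version="1"
        datatype="string" comment="constructed"/>
  </variables>
</oval_definitions>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def children_of(root, container):
    """Yield the items inside every <tests>, <states>, <objects> or <variables>."""
    for elem in root.iter():
        if local(elem.tag) == container:
            yield from elem


def lint_oval(xml_text):
    """Return (oval_id, rule) findings for the three rules seen in this bug."""
    # ElementTree does not fetch external entities; parse only content you trust.
    root = ET.fromstring(xml_text)
    findings = []

    # "No state should be referenced when check_existence has a value of 'none_exist'."
    for test in children_of(root, "tests"):
        has_state = any(local(child.tag) == "state" for child in test)
        if test.get("check_existence") == "none_exist" and has_state:
            findings.append((test.get("id"), "state-with-none_exist"))

    # Variable datatypes, keyed by variable id, for the datatype comparison.
    var_types = {v.get("id"): v.get("datatype")
                 for v in children_of(root, "variables")}
    mismatched = set()

    for container in ("objects", "states"):
        for item in children_of(root, container):
            for entity in item.iter():
                ref = entity.get("var_ref")
                if ref is None:
                    continue
                # "a var_ref has been supplied ... so a var_check should also be provided"
                if entity.get("var_check") is None:
                    findings.append(
                        (item.get("id"), "var_ref-without-var_check:" + local(entity.tag)))
                # "inconsistent datatype between the variable and an associated var_ref"
                # (assumption: an entity without a datatype attribute is a string)
                if ref in var_types and entity.get("datatype", "string") != var_types[ref]:
                    mismatched.add(ref)

    # The datatype message is reported against the variable id, once per variable.
    findings.extend((var_id, "inconsistent-datatype") for var_id in sorted(mismatched))
    return findings


if __name__ == "__main__":
    for oval_id, rule in lint_oval(SAMPLE):
        print(oval_id, "-", rule)
```
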

Comment 1 Ondrej Moriš 2012-09-27 09:16:06 UTC
Created attachment 617956 [details]
USGCB OVAL results

Comment 2 Ondrej Moriš 2012-09-27 09:16:56 UTC
Created attachment 617958 [details]
SSG OVAL results

Comment 4 RHEL Program Management 2012-12-14 07:00:19 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 7 Šimon Lukašík 2013-08-06 12:44:22 UTC
> seem to be fixed in the upstream.

openscap.git 742f2bc8650dbdcbd27735e554557e8dc51b21c6

Comment 9 Lukas "krteknet" Novy 2013-09-25 13:08:19 UTC
Testing blocked: https://fedorahosted.org/scap-security-guide/ticket/416

Comment 10 Lukas "krteknet" Novy 2013-09-25 13:35:34 UTC
As the type of error described in the ticket linked in comment 9 has no important effect on the evaluation of the xccdf content as a whole, this is not a testblocker, my fault, sorry.

Comment 11 Lukas "krteknet" Novy 2013-09-25 13:56:44 UTC
Validating the OVAL results attached to comment 1 and comment 2 with openscap-0.9.12-1.el6 gives these outputs:

$ oscap oval validate-xml --results --schematron usgcb-rhel5desktop-oval.xml.result.xml 
<?xml version="1.0"?>
oval:gov.nist.usgcb.rhel:ste:20354 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20353 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20352 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20351 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20350 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20349 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20348 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20347 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20346 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20330 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20328 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20327 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20326 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20325 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20324 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20315 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20246 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20239 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20228 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20227 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20226 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20225 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20224 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20213 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20210 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20145 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20144 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20143 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20142 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20141 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20140 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20139 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20134 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20126 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20125 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20124 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20123 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20122 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20121 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20120 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20119 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20118 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20117 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20116 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20115 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20107 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20106 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20103 - a var_ref has been supplied for the ind-def:value_of entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20102 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20100 - a var_ref has been supplied for the ind-def:value_of entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20094 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20087 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:200842 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:200833 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20082 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:200803 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:200802 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20071 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20053 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20045 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20044 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20043 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:uread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:uwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:uexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:gread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:gwrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:gexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:oread entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:owrite entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:20042 - a var_ref has been supplied for the unix-def:oexec entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:141130 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100006 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100005 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100003 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100002 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100001 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided
oval:gov.nist.usgcb.rhel:ste:100000 - a var_ref has been supplied for the ind-def:subexpression entity so a var_check should also be provided

Invalid OVAL Results content(5.8) in usgcb-rhel5desktop-oval.xml.result.xml.



$ oscap oval validate-xml --results --schematron rhel6-oval-scap-security-guide.xml.result.xml 
<?xml version="1.0"?>
oval:scap-security-guide:tst:440 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:439 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:390 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:293 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1456 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1394 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1206 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1205 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:var:2721 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2708 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2704 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2696 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2685 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2684 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2680 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2679 - inconsistent datatype between the variable and an associated var_ref

Invalid OVAL Results content(5.10) in rhel6-oval-scap-security-guide.xml.result.xml.


Exit codes in both cases equal 2. My bet is, this means no error in the tool but in the results themselves; could you please confirm that?

What are the valid outcomes for this bug to be verified? 
My guess is, the oval result validation works ok if either of these is true:
1. oscap oval validate-xml --results --schematron results.xml returns 0, no output is printed and result.xml is known to be valid
2. oscap oval validate-xml --results --schematron results.xml returns 2, results.xml is known not to be valid and errors are therefore printed

Are there any other possibilities? Should I check for some other assertion regarding the two situations I described?

Thanks.

Comment 12 Šimon Lukašík 2013-09-25 14:33:25 UTC
The result you get is expected.

Please disregard attachments from comment 1 and comment 2.

These files have been generated with an older (buggy) version of OpenSCAP.
The new version creates slightly different files which are more
valid.

Could you please use the new OpenSCAP package set to generate new result
files? Then, if these validate, we have improved the world.

Comment 13 Šimon Lukašík 2013-09-25 14:39:37 UTC
(In reply to Lukas -krtek.net- Novy from comment #11)
> 
> Exit codes in both cases equal 2. My bet is, this means no error in the tool
> but in the results themselves; could you please confirm that?

The

    $ man oscap

teaches us that

    Validate given OVAL file against a XML schema. Every found error 
    is printed to the standard error. Return code is 0 if validation
    succeeds, 1 if validation could not be performed due to some error,
    2 if the OVAL document is not valid.

> 
> What are the valid outcomes for this bug to be verified? 
> My guess is, the oval result validation works ok if either of these is true:
> 1. oscap oval validate-xml --results --schematron results.xml returns 0, no
> output is printed and result.xml is known to be valid
> 2. oscap oval validate-xml --results --schematron results.xml returns 2,
> results.xml is known not to be valid and errors are therefore printed
> 

For this bug report we require oscap-oval-validate to return 0.

Basically, there were two problems described in comment 0.

 - (1) Our schematron validation used an incorrect, non-existent
       function (`exists`). That caused any --schematron validation
       to fail.
 - (2) We have exported invalid OVAL results (as attached in comment 1
       and 2). We have improved our exporting code to export more
       compliant result files.
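
The exit-code contract quoted from the man page above, and the two acceptable outcomes proposed in comment 11, can be checked mechanically. The following Python script is an added example, not part of the bug report or of OpenSCAP; its function names and the regular expression for finding lines are assumptions, and the sample text is abridged from output pasted later in this report.

```python
import re
import subprocess
from collections import Counter

# Exit codes of "oscap oval validate-xml" as quoted from the man page in comment 13.
EXIT_MEANING = {
    0: "valid",
    1: "validation could not be performed",
    2: "document is not valid",
}

# One Schematron finding per line: "<OVAL id> - <message>".
# The id layout (oval:<namespace>:<kind>:<number>) is taken from the pasted output.
FINDING = re.compile(r"^(oval:[A-Za-z0-9_.\-]+:(def|tst|obj|ste|var):\d+) - (.+)$")

# Sample abridged from the validation output pasted in this report.
SAMPLE = """<?xml version="1.0"?>
oval:scap-security-guide:tst:793 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:792 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:var:2704 - inconsistent datatype between the variable and an associated var_ref

Invalid OVAL Results content(5.10) in rhel6-oval-scap-security-guide.xml.result.xml.
"""


def parse_findings(output):
    """Return (oval_id, kind, message) per finding line; banner lines are skipped."""
    findings = []
    for line in output.splitlines():
        match = FINDING.match(line.strip())
        if match:
            findings.append((match.group(1), match.group(2), match.group(3)))
    return findings


def summarize(exit_code, output):
    """Combine the exit code with the parsed findings into one verdict."""
    findings = parse_findings(output)
    # The two outcomes from comment 11: exit 0 with no findings, or exit 2 with findings.
    # Anything else (exit 1, exit 0 with findings, exit 2 without) needs a human look.
    matches = (exit_code == 0 and not findings) or (exit_code == 2 and bool(findings))
    return {
        "verdict": EXIT_MEANING.get(exit_code, "unexpected exit code"),
        "findings": len(findings),
        "by_kind": dict(Counter(kind for _, kind, _ in findings)),
        "by_message": dict(Counter(msg for _, _, msg in findings)),
        "matches_expected": bool(matches),
    }


def run_validation(path):
    """Run the command used throughout this report and summarize its result."""
    proc = subprocess.run(
        ["oscap", "oval", "validate-xml", "--results", "--schematron", path],
        capture_output=True, text=True,
    )
    # The man page says errors go to stderr; both streams are parsed to be safe.
    return summarize(proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    report = summarize(2, SAMPLE)
    print(report["verdict"], report["findings"], report["by_kind"])
    for message, count in report["by_message"].items():
        print(f"{count:4d}  {message}")
```

Grouping by message and by id kind makes it easier to see which findings repeat across a results file before deciding whether they come from the content or from the tool.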

Comment 14 Lukas "krteknet" Novy 2013-09-25 14:43:16 UTC
Created attachment 802896 [details]
XCCDF content built from current SSG HEAD

Built by issuing make in RHEL6 directory of
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=27a6a0a90454d660b57c1262821db2a968246938 tree

Comment 16 Lukas "krteknet" Novy 2013-09-25 14:46:36 UTC
Created attachment 802898 [details]
SSG OVAL results

From evaluation of 'common' profile of XCCDF content
# oscap xccdf eval --profile common --results ssg-xccdf-results.xml --oval-results ssg/RHEL6/output/ssg-rhel6-xccdf.xml

Comment 17 Lukas "krteknet" Novy 2013-09-25 14:47:58 UTC
Validating OVAL results from comment 16 gains this output:

$ oscap oval validate-xml --results --schematron ssg-rhel6-oval.xml.result.xml
<?xml version="1.0"?>
oval:ssg:obj:1360 - The datatype for the ind-def:pid entity is 'int' but the value is not an integer.

Invalid OVAL Results content(5.10) in ssg-rhel6-oval.xml.result.xml.
$ echo $?
2

Comment 18 Lukas "krteknet" Novy 2013-09-25 14:53:16 UTC
Validation of OVAL results from evaluation of USGCB RHEL5 v. 1.0.5.0 gains no errors:

$ oscap oval validate-xml --results --schematron usgcb-rhel5desktop-oval.xml.result.xml
$ echo $?
0

We are almost there guys :)

Comment 20 Šimon Lukašík 2013-09-25 15:08:50 UTC
(In reply to Lukas -krtek.net- Novy from comment #17)
> $ oscap oval validate-xml --results --schematron
> ssg-rhel6-oval.xml.result.xml
> <?xml version="1.0"?>
> oval:ssg:obj:1360 - The datatype for the ind-def:pid entity is 'int' but the
> value is not an integer.

This is a bug. Very nice!

We are interested in fixing it. Although, I would rather consider this
to be a new bug. It is a different scenario (different input), under which
OpenSCAP exports invalid OVAL results.

Comment 22 Lukas "krteknet" Novy 2013-09-25 15:28:27 UTC
As of this bug, the USGCB OVAL results validation part is clearly fixed and verifiable. But for the SSG part to be verified either:
1. I need a SSG OVAL results file that fails validation on old oscap but passes on the new version of it.
or
2. I need a SSG XCCDF content that can be evaluated into invalid OVAL results with the old version and into valid OVAL results with new one.
or
3. I can use content attached to comment 14 as it (probably) generates invalid results file on the old version and will generate valid one when the issue from comment 17 is fixed.

I guess number 1 is not going to happen, so either we can get our hands on a content for number 2 and I will file a new bug for the comment 14 issue or we will go with the option number 3 and I will just switch this bug back to ASSIGNED.

Up to you :)

Comment 23 Šimon Lukašík 2013-09-26 09:43:44 UTC
(In reply to Lukas -krtek.net- Novy from comment #22)
> As of this bug, the USGCB OVAL results validation part is clearly fixed and
> verifiable. But for the SSG part to be verified either:

That's right.

> 1. I need a SSG OVAL results file that fails validation on old oscap but
> passes on the new version of it.

You can't have this for SSG. The SSG OVAL results are either correct
(compliant to validation requirement) or not. The problem with SSG was
that openscap has exported incorrect results.


> or
> 2. I need a SSG XCCDF content that can be evaluated into invalid OVAL
> results with the old version and into valid OVAL results with new one.

Yep, you can have this if you fetch scap-security-guide from around the
2012-09-27 date. Run this through the older and newer package sets. You'll
see the difference.

> or
> 3. I can use content attached to comment 14 as it (probably) generates
> invalid results file on the old version and will generate valid one when the
> issue from comment 17 is fixed.
> 

Alternatively, you can take the current scap-security-guide content and work around
the new bug (you described in comment 17). That can be done by the following patch
applied to the OVAL Definitions file: ssg-rhel6-oval.xml (not the results file).

 -       <ind:pid xsi:nil="true" datatype="int"/>
 +       <ind:pid datatype="int">42</ind:pid>
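
Review bot: on the `+` line, the literal 42 replaces a nil pid with one specific process ID, so the object no longer asks for the same thing as the nil form and evaluation results of any test built on it are not comparable with the unpatched content. The patch should say explicitly that it is a validation-only workaround, applied to a scratch copy of ssg-rhel6-oval.xml, and that the results file has to be regenerated from the patched definitions before re-running the --schematron validation.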

That way you can verify that other things (except for comment 7) are fixed.

> I guess number 1 is not going to happen, so either we can get our hands on a
> content for number 2 and I will file a new bug for the comment 14 issue or
> we will go with the option number 3 and I will just switch this bug back to
> ASSIGNED.
> 
> Up to you :)

Comment 24 Lukas "krteknet" Novy 2013-09-27 14:47:43 UTC
Created attachment 803981 [details]
build SSG at 0ecda1bbeb735145801518aa19422668514b7960

Comment 26 Lukas "krteknet" Novy 2013-09-27 14:56:35 UTC
We will go with option number 2.

Using SSG at commit 0ecda1bbeb735145801518aa19422668514b7960 as suggested in comment 23 fails verification of version 0.9.12(new) against 0.9.3(old):

$ oscap oval validate-xml --results --schematron rhel6-oval-scap-security-guide.xml.result.xml
<?xml version="1.0"?>
oval:scap-security-guide:tst:793 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:792 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:501 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:338 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:337 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:320 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1428 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1016 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide:var:2704 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2696 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2695 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2686 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2685 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2684 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2683 - inconsistent datatype between the variable and an associated var_ref
oval:scap-security-guide:var:2681 - inconsistent datatype between the variable and an associated var_ref

Invalid OVAL Results content(5.10) in rhel6-oval-scap-security-guide.xml.result.xml.

$ diff {old,new}/validate.log
[no differences are printed]
$ diff {old,new}/eval.log
43d42
< Ident (null)
103d101
< Ident (null)
108d105
< Ident (null)
113d109
< Ident (null)
118d113
< Ident (null)
463d457
< Ident (null)
468d461
< Ident (null)
473d465
< Ident (null)
478d469
< Ident (null)
935c926
< ResultOpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1851]
---
> ResultOpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1903]


$ diff {old,new}/version.txt
1,2c1,2
< OSCAP util (oscap) 0.9.3
< Copyright 2009-2012 Red Hat Inc., Durham, North Carolina.
---
> OpenSCAP command line tool (oscap) 0.9.12
> Copyright 2009--2013 Red Hat Inc., Durham, North Carolina.
19a20
> Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
21a23
> Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
24a27,30
> Fedora 19 - cpe:/o:fedoraproject:fedora:19
> Fedora 20 - cpe:/o:fedoraproject:fedora:20
> Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
> Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5

Comment 27 Lukas "krteknet" Novy 2013-09-27 15:17:19 UTC
New bug created: Bug 1013011 - SSG OVAL results validation issue: ind-def:pid datatype

Comment 28 Šimon Lukašík 2013-09-30 07:15:02 UTC
(In reply to Lukas -krtek.net- Novy from comment #26)
> We will go with option number 2.
> 
> Using SSG at commit 0ecda1bbeb735145801518aa19422668514b7960 as suggested in
> comment 23 fails verification of version 0.9.12(new) against 0.9.3(old):
> 

Lukas, am I right in supposing that you have used openscap 0.9.3 to generate
the rhel6-oval-scap-security-guide.xml.result.xml file from scap-security-guide
at 0ecda1bbeb735145801518aa19422668514b7960? And then you ran the following
command

> $ oscap oval validate-xml --results --schematron
> rhel6-oval-scap-security-guide.xml.result.xml

on openscap 0.9.12?

Thanks for confirmation.

Comment 29 Lukas "krteknet" Novy 2013-09-30 07:23:35 UTC
I've run evaluation and validation independently on both 0.9.3 and 0.9.12

Comment 30 Šimon Lukašík 2013-09-30 07:55:29 UTC
(In reply to Lukas -krtek.net- Novy from comment #26)

> oval:scap-security-guide:var:2704 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2696 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2695 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2686 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2685 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2684 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2683 - inconsistent datatype between the
> variable and an associated var_ref
> oval:scap-security-guide:var:2681 - inconsistent datatype between the
> variable and an associated var_ref

These are problems in scap-security-guide. Unrelated to OpenSCAP. I have
fixed these issues in June, in scap-security-guide commit:

https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=2ddbbb7d598417e5fb529381bf9fb52837d3c775

Comment 31 Lukas "krteknet" Novy 2013-09-30 08:00:18 UTC
Okay, we can ignore that. How about the 'No state should be referenced when check_existence has a value of 'none_exist''?

Comment 32 Šimon Lukašík 2013-09-30 08:12:47 UTC
(In reply to Lukas -krtek.net- Novy from comment #26)

> oval:scap-security-guide:tst:793 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:792 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:501 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:338 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:337 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:320 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:1428 - No state should be referenced when
> check_existence has a value of 'none_exist'.
> oval:scap-security-guide:tst:1016 - No state should be referenced when
> check_existence has a value of 'none_exist'.

These are problems in scap-security-guide. Unrelated to OpenSCAP. They
have been fixed this June in scap-security-guide. Commits:

https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=fe7008e4fc74a7474fa9640dd04839cc70fe037b
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=73f5ddcb58cd5c2c343396f5fdc3ae1773947c02
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=6699d5a7fb8bc07267c1ee32e99f6a202313735c
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=8f89e008dbfd7b7766af20e071f00775281f1241
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a8b3a2b7f1fab376762478284f6217e74af4974a

Comment 33 Lukas "krteknet" Novy 2013-09-30 08:25:30 UTC
So, this bug actually fixes only the USGCB OVAL results validation part? This is inconsistent with your reaction in comment 23.

> > 2. I need a SSG XCCDF content that can be evaluated into invalid OVAL
> > results with the old version and into valid OVAL results with new one.

> Yep, You can have this if you fetch scap-security-guide from around 
> 2012-09-27 date. Run this through older and newer package set. You'll
> see the difference.

Comment 34 Šimon Lukašík 2013-09-30 08:30:26 UTC
Provided comment 30 and comment 32, we are unable to find a version
of scap-security-guide which is compliant with OVAL-Results XSD.

Given the confusion made by recurring scap-security-guide issues,
pasted here many times, we should remind ourselves what has been
fixed as a part of this bugzilla:

 - First, it was the incorrect validation procedure. This issue has
   been triggered on USGCB content.

https://git.fedorahosted.org/cgit/openscap.git/commit/?id=742f2bc8650dbdcbd27735e554557e8dc51b21c6
https://git.fedorahosted.org/cgit/openscap.git/commit/?id=1191adbd43add15050d2bc0599c0ae23492ed259

 - Second, it was the export of OVAL results; this issue has been
   triggered by SSG content.

https://git.fedorahosted.org/cgit/openscap.git/commit/?id=541a45f8f2eca2b9c6d6dc156d1f46dd968d10da

Comment 38 Šimon Lukašík 2013-09-30 12:50:48 UTC
Great! Anyway, I highly appreciate good arguing and that you have
found bug 1013011! Thanks!

Also, I am sorry that I led you through verification of SSG content,
because comment 0 confused me, and I forgot that it was not an OpenSCAP bug.

Comment 42 errata-xmlrpc 2013-11-21 09:43:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1590.html

