CISecurity / OVALRepo


Possibly incorrect product version check in oval:org.cisecurity:def:1450 #1348

Open vinhcomputer opened 6 years ago

vinhcomputer commented 6 years ago

In the criteria of definition "oval:org.cisecurity:def:1450", there is a criterion:

The referred test uses state "oval:org.cisecurity:ste:1692":

7.01.1056

The product version used to test is "7.01.1056". The information of the particular vbe7.dll on my machine is:

However, this file still makes the test return "true" because, as I found out using a tool to read the file version and product version of this vbe7.dll, the real product version the OVAL Interpreter used to test is "7.1.10.68":

File version: 7.1.10.68
Product version: 7.1.10.68
File version string: 7.01.1068
Product version string: 7.01.1068

It seems that on Windows, product/file version can exist in two forms: string and fixed parts. The string form is to display information to the user, can contain arbitrary content, and is used by Windows Explorer to display file properties. The fixed parts form is used by installers (machines) to decide whether a file needs to be upgraded or not, and only contains numbers that are separated by '.'. These two forms can contain different version information in some rare cases (mainly due to the developer of the file), such as the case above. The comments of the accepted answer in this link also talk about the difference between those two forms: https://stackoverflow.com/questions/45504622/programmatically-get-the-productversion-of-exe-using-getfileversioninfo-api-c

Since the "version" datatype in OVAL accepts only numbers between separation characters, I believe OVAL uses the fixed parts form. It seems that the criterion, test and state above use information in the string form that's displayed by Windows Explorer instead of the fixed form that is supposed to be processed by machine, and this creates a false positive case. Could you please check it? I also think that other criteria, tests and states this definition uses only have this problem. Thank you.

Memnarch commented 6 years ago

Can you check the results.xml and generated system_characteristics.xml of Ovaldi? From what it looks like, it properly accesses the StringFileInfo. Maybe you can attach the dll here? Curious.

EDIT: on my machine VBE7.dll looks like this:

FileVersion: 7.1.10.48
ProductVersion: 7.01.1048

Using GetFileVersionInfo and VerQueryValue for ProductVersion (stringtable) and VerQueryValue to extract the VS_FIXEDFILEINFO structure for FileVersion, I get the exact same values. Currently I'd consider it to be a BUG in Ovaldi if ProductVersion does not match what is displayed by Windows (as ProductVersion is in the Stringtable).

Regarding fixed versions and strings: if I read the OVAL specification correctly, an Interpreter is supposed to parse a string that is declared as "version" only accounting for numerical chars, and each non-numerical char is considered a separator (parsing searches for the first number before starting, to omit prefixes like "beta" or whatever the dev slapped in front of it).
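To make the two comments above concrete, the following added example (not code from the OVALRepo project or from either commenter) decodes the VS_FIXEDFILEINFO version DWORDs into the dotted numeric form, parses strings the way the OVAL "version" datatype is described in the thread, and compares the values quoted in the report against the state value "7.01.1056". The DWORD pair and the use of a "less than" state operation are assumptions chosen to reproduce the reported outcome; the thread does not show the state's operation attribute.

```python
import re

# Values quoted in the issue thread (constructed sample input for this example).
STATE_VERSION = "7.01.1056"   # content of oval:org.cisecurity:ste:1692
FIXED_FORM = "7.1.10.68"      # numeric VS_FIXEDFILEINFO product version, as reported
STRING_FORM = "7.01.1068"     # StringFileInfo ProductVersion shown by Explorer


def fixed_info_to_version(version_ms: int, version_ls: int) -> str:
    """Decode dwProductVersionMS/dwProductVersionLS (or the FileVersion pair)
    from VS_FIXEDFILEINFO into 'major.minor.build.revision'. Each part is a
    16-bit field, so this form can never carry zero padding or free text."""
    parts = (version_ms >> 16, version_ms & 0xFFFF,
             version_ls >> 16, version_ls & 0xFFFF)
    return ".".join(str(p) for p in parts)


def parse_oval_version(text: str) -> list[int]:
    """OVAL 'version' parsing as described in the thread: any leading
    non-numeric prefix is skipped, every run of digits is one component and
    every run of non-digits is a separator ('7.01.1056' -> [7, 1, 1056])."""
    return [int(run) for run in re.findall(r"\d+", text)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; a shorter version is padded
    with zero components so '7.1' equals '7.1.0'."""
    pa, pb = parse_oval_version(a), parse_oval_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def state_matches(installed: str, state_value: str = STATE_VERSION) -> bool:
    """Evaluate an assumed 'less than' version state (hypothetical operation):
    True means the test would report the file as older than the state value."""
    return compare_versions(installed, state_value) < 0


if __name__ == "__main__":
    # Assumed DWORD pair that decodes to the reported fixed form 7.1.10.68.
    print(fixed_info_to_version(0x00070001, 0x000A0044))
    for label, value in (("fixed", FIXED_FORM), ("string", STRING_FORM)):
        # The fixed form matches (10 < 1056), the string form does not (1068 >= 1056).
        print(f"{label} {value} < {STATE_VERSION}: {state_matches(value)}")
```

Run on the values from the thread, the numeric form evaluates as older than the state (its third component 10 is compared against 1056) while the Explorer string form does not, which is the false positive the report describes.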

ronl commented 3 years ago

@vinhcomputer ... curious if you have any update on this issue?