ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

CPE seems to be broken on group/rule level #9482

Closed ggbecker closed 2 years ago

ggbecker commented 2 years ago

Description of problem:

:: [ 10:24:59 ] :: [   PASS   ] :: Uninstall postfix package (Expected 0, got 0)
:: [ 10:24:59 ] :: [  BEGIN   ] :: Scanning postfix rules without installed postfix :: actually running 'oscap xccdf eval --progress /tmp/tmp.5BxKguE6rF/ssg-rhel8-xccdf.xml'
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost:notchecked
xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled:pass
xccdf_org.ssgproject.content_rule_postfix_server_banner:fail
xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay:fail
:: [ 10:25:04 ] :: [   PASS   ] :: Scanning postfix rules without installed postfix (Expected 0,2, got 2)
:: [ 10:25:04 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.zPkDSqS2' should contain ':notapplicable' 
xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled:pass
xccdf_org.ssgproject.content_rule_postfix_server_banner:fail
xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay:fail
:: [ 10:25:04 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.zPkDSqS2' should not contain '(:pass|:fail|:error)' 

Rules that should be evaluated as notapplicable are returning fail/pass.

Potentially related to https://github.com/ComplianceAsCode/content/pull/9465

ggbecker commented 2 years ago

Apparently there's even more and on a rule level as well:

:: [ 04:25:00 ] :: [  BEGIN   ] :: Testing 'xccdf_org.ssgproject.content_rule_audit_delete_success_ppc64le' applicability on x86_64 :: actually running 'oscap xccdf eval --progress --profile '(all)' --rule xccdf_org.ssgproject.content_rule_audit_delete_success_ppc64le /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 1>std.out 2>std.err'
:: [ 04:25:02 ] :: [   PASS   ] :: Testing 'xccdf_org.ssgproject.content_rule_audit_delete_success_ppc64le' applicability on x86_64 (Expected 0,2, got 2)
:: [ 04:25:02 ] :: [  BEGIN   ] :: Running 'cat std.out'
xccdf_org.ssgproject.content_rule_audit_delete_success_ppc64le:fail
:: [ 04:25:02 ] :: [   PASS   ] :: Command 'cat std.out' (Expected 0, got 0)
:: [ 04:25:02 ] :: [   PASS   ] :: File 'std.err' should not contain '(^E:|error)' 
:: [ 04:25:02 ] :: [   FAIL   ] :: File 'std.out' should contain 'xccdf_org.ssgproject.content_rule_audit_delete_success_ppc64le:notapplicable$' 
ggbecker commented 2 years ago

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Verify there are no unexpected rules with info severity in OSPP profile
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

xccdf_org.ssgproject.content_rule_audit_access_success_aarch64:informational
xccdf_org.ssgproject.content_rule_audit_access_success_ppc64le:informational
:: [ 04:25:02 ] :: [   FAIL   ] :: File 'stdout' should not contain ':informational' 

vojtapolasek commented 2 years ago

I probably know where the problem is. The inherited_cpe_names should be kept separate from the cpe_names structure for the Rule class. However, during processing they get mixed together. Therefore they appear in the resulting XCCDF rule element. This should not happen. I am working on a fix.
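As an added illustration of the symptom described above (example code, not part of the project or this thread): a small ElementTree walk over a constructed XCCDF fragment that flags Rule elements repeating platform idrefs they should only inherit from an ancestor Group. The benchmark, group, rule ids and CPE idrefs below are made up.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed XCCDF fragment (not generated by the project): a Group scoped
# to the postfix package whose second Rule wrongly repeats the group's
# platform, plus a top-level Rule with its own explicit ppc64le platform.
SAMPLE = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <Group id="xccdf_example_group_postfix">
    <platform idref="#package_postfix"/>
    <Rule id="xccdf_example_rule_postfix_server_banner"/>
    <Rule id="xccdf_example_rule_postfix_network_listening_disabled">
      <platform idref="#package_postfix"/>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_audit_delete_success_ppc64le">
    <platform idref="#machine_ppc64le"/>
  </Rule>
</Benchmark>"""


def own_platforms(elem):
    """Platform idrefs declared directly on this Group/Rule element."""
    return {p.get("idref") for p in elem.findall("x:platform", NS)}


def leaked_inherited_platforms(xml_text):
    """Return {rule_id: idrefs the rule repeats from an ancestor Group}.

    Group platforms already gate their children in XCCDF, so a Rule that
    carries them again is the 'inherited names mixed into the rule' symptom.
    """
    root = ET.fromstring(xml_text)
    leaks = {}

    def walk(elem, inherited):
        for child in elem:
            tag = child.tag.split("}")[-1]  # strip the namespace prefix
            if tag == "Group":
                walk(child, inherited | own_platforms(child))
            elif tag == "Rule":
                dup = own_platforms(child) & inherited
                if dup:
                    leaks[child.get("id")] = dup

    walk(root, set())
    return leaks


if __name__ == "__main__":
    for rule_id, refs in leaked_inherited_platforms(SAMPLE).items():
        print(f"{rule_id}: repeats inherited {sorted(refs)}")
```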

matejak commented 2 years ago

I agree, Bash and Ansible are fine, but XCCDF needs to take into account explicit platforms and inherited platforms.

evgenyz commented 2 years ago

I probably know where the problem is. The inherited_cpe_names should be kept separate from the cpe_names structure for the Rule class. However, during processing they get mixed together. Therefore they appear in the resulting XCCDF rule element. This should not happen. I am working on a fix.

Moreover, inherited_cpe_names and cpe_names from the Rule itself should form a single platform with all conditions joined by CPE-ALs and.

vojtapolasek commented 2 years ago

Well, this is IMO still just planned, but not implemented.

evgenyz commented 2 years ago

Ah, so it wasn't supposed to be working until CPE-AL is merged?