Closed iankko closed 5 years ago
Requests to Modify Existing OVAL Constructs
What construct needs to be modified?
`rpmverifyfile_object` and `rpmverifypackage_object` from the `linux-definitions-schema.xsd` schema file. More exactly, the `minOccurs='1'` attributes of the `epoch`, `version`, `release`, and `arch` entities of these objects.
Why does it need to be modified (e.g. missing or ambiguous documentation, datatype does not match the value, incorrect minimum/maximum occurrences, etc.)?
In the case OVAL content attempts to inspect more than one RPM package object (IOW the `^.*$` pattern is used in the `filepath` entity), it is not possible to construct `rpmverifyfile_object` and `rpmverifypackage_object` objects while omitting the `epoch`, `version`, `release`, and `arch` entities (like it was possible in, e.g., the OVAL language 5.10 version).
This introduces OVAL content compatibility issues in the case particular OVAL content needs to be supported on multiple OVAL language versions.
Does it break backwards compatibility with previous versions of the OVAL Language?
Yes. In OVAL language versions X <= 5.10 the `minOccurs` attribute value requirement was defined as '0' (zero) for the `epoch`, `version`, `release`, and `arch` entities of the `rpmverifyfile_object` and `rpmverifypackage_object` objects.
If so, should it be considered under the Exceptions clause of the OVAL Language Versioning Methodology? Please see OVAL Language Versioning Methodology for more information.
No
Present the improvements
With the change from http://oval.mitre.org/language/version5.10.1/#32680 reverted, it will be possible to maintain OVAL content supported on different OVAL language versions without significant changes to content written in the OVAL 5.10 language version form.
Revised or additional documentation
We have also considered other options: `<xsi:nil>` ability for the `epoch`, `version`, `release`, and `arch` entities of these two objects. But this scenario does not solve the problem in the case the OVAL content needs to be supported on both OVAL 5.10 and OVAL 5.11 versions (though the content would work on the OVAL 5.11 language with the `<xsi:nil>` add-on, the same content wouldn't work on the OVAL 5.10 version, since the schema doesn't allow the `<xsi:nil>` value yet).
since the `extended_name` entity would be preserved.
Describe changes to the schema
See the reply to the "What construct needs to be modified?" question above.
OPTIONAL: Implementing the changes in the schema is recommended, but not required.
Schema implementation changes draft can be provided if found to be required.
Issue moved to OVAL-Community/OVAL #37 via ZenHub
Based on: [1] http://making-security-measurable.1364806.n2.nabble.com/Issues-with-the-linux-def-rpmverifyfile-test-and-linux-def-rpmverifypackage-test-in-OVAL-5-10-td7055684.html
and upstream ticket: [2] http://oval.mitre.org/language/version5.10.1/#32680
the OVAL 5.10.1 version of the OVAL language: [3] https://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html#rpmverifyfile_object
introduced the requirement `minOccurs=1` for the `epoch`, `version`, `release`, and `arch` entities. Similarly for `rpmverifypackage_object`: [4] https://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html#rpmverifypackage_object
the `minOccurs=1` requirement has been introduced for the `epoch`, `version`, `release`, and `arch` entities [*]. The justification for this change was (from [1]):
When we looked into this issue, we also discovered that the name, epoch, version, release, and arch entities in the rpmverifyfile_object and rpmverifypackage_object have a minOccurs="0" rather than a minOccurs="1" like every other object entity. While this does not impact the functionality of the language, it does open the opportunity for content authors to create rpmverifyfile_objects and rpmverifypackage_objects without any entities. This could result in tools behaving unexpectedly if they are expecting those entities to be there.
While the change introduced in 5.10.1 via ticket [2] might solve the 'unexpected tools behavior', the introduced change makes the generated OVAL 5.10 vs. OVAL 5.10.1 up to OVAL 5.11 content incompatible (meaning the `epoch`, `version`, `release`, and `arch` entities are now required elements for `rpmverifyfile_object` and `rpmverifypackage_object` objects).

Under the requirement to provide OVAL content that would work on both versions, the solution seems to be to add all of the aforementioned elements to each `rpmverifyfile_object` and `rpmverifypackage_object` object already defined and used in the content (this way it seems to provide content compatible / valid with both versions). But since the existing OVAL content might utilize the `rpmverifyfile_object` and `rpmverifypackage_object` objects widely, converting the content to be supported on both OVAL language versions will be a non-trivial task.

Therefore we propose to revert the change introduced in the OVAL 5.10.1 version of the OVAL language and, in the upcoming minor version of the OVAL language (OVAL 5.11.1), to return to the state where the `epoch`, `version`, `release`, and `arch` entities of the `rpmverifyfile_object` and `rpmverifypackage_object` objects would require the value of the `minOccurs` attribute to be set to '0'. Please review the proposal.
Thank you && Regards, Jan Lieskovsky
[*] Compare the 5.10.1 output for both objects with the output from the OVAL 5.10 version:
to compare the differences in the required value of the `minOccurs` attribute.

P.S.: Please let me know if the change implementation in the schema is required for this proposal to be applied for consideration.
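The workaround the two posts above describe (adding the entities that 5.10.1 made mandatory to every already-defined `rpmverifyfile_object` and `rpmverifypackage_object`, so that the same content validates under 5.10 and under 5.10.1/5.11) can be automated. The script below is an added example written for this page; it is not code from the issue author, the mailing-list thread, or the OVAL project. It assumes the `linux-definitions` namespace URI, that the child order of each object follows the schema's `xsd:sequence` (behaviors, name, epoch, version, release, arch, and filepath last for `rpmverifyfile_object`), and that a `pattern match` entity carrying the `^.*$` pattern from the first post selects every value; the sample document with two 5.10-style objects is constructed for the example.

```python
"""Add the entities that OVAL 5.10.1+ requires to 5.10-style rpmverify objects.

Added example for this page, not code from the issue or from the OVAL project.
Assumptions (not taken from the issue): the linux-definitions namespace URI,
the child order of each object (the xsd:sequence), and that a 'pattern match'
entity carrying the ^.*$ pattern from the issue matches any value.
"""
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_DEF_NS + "#linux"
ET.register_namespace("", OVAL_DEF_NS)
ET.register_namespace("linux", LINUX_NS)

# Assumed child order of each object (the schema's xsd:sequence).
ENTITY_ORDER = {
    "rpmverifyfile_object": ["behaviors", "name", "epoch", "version",
                             "release", "arch", "filepath"],
    "rpmverifypackage_object": ["behaviors", "name", "epoch", "version",
                                "release", "arch"],
}
# Entities the 5.10.1 change made mandatory (per the justification quoted above).
REQUIRED_SINCE_5_10_1 = ("name", "epoch", "version", "release", "arch")
MATCH_ALL = "^.*$"  # the pattern the issue uses to select every package


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def add_required_entities(obj):
    """Insert missing required entities into one object, in schema order.

    Each inserted entity is a 'pattern match' on ^.*$, so the object still
    selects the same packages as before.  Returns the names that were added.
    """
    order = ENTITY_ORDER[local_name(obj.tag)]
    present = {local_name(child.tag) for child in obj}
    added = []
    for entity in REQUIRED_SINCE_5_10_1:
        if entity in present:
            continue
        new = ET.Element("{%s}%s" % (LINUX_NS, entity),
                         {"operation": "pattern match"})
        new.text = MATCH_ALL
        # Place it before the first existing child that the sequence puts
        # after it; children not in the table (e.g. filters) sort last.
        position = len(obj)
        for index, child in enumerate(obj):
            name = local_name(child.tag)
            child_rank = order.index(name) if name in order else len(order)
            if child_rank > order.index(entity):
                position = index
                break
        obj.insert(position, new)
        added.append(entity)
    return added


def convert(xml_text):
    """Upgrade every rpmverify* object in a document.

    Returns (new XML text, {object id: [entities added]}).  Objects that
    already carry all required entities are left untouched.
    """
    root = ET.fromstring(xml_text)
    objects = [e for e in root.iter() if local_name(e.tag) in ENTITY_ORDER]
    report = {}
    for obj in objects:
        added = add_required_entities(obj)
        if added:
            report[obj.get("id")] = added
    return ET.tostring(root, encoding="unicode"), report


def child_names(xml_text, object_id):
    """Child element names of the object with the given id, in document order."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.get("id") == object_id:
            return [local_name(child.tag) for child in elem]
    return None


# Constructed sample: two 5.10-style objects that omit the now-required entities.
SAMPLE_5_10 = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <objects>
    <linux:rpmverifyfile_object id="oval:example:obj:1" version="1">
      <linux:behaviors nomd5="true"/>
      <linux:filepath operation="pattern match">^/etc/pam\\.d/.*$</linux:filepath>
    </linux:rpmverifyfile_object>
    <linux:rpmverifypackage_object id="oval:example:obj:2" version="1">
      <linux:name operation="pattern match">^openssl.*$</linux:name>
    </linux:rpmverifypackage_object>
  </objects>
</oval_definitions>"""

if __name__ == "__main__":
    converted, report = convert(SAMPLE_5_10)
    for object_id, added in report.items():
        print("%s: added %s" % (object_id, ", ".join(added)))
    print(converted)
```

Running the script on the constructed sample adds `name`, `epoch`, `version`, `release`, and `arch` to the first object (keeping `filepath` last) and the four missing entities to the second; running it again over its own output changes nothing, which is the property a bulk conversion of existing content needs. The converted objects must still be validated against the target schema, since the element order and namespace above are assumptions of this example.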