Issue with windows:peheader_[state/item] entities

[solind]

The entity image_file_16bit_machine doesn't seem to have a corresponding documented characteristic. See https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx

Similarly, the characteristic IMAGE_FILE_NET_RUN_FROM_SWAP (0x0800) doesn't seem to have a corresponding entity.

Perhaps the former should be deprecated, and the latter added?

[solind]

Turns out the image_file_16bit_machine flag is (was) 0x0040. We should still add a characteristic for IMAGE_FILE_NET_RUN_FROM_SWAP.

I wonder about the design choice to have boolean entities for all the different characteristics, but have a multi-valued integer entity for the dll_characteristics. Typically in OVAL we'd implement all flags using multi-valued specifically-typed entities restricted to an enumeration.

@djhaynes - Can you comment at all on the design choice? Was this test created for an artifact-hunting use-case?

[solind]

Additional note: the header_signature entity should be changed to an Entity[State/Item]IntType (i.e., a custom datatype accommodating both string and int for backwards-compatibility, and an accompanying schematron warning for strings).

[solind]

Perhaps we should also add an enumeration type for DLL characteristics, and deprecate the existing dll_characteristics entity.

[solind]

Also... Entity[State/Item]PeTargetMachineType is missing an entry for 0x8664 (i.e., AMD64) -- probably THE SINGLE MOST COMMON machine type! The enumeration must be expanded to include this value (minimum).

[zport]

Issue moved to OVAL-Community/OVAL #25 via ZenHub