OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

oscap xccdf validate - flood of warnings in validation of "oscap xccdf eval" results #1752

Open mildas opened 3 years ago

mildas commented 3 years ago

Description of Problem:

When XCCDF results from oscap xccdf eval are being validated, a lot of warnings are printed out.

OpenSCAP Version:

openscap-1.3.5-2.el8

Operating System & Version:

RHEL 8

Steps to Reproduce:

  1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report xccdf_org.ssgproject.content_profile_stig.html --results-arf xccdf_org.ssgproject.content_profile_stig-xccdf-arf-results.xml --results xccdf_org.ssgproject.content_profile_stig-xccdf-results.xml --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  2. oscap xccdf validate xccdf_org.ssgproject.content_profile_stig-xccdf-results.xml

Actual Results:

<?xml version="1.0"?>
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
....
Warning: All 'value' or 'complex-value' elements have non-empty @selector attribute values. The default selection will be the first of these elements. To explicitly designate a default, remove the selector of the default element. See the XCCDF 1.2.1 specification, Section 6.4.5.5.
Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
...

Expected Results:

No warnings.

jan-cerny commented 3 years ago

This is related to the fact that we have started to perform the schematron validation by default. It looks like the produced XCCDF results are not valid according to the schematron.

jan-cerny commented 3 years ago

Actually, there are only 4 distinct messages but they repeat many times.

  1. Warning: All 'value' or 'complex-value' elements have non-empty @selector attribute values. The default selection will be the first of these elements. To explicitly designate a default, remove the selector of the default element. See the XCCDF 1.2.1 specification, Section 6.4.5.5.
  2. Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
  3. Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
  4. Warning: The @idref attribute in a 'conflicts' element should match the @id attribute of a different 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.4.1.

jan-cerny commented 3 years ago

ad 2: check _xccdf_policy_rule_evaluate in xccdf_policy.c

evgenyz commented 8 months ago

@jan-cerny @mildas is this issue still relevant?