OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

HTML Report Creation Fails With XPath error: growing nodeset hit limit #2082

Closed gfrizzo-rescale closed 9 months ago

gfrizzo-rescale commented 9 months ago

Description of Problem:

When running a scan (oscap xccdf eval) with the --report oscap-results.html argument, the following error appears at the end and the report creation fails:

XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /openscap/xsl/xccdf-report.xsl line 91 element value-of
XPath evaluation returned no result.
OpenSCAP Error: Could not apply XSLT /openscap/xsl/xccdf-report.xsl to XML file: NONEXISTENT [/openscap/src/source/xslt.c:183]

OpenSCAP Version:

1.3.10 (also tried with 1.3.8. Same error)

Operating System & Version:

Red Hat Enterprise Linux 8.9 (Ootpa)

Steps to Reproduce:

  1. I believe this may be related to the number of files being scanned. So, have at least 318135 files in the system.
  2. Run: oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig --report my-oscap-results.html --stig-viewer my-stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
  3. Error shows at the end of the scan. XML report is successfully generated. HTML fails.

Actual Results:

HTML report is not generated.

Expected Results:

HTML report is generated.

Additional Information / Debugging Steps:

evgenyz commented 9 months ago

Well, you're in luck. Kinda. We have 2 workarounds: https://github.com/OpenSCAP/openscap/pull/2051 and https://github.com/OpenSCAP/openscap/pull/2052. Choose your poison.

gfrizzo-rescale commented 9 months ago

Thanks!

OSCAP_PROBE_MAX_COLLECTED_ITEMS works. Any recommendations for the default value? Based on #2051, 1000 is fine?

Also, not sure if this is the right place to ask, but do you know how long it would take for the openscap 1.3.10 release to reach the official distribution channels (so that a simple yum install would install version 1.3.10)?

evgenyz commented 9 months ago

It all depends on the system. And you should understand that limiting collected items might yield false-negative results. Pick the biggest you possibly can.
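
A way to act on that caveat, as an added example that is not part of this thread or of OpenSCAP: after scanning with OSCAP_PROBE_MAX_COLLECTED_ITEMS set, parse the XML results (which the report says are still generated) and list every OVAL object whose collected item count reached the cap or whose flag is not "complete", since those are the checks where a false negative could hide. The sample document below is constructed; the "incomplete" flag and warning message it carries are assumptions about how a capped object might look, not confirmed OpenSCAP output.

```python
import xml.etree.ElementTree as ET

# Standard OVAL 5.x system-characteristics namespace (same one OpenSCAP emits).
SC_NS = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"

# Constructed sample, not a real scan result. The second object models a probe
# that stopped collecting at the cap (flag/message are assumed, not confirmed).
SAMPLE_SC = """<?xml version="1.0"?>
<oval_system_characteristics xmlns="{ns}">
  <collected_objects>
    <object id="oval:example-world_writable:obj:1" version="1" flag="complete">
      <reference item_ref="1"/>
      <reference item_ref="2"/>
    </object>
    <object id="oval:example-unowned_files:obj:1" version="1" flag="incomplete">
      <message level="warning">collected items limit reached</message>
      <reference item_ref="3"/>
      <reference item_ref="4"/>
      <reference item_ref="5"/>
    </object>
  </collected_objects>
</oval_system_characteristics>""".format(ns=SC_NS)


def find_capped_objects(sc_xml: str, max_items: int):
    """Return (object_id, flag, item_count) for every collected object that
    may have been truncated: item count at/over the cap, or flag != complete.
    Works on a bare system-characteristics document or on a full results file,
    because it iterates over every object element in the namespace."""
    root = ET.fromstring(sc_xml)
    suspects = []
    for obj in root.iter(f"{{{SC_NS}}}object"):
        flag = obj.get("flag", "")
        n_items = len(obj.findall(f"{{{SC_NS}}}reference"))
        if flag != "complete" or n_items >= max_items:
            suspects.append((obj.get("id"), flag, n_items))
    return suspects


if __name__ == "__main__":
    # Value passed in OSCAP_PROBE_MAX_COLLECTED_ITEMS for the scan being reviewed.
    for obj_id, flag, count in find_capped_objects(SAMPLE_SC, max_items=3):
        print(f"review manually: {obj_id} flag={flag} items={count}")
```

Feed it the results XML from the scan; any object it lists should be re-checked with a higher cap or by other means before treating its rule as a pass.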

evgenyz commented 9 months ago

Re: 1.3.10, sometime in the first half of the year, hopefully. No precise ETA yet.