Remediate does not work if called separately from eval cmd
- Is this an issue with SCAP Workbench?
- If so, report it here: https://github.com/OpenSCAP/scap-workbench/issues
- Is this an issue with SCAP Security Guide (i.e., related to the content of scans, not the scanner proper)?
- If so, report it here: https://github.com/OpenSCAP/scap-security-guide/issues
- Is this an issue during the OS installation process?
- If so, report it here: https://github.com/OpenSCAP/oscap-anaconda-addon/issues
Thanks!
Description of Problem:
If I run the command below, the failed items are fixed correctly:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_standard --results scan_results.xml ssg-xxx-ds.xml
But if I separate it into the two commands below, the fix fails:
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results scan_results.xml ssg-xxx-ds.xml
# oscap xccdf remediate scan_results.xml
So, what's the mistake in my commands?
OpenSCAP Version:
1.3.9
Operating System & Version:
Steps to Reproduce:
Actual Results:
Expected Results:
Additional Information / Debugging Steps:
I have investigated this issue. I have found that we have a bug related to CPE applicability of fixes. The remediation isn't performed because the fix is resolved as not applicable. Internally, it can't find any applicable fix. But, the XCCDF results file doesn't contain CPE definitions or CPE dictionaries, so it can't resolve the applicability.
Unfortunately, the oscap xccdf remediate module doesn't consume ARFs.
I'm not sure how we can fix it. We could replace the call of _filter_fixes_by_applicability in src/XCCDF_POLICY/xccdf_policy_remediate.c in _find_suitable_fix with _get_fixes, which is a function that doesn't check CPE applicability. But this change would make the assertions in tests/API/XCCDF/applicability/test_remediate_fix_notapplicable.sh invalid.
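The diagnosis above says the standalone remediate step fails because the results file carries the rules' and fixes' CPE platform references but not the CPE dictionary that would let them be evaluated. The following is an added example (not OpenSCAP code, and only an approximation of how oscap itself resolves applicability) that inspects an XCCDF file the way a practitioner would before running oscap xccdf remediate: it lists the failed rules, expands each rule's and fix's platform references to CPE names, and reports which of those names have no cpe-dict definition in the file. Both XML inputs are constructed, minimal samples: a results-style file (Benchmark plus TestResult) and the same benchmark wrapped in a simplified source data stream that also contains a CPE dictionary.

```python
import xml.etree.ElementTree as ET

# Standard SCAP namespaces (XCCDF 1.2, CPE dictionary 2.0, CPE language 2.0, source data stream 1.2).
NS = {
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "cpe-dict": "http://cpe.mitre.org/dictionary/2.0",
    "cpe-lang": "http://cpe.mitre.org/language/2.0",
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
}

# Constructed sample: what an `oscap xccdf eval --results` file looks like, reduced to one rule.
# The rule and its fix reference the local platform "#machine", which expands to cpe:/a:machine,
# but nothing in this file defines how cpe:/a:machine is checked.
SAMPLE_RESULTS = """<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
    id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <xccdf:status>draft</xccdf:status>
  <xccdf:title>constructed example</xccdf:title>
  <xccdf:version>1</xccdf:version>
  <cpe-lang:platform-specification>
    <cpe-lang:platform id="machine">
      <cpe-lang:logical-test operator="AND" negate="false">
        <cpe-lang:fact-ref name="cpe:/a:machine"/>
      </cpe-lang:logical-test>
    </cpe-lang:platform>
  </cpe-lang:platform-specification>
  <xccdf:Rule id="xccdf_org.ssgproject.content_rule_example" selected="true" severity="medium">
    <xccdf:title>Example rule</xccdf:title>
    <xccdf:platform idref="#machine"/>
    <xccdf:fix system="urn:xccdf:fix:script:sh" platform="#machine">echo fix</xccdf:fix>
  </xccdf:Rule>
  <xccdf:TestResult id="xccdf_org.open-scap_testresult_example">
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example">
      <xccdf:result>fail</xccdf:result>
    </xccdf:rule-result>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""

# Constructed, simplified data stream: the same benchmark next to a CPE dictionary component.
# (A real SSG data stream also carries the OVAL definitions the cpe-item checks point at.)
SAMPLE_DATASTREAM = f"""<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0" id="scap_example_collection">
  <ds:component id="scap_example_comp_cpe_dict">
    <cpe-dict:cpe-list>
      <cpe-dict:cpe-item name="cpe:/a:machine">
        <cpe-dict:title xml:lang="en-US">Bare machine</cpe-dict:title>
        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            href="ssg-example-cpe-oval.xml">oval:ssg-installed_env_is_a_machine:def:1</cpe-dict:check>
      </cpe-dict:cpe-item>
    </cpe-dict:cpe-list>
  </ds:component>
  <ds:component id="scap_example_comp_xccdf">{SAMPLE_RESULTS}</ds:component>
</ds:data-stream-collection>
"""


def failed_rules(root):
    """Rule ids whose rule-result in the TestResult is 'fail'."""
    return [
        rr.get("idref")
        for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS)
        if rr.findtext("xccdf:result", default="", namespaces=NS) == "fail"
    ]


def resolve_platform_ref(root, ref):
    """Expand a '#local-id' reference through cpe-lang:platform-specification into CPE names;
    a bare 'cpe:/...' name refers to itself."""
    if not ref.startswith("#"):
        return {ref}
    plat = root.find(f".//cpe-lang:platform[@id='{ref[1:]}']", NS)
    if plat is None:
        return set()
    return {fr.get("name") for fr in plat.iterfind(".//cpe-lang:fact-ref", NS)}


def cpe_dictionary_names(root):
    """CPE names the file can evaluate, i.e. every cpe-dict:cpe-item it contains."""
    return {item.get("name") for item in root.iterfind(".//cpe-dict:cpe-item", NS)}


def check_fix_applicability(xml_text):
    """For each failed rule, report the CPE names its rule/fix platforms need but the file cannot define."""
    root = ET.fromstring(xml_text)
    dictionary = cpe_dictionary_names(root)
    report = {"failed": [], "dictionary_present": bool(dictionary), "unresolvable": {}}
    for rule_id in failed_rules(root):
        rule = root.find(f".//xccdf:Rule[@id='{rule_id}']", NS)
        refs = {p.get("idref") for p in rule.iterfind("xccdf:platform", NS)}
        refs |= {f.get("platform") for f in rule.iterfind("xccdf:fix", NS) if f.get("platform")}
        needed = set().union(*(resolve_platform_ref(root, r) for r in refs)) if refs else set()
        missing = needed - dictionary
        report["failed"].append(rule_id)
        if missing:
            report["unresolvable"][rule_id] = sorted(missing)
    return report


if __name__ == "__main__":
    print("results file:", check_fix_applicability(SAMPLE_RESULTS))
    print("data stream: ", check_fix_applicability(SAMPLE_DATASTREAM))
```

Run against the results-style sample, the failed rule's fix is left with cpe:/a:machine undefined, which matches the behaviour described above: oscap xccdf remediate sees a platform it cannot evaluate and treats the fix as not applicable. The same benchmark inside the data stream resolves cleanly, which is why the single eval --remediate invocation, operating on the data stream, works.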