Problem: When a rule with multi-check is evaluated, only the last result of checks is disaplyed and all other check results are ignored. Also, the rule is displayed only once in SCAP Workbench window. Moreover, there is no information displayed to the user that the rule consists of multiple checks. This is against XCCDF 1.2 specification Section 7.2.3.5.2, which states:
if an element leads to the execution of
multiple checks (i.e., an that lacks a @name attribute is used) and
the @multi-check attribute is set to true, each check executed MUST be reported separately.
In practice, this problem happens when evaluating rule "Security patches are up-to-date" in SCAP 1.3 content. The rule results displayed in SCAP Workbench are wrong, because it displays results for the last vulnerability in the CVE list and it doesn't even show which one.
I think the implementation of this feature in Workbench will not trivial.
Currently, SCAP Workbench first obtains a list of XCCDF rules and displays them in the main window (libopenscap API is used to get the list). During the evaluation it updates the result column based on parsing of oscap stdout. oscap is running in --progress mode.
My proposal is:
create a new API function in OpenSCAP library which will fetch rules including the used checks
change --progress output of openscap to show also check ID (OVAL ID) to distinguish between results of the same rule ID. Optionally create a new output format of oscap if change of --progress output format would break something.
change SCAP Workbench to use the previous 2 points.
Problem: When a rule with multi-check is evaluated, only the last result of checks is disaplyed and all other check results are ignored. Also, the rule is displayed only once in SCAP Workbench window. Moreover, there is no information displayed to the user that the rule consists of multiple checks. This is against XCCDF 1.2 specification Section 7.2.3.5.2, which states:
In practice, this problem happens when evaluating rule "Security patches are up-to-date" in SCAP 1.3 content. The rule results displayed in SCAP Workbench are wrong, because it displays results for the last vulnerability in the CVE list and it doesn't even show which one.
We have discovered this problem in Workbench when we were working on improving the standard output of OpenSCAP and HTML report for these types of rules - see https://bugzilla.redhat.com/show_bug.cgi?id=1771438 and https://github.com/OpenSCAP/openscap/pull/1426
I think the implementation of this feature in Workbench will not trivial.
Currently, SCAP Workbench first obtains a list of XCCDF rules and displays them in the main window (libopenscap API is used to get the list). During the evaluation it updates the result column based on parsing of
oscapstdout.oscapis running in--progressmode.My proposal is:
--progressoutput ofopenscapto show also check ID (OVAL ID) to distinguish between results of the same rule ID. Optionally create a new output format ofoscapif change of--progressoutput format would break something.