mitre / saf

The MITRE Security Automation Framework (SAF) Command Line Interface (CLI) brings together applications, techniques, libraries, and tools developed by MITRE and the security community to streamline security automation for systems and DevOps pipelines
https://saf-cli.mitre.org

convert xccdf_results2hdf: TypeError: Cannot read properties of undefined (reading 'match') #1183

Open candrews opened 1 year ago

candrews commented 1 year ago

Given this report.xml (which is, as far as I can tell, a valid XCCDF report produced by OpenSCAP), run: npx @mitre/saf@1.2.7 convert xccdf_results2hdf -i report.xml -o report.hdf

Expected: The conversion should complete successfully.

Actual:

$ npx @mitre/saf@1.2.7 convert xccdf_results2hdf -i report.xml -o report.hdf
(node:86425) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
    TypeError: Cannot read properties of undefined (reading 'match')
[1]

The conversion failed with TypeError: Cannot read properties of undefined (reading 'match')

candrews commented 1 year ago

@aaronlippold or anyone else - can you please take a look at this error? It's very easy to reproduce, so hopefully that helps with resolving it quickly.

candrews commented 1 year ago

It appears this bug is in @mitre/hdf-converters, and I found the source for that package at https://github.com/mitre/heimdall2/tree/master/libs/hdf-converters

candrews commented 1 year ago

The only place where match is read/called is https://github.com/mitre/heimdall2/blob/v2.6.41/libs/hdf-converters/src/xccdf-results-mapper.ts#L190 so that must be where this error occurs.

em-c-rod commented 1 year ago

Thank you @candrews for the issue and for uploading the results file. Which SCAP content and profile were you running? That way we can reproduce it on our side because this file looks different than others we have seen.

em-c-rod commented 1 year ago

https://github.com/mitre/heimdall2/pull/4254

candrews commented 1 year ago

> Which SCAP content and profile were you running? That way we can reproduce it on our side because this file looks different than others we have seen.

This file was generated using this command: oscap-podman ubuntu:18.04 xccdf eval --results report.xml --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml

/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml is provided by https://github.com/ComplianceAsCode/content/releases/tag/v0.1.66 which is packaged in Fedora as scap-security-guide as well as in many other distributions.

candrews commented 1 year ago

I think this problem is really an indicator of the converter not implementing major parts of the XCCDF specification correctly, including nested groups. I've submitted an MR which implements that feature, fixes this issue, and makes other improvements: https://github.com/mitre/heimdall2/pull/4255
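
The nested-group handling mentioned in the last comment, as an added example (not code from heimdall2 or the linked pull requests): XCCDF allows a Group to contain both Rules and further Groups, so a converter has to walk the tree recursively and tolerate absent optional fields instead of calling string methods on `undefined`. The object shape, ids and function names below are constructed for illustration.

```javascript
// Constructed sample in a simplified, hypothetical parsed-XML shape
// (not the object shape used by @mitre/hdf-converters). All ids are made up.
const benchmark = {
  Rule: { id: 'rule_top', title: 'Top-level rule' },
  Group: [{
    id: 'group_system',
    Rule: [{ id: 'rule_no_title' }], // optional field absent
    Group: { id: 'group_accounts', Rule: { id: 'rule_nested', title: 'Nested rule' } },
  }],
};
const results = [
  { idref: 'rule_nested', result: 'fail' },
  { idref: 'rule_no_title', result: 'pass' },
  { idref: 'rule_missing', result: 'notchecked' }, // no matching definition
];

// XML-to-object parsers commonly yield a bare object for one child and an
// array for several; normalise both (and absence) to an array.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Depth-first walk: a Group may hold Rules and further Groups at any depth.
function collectRules(node, path = []) {
  const own = asArray(node.Rule).map((rule) => ({ rule, groups: path }));
  const nested = asArray(node.Group).flatMap((g) => collectRules(g, [...path, g.id]));
  return [...own, ...nested];
}

// What a one-level lookup sees: only Rules directly under top-level Groups.
function flatRules(root) {
  return asArray(root.Group).flatMap((g) => asArray(g.Rule));
}

// Join rule-results to rule definitions without assuming any field exists.
function mapResults(root, ruleResults) {
  const index = new Map(collectRules(root).map((e) => [e.rule.id, e]));
  return ruleResults.map(({ idref, result }) => {
    const entry = index.get(idref);
    if (!entry) return { id: idref, result, resolved: false };
    const title = typeof entry.rule.title === 'string' ? entry.rule.title : idref;
    return { id: idref, title, groups: entry.groups, result, resolved: true };
  });
}
```

Unresolved entries are returned with `resolved: false` so a scan result is never silently dropped from the converted report.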