Possible issue with SRC-330-3

[dragosprisaca]

Hello Scott,

The attached content fails validation, but there is just one warning (SRC-330-3): "Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()'" Is this the requirement that triggers the error?

Thanks, _Dragos. content-and-val-results.zip

[gscottwilson]

Thank you for reporting this. There are a couple of issue here.

First, the SRC-330-3 has a total of 128 hits of varying severity from information to error. However after 10 results they are truncated in the html report. The overall result of SRC-330-3 will ultimately be assigned the most severe error status found, in this case error, it is just within the 118 truncated results so the specific error result is not visible in the HTML report. This is a known issue and is being tracked with https://github.com/usnistgov/decima/issues/7 In the meantime you can view the xml results file for complete results

Second, the error text "the value of lockout_duration must be greater than or equal to zero - TEST: string-length(.) = 0 or number(.) < 0" comes from a schematron TEST for OVAL 5.11.2 content. It appears to be a bug as the message says ' must be greater than or equal to zero' while the actual check is '&lt; 0' where &lt (less than) 0.

[gscottwilson]

Dragos, you can track the first issue at https://github.com/usnistgov/decima/issues/7 The second issue will need to be worked out with the OVAL community. I've assigned you to this ticket as well for updates. Thanks

[dragosprisaca]

Cross reference to OVAL Language issue: https://github.com/OVALProject/Language/issues/304

[dragosprisaca]

Hello Scott,

Can you please update the schematron rules in SCAPVAL as done in https://github.com/OVALProject/Language/issues/302 ? This should take care of the issues described above.

Thanks, _Dragos.