From b97c728ad511d0ded4043153d9f348e5edd42f47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 30 Jul 2024 11:21:16 +0200
Subject: [PATCH] Process CPE AL platforms if CPE dict isn't part of DS
With this change, we will be able to process SCAP source data streams which use CPE AL platforms in XCCDF rules but at the same time there is no CPE dictionary present in the SCAP source data stream. Definition of a CPE dictionary isn't mandatory for platforms to be evaluated. A small test for this situation is introduced as well.
Fixes: #1962
---
 src/XCCDF/xccdf_session.c | 2 +-
 tests/DS/CMakeLists.txt | 1 +
 tests/DS/ds_without_cpe_dict/CMakeLists.txt | 1 +
 .../ds_without_cpe_dict.sh | 13 ++
 .../ds_without_cpe_dict.xml | 112 ++++++++++++++++++
 5 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 tests/DS/ds_without_cpe_dict/CMakeLists.txt
 create mode 100755 tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.sh
 create mode 100644 tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.xml
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index 5ec127be68..c4a391d39d 100644
--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -945,6 +945,7 @@ int xccdf_session_load_cpe(struct xccdf_session *session)
 }
 if (xccdf_session_is_sds(session)) {
+ _connect_cpe_session_with_sds(session);
 struct ds_sds_index *sds_idx = xccdf_session_get_sds_idx(session);
 if (sds_idx == NULL) {
 return -1;
@@ -963,7 +964,6 @@ int xccdf_session_load_cpe(struct xccdf_session *session)
 oscap_string_iterator_free(cpe_it);
 return 1;
 }
- _connect_cpe_session_with_sds(session);
 while (oscap_string_iterator_has_more(cpe_it)) {
 const char* cpe_filename = oscap_string_iterator_next(cpe_it);
diff --git a/tests/DS/CMakeLists.txt b/tests/DS/CMakeLists.txt
index 11f74a19b0..944e4bc943 100644
--- a/tests/DS/CMakeLists.txt
+++ b/tests/DS/CMakeLists.txt
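Review bot: The relocated `_connect_cpe_session_with_sds(session);` at the top of the `xccdf_session_is_sds` branch in `src/XCCDF/xccdf_session.c` carries no comment explaining why it must precede the dictionary lookup, so a later cleanup could move it back below the early `return 1` (visible in the second hunk) and rules with CPE AL platforms would again be evaluated without the data-stream connection. I would add above the call: `/* Connect first: CPE AL platforms must be resolvable from the data stream even when it contains no CPE dictionary (early return below). */`. The call now also runs before the `sds_idx == NULL` check, so the CPE session is connected even on the `return -1` path; the helper's body is not in this diff, so it is worth confirming that it tolerates a session without a usable SDS index. `xccdf_session_load_cpe` starts and ends outside both hunks.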
@@ -10,3 +10,4 @@ add_subdirectory("schematron")
 add_subdirectory("sds_detect_version")
 add_subdirectory("signed")
 add_subdirectory("validate")
+add_subdirectory("ds_without_cpe_dict")
diff --git a/tests/DS/ds_without_cpe_dict/CMakeLists.txt b/tests/DS/ds_without_cpe_dict/CMakeLists.txt
new file mode 100644
index 0000000000..11fb4cd041
--- /dev/null
+++ b/tests/DS/ds_without_cpe_dict/CMakeLists.txt
@@ -0,0 +1 @@
+add_oscap_test("ds_without_cpe_dict.sh")
diff --git a/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.sh b/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.sh
new file mode 100755
index 0000000000..429bc954fa
--- /dev/null
+++ b/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+set -e -o pipefail
+
+stdout=$(mktemp)
+stderr=$(mktemp)
+$OSCAP xccdf eval --progress $srcdir/ds_without_cpe_dict.xml > $stdout 2> $stderr
+[ -e $stderr ]
+grep -q "xccdf_moc.elpmaxe.www_rule_1:pass" $stdout
+! grep -q "xccdf_moc.elpmaxe.www_rule_1:notapplicable" $stdout
+! grep -q "Can't import OVAL definition model 'cpe-oval.xml' for CPE applicability checking" $stderr
+rm -rf $stdout $stderr
diff --git a/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.xml b/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.xml
new file mode 100644
index 0000000000..451f7ba410
--- /dev/null
+++ b/tests/DS/ds_without_cpe_dict/ds_without_cpe_dict.xml
@@ -0,0 +1,112 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11.1
+ 0001-01-01T00:00:00+00:00
+
+
+
+
+ x
+ x
+
+ x
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ oval:x:var:1
+
+
+
+
+ x
+
+
+
+
+
+
+
+ 5.11.1
+ 0001-01-01T00:00:00+00:00
+
+
+
+
+ x
+ x
+
+ x
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ oval:x:var:1
+
+
+
+
+ x
+
+
+
+
+
+
+ incomplete
+
+
+ Test Platform 1
+
+
+
+
+
+ 1.0
+
+ Test Rule
+
+
+
+
+
+
+
+
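Review bot: The two `! grep -q …` lines in `ds_without_cpe_dict.sh` cannot fail the test, because `set -e` ignores the status of a command negated with `!` and the script's final command is `rm -rf`; the import warning on stderr, the regression this test exists for, would therefore pass unnoticed. Each negative check should be explicit, e.g. `if grep -q "xccdf_moc.elpmaxe.www_rule_1:notapplicable" "$stdout"; then exit 1; fi`, and likewise for the stderr message. `[ -e $stderr ]` is always true right after `mktemp`, so it asserts nothing as written. The temporary files are removed only on the success path, and `$stdout`, `$stderr` and `$srcdir` are expanded unquoted; a `trap 'rm -f "$stdout" "$stderr"' EXIT` with quoted expansions would cover both.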