|
 |
8b65ee |
From b8b90b4c04a130d9174148486b40bfc8454a290b Mon Sep 17 00:00:00 2001
|
|
|
8b65ee |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
8b65ee |
Date: Tue, 5 Jan 2021 16:31:04 +0100
|
|
|
8b65ee |
Subject: [PATCH 1/5] Fix a segmentation fault
|
|
|
8b65ee |
|
|
|
8b65ee |
When generating results with --stig-viewer a segmentation fault
|
|
|
8b65ee |
occured. This segfault has been caused by
|
|
|
8b65ee |
9b40767967e533bdb340ca4c91f2fd1192694820.
|
|
|
8b65ee |
|
|
|
8b65ee |
The patch makes the usage of benchmark and cloned benchmark in this
|
|
|
8b65ee |
`if` block consistent with the previous `if` block above.
|
|
|
8b65ee |
---
|
|
|
8b65ee |
src/XCCDF/xccdf_session.c | 5 ++++-
|
|
|
8b65ee |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
8b65ee |
|
|
|
8b65ee |
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
|
|
|
8b65ee |
index c88d90be05..9e54a98e9e 100644
|
|
|
8b65ee |
--- a/src/XCCDF/xccdf_session.c
|
|
|
8b65ee |
+++ b/src/XCCDF/xccdf_session.c
|
|
|
8b65ee |
@@ -1393,9 +1393,12 @@ static int _build_xccdf_result_source(struct xccdf_session *session)
|
|
|
8b65ee |
}
|
|
|
8b65ee |
|
|
|
8b65ee |
if (session->export.xccdf_stig_viewer_file != NULL) {
|
|
|
8b65ee |
+ struct xccdf_benchmark *cloned_benchmark = xccdf_benchmark_clone(benchmark);
|
|
|
8b65ee |
struct xccdf_result *cloned_result = xccdf_result_clone(session->xccdf.result);
|
|
|
8b65ee |
+ xccdf_benchmark_add_result(cloned_benchmark, cloned_result);
|
|
|
8b65ee |
struct oscap_source * stig_result = xccdf_result_stig_viewer_export_source(cloned_result, session->export.xccdf_stig_viewer_file);
|
|
|
8b65ee |
- xccdf_result_free(cloned_result);
|
|
|
8b65ee |
+ // cloned_result is freed during xccdf_benchmark_free
|
|
|
8b65ee |
+ xccdf_benchmark_free(cloned_benchmark);
|
|
|
8b65ee |
if (oscap_source_save_as(stig_result, NULL) != 0) {
|
|
|
8b65ee |
oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not save file: %s",
|
|
|
8b65ee |
oscap_source_readable_origin(stig_result));
|
|
|
8b65ee |
|
|
|
8b65ee |
From 0a73539af773ce261e2b5eb71ca6b2b83ff6e386 Mon Sep 17 00:00:00 2001
|
|
|
8b65ee |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
8b65ee |
Date: Tue, 5 Jan 2021 16:47:13 +0100
|
|
|
8b65ee |
Subject: [PATCH 2/5] Fix test for --stig-viewer
|
|
|
8b65ee |
|
|
|
8b65ee |
The test masked the segfault in oscap command by ignoring the oscap
|
|
|
8b65ee |
return code. Moreover, it ignored any failure in the Python script
|
|
|
8b65ee |
stig-viewer-equivalence.py. The commit also adds an improvement to
|
|
|
8b65ee |
test if the produced file isn't empty.
|
|
|
8b65ee |
---
|
|
|
8b65ee |
tests/API/XCCDF/unittests/test_single_rule_stigw.sh | 6 ++++--
|
|
|
8b65ee |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
8b65ee |
|
|
|
8b65ee |
diff --git a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
|
|
|
8b65ee |
index 15803ab94c..e258e72dd1 100755
|
|
|
8b65ee |
--- a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
|
|
|
8b65ee |
+++ b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
|
|
|
8b65ee |
@@ -19,8 +19,10 @@ echo "Result file = $result"
|
|
|
8b65ee |
# evaluated when '--rule' option is not specified.
|
|
|
8b65ee |
|
|
|
8b65ee |
# One of the rules is supposed to fail, so the return code of this line has to be 0 so the test can continue
|
|
|
8b65ee |
-$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || true
|
|
|
8b65ee |
+$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || ret=$?
|
|
|
8b65ee |
+[ $ret == 2 ]
|
|
|
8b65ee |
[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
|
|
|
8b65ee |
+[ -s "$result" ]
|
|
|
8b65ee |
|
|
|
8b65ee |
-"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr" || ret=$?
|
|
|
8b65ee |
+"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr"
|
|
|
8b65ee |
rm "$result"
|
|
|
8b65ee |
|
|
|
8b65ee |
From 7011a6fc960515ff626f411349b8b8a267b80c02 Mon Sep 17 00:00:00 2001
|
|
|
8b65ee |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
8b65ee |
Date: Wed, 6 Jan 2021 12:08:31 +0100
|
|
|
8b65ee |
Subject: [PATCH 3/5] Fix segmentation fault
|
|
|
8b65ee |
|
|
|
8b65ee |
The function call oscap_reference_get_href(ref) can return NULL
|
|
|
8b65ee |
because href attribute of reference element is optional.
|
|
|
8b65ee |
---
|
|
|
8b65ee |
src/XCCDF/result.c | 10 ++++++----
|
|
|
8b65ee |
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
8b65ee |
|
|
|
8b65ee |
diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
|
|
|
8b65ee |
index 21b93fba74..a4fdec6cee 100644
|
|
|
8b65ee |
--- a/src/XCCDF/result.c
|
|
|
8b65ee |
+++ b/src/XCCDF/result.c
|
|
|
8b65ee |
@@ -1154,7 +1154,9 @@ void xccdf_result_to_dom(struct xccdf_result *result, xmlNode *result_node, xmlD
|
|
|
8b65ee |
struct oscap_reference_iterator *references = xccdf_item_get_references(item);
|
|
|
8b65ee |
while (oscap_reference_iterator_has_more(references)) {
|
|
|
8b65ee |
struct oscap_reference *ref = oscap_reference_iterator_next(references);
|
|
|
8b65ee |
- if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF) == 0) {
|
|
|
8b65ee |
+ const char *href = oscap_reference_get_href(ref);
|
|
|
8b65ee |
+ if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
|
|
|
8b65ee |
+ strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
|
|
|
8b65ee |
const char *stig_rule_id = oscap_reference_get_title(ref);
|
|
|
8b65ee |
|
|
|
8b65ee |
xccdf_test_result_type_t other_res = (xccdf_test_result_type_t)oscap_htable_detach(nodes_by_rule_id, stig_rule_id);
|
|
|
8b65ee |
@@ -1367,8 +1368,9 @@ void xccdf_rule_result_to_dom(struct xccdf_rule_result *result, xmlDoc *doc, xml
|
|
|
8b65ee |
struct oscap_reference_iterator *references = xccdf_item_get_references(item);
|
|
|
8b65ee |
while (oscap_reference_iterator_has_more(references)) {
|
|
|
8b65ee |
struct oscap_reference *ref = oscap_reference_iterator_next(references);
|
|
|
8b65ee |
- if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[0]) == 0 ||
|
|
|
8b65ee |
- strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[1]) == 0) {
|
|
|
8b65ee |
+ const char *href = oscap_reference_get_href(ref);
|
|
|
8b65ee |
+ if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
|
|
|
8b65ee |
+ strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
|
|
|
8b65ee |
const char *stig_rule_id = oscap_reference_get_title(ref);
|
|
|
8b65ee |
|
|
|
8b65ee |
xccdf_test_result_type_t expected_res = (xccdf_test_result_type_t)oscap_htable_get(nodes_by_rule_id, stig_rule_id);
|
|
|
8b65ee |
|
|
|
8b65ee |
From 7ae1dd586128889bbaa8b3a20937d00feabd2ac0 Mon Sep 17 00:00:00 2001
|
|
|
8b65ee |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
8b65ee |
Date: Wed, 6 Jan 2021 13:35:36 +0100
|
|
|
8b65ee |
Subject: [PATCH 4/5] Test reference elements without href attribute
|
|
|
8b65ee |
|
|
|
8b65ee |
The href attribute is optional within xccdf:reference element.
|
|
|
8b65ee |
Moreover, reference elements can contain Dublin Core elements instead of
|
|
|
8b65ee |
a simple atomic value. Some SCAP content uses xccdf:reference without
|
|
|
8b65ee |
href attribute, for example DISA STIG for RHEL 7 V3R1. There was a
|
|
|
8b65ee |
segmentation fault because oscap expected the href attribute to be
|
|
|
8b65ee |
present. See RHBZ #1911999 for more information.
|
|
|
8b65ee |
---
|
|
|
8b65ee |
tests/API/XCCDF/unittests/test_single_rule.xccdf.xml | 10 +++++++++-
|
|
|
8b65ee |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
8b65ee |
|
|
|
8b65ee |
diff --git a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
|
|
|
8b65ee |
index c942aac18a..c41b86173a 100644
|
|
|
8b65ee |
--- a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
|
|
|
8b65ee |
+++ b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
|
|
|
8b65ee |
@@ -1,5 +1,5 @@
|
|
|
8b65ee |
|
|
|
8b65ee |
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
|
|
|
8b65ee |
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dc="http://purl.org/dc/elements/1.1/" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
|
|
|
8b65ee |
<status>accepted</status>
|
|
|
8b65ee |
<version>1.0</version>
|
|
|
8b65ee |
|
|
|
8b65ee |
@@ -26,6 +26,14 @@
|
|
|
8b65ee |
</Value>
|
|
|
8b65ee |
<Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
|
|
|
8b65ee |
<title>This rule always pass</title>
|
|
|
8b65ee |
+ <reference>Clever book, page 18, section 3</reference>
|
|
|
8b65ee |
+ <reference>
|
|
|
8b65ee |
+ <dc:title>Test reference without href attribute</dc:title>
|
|
|
8b65ee |
+ <dc:publisher>OpenSCAP Project</dc:publisher>
|
|
|
8b65ee |
+ <dc:type>Dummy reference</dc:type>
|
|
|
8b65ee |
+ <dc:subject>Random subject</dc:subject>
|
|
|
8b65ee |
+ <dc:identifier>12345</dc:identifier>
|
|
|
8b65ee |
+ </reference>
|
|
|
8b65ee |
<reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040800</reference>
|
|
|
8b65ee |
<reference href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86937r1_rule</reference>
|
|
|
8b65ee |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
|
|
8b65ee |
|