From fa2dd61bfc113363bc9576bb625cd02d573ec1b1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 11:07:28 +0000 Subject: import openscap-1.2.17-4.el7 --- diff --git a/SOURCES/add_oval_results_to_test.patch b/SOURCES/add_oval_results_to_test.patch new file mode 100644 index 0000000..0c9fedd --- /dev/null +++ b/SOURCES/add_oval_results_to_test.patch @@ -0,0 +1,32 @@ +From 293a2da756796cba8bcf3d9b7a153e685030594f Mon Sep 17 00:00:00 2001 +From: Matus Marhefka +Date: Mon, 27 May 2019 10:29:54 +0200 +Subject: [PATCH] Add --oval-results to the + ds_continue_without_remote_resources test + +--- + tests/DS/test_ds.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tests/DS/test_ds.sh b/tests/DS/test_ds.sh +index 1383ad87a..43ea43797 100755 +--- a/tests/DS/test_ds.sh ++++ b/tests/DS/test_ds.sh +@@ -418,14 +418,15 @@ function test_ds_continue_without_remote_resources() { + local DS="${srcdir}/$1" + local PROFILE="$2" + local result=$(mktemp) ++ local oval_result="test_single_rule.oval.xml.result.xml" + +- $OSCAP xccdf eval --profile "$PROFILE" --results "$result" "$DS" ++ $OSCAP xccdf eval --oval-results --profile "$PROFILE" --results "$result" "$DS" + + assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]' + assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]' + assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]' + +- rm -f "$result" ++ rm -f "$result" "$oval_result" + } + + diff --git a/SOURCES/add_scap_1_3_schema_and_detect_version.patch b/SOURCES/add_scap_1_3_schema_and_detect_version.patch new file mode 100644 index 0000000..413223e --- /dev/null +++ b/SOURCES/add_scap_1_3_schema_and_detect_version.patch 
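Review bot: The new `oval_result` name `test_single_rule.oval.xml.result.xml` is hard-coded and is written by `--oval-results` into the current working directory, yet it is only removed on the success path — if any `assert_exists` aborts the function, both `$result` and the OVAL result file are left behind and can bleed into later tests sharing that directory. The name presumably mirrors the OVAL component href inside the fixture datastream, so it will silently stop matching if that fixture is renamed; consider running the eval from a `mktemp -d` scratch directory with `trap 'rm -rf "$tmpdir"' RETURN` instead of naming the file. The enclosing function `test_ds_continue_without_remote_resources` starts before this hunk.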
@@ -0,0 +1,1576 @@ +From 5bf1556bc867401e664de67a0b2ccaa8e7c86ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 12:33:31 +0200 +Subject: [PATCH 1/9] Add SCAP 1.3 source datastream schema + +Downloaded from +https://csrc.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd +Converted the EOLs to Unix using `dos2unix` tool. +--- + schemas/Makefile.am | 3 + + .../sds/1.3/scap-source-data-stream_1.3.xsd | 230 ++++++++++++++++++ + 2 files changed, 233 insertions(+) + create mode 100644 schemas/sds/1.3/scap-source-data-stream_1.3.xsd + +diff --git a/schemas/Makefile.am b/schemas/Makefile.am +index 5a5cf015e..2ca4851e6 100644 +--- a/schemas/Makefile.am ++++ b/schemas/Makefile.am +@@ -15,6 +15,7 @@ xccdf11dir = $(pkgdatadir)/schemas/xccdf/1.1/ + xccdf11tailoringdir = $(pkgdatadir)/schemas/xccdf/1.1-tailoring/ + xccdf12dir = $(pkgdatadir)/schemas/xccdf/1.2/ + sds12dir = $(pkgdatadir)/schemas/sds/1.2/ ++sds13dir = $(pkgdatadir)/schemas/sds/1.3/ + arf11dir = $(pkgdatadir)/schemas/arf/1.1/ + ocil20dir = $(pkgdatadir)/schemas/ocil/2.0/ + cpe20dir = $(pkgdatadir)/schemas/cpe/2.0/ +@@ -46,6 +47,7 @@ xccdf11tailoring_DATA = $(wildcard $(srcdir)/xccdf/1.1-tailoring/*.xsd $(srcdir) + xccdf12_DATA = $(wildcard $(srcdir)/xccdf/1.2/*.xsd $(srcdir)/xccdf/1.2/*.dtd $(srcdir)/xccdf/1.2/*.xsl) + + sds12_DATA = $(wildcard $(srcdir)/sds/1.2/*.xsd $(srcdir)/sds/1.2/*.dtd) ++sds13_DATA = $(wildcard $(srcdir)/sds/1.3/*.xsd $(srcdir)/sds/1.3/*.dtd) + arf11_DATA = $(wildcard $(srcdir)/arf/1.1/*.xsd) + + ocil20_DATA = $(wildcard $(srcdir)/ocil/2.0/*.xsd $(srcdir)/sds/2.0/*.dtd) +@@ -77,6 +79,7 @@ EXTRA_DIST = \ + $(xccdf11tailoring_DATA) \ + $(xccdf12_DATA) \ + $(sds12_DATA) \ ++ $(sds13_DATA) \ + $(arf11_DATA) \ + $(ocil20_DATA) \ + $(cpe20_DATA) \ +diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +new file mode 100644 +index 000000000..4a933ba2e +--- /dev/null ++++ 
b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +@@ -0,0 +1,230 @@ ++ ++ ++ ++ ++ SCAP 1.3 Source Data Stream Collection ++ Adam Halbardier, David Waltermire ++ 1.3 ++ 2016-12-01 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Holds a collection of data streams and components. ++ ++ ++ ++ ++ ++ ++ ++ ++ A digital signature of a data stream. ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The version of the requirements Schematron ruleset to which the instance ++ conforms. ++ ++ ++ ++ ++ ++ ++ An SCAP data stream containing pointers to all of the components composing the data ++ stream. ++ ++ ++ ++ ++ ++ Holds pointers to dictionary components. ++ ++ ++ ++ ++ Holds pointers to checklist components. ++ ++ ++ ++ ++ Holds pointers to check components. ++ ++ ++ ++ ++ Holds pointers to non-standard SCAP components captured as extended-component ++ elements. ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The SCAP capability being expressed by this data stream. The type is expressed to allow for ++ future use of this schema while indicating the currently acceptable values. ++ ++ ++ ++ ++ ++ ++ ++ The version of SCAP expressed by this data stream. The type is expressed to allow for future ++ use of this schema while indicating the currently acceptable values. ++ ++ ++ ++ ++ ++ ++ ++ The time when the data stream was created or last modified. ++ ++ ++ ++ ++ ++ ++ A component that is used by an SCAP data stream. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The time when the component was created or last modified. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ A component that holds non-standard SCAP content. ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The time when the component was created or last modified. ++ ++ ++ ++ ++ ++ ++ An XLink element that points to a component. ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +From a005cfd40e2dd217e779102d6347384ec0e4a4d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:03:53 +0200 +Subject: [PATCH 2/9] Move OASIS XML Catalog schema to the common directory + +This way we can reuse the OASIS XML Catalog schema in +other schemas. +--- + schemas/{sds/1.2 => common}/catalog.xsd | 0 + schemas/sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- + 2 files changed, 1 insertion(+), 1 deletion(-) + rename schemas/{sds/1.2 => common}/catalog.xsd (100%) + +diff --git a/schemas/sds/1.2/catalog.xsd b/schemas/common/catalog.xsd +similarity index 100% +rename from schemas/sds/1.2/catalog.xsd +rename to schemas/common/catalog.xsd +diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +index 606a92445..0dd91f010 100644 +--- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd ++++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +@@ -14,7 +14,7 @@ + + + +- ++ + + + + +From 61b89c3c9314be3f606bdb7f1b156a7a8359719e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:08:53 +0200 +Subject: [PATCH 3/9] Move W3C Xlink schema to common directory + +This way the schema can be reused in multiple different schemas. 
+--- + .../arf/1.1/asset-reporting-format_1.1.0.xsd | 2 +- + schemas/{arf/1.1 => common}/xlink.xsd | 2 +- + .../sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- + schemas/sds/1.2/xlink.xsd | 270 ------------------ + 4 files changed, 3 insertions(+), 273 deletions(-) + rename schemas/{arf/1.1 => common}/xlink.xsd (96%) + delete mode 100644 schemas/sds/1.2/xlink.xsd + +diff --git a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd +index 3617e854f..7e60eb4f6 100644 +--- a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd ++++ b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd +@@ -104,7 +104,7 @@ + + + +- ++ + + + +diff --git a/schemas/arf/1.1/xlink.xsd b/schemas/common/xlink.xsd +similarity index 96% +rename from schemas/arf/1.1/xlink.xsd +rename to schemas/common/xlink.xsd +index ea77d428f..0b2645e90 100644 +--- a/schemas/arf/1.1/xlink.xsd ++++ b/schemas/common/xlink.xsd +@@ -24,7 +24,7 @@ constructs, e.g. + ]]> + + +- ++ + + + +diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +index 0dd91f010..72de4f98e 100644 +--- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd ++++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +@@ -15,7 +15,7 @@ + + + +- ++ + + + Holds a collection of data streams and components. +diff --git a/schemas/sds/1.2/xlink.xsd b/schemas/sds/1.2/xlink.xsd +deleted file mode 100644 +index ea77d428f..000000000 +--- a/schemas/sds/1.2/xlink.xsd ++++ /dev/null +@@ -1,270 +0,0 @@ +- +- +- +- +- This schema document provides attribute declarations and +-attribute group, complex type and simple type definitions which can be used in +-the construction of user schemas to define the structure of particular linking +-constructs, e.g. +- +- +- +- +- +- +- ... +- +- ... +- +- +- ... 
+-]]> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- Intended for use as the type of user-declared elements to make them +- simple links. +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- Intended for use as the type of user-declared elements to make them +- extended links. +- Note that the elements referenced in the content model are all abstract. +- The intention is that by simply declaring elements with these as their +- substitutionGroup, all the right things will happen. +- +- +- +- +- +- +- +- +- +- +- +- +- +- xml:lang is not required, but provides much of the +- motivation for title elements in addition to attributes, and so +- is provided here for convenience. +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- label is not required, but locators have no particular +- XLink function if they are not labeled. 
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- from and to have default behavior when values are missing +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- + +From 9aeca3c095e10e5aa4d19516283bafb4f7ac567a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:15:18 +0200 +Subject: [PATCH 4/9] Use local XSDs in SCAP 1.3 source data stream schema + +Similar to acef6dd61270546aec9f2213f9b8d71ae9aab73b +--- + schemas/sds/1.3/scap-source-data-stream_1.3.xsd | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +index 4a933ba2e..7d6e2b177 100644 +--- a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd ++++ b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +@@ -14,18 +14,18 @@ + + + ++ schemaLocation="../../xccdf/1.2/xccdf_1.2.xsd"/> + ++ schemaLocation="../../oval/5.11.2/oval-definitions-schema.xsd"/> + ++ schemaLocation="../../cpe/2.3/cpe-dictionary_2.3.xsd"/> + ++ schemaLocation="../../ocil/2.0/ocil-2.0.xsd"/> + ++ schemaLocation="../../common/xmldsig-core-schema.xsd"/> + +- ++ schemaLocation="../../common/catalog.xsd"/> ++ + + + Holds a collection of data streams and components. + +From b967d10ca3af64539367c3c6280f6dbb9fc2fd64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 9 May 2019 09:42:21 +0200 +Subject: [PATCH 5/9] Fix schematron-version attribute in test datastreams + +The data-stream-collection@schematron-version attribute +should conform to the SCAP version. 
+--- + tests/API/XCCDF/tailoring/simple-ds.xml | 2 +- + tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml | 2 +- + tests/DS/cpe_in_ds/sds.xml | 2 +- + tests/DS/ds_sds_index/sds.xml | 2 +- + tests/DS/ds_sds_index/sds_multiple.xml | 2 +- + tests/DS/eval_benchmark_id_conflict/sds.xml | 2 +- + tests/DS/eval_cpe/sds.xml | 2 +- + tests/DS/eval_invalid/sds-oval.xml | 2 +- + tests/DS/eval_invalid/sds.xml | 2 +- + tests/DS/eval_just_oval/sds.xml | 2 +- + tests/DS/eval_oval_id/sds.xml | 2 +- + tests/DS/eval_simple/sds.xml | 2 +- + tests/DS/eval_xccdf_id/sds-complex.xml | 2 +- + tests/DS/eval_xccdf_id/sds.xml | 2 +- + tests/DS/rds_index_simple/arf.xml | 2 +- + tests/DS/rds_simple/sds.xml | 2 +- + tests/DS/rds_split_simple/report-request.xml | 2 +- + tests/DS/rds_testresult/sds.xml | 2 +- + tests/DS/sds_external_xccdf/sds.ds.xml | 2 +- + tests/DS/sds_external_xccdf/xccdf.sds.xml | 2 +- + tests/DS/sds_tailoring/sds.ds.xml | 2 +- + tests/DS/signed/sds-signed-fake-x509.xml | 2 +- + tests/DS/signed/sds-signed.xml | 2 +- + tests/DS/validate/rds-invalid.xml | 2 +- + tests/DS/validate/rds-valid.xml | 2 +- + tests/DS/validate/sds-invalid-oval.xml | 2 +- + tests/DS/validate/sds-invalid-xccdf.xml | 2 +- + tests/DS/validate/sds-invalid.xml | 2 +- + tests/DS/validate/sds-valid.xml | 2 +- + tests/sce/test_sce_in_ds.xml | 2 +- + 30 files changed, 30 insertions(+), 30 deletions(-) + +diff --git a/tests/API/XCCDF/tailoring/simple-ds.xml b/tests/API/XCCDF/tailoring/simple-ds.xml +index a8092096c..e5e515a70 100644 +--- a/tests/API/XCCDF/tailoring/simple-ds.xml ++++ b/tests/API/XCCDF/tailoring/simple-ds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml +index 84dad69b9..3f0ca8ca8 100644 +--- a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml ++++ b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml +@@ -1,5 +1,5 @@ + +-collection1asset0 ++collection1asset0 + + python + 
2.6.6 +diff --git a/tests/DS/cpe_in_ds/sds.xml b/tests/DS/cpe_in_ds/sds.xml +index dbc57605a..a77389703 100644 +--- a/tests/DS/cpe_in_ds/sds.xml ++++ b/tests/DS/cpe_in_ds/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/ds_sds_index/sds.xml b/tests/DS/ds_sds_index/sds.xml +index 0e438a39d..574046d24 100644 +--- a/tests/DS/ds_sds_index/sds.xml ++++ b/tests/DS/ds_sds_index/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/ds_sds_index/sds_multiple.xml b/tests/DS/ds_sds_index/sds_multiple.xml +index a24e6f385..069202331 100644 +--- a/tests/DS/ds_sds_index/sds_multiple.xml ++++ b/tests/DS/ds_sds_index/sds_multiple.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_benchmark_id_conflict/sds.xml b/tests/DS/eval_benchmark_id_conflict/sds.xml +index f3a075615..612eecb0c 100644 +--- a/tests/DS/eval_benchmark_id_conflict/sds.xml ++++ b/tests/DS/eval_benchmark_id_conflict/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_cpe/sds.xml b/tests/DS/eval_cpe/sds.xml +index fa568690a..a73403f74 100644 +--- a/tests/DS/eval_cpe/sds.xml ++++ b/tests/DS/eval_cpe/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_invalid/sds-oval.xml b/tests/DS/eval_invalid/sds-oval.xml +index d4e1b2900..e77e1aaea 100644 +--- a/tests/DS/eval_invalid/sds-oval.xml ++++ b/tests/DS/eval_invalid/sds-oval.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_invalid/sds.xml b/tests/DS/eval_invalid/sds.xml +index f9be5cb0c..e97592354 100644 +--- a/tests/DS/eval_invalid/sds.xml ++++ b/tests/DS/eval_invalid/sds.xml +@@ -1,3 +1,3 @@ + +- ++ + +diff --git a/tests/DS/eval_just_oval/sds.xml b/tests/DS/eval_just_oval/sds.xml +index 976c1d2ee..3093b1c4a 100644 +--- a/tests/DS/eval_just_oval/sds.xml ++++ b/tests/DS/eval_just_oval/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_oval_id/sds.xml b/tests/DS/eval_oval_id/sds.xml +index 8380c68b8..ea72b4d3b 100644 +--- a/tests/DS/eval_oval_id/sds.xml ++++ 
b/tests/DS/eval_oval_id/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_simple/sds.xml b/tests/DS/eval_simple/sds.xml +index d3c4a6a5d..826a72629 100644 +--- a/tests/DS/eval_simple/sds.xml ++++ b/tests/DS/eval_simple/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/eval_xccdf_id/sds-complex.xml b/tests/DS/eval_xccdf_id/sds-complex.xml +index 5b69cd765..9ef6170e4 100644 +--- a/tests/DS/eval_xccdf_id/sds-complex.xml ++++ b/tests/DS/eval_xccdf_id/sds-complex.xml +@@ -1,5 +1,5 @@ + +- ++ + + +diff --git a/tests/DS/signed/sds-signed-fake-x509.xml b/tests/DS/signed/sds-signed-fake-x509.xml +index 0431a42ca..592bfb3c2 100644 +--- a/tests/DS/signed/sds-signed-fake-x509.xml ++++ b/tests/DS/signed/sds-signed-fake-x509.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/signed/sds-signed.xml b/tests/DS/signed/sds-signed.xml +index 1863e5f18..3e862dd82 100644 +--- a/tests/DS/signed/sds-signed.xml ++++ b/tests/DS/signed/sds-signed.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/rds-invalid.xml b/tests/DS/validate/rds-invalid.xml +index 7351e0cb2..f98d13ada 100644 +--- a/tests/DS/validate/rds-invalid.xml ++++ b/tests/DS/validate/rds-invalid.xml +@@ -19,7 +19,7 @@ + xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +- id="scap_cdf_collection_fedora.zip" schematron-version="1.0" ++ id="scap_cdf_collection_fedora.zip" schematron-version="1.2" + xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 
http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> + + +diff --git a/tests/DS/validate/rds-valid.xml b/tests/DS/validate/rds-valid.xml +index e08672a3a..22dadccbf 100644 +--- a/tests/DS/validate/rds-valid.xml ++++ b/tests/DS/validate/rds-valid.xml +@@ -20,7 +20,7 @@ + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + id="scap_cdf_collection_fedora.zip" +- schematron-version="1.0" ++ schematron-version="1.2" + xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> + + +diff --git a/tests/DS/validate/sds-invalid-oval.xml b/tests/DS/validate/sds-invalid-oval.xml +index c9ac98b48..e8be9abcf 100644 +--- a/tests/DS/validate/sds-invalid-oval.xml ++++ b/tests/DS/validate/sds-invalid-oval.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/sds-invalid-xccdf.xml b/tests/DS/validate/sds-invalid-xccdf.xml +index 64df3a13d..cf3017070 100644 +--- a/tests/DS/validate/sds-invalid-xccdf.xml ++++ b/tests/DS/validate/sds-invalid-xccdf.xml +@@ -1,5 +1,5 @@ + +- ++ + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality + on Linux. 
+diff --git a/tests/DS/validate/sds-invalid.xml b/tests/DS/validate/sds-invalid.xml +index 3a7d67ca6..51a2ed03a 100644 +--- a/tests/DS/validate/sds-invalid.xml ++++ b/tests/DS/validate/sds-invalid.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/sds-valid.xml b/tests/DS/validate/sds-valid.xml +index d3c4a6a5d..826a72629 100644 +--- a/tests/DS/validate/sds-valid.xml ++++ b/tests/DS/validate/sds-valid.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/sce/test_sce_in_ds.xml b/tests/sce/test_sce_in_ds.xml +index 14e0876e6..62c45781c 100644 +--- a/tests/sce/test_sce_in_ds.xml ++++ b/tests/sce/test_sce_in_ds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + + +From 190ca9d3db7049879be4308c5194f2406cc5f70b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 9 May 2019 09:44:06 +0200 +Subject: [PATCH 6/9] Detect source datastream version + +Instead of hard-coding SCAP 1.2, we will use +data-stream-collection@schematron-version attribute to detect the SCAP +version of datastream and we will choose the right XML schema +accordingly. So far, only 1.2 and 1.3 datastreams are supported. 
+---
+ src/DS/sds.c | 26 ++++++++++++++++++++++++++
+ src/DS/sds_priv.h | 4 ++++
+ src/source/Makefile.am | 1 +
+ src/source/oscap_source.c | 3 ++-
+ src/source/validate.c | 1 +
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/src/DS/sds.c b/src/DS/sds.c
+index b7c33a2e5..c4271b26e 100644
+--- a/src/DS/sds.c
++++ b/src/DS/sds.c
+@@ -1265,3 +1265,29 @@ int ds_sds_compose_from_xccdf(const char *xccdf_file, const char *target_datastr
+ xmlFreeDoc(doc);
+ return 0;
+ }
++
++char *ds_sds_detect_version(xmlTextReader *reader)
++{
++ /* find root element */
++ while (xmlTextReaderRead(reader) == 1 && xmlTextReaderNodeType(reader) != XML_READER_TYPE_ELEMENT)
++ ;
++
++ char *element_name = (char *) xmlTextReaderConstLocalName(reader);
++ if (!element_name) {
++ oscap_setxmlerr(xmlGetLastError());
++ return NULL;
++ }
++ if (strcmp(element_name, "data-stream-collection")) {
++ oscap_seterr(OSCAP_EFAMILY_OSCAP,
++ "Expected root element name for SCAP source datastream is" \
++ "'data-stream-collection' but actual root element name is '%s'.",
++ element_name);
++ return NULL;
++ }
++ char *schematron_version = (char *) xmlTextReaderGetAttribute(reader, BAD_CAST "schematron-version");
++ if (!schematron_version) {
++ oscap_setxmlerr(xmlGetLastError());
++ return NULL;
++ }
++ return schematron_version;
++}
+diff --git a/src/DS/sds_priv.h b/src/DS/sds_priv.h
+index 0ba2e8cb7..39c36da9f 100644
+--- a/src/DS/sds_priv.h
++++ b/src/DS/sds_priv.h
+@@ -26,6 +26,7 @@
+ #endif
+
+ #include
++#include
+ #include "common/public/oscap.h"
+ #include "common/util.h"
+ #include "ds_sds_session.h"
+@@ -45,5 +45,8 @@
+ xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf(const char *xccdf_file);
+ xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf_source(struct oscap_source *xccdf_source);
+
++char *ds_sds_detect_version(xmlTextReader *reader);
++
+ OSCAP_HIDDEN_END;
++
+ #endif
+diff --git a/src/source/Makefile.am b/src/source/Makefile.am
+index 446bf4596..ad37ba6f6 100644
+--- 
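Review bot: In `ds_sds_detect_version`, a root element that simply lacks a `schematron-version` attribute makes `xmlTextReaderGetAttribute` return NULL without raising a libxml error, so `oscap_setxmlerr(xmlGetLastError())` most likely records nothing useful (or a stale, unrelated error) and the caller just sees NULL. Report the condition explicitly: `oscap_seterr(OSCAP_EFAMILY_OSCAP, "The 'data-stream-collection' root element has no 'schematron-version' attribute, SCAP version can't be detected.");`. The two adjacent literals in the other error message also lack a separating space — `"...datastream is" \` followed by `"'data-stream-collection'..."` prints as `is'data-stream-collection'`; add a trailing space to the first literal. The returned string is allocated by libxml (xmlMalloc), unlike the `oscap_strdup` results used elsewhere for the same purpose, so the prototype in sds_priv.h should carry a comment such as `/* Returns the schematron-version attribute of the root element; caller releases it with xmlFree(). NULL and an oscap error on failure. */`.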
a/src/source/Makefile.am ++++ b/src/source/Makefile.am +@@ -19,6 +19,7 @@ liboscapsource_la_CPPFLAGS = \ + @xml2_CFLAGS@ @xslt_CFLAGS@ @exslt_CFLAGS@ \ + -I$(srcdir)/public \ + -I$(top_srcdir)/src \ ++ -I$(top_srcdir)/src/DS/public \ + -I$(top_srcdir)/src/CPE/public \ + -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ + -I$(top_srcdir)/src/common/public +diff --git a/src/source/oscap_source.c b/src/source/oscap_source.c +index 3b7282ed3..228dc049b 100644 +--- a/src/source/oscap_source.c ++++ b/src/source/oscap_source.c +@@ -51,6 +51,7 @@ + #include "source/validate_priv.h" + #include "XCCDF/elements.h" + #include "XCCDF/public/xccdf_benchmark.h" ++#include "DS/sds_priv.h" + + typedef enum oscap_source_type { + OSCAP_SRC_FROM_USER_XML_FILE = 1, ///< The source originated from XML file supplied by user +@@ -360,7 +361,7 @@ const char *oscap_source_get_schema_version(struct oscap_source *source) + } + switch (oscap_source_get_scap_type(source)) { + case OSCAP_DOCUMENT_SDS: +- source->origin.version = oscap_strdup("1.2"); ++ source->origin.version = ds_sds_detect_version(reader); + break; + case OSCAP_DOCUMENT_ARF: + source->origin.version = oscap_strdup("1.1"); +diff --git a/src/source/validate.c b/src/source/validate.c +index 4c7aa98c4..730d44b2f 100644 +--- a/src/source/validate.c ++++ b/src/source/validate.c +@@ -220,6 +220,7 @@ struct oscap_schema_table_entry OSCAP_SCHEMAS_TABLE[] = { + {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.2", "xccdf/1.2/xccdf_1.2.xsd"}, + {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.1", "xccdf/1.1-tailoring/xccdf-1.1-tailoring.xsd"}, // unofficial openscap extension! 
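Review bot: `oscap_source_get_schema_version` now stores a possibly NULL `ds_sds_detect_version` result in `source->origin.version`, where the old `oscap_strdup("1.2")` was effectively always non-NULL, so whatever follows the switch (outside this hunk) must be checked for a NULL version before it is dereferenced or compared. The fixture edits in patch 5 show that existing datastreams commonly carry `schematron-version="1.0"`, which has no row in OSCAP_SCHEMAS_TABLE; such content presumably stops validating as 1.2 after this change, so either map unknown or `1.0` values to `1.2` with a warning or state the new strictness in the commit message. The SDS branch also mixes an xmlMalloc'd string with the siblings' `oscap_strdup` results in the same field; keeping one allocator is three lines: `char *v = ds_sds_detect_version(reader);` / `source->origin.version = v ? oscap_strdup(v) : NULL;` / `xmlFree(v);`.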
+ {OSCAP_DOCUMENT_SDS, "1.2", "sds/1.2/scap-source-data-stream_1.2.xsd"}, ++ {OSCAP_DOCUMENT_SDS, "1.3", "sds/1.3/scap-source-data-stream_1.3.xsd"}, + {OSCAP_DOCUMENT_ARF, "1.1", "arf/1.1/asset-reporting-format_1.1.0.xsd"}, + {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.0", "cpe/2.0/cpe-dictionary_2.0.xsd"}, + {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.1", "cpe/2.1/cpe-dictionary_2.1.xsd"}, + +From 8457c924957f16b43921ed488a0268d868d94ac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 10 May 2019 09:48:46 +0200 +Subject: [PATCH 7/9] Add a simple test for oscap info + +This test tests if `oscap` is able to detect the version +of SCAP source datastream (if DS is SCAP 1.2 or 1.3). +--- + configure.ac | 1 + + tests/DS/Makefile.am | 2 +- + tests/DS/sds_detect_version/Makefile.am | 13 +++++ + tests/DS/sds_detect_version/scap-1.2-ds.xml | 51 +++++++++++++++++++ + tests/DS/sds_detect_version/scap-1.3-ds.xml | 51 +++++++++++++++++++ + .../sds_detect_version/test_detect_version.sh | 27 ++++++++++ + 7 files changed, 145 insertions(+), 1 deletion(-) + create mode 100644 tests/DS/sds_detect_version/Makefile.am + create mode 100644 tests/DS/sds_detect_version/scap-1.2-ds.xml + create mode 100644 tests/DS/sds_detect_version/scap-1.3-ds.xml + create mode 100755 tests/DS/sds_detect_version/test_detect_version.sh + +diff --git a/configure.ac b/configure.ac +index dd02507da..91fba1390 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1548,6 +1548,7 @@ AC_CONFIG_FILES([Makefile + src/DS/Makefile + tests/DS/Makefile + tests/DS/ds_sds_index/Makefile ++ tests/DS/sds_detect_version/Makefile + tests/DS/signed/Makefile + tests/DS/validate/Makefile + +diff --git a/tests/DS/Makefile.am b/tests/DS/Makefile.am +index ea742386d..e0f63348c 100644 +--- a/tests/DS/Makefile.am ++++ b/tests/DS/Makefile.am +@@ -60,4 +60,4 @@ EXTRA_DIST = test_ds.sh \ + sds_subdir/subdir/scap-fedora14-xccdf.xml \ + sds_tailoring/sds.ds.xml + +-SUBDIRS = ds_sds_index signed validate ++SUBDIRS = 
ds_sds_index signed validate sds_detect_version +diff --git a/tests/DS/sds_detect_version/Makefile.am b/tests/DS/sds_detect_version/Makefile.am +new file mode 100644 +index 000000000..087888742 +--- /dev/null ++++ b/tests/DS/sds_detect_version/Makefile.am +@@ -0,0 +1,13 @@ ++DISTCLEANFILES = *.log *.results oscap_debug.log.* ++CLEANFILES = *.log *.results oscap_debug.log.* ++ ++TESTS_ENVIRONMENT= \ ++ builddir=$(top_builddir) \ ++ OSCAP_FULL_VALIDATION=1 \ ++ $(top_builddir)/run ++ ++TESTS = test_detect_version.sh ++ ++EXTRA_DIST = test_detect_version.sh \ ++ scap-1.2-ds.xml \ ++ scap-1.3-ds.xml +diff --git a/tests/DS/sds_detect_version/scap-1.2-ds.xml b/tests/DS/sds_detect_version/scap-1.2-ds.xml +new file mode 100644 +index 000000000..12e4954ae +--- /dev/null ++++ b/tests/DS/sds_detect_version/scap-1.2-ds.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.10 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml +new file mode 100644 +index 000000000..5d4af29a3 +--- /dev/null ++++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/sds_detect_version/test_detect_version.sh b/tests/DS/sds_detect_version/test_detect_version.sh 
+new file mode 100755
+index 000000000..607aac261
+--- /dev/null
++++ b/tests/DS/sds_detect_version/test_detect_version.sh
+@@ -0,0 +1,27 @@
++#!/bin/bash
++
++# Copyright 2019 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# OpenSCAP Test Suite
++#
++# Authors:
++# Jan Černý
++
++. $builddir/tests/test_common.sh
++
++set -e -o pipefail
++
++function test_oscap_info {
++ version="$1"
++ stdout="$(mktemp)"
++ stderr="$(mktemp)"
++ $OSCAP info $srcdir/scap-$version-ds.xml > $stdout 2> $stderr
++ [ ! -s $stderr ]
++ grep -q "Version: $version" $stdout
++ rm $stdout
++ rm $stderr
++}
++
++test_oscap_info "1.2"
++test_oscap_info "1.3"
+
+From 475b387ad359549645b9d7595eefdeea104cdf81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Fri, 10 May 2019 10:11:59 +0200
+Subject: [PATCH 8/9] Add simple tests for validating SCAP 1.3 datastreams
+
+Tests if `oscap ds sds-validate` can validate SCAP 1.3 datastreams
+against XML schema. The test uses a simple valid datastream and
+a simple invalid datastream. 
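Review bot: Under `set -e` the two `mktemp` files are never removed when `[ ! -s $stderr ]` or the `grep` fails, because the script aborts before reaching the `rm` lines; register the cleanup up front with `trap 'rm -f "$stdout" "$stderr"' EXIT` (and drop the two `rm` lines). `grep -q "Version: $version"` treats the dot in `1.2`/`1.3` as a wildcard and would also accept `Version: 1x2`; use `grep -qF "Version: $version" "$stdout"`. The unquoted `$srcdir`, `$stdout` and `$stderr` expansions break on paths containing spaces — quote them.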
+--- + tests/DS/validate/Makefile.am | 14 ++++---- + tests/DS/validate/all.sh | 2 ++ + tests/DS/validate/sds-1.3-invalid.xml | 48 +++++++++++++++++++++++++ + tests/DS/validate/sds-1.3-valid.xml | 51 +++++++++++++++++++++++++++ + 4 files changed, 109 insertions(+), 6 deletions(-) + create mode 100644 tests/DS/validate/sds-1.3-invalid.xml + create mode 100644 tests/DS/validate/sds-1.3-valid.xml + +diff --git a/tests/DS/validate/Makefile.am b/tests/DS/validate/Makefile.am +index 0ebe28559..6cca84f98 100644 +--- a/tests/DS/validate/Makefile.am ++++ b/tests/DS/validate/Makefile.am +@@ -9,9 +9,11 @@ TESTS_ENVIRONMENT= \ + TESTS = all.sh + + EXTRA_DIST = all.sh \ +- sds-valid.xml \ +- sds-invalid.xml \ +- sds-invalid-xccdf.xml \ +- sds-invalid-oval.xml \ +- rds-valid.xml \ +- rds-invalid.xml ++ rds-invalid.xml \ ++ rds-valid.xml \ ++ sds-1.3-invalid.xml \ ++ sds-1.3-valid.xml \ ++ sds-invalid-oval.xml \ ++ sds-invalid-xccdf.xml \ ++ sds-invalid.xml \ ++ sds-valid.xml +diff --git a/tests/DS/validate/all.sh b/tests/DS/validate/all.sh +index b6c2de011..8d5845dff 100755 +--- a/tests/DS/validate/all.sh ++++ b/tests/DS/validate/all.sh +@@ -18,7 +18,9 @@ function test_validation { + + test_init test_validation.log + test_run "valid-sds" test_validation sds sds-valid.xml 0 ++test_run "valid-1.3-sds" test_validation sds sds-1.3-valid.xml 0 + test_run "invalid-sds" test_validation sds sds-invalid.xml 1 ++test_run "invalid-1.3-sds" test_validation sds sds-1.3-invalid.xml 1 + test_run "invalid-xccdf-sds" test_validation sds sds-invalid-xccdf.xml 1 + test_run "invalid-oval-sds" test_validation sds sds-invalid-oval.xml 1 + +diff --git a/tests/DS/validate/sds-1.3-invalid.xml b/tests/DS/validate/sds-1.3-invalid.xml +new file mode 100644 +index 000000000..0f540925f +--- /dev/null ++++ b/tests/DS/validate/sds-1.3-invalid.xml +@@ -0,0 +1,48 @@ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red 
Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/validate/sds-1.3-valid.xml b/tests/DS/validate/sds-1.3-valid.xml +new file mode 100644 +index 000000000..5d4af29a3 +--- /dev/null ++++ b/tests/DS/validate/sds-1.3-valid.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ + +From 09d00acda9153c4012dca5a05ee226fc05ba2080 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 27 May 2019 10:58:47 +0200 +Subject: [PATCH 9/9] Change OVAL version to 5.11.2 + +The SCAP 1.3 source datastream schema imports OVAL 5.11.2. +--- + tests/DS/sds_detect_version/scap-1.3-ds.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml +index 5d4af29a3..2e4ff31b0 100644 +--- a/tests/DS/sds_detect_version/scap-1.3-ds.xml ++++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml +@@ -10,7 +10,7 @@ + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 +- 5.11 ++ 5.11.2 + 2019-05-10T06:18:18 + + diff --git a/SOURCES/autofs_entries_in_mtab.patch b/SOURCES/autofs_entries_in_mtab.patch new file mode 100644 index 0000000..35a290b --- /dev/null +++ b/SOURCES/autofs_entries_in_mtab.patch 
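Review bot: Patch 9 bumps `schema_version` to 5.11.2 only in tests/DS/sds_detect_version/scap-1.3-ds.xml, but tests/DS/validate/sds-1.3-valid.xml was created from the same blob (both show index 5d4af29a3) and still declares `5.11`, while the 1.3 XSD from patch 4 imports `oval/5.11.2/oval-definitions-schema.xsd`. The commit message gives that import as the reason for the bump, so presumably the validate fixture needs the same one-line change to `5.11.2`; if 5.11 content is instead meant to validate against the 5.11.2 schema, say so in the message, since the "valid-1.3-sds" test passing is then the evidence for it.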
@@ -0,0 +1,192 @@ +From 309f8230d67f229b6091876c3ace62370fb3d451 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 17 May 2019 10:25:08 +0200 +Subject: [PATCH 1/2] Handle autofs entries in /etc/mtab + +Some file systems can be mounted using autofs, which should be +considered during analysis of /etc/mtab.F or more details, +please see the comment introduced in this patch. +--- + src/OVAL/probes/fsdev.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index ca6304890..29250f2bf 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -125,6 +125,20 @@ is_local_fs(struct mntent *ment) + #if 1 + char *s; + ++ /* ++ * When type of the filesystem is autofs, it means the mtab entry ++ * describes the autofs configuration, which means ment->mnt_fsname ++ * is a path to the relevant autofs map, eg. /etc/auto.misc. In this ++ * situation, the following code which analyses ment->mnt_type would ++ * not work. When the filesystem handled by autofs is mounted, there ++ * is another different entry in mtab which contains the real block ++ * special device or remote filesystem in ment->mnt_fsname, and that ++ * will be parsed in a different call of this function. ++ */ ++ if (!strcmp(ment->mnt_type, "autofs")) { ++ return 0; ++ } ++ + s = ment->mnt_fsname; + /* If the fsname begins with "//", it is probably CIFS. */ + if (s[0] == '/' && s[1] == '/') + +From fff58197d9747a08d0fc23914a31fefbe44f07ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 17 May 2019 16:16:23 +0200 +Subject: [PATCH 2/2] Test is_local_fs + +Adds a simple unit test that checks whether autofs entries in +/etc/mtab are not considered local. 
+--- + src/OVAL/probes/fsdev.c | 6 ++-- + src/OVAL/probes/public/fsdev.h | 14 ++++++++ + tests/API/probes/Makefile.am | 6 ++-- + tests/API/probes/all.sh | 1 + + tests/API/probes/test_fsdev_is_local_fs.c | 41 +++++++++++++++++++++++ + 5 files changed, 62 insertions(+), 6 deletions(-) + create mode 100644 tests/API/probes/test_fsdev_is_local_fs.c + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index 29250f2bf..d455b39c4 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -118,8 +118,7 @@ static int match_fs(const char *fsname, const char **fs_arr, size_t fs_cnt) + #define DEVID_ARRAY_ADD 8 + + #if defined(__linux__) +-static int +-is_local_fs(struct mntent *ment) ++int is_local_fs(struct mntent *ment) + { + // todo: would it be usefull to provide the choice during build-time? + #if 1 +@@ -169,8 +168,7 @@ is_local_fs(struct mntent *ment) + } + + #elif defined(_AIX) +-static int +-is_local_fs(struct mntent *ment) ++int is_local_fs(struct mntent *ment) + { + int i; + struct vfs_ent *e; +diff --git a/src/OVAL/probes/public/fsdev.h b/src/OVAL/probes/public/fsdev.h +index 382ec536b..aeb455df1 100644 +--- a/src/OVAL/probes/public/fsdev.h ++++ b/src/OVAL/probes/public/fsdev.h +@@ -36,6 +36,10 @@ + #include + #include + ++#if defined(__linux__) || defined(_AIX) ++#include ++#endif ++ + /** + * Filesystem device structure. + */ +@@ -88,5 +92,15 @@ int fsdev_path(fsdev_t * lfs, const char *path); + */ + int fsdev_fd(fsdev_t * lfs, int fd); + ++#if defined(__linux__) || defined(_AIX) ++/** ++ * Detemines whether a given mtab entry is a local file system. ++ * @param ment Structure returned by getmntent (see `man 3 getmntent`). 
++ * @retval 1 if local ++ * @retval 0 otherwise ++ */ ++int is_local_fs(struct mntent *ment); ++#endif ++ + #endif /* FSDEV_H */ + /// @} +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index e26a47e63..70442bcc3 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -26,14 +26,16 @@ TESTS_ENVIRONMENT = \ + $(top_builddir)/run + + TESTS = all.sh +-check_PROGRAMS = test_api_probes_smoke oval_fts_list ++check_PROGRAMS = test_api_probes_smoke oval_fts_list test_fsdev_is_local_fs + + test_api_probes_smoke_SOURCES = test_api_probes_smoke.c + oval_fts_list_CFLAGS= -I$(top_srcdir)/src/OVAL/probes + oval_fts_list_SOURCES= oval_fts_list.c ++test_fsdev_is_local_fs_SOURCES = test_fsdev_is_local_fs.c + + EXTRA_DIST += \ + all.sh \ + fts.sh \ + gentree.sh \ +- test_api_probes_smoke.c ++ test_api_probes_smoke.c \ ++ test_fsdev_is_local_fs.c +diff --git a/tests/API/probes/all.sh b/tests/API/probes/all.sh +index e0c35de88..46c680667 100755 +--- a/tests/API/probes/all.sh ++++ b/tests/API/probes/all.sh +@@ -7,6 +7,7 @@ test_init "test_api_probes.log" + if [ -z ${CUSTOM_OSCAP+x} ] ; then + test_run "fts test" $srcdir/fts.sh + test_run "probe api smoke test" ./test_api_probes_smoke ++ test_run "fsdev is_local_fs unit test" ./test_fsdev_is_local_fs + fi + + test_exit +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +new file mode 100644 +index 000000000..bcc596442 +--- /dev/null ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -0,0 +1,41 @@ ++/* ++ * Copyright 2019 Red Hat Inc., Durham, North Carolina. ++ * All Rights Reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. 
++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Authors: ++ * "Jan Černý" ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include "fsdev.h" ++ ++int main(int argc, char *argv[]) ++{ ++ struct mntent ment; ++ ment.mnt_type = "autofs"; ++ int ret = is_local_fs(&ment); ++ if (ret != 0) { ++ return 1; ++ } ++ return 0; ++} +\ No newline at end of file diff --git a/SOURCES/do_not_skip_fs_binfmt_misc.patch b/SOURCES/do_not_skip_fs_binfmt_misc.patch new file mode 100644 index 0000000..692b90e --- /dev/null +++ b/SOURCES/do_not_skip_fs_binfmt_misc.patch 
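Review bot: In the new `test_fsdev_is_local_fs.c`, `main` declares `struct mntent ment;` and sets only `mnt_type`, so `mnt_fsname` and the remaining members are indeterminate; the call is safe only because the first hunk's autofs check returns before `ment->mnt_fsname` is read, and any reordering inside `is_local_fs` would turn the test into undefined behaviour. Initialise the whole struct instead: `struct mntent ment = { .mnt_type = "autofs" };`. Treating an autofs map entry as not local is the conservative choice, since the map line says nothing about whether the mount it will trigger is a remote filesystem, and the comment added in the first hunk explains that well. The new doc comment in `fsdev.h` has a typo, `Detemines` → `Determines`, and the test file is added without a trailing newline. `is_local_fs` continues past the first hunk.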
@@ -0,0 +1,33 @@
+From 7774511d5438e5bbfc0d0142b7656da0498e7126 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 29 May 2019 14:54:02 +0200
+Subject: [PATCH] Do not skip 'fs.binfmt_misc.status' by sysctl probe
+
+Directory /proc/sys/fs/binfmt_misc is a separate file system,
+mounted by systemd-automout and is represented by an autofs
+entry in /etc/mtab. /proc/sys/fs/binfmt_misc is mounted
+on demand when accessed. If accessed the first time, we don't
+have a way to determine the if the autofs is remote or local.
+See 309f8230d67f229b6091876c3ace62370fb3d451.
+However, we don't see a reason why not to traverse the whole
+/proc/sys regardless the type of file systems mounted there.
+---
+ src/OVAL/probes/unix/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/unix/sysctl.c b/src/OVAL/probes/unix/sysctl.c
+index 3001bfd76..bc53b43fc 100644
+--- a/src/OVAL/probes/unix/sysctl.c
++++ b/src/OVAL/probes/unix/sysctl.c
+@@ -76,7 +76,7 @@ int probe_main(probe_ctx *ctx, void *probe_arg)
+ */
+ ent_attrs = probe_attr_creat("max_depth", r0 = SEXP_string_newf("%d", PROC_SYS_MAXDEPTH),
+ "recurse_direction", r1 = SEXP_string_new("down", 4),
+- "recurse_file_system", r2 = SEXP_string_new("local", 7),
++ "recurse_file_system", r2 = SEXP_string_new("all", 3),
+ "recurse", r3 = SEXP_string_new("symlinks and directories", 24),
+ NULL);
+ bh_entity = probe_ent_creat1("behaviors", ent_attrs, NULL);
+--
+2.20.1
+
diff --git a/SOURCES/ds_session_without_remote_resources.patch b/SOURCES/ds_session_without_remote_resources.patch
new file mode 100644
index 0000000..703d8da
--- /dev/null
+++ b/SOURCES/ds_session_without_remote_resources.patch
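Review bot: The switch from `"local"` to `"all"` on the `recurse_file_system` line widens the sysctl probe's traversal to every filesystem mounted under `/proc/sys`, and the only record of why lives in the commit message; add a comment above the `probe_attr_creat` call, e.g. `/* "all": /proc/sys/fs/binfmt_misc is an on-demand autofs mount that is_local_fs() cannot classify before it is triggered, and /proc/sys is traversed regardless of fs type */`. The hard-coded length in `SEXP_string_new("all", 3)` follows the file's existing pattern but must be kept in sync with the literal by hand; `sizeof("all") - 1` removes that failure mode. `probe_main` starts and ends outside the hunk.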
@@ -0,0 +1,36 @@
+From bbcbffcf6f901cb67ca5645307d170a32504a491 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 30 Apr 2019 18:30:53 +0200
+Subject: [PATCH] Allow DS session to continue without remote resources
+
+---
+ src/DS/sds.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/DS/sds.c b/src/DS/sds.c
+index 2511e89d9..b7c33a2e5 100644
+--- a/src/DS/sds.c
++++ b/src/DS/sds.c
+@@ -412,6 +412,7 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x
+ }
+
+ ds_sds_session_remote_resources_progress(session)(true, "WARNING: Skipping '%s' file which is referenced from datastream\n", url);
++ // -2 means that remote resources were not downloaded
+ return -2;
+ }
+
+@@ -444,8 +445,12 @@ int ds_sds_dump_component_ref_as(const xmlNodePtr component_ref, struct ds_sds_s
+ xmlFree(xlink_href);
+ xmlFree(cref_id);
+
+- if (ret != 0) {
+-
++ if (ret == -2) {
++ // A remote component was not dumped
++ // It should be ok to continue without it
++ free(target_filename_dirname);
++ return 0;
++ } else if (ret != 0) {
+ free(target_filename_dirname);
+ return -1;
+ }
diff --git a/SOURCES/extend_unit_test_for_is_local_fs.patch b/SOURCES/extend_unit_test_for_is_local_fs.patch
new file mode 100644
index 0000000..532651d
--- /dev/null
+++ b/SOURCES/extend_unit_test_for_is_local_fs.patch
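Review bot: The `-2` return value is now a contract between `ds_sds_dump_component_by_href` and `ds_sds_dump_component_ref_as`, yet it appears as a bare literal in both functions with only a comment to tie them together; name it once, e.g. `#define DS_SDS_REMOTE_COMPONENT_SKIPPED (-2)` (constructed name), and use it in both the `return -2;` and the `if (ret == -2)` test. Because the new branch turns a missing remote component into a successful return, the only visible trace of an incomplete evaluation is the `WARNING: Skipping ...` progress message; a comment on the `return 0;` noting that the companion test expects the affected rule to surface as `notchecked`, never as `pass`, would document the property later readers must preserve. Both functions start and end outside their hunks.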
@@ -0,0 +1,144 @@ +From 673f338641ca90b31f00e0787cdcbb5fb19a49a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 23 May 2019 09:07:17 +0200 +Subject: [PATCH 1/2] Extend unit test for is_local_fs from fsdev.h + +The test uses a fake `mtab` file which contains 1 entry for a local +filesystem, 1 entry for a direct autofs map and 1 entry for a NFS +system mounted using autofs. By parsing the `mtab` file only 1 local +filesystem should be found. It will help us to test +https://github.com/OpenSCAP/openscap/pull/1329 +--- + tests/API/probes/Makefile.am | 2 ++ + tests/API/probes/fake_mtab | 3 ++ + tests/API/probes/test_fsdev_is_local_fs.c | 36 +++++++++++++++++++++-- + 3 files changed, 38 insertions(+), 3 deletions(-) + create mode 100644 tests/API/probes/fake_mtab + +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index 70442bcc3..459e5f3af 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -1,4 +1,5 @@ + AM_CPPFLAGS = \ ++ -DDATADIR=\"$(srcdir)/\" \ + -I$(top_srcdir)/src \ + -I$(top_srcdir)/src/CCE/public \ + -I$(top_srcdir)/src/CPE/public \ +@@ -35,6 +36,7 @@ test_fsdev_is_local_fs_SOURCES = test_fsdev_is_local_fs.c + + EXTRA_DIST += \ + all.sh \ ++ fake_mtab \ + fts.sh \ + gentree.sh \ + test_api_probes_smoke.c \ +diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab +new file mode 100644 +index 000000000..26d6918bb +--- /dev/null ++++ b/tests/API/probes/fake_mtab +@@ -0,0 +1,3 @@ ++/dev/mapper/fedora-root / ext4 rw,seclabel,relatime 0 0 ++/etc/mount.map /nfs/test autofs rw,relatime,fd=17,pgrp=11111,timeout=5,minproto=5,maxproto=5,direct,pipe_ino=1246883 0 0 ++192.168.122.231:/test /nfs/test nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.1,local_lock=none,addr=192.168.122.231 0 0 +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index 
bcc596442..143030070 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -29,13 +29,43 @@ + #include + #include "fsdev.h" + +-int main(int argc, char *argv[]) ++static int test_single_call() + { + struct mntent ment; + ment.mnt_type = "autofs"; + int ret = is_local_fs(&ment); +- if (ret != 0) { ++ /* autofs entry is never considered local */ ++ return (ret == 0); ++} ++ ++static int test_multiple_calls() ++{ ++ /* fake mtab contains only 1 local filesystem */ ++ FILE *f = setmntent(DATADIR "fake_mtab", "r"); ++ if (f == NULL) { ++ fprintf(stderr, "fake_mtab could not be open\n"); ++ return 0; ++ } ++ struct mntent *ment; ++ unsigned int locals = 0; ++ while ((ment = getmntent(f)) != NULL) { ++ if (is_local_fs(ment)) { ++ locals++; ++ } ++ } ++ endmntent(f); ++ return (locals == 1); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ if (!test_single_call()) { ++ fprintf(stderr, "test_single_call has failed\n"); ++ return 1; ++ } ++ if (!test_multiple_calls()) { ++ fprintf(stderr, "test_multiple_calls has failed\n"); + return 1; + } + return 0; +-} +\ No newline at end of file ++} + +From 4f8fcd1a85c6840895672b7912592cc9f3c92b01 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 24 May 2019 13:48:59 +0200 +Subject: [PATCH 2/2] Add more entries into fake mtab + +--- + tests/API/probes/fake_mtab | 4 ++++ + tests/API/probes/test_fsdev_is_local_fs.c | 7 +++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab +index 26d6918bb..94b1fe295 100644 +--- a/tests/API/probes/fake_mtab ++++ b/tests/API/probes/fake_mtab +@@ -1,3 +1,7 @@ + /dev/mapper/fedora-root / ext4 rw,seclabel,relatime 0 0 ++tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0 + /etc/mount.map /nfs/test autofs rw,relatime,fd=17,pgrp=11111,timeout=5,minproto=5,maxproto=5,direct,pipe_ino=1246883 0 0 + 192.168.122.231:/test /nfs/test nfs4 
rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.1,local_lock=none,addr=192.168.122.231 0 0 ++/dev/mapper/fedora-home /home ext4 rw,seclabel,relatime 0 0 ++proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 ++//192.168.0.5/storage /media/movies cifs guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm 0 0 +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index 143030070..e3b4691db 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -40,7 +40,10 @@ static int test_single_call() + + static int test_multiple_calls() + { +- /* fake mtab contains only 1 local filesystem */ ++ /* ++ * fake mtab contains only 4 local filesystems: ++ * /, /tmp, /home and /proc ++ */ + FILE *f = setmntent(DATADIR "fake_mtab", "r"); + if (f == NULL) { + fprintf(stderr, "fake_mtab could not be open\n"); +@@ -54,7 +57,7 @@ static int test_multiple_calls() + } + } + endmntent(f); +- return (locals == 1); ++ return (locals == 4); + } + + int main(int argc, char *argv[]) diff --git a/SOURCES/fix_invalid_oval_in_test.patch b/SOURCES/fix_invalid_oval_in_test.patch new file mode 100644 index 0000000..2b9705c --- /dev/null +++ b/SOURCES/fix_invalid_oval_in_test.patch 
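Review bot: `test_multiple_calls` only compares the total number of local entries with 4, so a classifier that wrongly counts the `nfs4` or `cifs` line as local while missing `/proc` still passes; checking each entry against the expected set by `mnt_dir` pins the result per line and reports which one went wrong. The fixture is well chosen for that, since it carries one of each case (a direct autofs map, the NFS mount behind it, and CIFS via the `//` prefix). The failure message `fake_mtab could not be open` should read `could not be opened`, and `strcmp` needs `<string.h>` if the test does not already include it (the include lines are not readable here). `test_single_call` is untouched by the second hunk and still sets only `mnt_type` of an otherwise uninitialised `struct mntent`.
```c
static int test_multiple_calls()
{
	/* … unchanged: setmntent(DATADIR "fake_mtab", "r") and its NULL check … */
	/* only these mount points of fake_mtab are local file systems */
	static const char *const expected_local[] = { "/", "/tmp", "/home", "/proc" };
	struct mntent *ment;
	unsigned int locals = 0;
	while ((ment = getmntent(f)) != NULL) {
		int expected = 0;
		for (size_t i = 0; i < sizeof(expected_local) / sizeof(expected_local[0]); i++) {
			if (strcmp(ment->mnt_dir, expected_local[i]) == 0) {
				expected = 1;
				break;
			}
		}
		if (is_local_fs(ment) != expected) {
			fprintf(stderr, "unexpected result for %s (%s)\n", ment->mnt_dir, ment->mnt_type);
			endmntent(f);
			return 0;
		}
		locals += expected;
	}
	endmntent(f);
	return (locals == 4);
}
```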
@@ -0,0 +1,51 @@ +From 919170300b1d05a807ad59c22ef6c4ab48c2f1c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 21 May 2019 13:21:45 +0200 +Subject: [PATCH] Fix invalid OVAL in test ds_continue_without_remote_resources + +Addressing: +$ oscap ds sds-split remote_content_1.2.ds.xml /tmp/xxx +$ oscap oval validate --schematron /tmp/xxx/test_single_rule.oval.xml + +oval:x:obj:1 - referenced variable oval:x:var:1 not found. The var_ref entity must hold a variable id that exists in the document. +--- + .../remote_content_1.2.ds.xml | 7 +++++++ + .../remote_content_1.3.ds.xml | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +index 31d4fc770..503b688ec 100644 +--- a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +@@ -43,6 +43,13 @@ + oval:x:var:1 + + ++ ++ ++ ++ 100 ++ ++ ++ + + + +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +index 3cf15f8df..bea285bc1 100644 +--- a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +@@ -45,6 +45,13 @@ + oval:x:var:1 + + ++ ++ ++ ++ 100 ++ ++ ++ + + + diff --git a/SOURCES/make_is_local_fs_static_again.patch b/SOURCES/make_is_local_fs_static_again.patch new file mode 100644 index 0000000..0029922 --- /dev/null +++ b/SOURCES/make_is_local_fs_static_again.patch 
@@ -0,0 +1,85 @@ +From 535c48739dc89efc76bfd267d3f39dca05cbebd1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 6 Jun 2019 09:14:20 +0200 +Subject: [PATCH] Make is_local_fs static again + +It isn't necessary to expose this function in public API. +The function has been accidentaly introduced to public API +in fff58197d9747a08d0fc23914a31fefbe44f07ea which hasn't +been released yet, so it can be safe to remove it. +--- + src/OVAL/probes/fsdev.c | 4 ++-- + src/OVAL/probes/public/fsdev.h | 10 ---------- + tests/API/probes/Makefile.am | 3 ++- + tests/API/probes/test_fsdev_is_local_fs.c | 1 + + 4 files changed, 5 insertions(+), 13 deletions(-) + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index 9646cac80..f5f14ac2f 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -79,7 +79,7 @@ static int fsdev_cmp(const void *a, const void *b) + #define DEVID_ARRAY_ADD 8 + + #if defined(__linux__) +-int is_local_fs(struct mntent *ment) ++static int is_local_fs(struct mntent *ment) + { + // todo: would it be usefull to provide the choice during build-time? + #if 1 +@@ -129,7 +129,7 @@ int is_local_fs(struct mntent *ment) + } + + #elif defined(_AIX) +-int is_local_fs(struct mntent *ment) ++static int is_local_fs(struct mntent *ment) + { + int i; + struct vfs_ent *e; +diff --git a/src/OVAL/probes/public/fsdev.h b/src/OVAL/probes/public/fsdev.h +index bbead1aee..29a0462c8 100644 +--- a/src/OVAL/probes/public/fsdev.h ++++ b/src/OVAL/probes/public/fsdev.h +@@ -86,15 +86,5 @@ int fsdev_path(fsdev_t * lfs, const char *path); + */ + int fsdev_fd(fsdev_t * lfs, int fd); + +-#if defined(__linux__) || defined(_AIX) +-/** +- * Detemines whether a given mtab entry is a local file system. +- * @param ment Structure returned by getmntent (see `man 3 getmntent`). 
+- * @retval 1 if local +- * @retval 0 otherwise +- */ +-int is_local_fs(struct mntent *ment); +-#endif +- + #endif /* FSDEV_H */ + /// @} +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index 459e5f3af..fa9c26b54 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -5,8 +5,9 @@ AM_CPPFLAGS = \ + -I$(top_srcdir)/src/CPE/public \ + -I$(top_srcdir)/src/CVE/public \ + -I${top_srcdir}/src/CVSS/public \ +- -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ ++ -I$(top_srcdir)/src/OVAL/probes \ + -I$(top_srcdir)/src/OVAL/probes/public \ ++ -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ + -I$(top_srcdir)/src/OVAL/public \ + -I$(top_srcdir)/src/XCCDF/public \ + -I$(top_srcdir)/src/common/public \ +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index e3b4691db..085a02a31 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -28,6 +28,7 @@ + #include + #include + #include "fsdev.h" ++#include "fsdev.c" + + static int test_single_call() + { diff --git a/SOURCES/oval_5_11_2_parsing_issues.patch b/SOURCES/oval_5_11_2_parsing_issues.patch new file mode 100644 index 0000000..5fa016f --- /dev/null +++ b/SOURCES/oval_5_11_2_parsing_issues.patch 
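Review bot: `#include "fsdev.c"` is the single line that keeps the test compiling once `is_local_fs` is static again, and nothing in the file says so; a trailing comment, `#include "fsdev.c" /* is_local_fs is static; include the translation unit to unit-test it */`, stops the next reader from "fixing" it into a header include. The Makefile hunk adds `-I$(top_srcdir)/src/OVAL/probes` for the same reason and deserves the same one-line note. Including the .c file also compiles fsdev.c's non-static functions into the test binary; I cannot see the link line, so whether that collides with the library the test links against is worth a quick check.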
@@ -0,0 +1,164 @@ +From 3d081a4345b2b4f838e5e9fb4fab78b1bad717a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 22 May 2019 15:03:52 +0200 +Subject: [PATCH] Resolve parsing issues with OVAL 5.11.2 schemas + +Similar to 8ba623120fc9f479285f9d6032cb925db420011d but for OVAL 5.11.2. +The missing namespace imports have already been fixed in +32d4d9be295084f95bfbaec07ea84373b3b4aeb7. Addressing: +``` +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1446: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1459: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1472: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1485: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1652: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1665: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. 
+File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1678: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1691: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +OpenSCAP Error: Could not parse XML schema [validate.c:113] +``` +--- + schemas/oval/5.11.2/oval-definitions-schema.xsd | 16 ++++++++-------- + .../oval-system-characteristics-schema.xsd | 8 ++++---- + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/schemas/oval/5.11.2/oval-definitions-schema.xsd b/schemas/oval/5.11.2/oval-definitions-schema.xsd +index 9aa338603..42c238e1e 100644 +--- a/schemas/oval/5.11.2/oval-definitions-schema.xsd ++++ b/schemas/oval/5.11.2/oval-definitions-schema.xsd +@@ -1450,7 +1450,7 @@ + + + +- ++ + + + +@@ -1463,7 +1463,7 @@ + + + +- ++ + + + +@@ -1476,7 +1476,7 @@ + + + +- ++ + + + +@@ -1489,7 +1489,7 @@ + + + +- ++ + + + +@@ -1656,7 +1656,7 @@ + + + +- ++ + + + +@@ -1669,7 +1669,7 @@ + + + +- ++ + + + +@@ -1682,7 +1682,7 @@ + + + +- ++ + + + +@@ -1695,7 +1695,7 @@ + + + +- ++ + + + +diff --git a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd +index 030274c4a..c71de366a 100644 +--- a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd ++++ b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd +@@ -493,7 +493,7 @@ + + + +- ++ + + + +@@ -506,7 +506,7 @@ + + + +- ++ + + + +@@ -519,7 +519,7 @@ + + + +- ++ + + + +@@ -532,7 +532,7 @@ + + + +- ++ + + + diff --git a/SOURCES/test_ds_session_without_remote_resources.patch b/SOURCES/test_ds_session_without_remote_resources.patch new file mode 100644 index 0000000..2d45912 --- /dev/null 
+++ b/SOURCES/test_ds_session_without_remote_resources.patch 
@@ -0,0 +1,255 @@ +From 8645604c8e5285c5b5bec538a50d3b4f6b13c9a5 Mon Sep 17 00:00:00 2001 +From: Matus Marhefka +Date: Tue, 14 May 2019 15:38:50 +0200 +Subject: [PATCH] Add test for DS session and SCAP 1.3 remote resources + +* Test for PR#1324 which verifies that DS session does not quit + when SCAP 1.3 content contains remote component but + `--fetch-remote-resources` option is not provided. The test is + also extended to verify that scans utilizing SCAP 1.2 and 1.3 + datastreams produce the same results. +--- + tests/DS/Makefile.am | 2 + + .../remote_content_1.2.ds.xml | 87 ++++++++++++++++++ + .../remote_content_1.3.ds.xml | 89 +++++++++++++++++++ + tests/DS/test_ds.sh | 17 ++++ + 4 files changed, 195 insertions(+) + create mode 100644 tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml + create mode 100644 tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml + +diff --git a/tests/DS/Makefile.am b/tests/DS/Makefile.am +index 616f24d24..ea742386d 100644 +--- a/tests/DS/Makefile.am ++++ b/tests/DS/Makefile.am +@@ -11,6 +11,8 @@ TESTS_ENVIRONMENT= \ + TESTS = test_ds.sh + + EXTRA_DIST = test_ds.sh \ ++ ds_continue_without_remote_resources/remote_content_1.2.ds.xml \ ++ ds_continue_without_remote_resources/remote_content_1.3.ds.xml \ + eval_invalid/sds.xml \ + eval_invalid/sds-oval.xml \ + eval_simple/sds.xml \ +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +new file mode 100644 +index 000000000..31d4fc770 +--- /dev/null ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +@@ -0,0 +1,87 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.10 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. 
++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +new file mode 100644 +index 000000000..3cf15f8df +--- /dev/null ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +@@ -0,0 +1,89 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.11 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. ++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/DS/test_ds.sh b/tests/DS/test_ds.sh +index 22cafe6c9..1383ad87a 100755 +--- a/tests/DS/test_ds.sh ++++ b/tests/DS/test_ds.sh +@@ -414,6 +414,21 @@ function test_sds_tailoring { + rm -f "$result" + } + ++function test_ds_continue_without_remote_resources() { ++ local DS="${srcdir}/$1" ++ local PROFILE="$2" ++ local result=$(mktemp) ++ ++ $OSCAP xccdf eval --profile "$PROFILE" --results "$result" "$DS" ++ ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]' ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]' ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]' ++ ++ rm -f "$result" ++} ++ ++ + # Testing. 
+ test_init "test_ds.log" + +@@ -454,6 +469,8 @@ test_run "rds_split_simple" test_rds_split rds_split_simple report-request.xml r + + test_run "test_eval_complex" test_eval_complex + test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice ++test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res ++test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res + + test_exit + diff --git a/SOURCES/textfilecontent54_behaviors_ignored.patch b/SOURCES/textfilecontent54_behaviors_ignored.patch new file mode 100644 index 0000000..2d576aa --- /dev/null +++ b/SOURCES/textfilecontent54_behaviors_ignored.patch 
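Review bot: `local result=$(mktemp)` in the new `test_ds_continue_without_remote_resources` masks mktemp's exit status with that of `local`, so a failed mktemp leaves `result` empty and the scan is run with `--results ""`; declare and assign separately: `local result` then `result=$(mktemp)`. The `$OSCAP xccdf eval` exit status is not examined either, so an error exit is caught only indirectly by the three `assert_exists` calls (I assume `assert_exists`, defined outside the hunk, fails the test on a missing node). The assertion that the remote-resource rule is `notchecked` rather than `pass` is the key property of the change being tested — continuing without remote content must not be reported as compliance — and a short comment on that line saying so would keep it from being "relaxed" later.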
@@ -0,0 +1,58 @@ +From 7d31c404ab6c90d19c378aaefdd70baf1a62f142 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 18 Mar 2019 16:35:45 +0100 +Subject: [PATCH] Don't ignore file behaviors if filepath is specified + +The effect of the code removed by this patch is that the +max_depth, recurse, recurse_direction and recurse_file_system +attributes of the behaviors element are completely ignored +and reset to their default values if filepath element is specified +in the textfilecontent54_object. This is against OVAL specification +and it is inconsistent with file probe, from where a similar +code has been removed in 93d5f1416f232d6fa21fe8f2ad771d003749ea7b. +--- + .../probes/independent/textfilecontent54.c | 31 ------------------- + 1 file changed, 31 deletions(-) + +diff --git a/src/OVAL/probes/independent/textfilecontent54.c b/src/OVAL/probes/independent/textfilecontent54.c +index fc0f944e5..5f5890e15 100644 +--- a/src/OVAL/probes/independent/textfilecontent54.c ++++ b/src/OVAL/probes/independent/textfilecontent54.c +@@ -415,37 +415,6 @@ int probe_main(probe_ctx *ctx, void *arg) + m_val = "1"; + */ + +- /* reset filebehavior attributes if 'filepath' entity is used */ +- if (filepath_ent != NULL && bh_ent != NULL) { +- SEXP_t *r1, *r2, *r3; +- r1 = r2 = r3 = NULL; +- if (probe_ent_attrexists(bh_ent, "ignore_case")) { +- r1 = probe_ent_getattrval(bh_ent, "ignore_case"); +- } +- if (probe_ent_attrexists(bh_ent, "multiline")) { +- r2 = probe_ent_getattrval(bh_ent, "multiline"); +- } +- if (probe_ent_attrexists(bh_ent, "singleline")) { +- r3 = probe_ent_getattrval(bh_ent, "singleline"); +- } +- r0 = SEXP_list_new(NULL); +- SEXP_free(bh_ent); +- bh_ent = probe_ent_creat1("behaviors", r0, NULL); +- SEXP_free(r0); +- if (r1) { +- probe_ent_attr_add(bh_ent, "ignore_case", r1); +- SEXP_free(r1); +- } +- if (r2) { +- probe_ent_attr_add(bh_ent, "multiline", r2); +- SEXP_free(r2); +- } +- if (r3) { +- probe_ent_attr_add(bh_ent, "singleline", r3); +- 
SEXP_free(r3); +- } +- } +- + probe_tfc54behaviors_canonicalize(&bh_ent); + + pfd.instance_ent = inst_ent; diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 0284bf3..0808baa 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -6,13 +6,24 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap Version: 1.2.17 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz -Patch1: openscap-1.2.17-filehash58_probe_test.patch +Patch1: openscap-1.2.17-filehash58_probe_test.patch +Patch2: textfilecontent54_behaviors_ignored.patch +Patch3: autofs_entries_in_mtab.patch +Patch4: extend_unit_test_for_is_local_fs.patch +Patch5: ds_session_without_remote_resources.patch +Patch6: test_ds_session_without_remote_resources.patch +Patch7: fix_invalid_oval_in_test.patch +Patch8: oval_5_11_2_parsing_issues.patch +Patch9: add_scap_1_3_schema_and_detect_version.patch +Patch10: add_oval_results_to_test.patch +Patch11: do_not_skip_fs_binfmt_misc.patch +Patch12: make_is_local_fs_static_again.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -22,6 +33,7 @@ BuildRequires: libacl-devel BuildRequires: libselinux-devel libcap-devel BuildRequires: libblkid-devel BuildRequires: bzip2-devel +BuildRequires: libtool %if %{?_with_check:1}%{!?_with_check:0} BuildRequires: perl-XML-XPath %endif @@ -128,6 +140,17 @@ Tool for scanning Atomic containers. %prep %setup -q %patch1 -p1 -b .filehash58_probe_test +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build %ifarch sparc64 
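Review bot: The new `Patch2` … `Patch12` sources drop the `openscap-1.2.17-` prefix that `Patch1` uses, and in `%prep` they are applied without the `-b` backup suffix that `%patch1` carries; one naming and application convention for the whole list keeps the spec greppable and the `%prep` output uniform. `Patch12` (`make_is_local_fs_static_again.patch`) reverts the public-API export that `Patch3` (`autofs_entries_in_mtab.patch`) introduced, which is not obvious from the list; a comment next to it, `# reverts the is_local_fs export added by Patch3`, saves the next maintainer from reading both patches. The `Patch1` line itself changes only in whitespace.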
@@ -139,11 +162,15 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +autoreconf -is %configure --enable-sce make %{?_smp_mflags} # Remove shebang from bash-completion script sed -i '/^#!.*bin/,+1 d' dist/bash_completion.d/oscap +# Change permissions of test_detect_version.sh +# Please remove it after rebase to OpenSCAP 1.2.18 or newer. +chmod 755 tests/DS/sds_detect_version/test_detect_version.sh %check #to run make check use "--with check" @@ -279,6 +306,13 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Jun 06 2019 Jan Černý - 1.2.17-4 +- Make is_local_fs static again to avoid API changes between releases + +* Mon May 27 2019 Jan Černý - 1.2.17-3 +- Fix unwanted recursion into mounted remote filesystems (#1655943) +- Evaluate SCAP 1.3 datastreams without downloading remote data (#1709423) + * Tue Aug 14 2018 Matěj Týč - 1.2.17-2 - Patched to include tests for filehash58 probe.
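Review bot: The new `autoreconf -is` regenerates the build system on every build — presumably because several of the added patches (for example Patch3, Patch4, Patch6 and Patch12) edit `Makefile.am` files — and that is also the reason `BuildRequires: libtool` was added in the earlier hunk, but neither line says so; a comment above it, `# the patches touch Makefile.am files, regenerate the autotools build system`, ties the two together. The `chmod 755 tests/DS/sds_detect_version/test_detect_version.sh` line already carries an expiry note, which is good; naming the patch that ships the script in that note would make the removal condition checkable at rebase time.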