From 5bf1556bc867401e664de67a0b2ccaa8e7c86ce4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 7 May 2019 12:33:31 +0200 Subject: [PATCH 1/9] Add SCAP 1.3 source datastream schema Downloaded from https://csrc.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd Converted the EOLs to Unix using `dos2unix` tool. --- schemas/Makefile.am | 3 + .../sds/1.3/scap-source-data-stream_1.3.xsd | 230 ++++++++++++++++++ 2 files changed, 233 insertions(+) create mode 100644 schemas/sds/1.3/scap-source-data-stream_1.3.xsd diff --git a/schemas/Makefile.am b/schemas/Makefile.am index 5a5cf015e..2ca4851e6 100644 --- a/schemas/Makefile.am +++ b/schemas/Makefile.am @@ -15,6 +15,7 @@ xccdf11dir = $(pkgdatadir)/schemas/xccdf/1.1/ xccdf11tailoringdir = $(pkgdatadir)/schemas/xccdf/1.1-tailoring/ xccdf12dir = $(pkgdatadir)/schemas/xccdf/1.2/ sds12dir = $(pkgdatadir)/schemas/sds/1.2/ +sds13dir = $(pkgdatadir)/schemas/sds/1.3/ arf11dir = $(pkgdatadir)/schemas/arf/1.1/ ocil20dir = $(pkgdatadir)/schemas/ocil/2.0/ cpe20dir = $(pkgdatadir)/schemas/cpe/2.0/ @@ -46,6 +47,7 @@ xccdf11tailoring_DATA = $(wildcard $(srcdir)/xccdf/1.1-tailoring/*.xsd $(srcdir) xccdf12_DATA = $(wildcard $(srcdir)/xccdf/1.2/*.xsd $(srcdir)/xccdf/1.2/*.dtd $(srcdir)/xccdf/1.2/*.xsl) sds12_DATA = $(wildcard $(srcdir)/sds/1.2/*.xsd $(srcdir)/sds/1.2/*.dtd) +sds13_DATA = $(wildcard $(srcdir)/sds/1.3/*.xsd $(srcdir)/sds/1.3/*.dtd) arf11_DATA = $(wildcard $(srcdir)/arf/1.1/*.xsd) ocil20_DATA = $(wildcard $(srcdir)/ocil/2.0/*.xsd $(srcdir)/sds/2.0/*.dtd) @@ -77,6 +79,7 @@ EXTRA_DIST = \ $(xccdf11tailoring_DATA) \ $(xccdf12_DATA) \ $(sds12_DATA) \ + $(sds13_DATA) \ $(arf11_DATA) \ $(ocil20_DATA) \ $(cpe20_DATA) \ diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd new file mode 100644 index 000000000..4a933ba2e --- /dev/null +++ b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd 
@@ -0,0 +1,230 @@ + + + + + SCAP 1.3 Source Data Stream Collection + Adam Halbardier, David Waltermire + 1.3 + 2016-12-01 + + + + + + + + + + + + Holds a collection of data streams and components. + + + + + + + + + A digital signature of a data stream. + + + + + + This MUST be a globally unique ID. + + + + + + + + + + The version of the requirements Schematron ruleset to which the instance + conforms. + + + + + + + An SCAP data stream containing pointers to all of the components composing the data + stream. + + + + + + Holds pointers to dictionary components. + + + + + Holds pointers to checklist components. + + + + + Holds pointers to check components. + + + + + Holds pointers to non-standard SCAP components captured as extended-component + elements. + + + + + + This MUST be a globally unique ID. + + + + + + + + + + The SCAP capability being expressed by this data stream. The type is expressed to allow for + future use of this schema while indicating the currently acceptable values. + + + + + + + + The version of SCAP expressed by this data stream. The type is expressed to allow for future + use of this schema while indicating the currently acceptable values. + + + + + + + + The time when the data stream was created or last modified. + + + + + + + A component that is used by an SCAP data stream. + + + + + + + + + + + + This MUST be a globally unique ID. + + + + + + + + + + The time when the component was created or last modified. + + + + + + + + + + + A component that holds non-standard SCAP content. + + + + + + + + This MUST be a globally unique ID. + + + + + + + + + + The time when the component was created or last modified. + + + + + + + An XLink element that points to a component. + + + + + + + + This MUST be a globally unique ID. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From a005cfd40e2dd217e779102d6347384ec0e4a4d6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 7 May 2019 14:03:53 +0200 Subject: [PATCH 2/9] Move OASIS XML Catalog schema to the common directory This way we can reuse the OASIS XML Catalog schema in other schemas. --- schemas/{sds/1.2 => common}/catalog.xsd | 0 schemas/sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename schemas/{sds/1.2 => common}/catalog.xsd (100%) diff --git a/schemas/sds/1.2/catalog.xsd b/schemas/common/catalog.xsd similarity index 100% rename from schemas/sds/1.2/catalog.xsd rename to schemas/common/catalog.xsd diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd index 606a92445..0dd91f010 100644 --- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd @@ -14,7 +14,7 @@ - + From 61b89c3c9314be3f606bdb7f1b156a7a8359719e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 7 May 2019 14:08:53 +0200 Subject: [PATCH 3/9] Move W3C Xlink schema to common directory This way the schema can be reused in multiple different schemas. --- .../arf/1.1/asset-reporting-format_1.1.0.xsd | 2 +- schemas/{arf/1.1 => common}/xlink.xsd | 2 +- .../sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- schemas/sds/1.2/xlink.xsd | 270 ------------------ 4 files changed, 3 insertions(+), 273 deletions(-) rename schemas/{arf/1.1 => common}/xlink.xsd (96%) delete mode 100644 schemas/sds/1.2/xlink.xsd diff --git a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd index 3617e854f..7e60eb4f6 100644 --- a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd +++ b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd @@ -104,7 +104,7 @@ - + diff --git a/schemas/arf/1.1/xlink.xsd b/schemas/common/xlink.xsd similarity index 96% rename from schemas/arf/1.1/xlink.xsd rename to schemas/common/xlink.xsd index ea77d428f..0b2645e90 100644 
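Review bot: The 1.2 schema's import now resolves to `../../common/catalog.xsd`, but nothing in this patch adds schemas/common to an install rule, and the `sds12_DATA` wildcard that used to pick up catalog.xsd only matches sds/1.2/. If a `common_DATA` rule already exists (a later patch in this series imports `../../common/xmldsig-core-schema.xsd`, which suggests it does) this is fine; otherwise an installed copy of the 1.2 schema fails to load its catalog import at validation time while the in-tree test suite still passes. Worth confirming against schemas/Makefile.am, which this patch does not touch. The surrounding import list is cut off in this hunk.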
--- a/schemas/arf/1.1/xlink.xsd +++ b/schemas/common/xlink.xsd @@ -24,7 +24,7 @@ constructs, e.g. ]]> - + diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd index 0dd91f010..72de4f98e 100644 --- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd @@ -15,7 +15,7 @@ - + Holds a collection of data streams and components. diff --git a/schemas/sds/1.2/xlink.xsd b/schemas/sds/1.2/xlink.xsd deleted file mode 100644 index ea77d428f..000000000 --- a/schemas/sds/1.2/xlink.xsd +++ /dev/null 
@@ -1,270 +0,0 @@ - - - - - This schema document provides attribute declarations and -attribute group, complex type and simple type definitions which can be used in -the construction of user schemas to define the structure of particular linking -constructs, e.g. - - - - - - - ... - - ... - - - ... -]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Intended for use as the type of user-declared elements to make them - simple links. - - - - - - - - - - - - - - - - - - - - - - - - - Intended for use as the type of user-declared elements to make them - extended links. - Note that the elements referenced in the content model are all abstract. - The intention is that by simply declaring elements with these as their - substitutionGroup, all the right things will happen. - - - - - - - - - - - - - - xml:lang is not required, but provides much of the - motivation for title elements in addition to attributes, and so - is provided here for convenience. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - label is not required, but locators have no particular - XLink function if they are not labeled. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - from and to have default behavior when values are missing - - - - - - - - - - - - - - - - - From 9aeca3c095e10e5aa4d19516283bafb4f7ac567a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 7 May 2019 14:15:18 +0200 Subject: [PATCH 4/9] Use local XSDs in SCAP 1.3 source data stream schema Similar to acef6dd61270546aec9f2213f9b8d71ae9aab73b --- schemas/sds/1.3/scap-source-data-stream_1.3.xsd | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd index 4a933ba2e..7d6e2b177 100644 
--- a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +++ b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd @@ -14,18 +14,18 @@ + schemaLocation="../../xccdf/1.2/xccdf_1.2.xsd"/> + schemaLocation="../../oval/5.11.2/oval-definitions-schema.xsd"/> + schemaLocation="../../cpe/2.3/cpe-dictionary_2.3.xsd"/> + schemaLocation="../../ocil/2.0/ocil-2.0.xsd"/> + schemaLocation="../../common/xmldsig-core-schema.xsd"/> - + schemaLocation="../../common/catalog.xsd"/> + Holds a collection of data streams and components. From b967d10ca3af64539367c3c6280f6dbb9fc2fd64 Mon Sep 17 00:00:00 2001 
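Review bot: Switching the `schemaLocation`s to in-tree relative paths is the right call — validation no longer reaches out to csrc.nist.gov, so a validator cannot be made to fetch, or hang on, a remote schema — but the new targets `../../oval/5.11.2/oval-definitions-schema.xsd` and `../../common/xmldsig-core-schema.xsd` have to exist and be installed, and this series only adds `sds/1.3` to schemas/Makefile.am. If `oval/5.11.2` or the xmldsig schema is not already shipped, every 1.3 datastream fails at schema-load time rather than at validation. Since this local copy now deviates from the downloaded file, I would also record the provenance at the top of the XSD, e.g. `<!-- Downloaded from https://csrc.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd; only schemaLocation attributes were changed to local paths. -->`, so a later re-download can be diffed against it. The enclosing import list is only partly visible in this hunk.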
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 9 May 2019 09:42:21 +0200 Subject: [PATCH 5/9] Fix schematron-version attribute in test datastreams The data-stream-collection@schematron-version attribute should conform to the SCAP version. --- tests/API/XCCDF/tailoring/simple-ds.xml | 2 +- tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml | 2 +- tests/DS/cpe_in_ds/sds.xml | 2 +- tests/DS/ds_sds_index/sds.xml | 2 +- tests/DS/ds_sds_index/sds_multiple.xml | 2 +- tests/DS/eval_benchmark_id_conflict/sds.xml | 2 +- tests/DS/eval_cpe/sds.xml | 2 +- tests/DS/eval_invalid/sds-oval.xml | 2 +- tests/DS/eval_invalid/sds.xml | 2 +- tests/DS/eval_just_oval/sds.xml | 2 +- tests/DS/eval_oval_id/sds.xml | 2 +- tests/DS/eval_simple/sds.xml | 2 +- tests/DS/eval_xccdf_id/sds-complex.xml | 2 +- tests/DS/eval_xccdf_id/sds.xml | 2 +- tests/DS/rds_index_simple/arf.xml | 2 +- tests/DS/rds_simple/sds.xml | 2 +- tests/DS/rds_split_simple/report-request.xml | 2 +- tests/DS/rds_testresult/sds.xml | 2 +- tests/DS/sds_external_xccdf/sds.ds.xml | 2 +- tests/DS/sds_external_xccdf/xccdf.sds.xml | 2 +- tests/DS/sds_tailoring/sds.ds.xml | 2 +- tests/DS/signed/sds-signed-fake-x509.xml | 2 +- tests/DS/signed/sds-signed.xml | 2 +- tests/DS/validate/rds-invalid.xml | 2 +- tests/DS/validate/rds-valid.xml | 2 +- tests/DS/validate/sds-invalid-oval.xml | 2 +- tests/DS/validate/sds-invalid-xccdf.xml | 2 +- tests/DS/validate/sds-invalid.xml | 2 +- tests/DS/validate/sds-valid.xml | 2 +- tests/sce/test_sce_in_ds.xml | 2 +- 30 files changed, 30 insertions(+), 30 deletions(-) diff --git a/tests/API/XCCDF/tailoring/simple-ds.xml b/tests/API/XCCDF/tailoring/simple-ds.xml index a8092096c..e5e515a70 100644 --- a/tests/API/XCCDF/tailoring/simple-ds.xml +++ b/tests/API/XCCDF/tailoring/simple-ds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml index 84dad69b9..3f0ca8ca8 100644 
--- a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml +++ b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml @@ -1,5 +1,5 @@ -collection1asset0 +collection1asset0 python 2.6.6 diff --git a/tests/DS/cpe_in_ds/sds.xml b/tests/DS/cpe_in_ds/sds.xml index dbc57605a..a77389703 100644 --- a/tests/DS/cpe_in_ds/sds.xml +++ b/tests/DS/cpe_in_ds/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/ds_sds_index/sds.xml b/tests/DS/ds_sds_index/sds.xml index 0e438a39d..574046d24 100644 --- a/tests/DS/ds_sds_index/sds.xml +++ b/tests/DS/ds_sds_index/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/ds_sds_index/sds_multiple.xml b/tests/DS/ds_sds_index/sds_multiple.xml index a24e6f385..069202331 100644 --- a/tests/DS/ds_sds_index/sds_multiple.xml +++ b/tests/DS/ds_sds_index/sds_multiple.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_benchmark_id_conflict/sds.xml b/tests/DS/eval_benchmark_id_conflict/sds.xml index f3a075615..612eecb0c 100644 --- a/tests/DS/eval_benchmark_id_conflict/sds.xml +++ b/tests/DS/eval_benchmark_id_conflict/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_cpe/sds.xml b/tests/DS/eval_cpe/sds.xml index fa568690a..a73403f74 100644 --- a/tests/DS/eval_cpe/sds.xml +++ b/tests/DS/eval_cpe/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_invalid/sds-oval.xml b/tests/DS/eval_invalid/sds-oval.xml index d4e1b2900..e77e1aaea 100644 --- a/tests/DS/eval_invalid/sds-oval.xml +++ b/tests/DS/eval_invalid/sds-oval.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_invalid/sds.xml b/tests/DS/eval_invalid/sds.xml index f9be5cb0c..e97592354 100644 --- a/tests/DS/eval_invalid/sds.xml +++ b/tests/DS/eval_invalid/sds.xml @@ -1,3 +1,3 @@ - + diff --git a/tests/DS/eval_just_oval/sds.xml b/tests/DS/eval_just_oval/sds.xml index 976c1d2ee..3093b1c4a 100644 --- a/tests/DS/eval_just_oval/sds.xml +++ b/tests/DS/eval_just_oval/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_oval_id/sds.xml b/tests/DS/eval_oval_id/sds.xml index 8380c68b8..ea72b4d3b 100644 
--- a/tests/DS/eval_oval_id/sds.xml +++ b/tests/DS/eval_oval_id/sds.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/eval_simple/sds.xml b/tests/DS/eval_simple/sds.xml index d3c4a6a5d..826a72629 100644 --- a/tests/DS/eval_simple/sds.xml +++ b/tests/DS/eval_simple/sds.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality diff --git a/tests/DS/eval_xccdf_id/sds-complex.xml b/tests/DS/eval_xccdf_id/sds-complex.xml index 5b69cd765..9ef6170e4 100644 --- a/tests/DS/eval_xccdf_id/sds-complex.xml +++ b/tests/DS/eval_xccdf_id/sds-complex.xml @@ -1,5 +1,5 @@ - + diff --git a/tests/DS/signed/sds-signed-fake-x509.xml b/tests/DS/signed/sds-signed-fake-x509.xml index 0431a42ca..592bfb3c2 100644 --- a/tests/DS/signed/sds-signed-fake-x509.xml +++ b/tests/DS/signed/sds-signed-fake-x509.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality diff --git a/tests/DS/signed/sds-signed.xml b/tests/DS/signed/sds-signed.xml index 1863e5f18..3e862dd82 100644 --- a/tests/DS/signed/sds-signed.xml +++ b/tests/DS/signed/sds-signed.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality diff --git a/tests/DS/validate/rds-invalid.xml b/tests/DS/validate/rds-invalid.xml index 7351e0cb2..f98d13ada 100644 --- a/tests/DS/validate/rds-invalid.xml +++ b/tests/DS/validate/rds-invalid.xml @@ -19,7 +19,7 @@ xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - id="scap_cdf_collection_fedora.zip" schematron-version="1.0" + id="scap_cdf_collection_fedora.zip" schematron-version="1.2" xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> 
diff --git a/tests/DS/validate/rds-valid.xml b/tests/DS/validate/rds-valid.xml index e08672a3a..22dadccbf 100644 --- a/tests/DS/validate/rds-valid.xml +++ b/tests/DS/validate/rds-valid.xml @@ -20,7 +20,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_cdf_collection_fedora.zip" - schematron-version="1.0" + schematron-version="1.2" xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> diff --git a/tests/DS/validate/sds-invalid-oval.xml b/tests/DS/validate/sds-invalid-oval.xml index c9ac98b48..e8be9abcf 100644 --- a/tests/DS/validate/sds-invalid-oval.xml +++ b/tests/DS/validate/sds-invalid-oval.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality diff --git a/tests/DS/validate/sds-invalid-xccdf.xml b/tests/DS/validate/sds-invalid-xccdf.xml index 64df3a13d..cf3017070 100644 --- a/tests/DS/validate/sds-invalid-xccdf.xml +++ b/tests/DS/validate/sds-invalid-xccdf.xml @@ -1,5 +1,5 @@ - + Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality on Linux. diff --git a/tests/DS/validate/sds-invalid.xml b/tests/DS/validate/sds-invalid.xml index 3a7d67ca6..51a2ed03a 100644 --- a/tests/DS/validate/sds-invalid.xml +++ b/tests/DS/validate/sds-invalid.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality diff --git a/tests/DS/validate/sds-valid.xml b/tests/DS/validate/sds-valid.xml index d3c4a6a5d..826a72629 100644 --- a/tests/DS/validate/sds-valid.xml +++ b/tests/DS/validate/sds-valid.xml @@ -1,5 +1,5 @@ - + draft Example of SCAP Security Guidance This example security guidance has been created to demonstrate SCAP functionality 
diff --git a/tests/sce/test_sce_in_ds.xml b/tests/sce/test_sce_in_ds.xml index 14e0876e6..62c45781c 100644 --- a/tests/sce/test_sce_in_ds.xml +++ b/tests/sce/test_sce_in_ds.xml @@ -1,5 +1,5 @@ - + From 190ca9d3db7049879be4308c5194f2406cc5f70b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 9 May 2019 09:44:06 +0200 Subject: [PATCH 6/9] Detect source datastream version Instead of hard-coding SCAP 1.2, we will use data-stream-collection@schematron-version attribute to detect the SCAP version of datastream and we will choose the right XML schema accordingly. So far, only 1.2 and 1.3 datastreams are supported. --- src/DS/sds.c | 26 ++++++++++++++++++++++++++ src/DS/sds_priv.h | 4 ++++ src/source/Makefile.am | 1 + src/source/oscap_source.c | 3 ++- src/source/validate.c | 1 + 5 files changed, 34 insertions(+), 1 deletion(-) diff --git a/src/DS/sds.c b/src/DS/sds.c index b7c33a2e5..c4271b26e 100644 --- a/src/DS/sds.c +++ b/src/DS/sds.c @@ -1265,3 +1265,29 @@ int ds_sds_compose_from_xccdf(const char *xccdf_file, const char *target_datastr xmlFreeDoc(doc); return 0; } + +char *ds_sds_detect_version(xmlTextReader *reader) +{ + /* find root element */ + while (xmlTextReaderRead(reader) == 1 && xmlTextReaderNodeType(reader) != XML_READER_TYPE_ELEMENT) + ; + + char *element_name = (char *) xmlTextReaderConstLocalName(reader); + if (!element_name) { + oscap_setxmlerr(xmlGetLastError()); + return NULL; + } + if (strcmp(element_name, "data-stream-collection")) { + oscap_seterr(OSCAP_EFAMILY_OSCAP, + "Expected root element name for SCAP source datastream is" \ + "'data-stream-collection' but actual root element name is '%s'.", + element_name); + return NULL; + } + char *schematron_version = (char *) xmlTextReaderGetAttribute(reader, BAD_CAST "schematron-version"); + if (!schematron_version) { + oscap_setxmlerr(xmlGetLastError()); + return NULL; + } + return schematron_version; +} 
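Review bot: The `schematron-version` value is taken straight from the input file and returned as the detected SCAP version with no check, so a datastream carrying, say, `schematron-version="9.9"` is accepted here and only fails later when no schema matches; the commit message says only 1.2 and 1.3 are supported, and this function is the place to say so. Two smaller things in the same function: the concatenated error message is missing a space (`"...datastream is" "'data-stream-collection'..."` renders as `is'data-stream-collection'`), and `xmlTextReaderGetAttribute()` returns NULL for a merely absent attribute without setting a libxml2 error, so `oscap_setxmlerr(xmlGetLastError())` reports nothing useful or a stale error. The returned buffer is also libxml2-allocated while the sibling cases in oscap_source.c assign `oscap_strdup()` results to the same field, so whatever releases `origin.version` now mixes allocators (harmless with glibc defaults, wrong if xmlMemSetup() is ever used); copy with `oscap_strdup()` and `xmlFree()` the original.
```c
	/* … unchanged: advance to the root element, NULL check, root-name check (add the missing space in its message) … */
	xmlChar *attr = xmlTextReaderGetAttribute(reader, BAD_CAST "schematron-version");
	if (attr == NULL) {
		/* GetAttribute returns NULL for an absent attribute without raising a libxml2 error */
		oscap_seterr(OSCAP_EFAMILY_OSCAP,
			"The 'data-stream-collection' root element has no 'schematron-version' "
			"attribute, so the SCAP version of the source datastream cannot be detected.");
		return NULL;
	}
	/* Only versions with a shipped schema are accepted; anything else is an error here, not a passthrough. */
	if (strcmp((const char *) attr, "1.2") != 0 && strcmp((const char *) attr, "1.3") != 0) {
		oscap_seterr(OSCAP_EFAMILY_OSCAP,
			"Unsupported SCAP source datastream version '%s' (data-stream-collection@schematron-version); "
			"only 1.2 and 1.3 are supported.", (const char *) attr);
		xmlFree(attr);
		return NULL;
	}
	/* Return memory from the same allocator as the oscap_strdup() siblings in oscap_source.c. */
	char *schematron_version = oscap_strdup((const char *) attr);
	xmlFree(attr);
	return schematron_version;
}
```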
diff --git a/src/DS/sds_priv.h b/src/DS/sds_priv.h index 0ba2e8cb7..39c36da9f 100644 --- a/src/DS/sds_priv.h +++ b/src/DS/sds_priv.h @@ -26,6 +26,7 @@ #endif #include +#include #include "common/public/oscap.h" #include "common/util.h" #include "ds_sds_session.h" @@ -45,5 +45,8 @@ xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf(const char *xccdf_file); xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf_source(struct oscap_source *xccdf_source); +char *ds_sds_detect_version(xmlTextReader *reader); + OSCAP_HIDDEN_END; + #endif diff --git a/src/source/Makefile.am b/src/source/Makefile.am index 446bf4596..ad37ba6f6 100644 --- a/src/source/Makefile.am +++ b/src/source/Makefile.am @@ -19,6 +19,7 @@ liboscapsource_la_CPPFLAGS = \ @xml2_CFLAGS@ @xslt_CFLAGS@ @exslt_CFLAGS@ \ -I$(srcdir)/public \ -I$(top_srcdir)/src \ + -I$(top_srcdir)/src/DS/public \ -I$(top_srcdir)/src/CPE/public \ -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ -I$(top_srcdir)/src/common/public diff --git a/src/source/oscap_source.c b/src/source/oscap_source.c index 3b7282ed3..228dc049b 100644 --- a/src/source/oscap_source.c +++ b/src/source/oscap_source.c @@ -51,6 +51,7 @@ #include "source/validate_priv.h" #include "XCCDF/elements.h" #include "XCCDF/public/xccdf_benchmark.h" +#include "DS/sds_priv.h" typedef enum oscap_source_type { OSCAP_SRC_FROM_USER_XML_FILE = 1, ///< The source originated from XML file supplied by user @@ -360,7 +361,7 @@ const char *oscap_source_get_schema_version(struct oscap_source *source) } switch (oscap_source_get_scap_type(source)) { case OSCAP_DOCUMENT_SDS: - source->origin.version = oscap_strdup("1.2"); + source->origin.version = ds_sds_detect_version(reader); break; case OSCAP_DOCUMENT_ARF: source->origin.version = oscap_strdup("1.1"); diff --git a/src/source/validate.c b/src/source/validate.c index 4c7aa98c4..730d44b2f 100644 --- a/src/source/validate.c +++ b/src/source/validate.c 
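Review bot: `ds_sds_detect_version()` can return NULL (wrong root element, missing attribute, parse error) where the replaced `oscap_strdup("1.2")` effectively never did, so `source->origin.version` can now be NULL for a malformed datastream; the rest of `oscap_source_get_schema_version()` and its callers lie outside this hunk, so I cannot see whether they dereference the result. If they do, either treat NULL as a reported error in this switch or make sure every consumer of `oscap_source_get_schema_version()` checks for NULL before using the string as a schema-table key or path component. It is also worth confirming that whatever frees `origin.version` matches the allocator used for the value returned from the DS code, since the other cases in this switch use `oscap_strdup()`.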
@@ -220,6 +220,7 @@ struct oscap_schema_table_entry OSCAP_SCHEMAS_TABLE[] = { {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.2", "xccdf/1.2/xccdf_1.2.xsd"}, {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.1", "xccdf/1.1-tailoring/xccdf-1.1-tailoring.xsd"}, // unofficial openscap extension! {OSCAP_DOCUMENT_SDS, "1.2", "sds/1.2/scap-source-data-stream_1.2.xsd"}, + {OSCAP_DOCUMENT_SDS, "1.3", "sds/1.3/scap-source-data-stream_1.3.xsd"}, {OSCAP_DOCUMENT_ARF, "1.1", "arf/1.1/asset-reporting-format_1.1.0.xsd"}, {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.0", "cpe/2.0/cpe-dictionary_2.0.xsd"}, {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.1", "cpe/2.1/cpe-dictionary_2.1.xsd"}, From 8457c924957f16b43921ed488a0268d868d94ac4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 10 May 2019 09:48:46 +0200 Subject: [PATCH 7/9] Add a simple test for oscap info This test tests if `oscap` is able to detect the version of SCAP source datastream (if DS is SCAP 1.2 or 1.3). --- configure.ac | 1 + tests/DS/Makefile.am | 2 +- tests/DS/sds_detect_version/Makefile.am | 13 +++++ tests/DS/sds_detect_version/scap-1.2-ds.xml | 51 +++++++++++++++++++ tests/DS/sds_detect_version/scap-1.3-ds.xml | 51 +++++++++++++++++++ .../sds_detect_version/test_detect_version.sh | 27 ++++++++++ 7 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 tests/DS/sds_detect_version/Makefile.am create mode 100644 tests/DS/sds_detect_version/scap-1.2-ds.xml create mode 100644 tests/DS/sds_detect_version/scap-1.3-ds.xml create mode 100755 tests/DS/sds_detect_version/test_detect_version.sh diff --git a/configure.ac b/configure.ac index dd02507da..91fba1390 100644 --- a/configure.ac +++ b/configure.ac @@ -1548,6 +1548,7 @@ AC_CONFIG_FILES([Makefile src/DS/Makefile tests/DS/Makefile tests/DS/ds_sds_index/Makefile + tests/DS/sds_detect_version/Makefile tests/DS/signed/Makefile tests/DS/validate/Makefile diff --git a/tests/DS/Makefile.am b/tests/DS/Makefile.am index ea742386d..e0f63348c 100644 --- a/tests/DS/Makefile.am 
+++ b/tests/DS/Makefile.am @@ -60,4 +60,4 @@ EXTRA_DIST = test_ds.sh \ sds_subdir/subdir/scap-fedora14-xccdf.xml \ sds_tailoring/sds.ds.xml -SUBDIRS = ds_sds_index signed validate +SUBDIRS = ds_sds_index signed validate sds_detect_version diff --git a/tests/DS/sds_detect_version/Makefile.am b/tests/DS/sds_detect_version/Makefile.am new file mode 100644 index 000000000..087888742 --- /dev/null +++ b/tests/DS/sds_detect_version/Makefile.am @@ -0,0 +1,13 @@ +DISTCLEANFILES = *.log *.results oscap_debug.log.* +CLEANFILES = *.log *.results oscap_debug.log.* + +TESTS_ENVIRONMENT= \ + builddir=$(top_builddir) \ + OSCAP_FULL_VALIDATION=1 \ + $(top_builddir)/run + +TESTS = test_detect_version.sh + +EXTRA_DIST = test_detect_version.sh \ + scap-1.2-ds.xml \ + scap-1.3-ds.xml diff --git a/tests/DS/sds_detect_version/scap-1.2-ds.xml b/tests/DS/sds_detect_version/scap-1.2-ds.xml new file mode 100644 index 000000000..12e4954ae --- /dev/null +++ b/tests/DS/sds_detect_version/scap-1.2-ds.xml @@ -0,0 +1,51 @@ + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 + 5.10 + 2019-05-10T06:18:18 + + + + + Red Hat Enterprise Linux 8 + + Red Hat Enterprise Linux 8 + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + + redhat-release + + + + + ^8.*$ + + + + + diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml new file mode 100644 index 000000000..5d4af29a3 --- /dev/null +++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml @@ -0,0 +1,51 @@ + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 + 5.11 + 2019-05-10T06:18:18 + + + + + Red Hat Enterprise Linux 8 + + Red Hat Enterprise Linux 8 + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + + redhat-release + + + + + ^8.*$ + + + + + 
diff --git a/tests/DS/sds_detect_version/test_detect_version.sh b/tests/DS/sds_detect_version/test_detect_version.sh new file mode 100755 index 000000000..607aac261 --- /dev/null +++ b/tests/DS/sds_detect_version/test_detect_version.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +# Copyright 2019 Red Hat Inc., Durham, North Carolina. +# All Rights Reserved. +# +# OpenSCAP Test Suite +# +# Authors: +# Jan Černý + +. $builddir/tests/test_common.sh + +set -e -o pipefail + +function test_oscap_info { + version="$1" + stdout="$(mktemp)" + stderr="$(mktemp)" + $OSCAP info $srcdir/scap-$version-ds.xml > $stdout 2> $stderr + [ ! -s $stderr ] + grep -q "Version: $version" $stdout + rm $stdout + rm $stderr +} + +test_oscap_info "1.2" +test_oscap_info "1.3" From 475b387ad359549645b9d7595eefdeea104cdf81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 10 May 2019 10:11:59 +0200 Subject: [PATCH 8/9] Add simple tests for validating SCAP 1.3 datastreams Tests if `oscap ds sds-validate` can validate SCAP 1.3 datastreams against XML schema. The test uses a simple valid datastream and a simple invalid datastream. --- tests/DS/validate/Makefile.am | 14 ++++---- tests/DS/validate/all.sh | 2 ++ tests/DS/validate/sds-1.3-invalid.xml | 48 +++++++++++++++++++++++++ tests/DS/validate/sds-1.3-valid.xml | 51 +++++++++++++++++++++++++++ 4 files changed, 109 insertions(+), 6 deletions(-) create mode 100644 tests/DS/validate/sds-1.3-invalid.xml create mode 100644 tests/DS/validate/sds-1.3-valid.xml diff --git a/tests/DS/validate/Makefile.am b/tests/DS/validate/Makefile.am index 0ebe28559..6cca84f98 100644 --- a/tests/DS/validate/Makefile.am +++ b/tests/DS/validate/Makefile.am 
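Review bot: The test only exercises the two well-formed inputs, so the new error paths in `ds_sds_detect_version()` — a missing `schematron-version` attribute or an unsupported value — have no coverage; I would add a third fixture with the attribute removed and assert that `$OSCAP info` fails and mentions the version, otherwise a regression to silently reporting a wrong version would not be caught. Also, with `set -e` the two `mktemp` files leak whenever an assertion fails, which is exactly when they are useful for debugging; creating them once at top level with `trap 'rm -f "$stdout" "$stderr"' EXIT` (and quoting `$srcdir`, `$stdout` and `$stderr` in the commands) keeps cleanup deterministic.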
@@ -9,9 +9,11 @@ TESTS_ENVIRONMENT= \ TESTS = all.sh EXTRA_DIST = all.sh \ - sds-valid.xml \ - sds-invalid.xml \ - sds-invalid-xccdf.xml \ - sds-invalid-oval.xml \ - rds-valid.xml \ - rds-invalid.xml + rds-invalid.xml \ + rds-valid.xml \ + sds-1.3-invalid.xml \ + sds-1.3-valid.xml \ + sds-invalid-oval.xml \ + sds-invalid-xccdf.xml \ + sds-invalid.xml \ + sds-valid.xml diff --git a/tests/DS/validate/all.sh b/tests/DS/validate/all.sh index b6c2de011..8d5845dff 100755 --- a/tests/DS/validate/all.sh +++ b/tests/DS/validate/all.sh @@ -18,7 +18,9 @@ function test_validation { test_init test_validation.log test_run "valid-sds" test_validation sds sds-valid.xml 0 +test_run "valid-1.3-sds" test_validation sds sds-1.3-valid.xml 0 test_run "invalid-sds" test_validation sds sds-invalid.xml 1 +test_run "invalid-1.3-sds" test_validation sds sds-1.3-invalid.xml 1 test_run "invalid-xccdf-sds" test_validation sds sds-invalid-xccdf.xml 1 test_run "invalid-oval-sds" test_validation sds sds-invalid-oval.xml 1 diff --git a/tests/DS/validate/sds-1.3-invalid.xml b/tests/DS/validate/sds-1.3-invalid.xml new file mode 100644 index 000000000..0f540925f --- /dev/null +++ b/tests/DS/validate/sds-1.3-invalid.xml @@ -0,0 +1,48 @@ + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 + 5.11 + 2019-05-10T06:18:18 + + + + + Red Hat Enterprise Linux 8 + + Red Hat Enterprise Linux 8 + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + + redhat-release + + + + + ^8.*$ + + + + + diff --git a/tests/DS/validate/sds-1.3-valid.xml b/tests/DS/validate/sds-1.3-valid.xml new file mode 100644 index 000000000..5d4af29a3 --- /dev/null +++ b/tests/DS/validate/sds-1.3-valid.xml 
@@ -0,0 +1,51 @@ + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 + 5.11 + 2019-05-10T06:18:18 + + + + + Red Hat Enterprise Linux 8 + + Red Hat Enterprise Linux 8 + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + + redhat-release + + + + + ^8.*$ + + + + + From 09d00acda9153c4012dca5a05ee226fc05ba2080 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 May 2019 10:58:47 +0200 Subject: [PATCH 9/9] Change OVAL version to 5.11.2 The SCAP 1.3 source datastream schema imports OVAL 5.11.2. --- tests/DS/sds_detect_version/scap-1.3-ds.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml index 5d4af29a3..2e4ff31b0 100644 --- a/tests/DS/sds_detect_version/scap-1.3-ds.xml +++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml @@ -10,7 +10,7 @@ combine_ovals.py from SCAP Security Guide ssg: [0, 1, 44], python: 3.7.3 - 5.11 + 5.11.2 2019-05-10T06:18:18