@Mab879 Mab879 commented Jan 8, 2026

Fixes #2260

This will be backported to 1.3.14 as well.

@Mab879 Mab879 added this to the 1.4.4 milestone Jan 8, 2026
@jan-cerny jan-cerny self-assigned this Jan 12, 2026
@jan-cerny jan-cerny left a comment

The fix is wrong. The problem isn't that the tailoring is wrapped in a component element. The problem is that the component element that contains the tailoring is put after extended-component elements.

You can try it yourself: take the ARF from the reproducer in the issue description and manually move the component element containing the tailoring before all the extended-component elements. Then run the oscap xccdf generate fix again, and it will start working.

The SCAP source data stream XML schema enforces ordering of child elements of the data-stream-collection element. It requires that all component elements go first and extended-component elements should go after that. But they can't be interleaved.

I think the issue started to happen after the scap-security-guide started to ship data streams with SCEs. Before inclusion of SCEs there weren't any extended-component elements, there were only component elements, so it couldn't happen that the component element with tailoring would be appended after extended-component elements.

The Tailoring element shall be wrapped in the component element, not in the extended-component element. According to the SCAP 1.3 specification (sections 3.1.1 and 3.1.2), component is for items that are part of the SCAP standard, and extended-component is for items that aren't part of the SCAP standard. Tailoring is listed in the specification as an item that should be a child of the component element.

I suggest fixing the code that generates ARF so that the component element with tailoring is injected after the component with XCCDF but before all the extended-component elements.
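An added example, not part of the review or of OpenSCAP's code: a small checker for the ordering rule described above, plus an insertion helper that places a new component before the first extended-component. The sample document, ids and function names are constructed for illustration; elements are matched by local name only.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the reproducer from the issue): the tailoring
# component was appended after an extended-component.
SAMPLE = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:data-stream id="ds_1"/>
  <ds:component id="comp_xccdf"/>
  <ds:extended-component id="ext_sce"/>
  <ds:component id="comp_tailoring"/>
</ds:data-stream-collection>"""


def local(elem):
    """Tag name without the '{namespace}' prefix ElementTree adds."""
    return elem.tag.rsplit("}", 1)[-1]


def misplaced_components(collection):
    """Ids of component elements that come after an extended-component."""
    seen_extended, bad = False, []
    for child in collection:
        if local(child) == "extended-component":
            seen_extended = True
        elif local(child) == "component" and seen_extended:
            bad.append(child.get("id"))
    return bad


def check_document(xml_text):
    """Check every data-stream-collection, including one nested in an ARF."""
    root = ET.fromstring(xml_text)
    return [cid for coll in root.iter()
            if local(coll) == "data-stream-collection"
            for cid in misplaced_components(coll)]


def insert_component(collection, new_component):
    """Insert before the first extended-component, else after the last component."""
    names = [local(c) for c in collection]
    if "extended-component" in names:
        index = names.index("extended-component")
    else:
        last = max((i for i, n in enumerate(names) if n == "component"),
                   default=len(names) - 1)
        index = last + 1
    collection.insert(index, new_component)
    return index
```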

Comment on lines 193 to 194
# Validate the ARF against schema (most important - this was failing before the fix)
$OSCAP ds rds-validate $result 2>$stderr
It doesn't fail before the fix. Not with this test data. To make it fail before the fix you need different test data. You need to create an input file that is a SCAP source data stream, not a plain XCCDF, and in this SCAP source data stream there need to be some extended-component elements. For example, elements containing SCEs, as in the latest scap-security-guide data streams. But don't include the whole scap-security-guide data stream in the openscap test suite; please create a minimal reproducer data stream that will fail before the fix and pass after the fix.

Comment on lines 193 to 194
# Validate the ARF against schema (most important - this was failing before the fix)
$OSCAP ds rds-validate $result 2>$stderr
I'd prefer to have an oscap xccdf generate fix command; that would be closer to the steps to reproduce the reporter's issue.

src/DS/rds.c Outdated
&tailoring_res_node, doc, NULL, 1, 0);
xmlNsPtr sds_ns = sds_res_node->ns;
xmlNodePtr tailoring_component = xmlNewNode(sds_ns, BAD_CAST "component");
xmlNodePtr tailoring_component = xmlNewNode(sds_ns, BAD_CAST "extended-component");
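Review bot: at the xmlNewNode call, switching the element name to "extended-component" changes only the type of the wrapper; nothing in these lines changes where the node ends up among the children of data-stream-collection, which is what the schema ordering rule discussed in this thread constrains. Keep "component" here and change the insertion point instead. Also, sds_res_node->ns is dereferenced and the xmlNewNode result is used without a NULL check in the lines shown; if neither is checked nearby, add the checks.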
It needs to stay "component".

@Mab879 Mab879 marked this pull request as draft January 12, 2026 13:49
Now the tailoring is added just before the extended-components (i.e. SCE).

Created in part by Claude Code.

Fixes OpenSCAP#2260
@Mab879 Mab879 changed the title from "Fix ARF generation with tailoring to use extended-component" to "Fix schema ordering when adding tailoring to ARF files" Jan 12, 2026
@Mab879 Mab879 marked this pull request as ready for review January 12, 2026 21:52
Successfully merging this pull request may close these issues.

Tailoring breaks validating SCAP Source Datastream