oscap xccdf validate - flood of warnings in validation of "oscap xccdf eval" results

Open mildas opened this issue 4 years ago • 4 comments

Description of Problem:

When XCCDF results from oscap xccdf eval are being validated, a lot of warnings are printed out.

OpenSCAP Version:

openscap-1.3.5-2.el8

Operating System & Version:

RHEL 8

Steps to Reproduce:

  1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report xccdf_org.ssgproject.content_profile_stig.html --results-arf xccdf_org.ssgproject.content_profile_stig-xccdf-arf-results.xml --results xccdf_org.ssgproject.content_profile_stig-xccdf-results.xml --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  2. oscap xccdf validate xccdf_org.ssgproject.content_profile_stig-xccdf-results.xml

Actual Results:

<?xml version="1.0"?>
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
....
Warning: All 'value' or 'complex-value' elements have non-empty @selector attribute values. The default selection will be the first of these elements. To explicitly designate a default, remove the selector of the default element. See the XCCDF 1.2.1 specification, Section 6.4.5.5.
Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
...

Expected Results:

No warnings.

mildas avatar May 10 '21 15:05 mildas

This is related to the fact that we have started to perform the schematron validation by default. It looks like the produced XCCDF results are not valid according to the schematron.

jan-cerny avatar May 11 '21 07:05 jan-cerny

Actually, there are only 4 distinct messages but they repeat many times.

  1. Warning: All 'value' or 'complex-value' elements have non-empty @selector attribute values. The default selection will be the first of these elements. To explicitly designate a default, remove the selector of the default element. See the XCCDF 1.2.1 specification, Section 6.4.5.5.
  2. Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
  3. Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
  4. Warning: The @idref attribute in a 'conflicts' element should match the @id attribute of a different 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.4.1.

jan-cerny avatar May 17 '21 14:05 jan-cerny
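
The deduplication described in the comment above (a few distinct messages repeating many times), as an added example that is not part of the original thread or of OpenSCAP: a shell function that collapses captured `oscap xccdf validate` output into one line per distinct warning, with its repeat count and the specification section it cites. The names `summarize_warnings` and `sample_output` are hypothetical, and the sample input is constructed from the messages quoted in this issue.

```shell
#!/bin/sh
# Added example, not OpenSCAP code. Reads captured validator output on stdin
# and prints: <count> TAB <cited XCCDF spec section or "-"> TAB <message>,
# one line per distinct warning, in order of first appearance.
summarize_warnings() {
    awk '
        /^Warning: / {
            msg = substr($0, 10)              # drop the "Warning: " prefix
            if (!(msg in count)) order[++n] = msg
            count[msg]++
        }
        END {
            for (i = 1; i <= n; i++) {
                msg = order[i]
                section = "-"                 # some warnings cite no section
                if (match(msg, /Section [0-9.]+/)) {
                    section = substr(msg, RSTART + 8, RLENGTH - 8)
                    sub(/\.$/, "", section)   # strip the sentence-ending period
                }
                printf "%d\t%s\t%s\n", count[msg], section, msg
            }
        }
    '
}

# Constructed sample: the repeat counts here are illustrative, not measured.
sample_output() {
    cat <<'EOF'
<?xml version="1.0"?>
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
Warning: All 'value' or 'complex-value' elements have non-empty @selector attribute values. The default selection will be the first of these elements. To explicitly designate a default, remove the selector of the default element. See the XCCDF 1.2.1 specification, Section 6.4.5.5.
Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.
Warning: A 'rule-result' element should have exactly one child 'check' or 'complex-check' element. This is the conventional way of linking to the checking-system results for this Rule.
EOF
}

# Demo run on the constructed sample.
sample_output | summarize_warnings
```
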

ad 2: check _xccdf_policy_rule_evaluate in xccdf_policy.c

jan-cerny avatar May 17 '21 14:05 jan-cerny

@jan-cerny @mildas issue still actual?

evgenyz avatar Feb 10 '24 02:02 evgenyz