Another issue has come up while attempting to scan a Fedora-based system using the quasi-official OVAL collection at CIS:

https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip

After extracting the XML and using a command such as:

oscap oval eval --report report.html --results results.xml --fetch-remote-resources oval.xml

the oscap utility spends about an hour and a half parsing the 213MB of data, then says in the end that the definitions are invalid and so refuses to do the scan.

When I use --fetch-remote-resources, the following message is repeated 158 times. Alas the code apparently does not contemplate OVAL files with more than 65535 lines, so the line numbers are all the same (the actual number of lines is about 3 million):

File 'oval.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string': This element is not expected. Expected is one of ( {http://www.w3.org/2000/09/xmldsig#}Signature, {http://oval.mitre.org/XMLSchema/oval-common-5}notes, {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).

If I omit --fetch-remote-resources, there are a few different errors, but I guess those don't matter so much?

So... what to do? Adding --skip-valid to the command doesn't seem like a solution. If I do that the scan fails almost immediately with:

W: oscap: Unknown OVAL family subtype: interim_fix
OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710. [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395] Failed to import the OVAL Definitions from 'oval.xml'. [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]

Are there some additional definitions that need to be pulled in somehow?

Thanks!





_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
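
Added example, not part of the original post and not OpenSCAP or CIS code: a streaming inventory of which platform-family namespaces an OVAL definitions file uses (the part after `#`, as in the `#iosxe` namespace named in the validation error above), so content for other platforms can be spotted before a scan. The function names, the sample document and the `wanted` set of families for a Linux target are assumptions made for this illustration.

```python
import io
import sys
import xml.etree.ElementTree as ET
from collections import Counter

CORE = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
SECTIONS = {"{%s}%s" % (CORE, s): s for s in ("tests", "objects", "states")}

# Constructed sample document, not taken from the CIS repository.
SAMPLE = b"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <tests>
  <rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:example:tst:1"/>
  <version_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe" id="oval:example:tst:2"/>
  <interim_fix_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix" id="oval:example:tst:3"/>
 </tests>
 <states>
  <version_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe" id="oval:example:ste:1">
   <version_string>16.9</version_string>
  </version_state>
 </states>
</oval_definitions>"""


def family_counts(source):
    """Count tests/objects/states per platform family, streaming the file."""
    counts, stack = Counter(), []
    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start":
            stack.append(elem.tag)
            continue
        stack.pop()
        # Direct children of <tests>/<objects>/<states> close at depth 2.
        if len(stack) == 2 and stack[1] in SECTIONS:
            namespace = elem.tag[1:].partition("}")[0] if elem.tag[0] == "{" else ""
            family = namespace.partition("#")[2] or "(core)"
            counts[(SECTIONS[stack[1]], family)] += 1
            elem.clear()  # drop children so a multi-hundred-MB file stays small
    return counts


def other_families(counts, wanted=("independent", "linux", "unix")):
    """Families present in the file but outside `wanted` (an assumed set for a Linux target)."""
    return sorted({fam for _, fam in counts} - set(wanted))


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    counts = family_counts(src)
    for (section, fam), n in sorted(counts.items()):
        print(f"{section:8} {fam:12} {n}")
    print("outside wanted set:", other_families(counts))
```

Run with the path to an extracted definitions file as the only argument; with no argument it reports on the embedded sample.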
