On 7/7/14, 4:55 AM, Jan Lieskovsky wrote:
----- Original Message -----
>From: "Shawn Wells"<[email protected]>
>To:[email protected]
>Sent: Thursday, July 3, 2014 8:19:33 PM
>Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
>
>
>On 7/3/14, 6:23 AM, Jan Lieskovsky wrote:
>
>
>
>
>Currently it's not possible for the shorthand form of an OVAL definition to
>contain an <ind:variable_object> definition (based on a previously defined
><local_variable>).
>
>The reason behind this limitation is that the idtranslate.py script (which is
>internally called by the relabelids.py script, which is subsequently called
>during the benchmark build process) is not currently able to properly handle
>the <ind:var_ref> element.
>
>When translating the OVAL ids, idtranslate.py is able to correctly replace the
>value of the 'var_ref' attribute, but is not able to translate the id when
>'var_ref' isn't an attribute, but rather a tag / element directly. The
><variable_object> definition expects the form of:
>
><ind:variable_object id="object_id" version="1">
><ind:var_ref>reference_to_previously_defined_variable_used_in_the_check</ind:var_ref>
></ind:variable_object>
>
>Since (currently) the value of the <ind:var_ref> element isn't properly
>translated into a real ID, during the benchmark build process an error like
>the following is raised:
>
>... [pattern] id 'variable_name' does not meet the expected pattern [oval:a-z...]
>
>This results in an inability to successfully build the benchmark when a
>variable_object (containing the reference to var_ref required by the xsd) is
>used.
>
>Since I need the capability to define variable_objects (see the patch [2/2]),
>update the idtranslate.py script (in RHEL/6 and also across the content) to be
>able to properly handle variable_objects (properly translate var_ref ids even
>in case it's listed as a tag / element).
>
>The proper functioning of the proposed change is confirmed by the successful
>operation of the subsequent patch (see patch [2/2] for further details).
>
>Please review.
>
>Thank you && Regards, Jan.
>--
>Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
>
>0001-transforms-idtranslate.py-Allow-shorthand-format-to-.patch
>From 6666cca40efcf54711ed76ac1b1eb176ec62b271 Mon Sep 17 00:00:00 2001
>From: Jan Lieskovsky <[email protected]>
>Date: Thu, 3 Jul 2014 11:21:39 +0200
>Subject: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to
>  contain <ind:variable_object> definition
>
>Signed-off-by: Jan Lieskovsky <[email protected]>
>---
>  Fedora/transforms/idtranslate.py    | 3 +++
>  OpenStack/transforms/idtranslate.py | 3 +++
>  RHEL/6/transforms/idtranslate.py    | 3 +++
>  RHEL/7/transforms/idtranslate.py    | 3 +++
>  RHEVM3/transforms/idtranslate.py    | 3 +++
>  5 files changed, 15 insertions(+)
>
>diff --git a/Fedora/transforms/idtranslate.py
>b/Fedora/transforms/idtranslate.py
>index 77f078a..67c1cf4 100755
>--- a/Fedora/transforms/idtranslate.py
>+++ b/Fedora/transforms/idtranslate.py
>@@ -123,6 +123,9 @@ class idtranslator:
>                    if element.tag == "{" + oval_ns + "}filter":
>                            element.text = self.assign_id("{" + oval_ns + 
"}state", element.text)
>                            continue
>+                   if element.tag == "{" + oval_ns + "#independent}var_ref":
>+                           element.text = self.assign_id("{" + oval_ns + 
"}variable", element.text)
>+                           continue
>                    for attr in element.keys():
>                            if attr in ovalrefattr_to_tag.keys():
>                                    element.set(attr,self.assign_id( "{" + oval_ns + 
"} " +
>                                    ovalrefattr_to_tag[attr], 
element.get(attr)))
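
Review bot: The added var_ref branch hands element.text to assign_id without checking it, so an <ind:var_ref> that is empty, or whose text carries surrounding whitespace or newlines, reaches assign_id as None or with the padding included. Consider stripping the text first and skipping the element (or failing with a clear message) when nothing is left.
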
>diff --git a/OpenStack/transforms/idtranslate.py
>b/OpenStack/transforms/idtranslate.py
>index 77f078a..67c1cf4 100755
>--- a/OpenStack/transforms/idtranslate.py
>+++ b/OpenStack/transforms/idtranslate.py
>@@ -123,6 +123,9 @@ class idtranslator:
>                    if element.tag == " {" + oval_ns + "}filter":
>                            element.text = self.assign_id("{" + oval_ns + 
"}state", element.text)
>                            continue
>+                   if element.tag == "{" + oval_ns + "#independent}var_ref":
>+                           element.text = self.assign_id("{" + oval_ns + 
"}variable", element.text)
>+                           continue
>                    for attr in element.keys():
>                            if attr in ovalrefattr_to_tag.keys():
>                                    element.set(attr,self.assign_id( "{" + oval_ns + 
"} " +
>                                    ovalrefattr_to_tag[attr], 
element.get(attr)))
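
Review bot: The var_ref branch here repeats the Fedora one exactly (both files go from 77f078a to 67c1cf4), and the diffstat lists five such copies, so any later fix has to be applied five times and the copies can drift apart. Consider keeping a single shared idtranslate.py that each product's build calls.
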
>diff --git a/RHEL/6/transforms/idtranslate.py
>b/RHEL/6/transforms/idtranslate.py
>index 77f078a..67c1cf4 100755
>--- a/RHEL/6/transforms/idtranslate.py
>+++ b/RHEL/6/transforms/idtranslate.py
>@@ -123,6 +123,9 @@ class idtranslator:
>                    if element.tag == " {" + oval_ns + "}filter":
>                            element.text = self.assign_id("{" + oval_ns + 
"}state", element.text)
>                            continue
>+                   if element.tag == "{" + oval_ns + "#independent}var_ref":
>+                           element.text = self.assign_id("{" + oval_ns + 
"}variable", element.text)
>+                           continue
>                    for attr in element.keys():
>                            if attr in ovalrefattr_to_tag.keys():
>                                    element.set(attr,self.assign_id( "{" + oval_ns + 
"} " +
>                                    ovalrefattr_to_tag[attr], 
element.get(attr)))
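
Review bot: Missing comment on the added var_ref branch: nothing in the code says why this element is translated through its text while other references go through the attribute loop below, or why the key passed to assign_id is "}variable" rather than the element's own tag. A one-line comment above the if, stating that variable_object references its variable through element text, would save the next reader a trip to the commit message.
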
>diff --git a/RHEL/7/transforms/idtranslate.py
>b/RHEL/7/transforms/idtranslate.py
>index 77f078a..67c1cf4 100755
>--- a/RHEL/7/transforms/idtranslate.py
>+++ b/RHEL/7/transforms/idtranslate.py
>@@ -123,6 +123,9 @@ class idtranslator:
>                    if element.tag == " {" + oval_ns + "}filter":
>                            element.text = self.assign_id("{" + oval_ns + 
"}state", element.text)
>                            continue
>+                   if element.tag == "{" + oval_ns + "#independent}var_ref":
>+                           element.text = self.assign_id("{" + oval_ns + 
"}variable", element.text)
>+                           continue
>                    for attr in element.keys():
>                            if attr in ovalrefattr_to_tag.keys():
>                                    element.set(attr,self.assign_id( "{" + oval_ns + 
"} " +
>                                    ovalrefattr_to_tag[attr], 
element.get(attr)))
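
Review bot: The continue that closes the new branch skips the "for attr in element.keys()" loop, so an attribute on a var_ref element that appears in ovalrefattr_to_tag would be left untranslated. This mirrors the filter branch above it; if var_ref elements never carry such attributes, say so in a comment, otherwise drop the continue and let the attribute loop run too.
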
>diff --git a/RHEVM3/transforms/idtranslate.py
>b/RHEVM3/transforms/idtranslate.py
>index 77f078a..67c1cf4 100755
>--- a/RHEVM3/transforms/idtranslate.py
>+++ b/RHEVM3/transforms/idtranslate.py
>@@ -123,6 +123,9 @@ class idtranslator:
>                    if element.tag == " {" + oval_ns + "}filter":
>                            element.text = self.assign_id("{" + oval_ns + 
"}state", element.text)
>                            continue
>+                   if element.tag == "{" + oval_ns + "#independent}var_ref":
>+                           element.text = self.assign_id("{" + oval_ns + 
"}variable", element.text)
>+                           continue
>                    for attr in element.keys():
>                            if attr in ovalrefattr_to_tag.keys():
>                                    element.set(attr,self.assign_id( "{" + oval_ns + 
"}" +
>                                    ovalrefattr_to_tag[attr], 
element.get(attr)))
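
Review bot: Style point on the added if: the qualified tag "{" + oval_ns + "#independent}var_ref" is rebuilt by concatenation for every element visited, as is the "}filter" comparison above it. Building these names once, next to where oval_ns is defined, would make the comparisons easier to read and keep the "#independent" suffix in one place.
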
>--
>1.8.3.1
>
>ack
Thanks, Shawn. Pushed. By any chance, have you found time to also review / test the second one?

The second was a bit more detailed, so didn't have time last week. It's on the to-do for today.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
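
The failure described in the patch message, reproduced as an added example (not code from the thread or from scap-security-guide): a reference carried as <ind:var_ref> element text stays a plain name unless the translator handles the element, and then fails the OVAL variable id pattern. The `translate` and `assign` helpers, the "example" id namespace and the sample ids are assumptions made for illustration; `assign` is a simplified stand-in for the script's assign_id.

```python
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = OVAL_NS + "#independent"
# Variable id pattern from the OVAL 5 definitions schema.
VAR_ID = re.compile(r"oval:[A-Za-z0-9_\-.]+:var:[1-9][0-9]*$")

# Constructed shorthand input: ids are plain names, not oval:... ids yet.
SHORTHAND = f"""
<root xmlns="{OVAL_NS}" xmlns:ind="{IND_NS}">
  <local_variable id="var_example" datatype="string" version="1"/>
  <ind:variable_object id="object_example" version="1">
    <ind:var_ref>var_example</ind:var_ref>
  </ind:variable_object>
  <ind:textfilecontent54_state id="state_example" version="1">
    <ind:subexpression var_ref="var_example" var_check="all"/>
  </ind:textfilecontent54_state>
</root>
"""

def translate(xml_text, handle_var_ref_element, id_ns="example"):
    """Translate variable names to OVAL ids; return every variable reference."""
    ids = {}
    def assign(name):
        # Hypothetical, simplified stand-in for idtranslate.py's assign_id().
        return ids.setdefault(name, f"oval:{id_ns}:var:{len(ids) + 1}")

    refs = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag == f"{{{OVAL_NS}}}local_variable":
            el.set("id", assign(el.get("id")))
        elif el.tag == f"{{{IND_NS}}}var_ref":
            # Reference carried as element text (the case the patch adds).
            if handle_var_ref_element and el.text and el.text.strip():
                el.text = assign(el.text.strip())
            refs.append(el.text)
        elif el.get("var_ref") is not None:
            # Reference carried as an attribute (already handled before).
            el.set("var_ref", assign(el.get("var_ref")))
            refs.append(el.get("var_ref"))
    return refs

def invalid_refs(refs):
    return [r for r in refs if not VAR_ID.match(r or "")]

if __name__ == "__main__":
    print("attribute-only:", invalid_refs(translate(SHORTHAND, False)))
    print("with var_ref element:", invalid_refs(translate(SHORTHAND, True)))
```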
