Hello Shawn,

----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Monday, July 7, 2014 5:43:53 PM
> Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
>
> On 7/7/14, 4:55 AM, Jan Lieskovsky wrote:
> > ----- Original Message -----
> >> >From: "Shawn Wells"<[email protected]>
> >> >To:[email protected]
> >> >Sent: Thursday, July 3, 2014 8:19:33 PM
> >> >Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
> >> >
> >> >On 7/3/14, 6:23 AM, Jan Lieskovsky wrote:
> >> >
> >> >Currently it's not possible for the shorthand form of an OVAL definition to
> >> >contain an <ind:variable_object> definition (based on a previously defined
> >> ><local_variable>).
> >> >
> >> >The reason behind this limitation is that the idtranslate.py script (which is
> >> >internally called by the relabelids.py script, which is subsequently called
> >> >during the benchmark build process) is not currently able to properly handle
> >> >the <ind:var_ref> element.
> >> >
> >> >When translating the OVAL ids, idtranslate.py is able to correctly replace the
> >> >value of the 'var_ref' attribute, but is not able to translate the id when
> >> >'var_ref' isn't an attribute, but rather a tag / element directly. The
> >> ><variable_object> definition expects the form of:
> >> >
> >> ><ind:variable_object id="object_id" version="1">
> >> ><ind:var_ref>reference_to_previously_defined_variable_used_in_the_check</ind:var_ref>
> >> ></ind:variable_object>
> >> >
> >> >Since (currently) the value of the <ind:var_ref> element isn't properly
> >> >translated into a real ID, during the benchmark build process an error like
> >> >the following is raised:
> >> >
> >> >... [pattern] id 'variable_name' does not meet the expected pattern [oval:a-z...]
> >> >
> >> >This results in an inability to successfully build the benchmark when
> >> >variable_object (containing the xsd-required reference to var_ref) is used.
> >> > > >> >Since I need the capability to define variable_objects (see the patch > >> >[2/2]), > >> >update > >> >idtranslate.py script (in RHEL/6 and also across the content) to be able > >> >to > >> >properly > >> >handle variable_objects (properly translate var_ref ids even in case it's > >> >listed as tag / element). > >> > > >> >The function / proper work of proposed change is confirmed by successful > >> >work > >> >of subsequent patch (see patch [2/2] for further details). > >> > > >> >Please review. > >> > > >> >Thank you && Regards, Jan. > >> >-- > >> >Jan iankko Lieskovsky / Red Hat Security Technologies Team > >> > > >> > > >> >0001-transforms-idtranslate.py-Allow-shorthand-format-to-.patch > >> > From 6666cca40efcf54711ed76ac1b1eb176ec62b271 Mon Sep 17 00:00:00 2001 > >> >From: Jan Lieskovsky<[email protected]> Date: Thu, 3 Jul 2014 11:21:39 > >> >+0200 > >> >Subject: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format > >> >to > >> > contain <ind:variable_object> definition > >> > > >> >Signed-off-by: Jan Lieskovsky<[email protected]> --- > >> > Fedora/transforms/idtranslate.py | 3 +++ > >> > OpenStack/transforms/idtranslate.py | 3 +++ > >> > RHEL/6/transforms/idtranslate.py | 3 +++ > >> > RHEL/7/transforms/idtranslate.py | 3 +++ > >> > RHEVM3/transforms/idtranslate.py | 3 +++ > >> > 5 files changed, 15 insertions(+) > >> > > >> >diff --git a/Fedora/transforms/idtranslate.py > >> >b/Fedora/transforms/idtranslate.py > >> >index 77f078a..67c1cf4 100755 > >> >--- a/Fedora/transforms/idtranslate.py > >> >+++ b/Fedora/transforms/idtranslate.py 
> >> >@@ -123,6 +123,9 @@ class idtranslator: > >> > if element.tag == "{" + oval_ns + "}filter": > >> > element.text = self.assign_id("{" + > >> > oval_ns + "}state", > >> > element.text) > >> > continue > >> >+ if element.tag == "{" + oval_ns + > >> >"#independent}var_ref": > >> >+ element.text = self.assign_id("{" + oval_ns + > >> >"}variable", > >> >element.text) > >> >+ continue > >> > for attr in element.keys(): > >> > if attr in ovalrefattr_to_tag.keys(): > >> > > >> > element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >> > ovalrefattr_to_tag[attr], > >> > element.get(attr))) > >> >diff --git a/OpenStack/transforms/idtranslate.py > >> >b/OpenStack/transforms/idtranslate.py > >> >index 77f078a..67c1cf4 100755 > >> >--- a/OpenStack/transforms/idtranslate.py > >> >+++ b/OpenStack/transforms/idtranslate.py > >> >@@ -123,6 +123,9 @@ class idtranslator: > >> > if element.tag == " {" + oval_ns + "}filter": > >> > element.text = self.assign_id("{" + > >> > oval_ns + "}state", > >> > element.text) > >> > continue > >> >+ if element.tag == "{" + oval_ns + > >> >"#independent}var_ref": > >> >+ element.text = self.assign_id("{" + oval_ns + > >> >"}variable", > >> >element.text) > >> >+ continue > >> > for attr in element.keys(): > >> > if attr in ovalrefattr_to_tag.keys(): > >> > > >> > element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >> > ovalrefattr_to_tag[attr], > >> > element.get(attr))) > >> >diff --git a/RHEL/6/transforms/idtranslate.py > >> >b/RHEL/6/transforms/idtranslate.py > >> >index 77f078a..67c1cf4 100755 > >> >--- a/RHEL/6/transforms/idtranslate.py > >> >+++ b/RHEL/6/transforms/idtranslate.py 
> >> >@@ -123,6 +123,9 @@ class idtranslator: > >> > if element.tag == " {" + oval_ns + "}filter": > >> > element.text = self.assign_id("{" + > >> > oval_ns + "}state", > >> > element.text) > >> > continue > >> >+ if element.tag == "{" + oval_ns + > >> >"#independent}var_ref": > >> >+ element.text = self.assign_id("{" + oval_ns + > >> >"}variable", > >> >element.text) > >> >+ continue > >> > for attr in element.keys(): > >> > if attr in ovalrefattr_to_tag.keys(): > >> > > >> > element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >> > ovalrefattr_to_tag[attr], > >> > element.get(attr))) > >> >diff --git a/RHEL/7/transforms/idtranslate.py > >> >b/RHEL/7/transforms/idtranslate.py > >> >index 77f078a..67c1cf4 100755 > >> >--- a/RHEL/7/transforms/idtranslate.py > >> >+++ b/RHEL/7/transforms/idtranslate.py > >> >@@ -123,6 +123,9 @@ class idtranslator: > >> > if element.tag == " {" + oval_ns + "}filter": > >> > element.text = self.assign_id("{" + > >> > oval_ns + "}state", > >> > element.text) > >> > continue > >> >+ if element.tag == "{" + oval_ns + > >> >"#independent}var_ref": > >> >+ element.text = self.assign_id("{" + oval_ns + > >> >"}variable", > >> >element.text) > >> >+ continue > >> > for attr in element.keys(): > >> > if attr in ovalrefattr_to_tag.keys(): > >> > > >> > element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >> > ovalrefattr_to_tag[attr], > >> > element.get(attr))) > >> >diff --git a/RHEVM3/transforms/idtranslate.py > >> >b/RHEVM3/transforms/idtranslate.py > >> >index 77f078a..67c1cf4 100755 > >> >--- a/RHEVM3/transforms/idtranslate.py > >> >+++ b/RHEVM3/transforms/idtranslate.py 
> >> >@@ -123,6 +123,9 @@ class idtranslator: > >> > if element.tag == " {" + oval_ns + "}filter": > >> > element.text = self.assign_id("{" + > >> > oval_ns + "}state", > >> > element.text) > >> > continue > >> >+ if element.tag == "{" + oval_ns + > >> >"#independent}var_ref": > >> >+ element.text = self.assign_id("{" + oval_ns + > >> >"}variable", > >> >element.text) > >> >+ continue > >> > for attr in element.keys(): > >> > if attr in ovalrefattr_to_tag.keys(): > >> > > >> > element.set(attr,self.assign_id( "{" + oval_ns + "}" + > >> > ovalrefattr_to_tag[attr], > >> > element.get(attr))) > >> >-- > >> >1.8.3.1 > >> > > >> >ack > > Thanks, Shawn. Pushed. By any chance have you had found time to review / > > test also the second one? > > The second was a bit more detailed, so didn't have time last week. It's > on the to-do for today.
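Review bot: In the added var_ref branch of each idtranslate.py hunk, element.text goes straight into self.assign_id() with no check, so an empty <ind:var_ref/> (text is None) or a value wrapped in whitespace or newlines by pretty-printed XML is passed on as the variable name. What assign_id() does with such input is not visible in these hunks, so I would guard it here: skip or fail with a clear message when element.text is empty, and pass element.text.strip() otherwise. The neighbouring filter branch in the context lines has the same shape and would benefit from the same guard.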
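Review bot: The same three-line var_ref branch is pasted into five per-product copies of idtranslate.py (Fedora, OpenStack, RHEL/6, RHEL/7, RHEVM3), and every copy goes from blob 77f078a to 67c1cf4, so the files are identical before and after the change. A single shared module would keep a later fix to reference handling from missing one copy. Two smaller points on the new lines: the independent-schema namespace is built inline as oval_ns + "#independent", which would read better as a named constant next to oval_ns, and a one-line comment saying that var_ref is a child element of variable_object, and therefore not covered by the ovalrefattr_to_tag attribute loop below, would document why the special case exists.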
Sorry to bother you, but by any chance have you found time to check the second one too?:
  https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-July/005783.html

Wouldn't like it to fall out of the radar due to:
* it's the last RHEL-6 causing 'make validate' to fail,
* it has been tested & confirmed for work by Ray already (+ Ray found another
  issue with current XCCDF description which needs yet additional patch):
  https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-July/005798.html

So if there are objections, could you (anyone else) express them, so they could be
corrected & we could move on?

Thank you a lot in advance && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
