From 9c2052febe494ca5fe8e3fef7996fd2c2c736785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 2 Nov 2022 09:04:25 +0100
Subject: [PATCH] Don't emit items if XPath doesn't match
This commit fixes the behavior of the xmlfilecontent probe in situation
when the XPath query in xmlfilecontent_object doesn't match any node in
the given XML file and the query returns an empty node set. Currently,
in this situation, we emit an item in which we add an empty value_of
element. However, this value_of element has its datatype attribute set
to an empty string, which is invalid according to the OVAL schema. When
we try to make the OVAL results valid, we face the problem that it isn't
clear what should be the value of the datatype attribute for empty
elements. But as we can see, an XPath that doesn't match anything means
that the requested object doesn't exist on the system, so a better
behavior would be to not produce a xmlfilecontent54_item. That is
consistent with eg. situation when a regular expression matched nothing
in textfilecontent54_object. This commit therefore stops the item
generation in this situation.
This commit also extends the existing test to cover the situation
of XPath queries for nonexistent element and nonexistent attribute.
Fixes: #1890, rhbz#2138884, rhbz#2139060
---
.../probes/independent/xmlfilecontent_probe.c | 5 +--
.../test_xmlfilecontent_probe.sh | 6 +++
.../test_xmlfilecontent_probe.xml | 38 +++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/OVAL/probes/independent/xmlfilecontent_probe.c b/src/OVAL/probes/independent/xmlfilecontent_probe.c
index 6c70b359ba..5d56afa0d4 100644
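--- a/src/OVAL/probes/independent/xmlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/xmlfilecontent_probe.c
@@ -296,10 +296,9 @@ static int process_file(const char *prefix, const char *path, const char *filena
 
 node_cnt = nodes->nodeNr;
 dD("node_cnt: %d.", node_cnt);
- if (node_cnt == 0) {
- probe_item_setstatus(item, SYSCHAR_STATUS_DOES_NOT_EXIST);
- probe_item_ent_add(item, "value_of", NULL, NULL);
- probe_itement_setstatus(item, "value_of", 1, SYSCHAR_STATUS_DOES_NOT_EXIST);
+ if (node_cnt <= 0) {
+ ret = -5;
+ goto cleanup;
 } else {
 node_tab = nodes->nodeTab;
 for (i = 0; i < node_cnt; ++i) {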
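Review bot: The new `if (node_cnt <= 0)` branch reports "XPath matched nothing" through the function's error path with a bare `ret = -5` and no comment, so a reader cannot tell from the hunk whether the caller treats an empty node set as a failure or as a normal "object does not exist" outcome. A comment such as `/* XPath matched no node: emit no item, the object does not exist on the system */` above `ret = -5;` would record the intent, and a named constant would be clearer than the literal. The removed lines used `item`, so it is already allocated when this branch jumps away; the `cleanup` label lies outside the hunk, and it is worth confirming that it releases `item`. With the `goto` in place the `} else {` is no longer needed and the loop could be un-nested.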
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
index e3c56a8606..68138dad75 100755
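--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
@@ -6,9 +6,15 @@ set -e -o pipefail
 cp $srcdir/example.xml /tmp/
 result=$(mktemp)
 $OSCAP oval eval --results $result $srcdir/test_xmlfilecontent_probe.xml
+# Even if OSCAP_FULL_VALIDATION is set, an invalid OVAL result doesn't cause
+# the "oscap oval eval" to return a non-zero value, so let's run validation
+# as a separate command
+$OSCAP oval validate "$result"
 assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
 assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:2" and @result="true"]'
 assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:3" and @result="true"]'
 assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:4" and @result="true"]'
 assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:5" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:6" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:7" and @result="true"]'
 rm -f $result
\ No newline at end of file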
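Review bot: The added `$OSCAP oval validate "$result"` runs under `set -e -o pipefail` (shown in the hunk header), so a validation failure ends the script before `rm -f $result` and leaves the temporary results file behind. Registering the removal right after `result=$(mktemp)` with `trap 'rm -f "$result"' EXIT` would clean up on every exit path. The `$result` and `$srcdir` expansions on the unchanged lines are also unquoted, unlike the new line.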
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
index 3350df0c49..0a9708d4b6 100644
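--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
@@ -66,6 +66,30 @@
 <criterion test_ref="oval:x:tst:5" comment="test"/>
 </criteria>
 </definition>
+ <definition class="compliance" version="1" id="oval:x:def:6">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting attribute</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:6" comment="test"/>
+ </criteria>
+ </definition>
+ <definition class="compliance" version="1" id="oval:x:def:7">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting element</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:7" comment="test"/>
+ </criteria>
+ </definition>
 </definitions>
 
 <tests>
@@ -89,6 +113,12 @@
 <ind:object object_ref="oval:x:obj:5"/>
 <ind:state state_ref="oval:x:ste:5"/>
 </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:6" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:6"/>
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:7" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:7"/>
+ </ind:xmlfilecontent_test>
 </tests>
 
 <objects>
@@ -112,6 +142,14 @@
 <ind:filepath>/tmp/example.xml</ind:filepath>
 <ind:xpath>//*[@regid="mycoyote.com"]/@name</ind:xpath>
 </ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:6" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/@thisattributedoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:7" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/thiselementdoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
 </objects>
 
 <states>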