Package: libopenscap8
Version: 1.2.16-2+b2
Severity: normal

Dear Maintainer,

I'm trying to build the scap-security-guide (ComplianceAsCode 0.1.64) on Debian 10 (https://github.com/ComplianceAsCode/content), but currently the build is failing.

Note: I reported this issue also for Ubuntu as https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551, and libopenscap8 provided in Debian 10 (2.1.16) is also affected.

The openscap version 1.2.16 is missing the patch https://github.com/OpenSCAP/openscap/commit/bbcbffcf6f901cb67ca5645307d170a32504a491.patch provided via https://github.com/OpenSCAP/openscap/pull/1324. Without this patch openscap isn't able to build ComplianceAsCode (https://github.com/ComplianceAsCode/content).

* What led up to the situation?

The PR https://github.com/OpenSCAP/openscap/pull/1324 was done after the 1.2.16 release and made available in openscap 1.2.18 and 1.3.1, so Debian 10 missed it.

* What exactly did you do (or not do) that was effective (or ineffective)?

The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not available, the build fails. ComplianceAsCode on version 0.1.63 was building fine. This is one example of failure due to missing remote resources (but there are more). All xccdf generate fix with embedded remote resources fail.

    oscap xccdf generate fix --skip-valid --benchmark-id xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --template urn:xccdf:fix:script:sh ./ssg-ubuntu1604-ds.xml
    WARNING: Datastream component 'scap_org.open-scap_cref_-ubuntu-security-oval-com.ubuntu.xenial.cve.oval.xml' points out to the remote 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml'. Use '--fetch-remote-resources' option to download it.
    WARNING: Skipping 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml' file which is referenced from datastream
    OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml with all dependencies from datastream. [../../../src/DS/ds_sds_session.c:211]

If the --fetch-remote-resources option is not provided, the resources pointed to by the components won't be downloaded. The provided patch allows the scan to continue without remote components. The result of rules which reference the missing remote resource will be 'notchecked'.

* What was the outcome of this action?

The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not available, the build will fail.

* What outcome did you expect instead?

If the --fetch-remote-resources option is not provided, the resources pointed to by the components won't be downloaded and the build should pass with remarks.

-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-23-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libopenscap8 depends on:
ii  libapt-pkg5.0  1.8.2.3
ii  libbz2-1.0     1.0.6-9.2~deb10u2
ii  libc6          2.28-10+deb10u2
ii  libcap2        1:2.25-2
ii  libcurl4       7.64.0-4+deb10u3
ii  libdbus-1-3    1.12.24-0+deb10u1
ii  libgcc1        1:8.3.0-6
ii  libgcrypt20    1.8.4-5+deb10u1
ii  libldap-2.4-2  2.4.47+dfsg-3+deb10u7
ii  libpcre3       2:8.39-12
ii  libselinux1    2.8-1+b1
ii  libstdc++6     8.3.0-6
ii  libxml2        2.9.4+dfsg1-7+deb10u5
ii  libxslt1.1     1.1.32-2.2~deb10u2

libopenscap8 recommends no packages.

libopenscap8 suggests no packages.

-- no debconf information

>From bbcbffcf6f901cb67ca5645307d170a32504a491 Mon Sep 17 00:00:00 2001 From: Watson Sato <ws...@redhat.com> Date: Tue, 30 Apr 2019 18:30:53 +0200 Subject: [PATCH] Allow DS session to continue without remote resources --- src/DS/sds.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/DS/sds.c b/src/DS/sds.c index 2511e89d9d..b7c33a2e58 100644 --- a/src/DS/sds.c +++ b/src/DS/sds.c @@ -412,6 +412,7 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x } ds_sds_session_remote_resources_progress(session)(true, "WARNING: Skipping '%s' file which is referenced from datastream\n", url); + // -2 means that remote resources were not downloaded return -2; } @@ -444,8 +445,12 @@ int ds_sds_dump_component_ref_as(const xmlNodePtr component_ref, struct ds_sds_s xmlFree(xlink_href); xmlFree(cref_id); - if (ret != 0) { - + if (ret == -2) { + // A remote component was not dumped + // It should be ok to continue without it + free(target_filename_dirname); + return 0; + } else if (ret != 0) { free(target_filename_dirname); return -1; }
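
Review bot: In ds_sds_dump_component_by_href (first hunk), the `return -2;` after the "Skipping" warning stays a bare magic number, and the second hunk then tests it with `ret == -2`; the new comment documents the value at one site only. Suggest a named constant or enum value used by both functions and mentioned in the function's return-value documentation, so the producer and the consumer of this code cannot drift apart.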
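
Review bot: In ds_sds_dump_component_ref_as (second hunk), the new `ret == -2` branch returns 0, so the caller cannot distinguish a skipped remote component from one that was actually dumped; the only trace is the warning sent through the progress callback in the first hunk. Suggest recording the skip in the session or returning a distinct non-error value, so later stages can deliberately report the dependent checks as not evaluated rather than discovering a missing file, and replacing "It should be ok to continue without it" with a comment that states what happens to content referencing the skipped component.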
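
The failure in the report comes from a component-ref whose xlink:href is a remote URL instead of a local "#component" reference. As an added example (not part of the report or of OpenSCAP), this Python function lists such references in a source datastream so a build or scan pipeline can see up front which components will be skipped without --fetch-remote-resources. The sample XML, its ids and the example.invalid URL are constructed; the SCAP 1.2 source datastream namespace is assumed.

```python
import sys
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: a minimal source datastream with two local
# component-refs and one that points at a remote OVAL file.
SAMPLE_DS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_example_collection">
  <ds:data-stream id="scap_example_datastream">
    <ds:checklists>
      <ds:component-ref id="scap_example_cref_xccdf.xml"
          xlink:href="#scap_example_comp_xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_example_cref_oval.xml"
          xlink:href="#scap_example_comp_oval.xml"/>
      <ds:component-ref id="scap_example_cref_cve.oval.xml"
          xlink:href="https://example.invalid/oval/cve.oval.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_component_refs(ds_xml):
    """Return (datastream id, component-ref id, URL) for each non-local ref.

    ds_xml is the datastream as str or bytes; parse only files you trust,
    since ElementTree does not defend against hostile XML.
    """
    root = ET.fromstring(ds_xml)
    found = []
    for stream in root.iter("{%s}data-stream" % DS_NS):
        for cref in stream.iter("{%s}component-ref" % DS_NS):
            href = cref.get("{%s}href" % XLINK_NS, "")
            # Components embedded in the datastream are referenced as "#<id>".
            if href and not href.startswith("#"):
                found.append((stream.get("id"), cref.get("id"), href))
    return found


if __name__ == "__main__":
    # Optional argument: path to a datastream file; default is the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DS
    for ds_id, cref_id, url in remote_component_refs(data):
        print("%s: %s -> %s" % (ds_id, cref_id, url))
```

Rules whose checks live in a listed component are the ones that end up 'notchecked' when the scan continues without it, so they should not be counted as passing.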