Bug#1028521: libopenscap8: openscap 1.2.16 not able to build ComplianceAsCode

Marina Latini Thu, 12 Jan 2023 02:15:17 -0800

Package: libopenscap8
Version: 1.2.16-2+b2
Severity: normal

Dear Maintainer,


I'm trying to build the scap-security-guide (ComplianceAsCode 0.1.64) on Debian
10.
https://github.com/ComplianceAsCode/content

but currently the build is failing.

Note: I reported this issue also for Ubuntu as
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551 and
libopenscap8 provided in Debian 10 (2.1.16) is also affected.


The openscap versions 1.2.16 is missing the patch
https://github.com/OpenSCAP/openscap/commit/bbcbffcf6f901cb67ca5645307d170a32504a491.patch
provided via https://github.com/OpenSCAP/openscap/pull/1324

Without this patch openscap isn't able to build ComplianceAsCode
(https://github.com/ComplianceAsCode/content).

   * What led up to the situation?

The PR https://github.com/OpenSCAP/openscap/pull/1324 was done after 1.2.16
release and made available in openscap 1.2.18 and 1.3.1, so Debian 10 missed
it.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not
available, the build fails.

ComplianceAsCode on version 0.1.63 was building fine.

This is one example of failure due to missing remote resources (but there are
more).
All xcddf generate fix with embedded remote resources fail.

oscap xccdf generate fix --skip-valid --benchmark-id
xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL --profile
xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --template
urn:xccdf:fix:script:sh ./ssg-ubuntu1604-ds.xml

WARNING: Datastream component 'scap_org.open-scap_cref_-ubuntu-security-oval-
com.ubuntu.xenial.cve.oval.xml' points out to the remote
'https://people.canonical.com/~ubuntu-
security/oval/com.ubuntu.xenial.cve.oval.xml'. Use '--fetch-remote-resources'
option to download it.
WARNING: Skipping 'https://people.canonical.com/~ubuntu-
security/oval/com.ubuntu.xenial.cve.oval.xml' file which is referenced from
datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-
ubuntu1604-xccdf-1.2.xml with all dependencies from datastream.
[../../../src/DS/ds_sds_session.c:211]

If the --fetch-remote-resources option is not provided, the resources pointed
by the components won't be downloaded. The provided patch allows the scan to
continue without remote components.
The result of rules which reference the missing remote resource will be
'notchecked'.

   * What was the outcome of this action?

The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not
available, the build will fail.

   * What outcome did you expect instead?

If the --fetch-remote-resources option is not provided, the resources pointed
by the components won't be downloaded and the build should pass with remarks.



-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-23-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libopenscap8 depends on:
ii  libapt-pkg5.0  1.8.2.3
ii  libbz2-1.0     1.0.6-9.2~deb10u2
ii  libc6          2.28-10+deb10u2
ii  libcap2        1:2.25-2
ii  libcurl4       7.64.0-4+deb10u3
ii  libdbus-1-3    1.12.24-0+deb10u1
ii  libgcc1        1:8.3.0-6
ii  libgcrypt20    1.8.4-5+deb10u1
ii  libldap-2.4-2  2.4.47+dfsg-3+deb10u7
ii  libpcre3       2:8.39-12
ii  libselinux1    2.8-1+b1
ii  libstdc++6     8.3.0-6
ii  libxml2        2.9.4+dfsg1-7+deb10u5
ii  libxslt1.1     1.1.32-2.2~deb10u2

libopenscap8 recommends no packages.

libopenscap8 suggests no packages.

-- no debconf information

>From bbcbffcf6f901cb67ca5645307d170a32504a491 Mon Sep 17 00:00:00 2001
From: Watson Sato <ws...@redhat.com>
Date: Tue, 30 Apr 2019 18:30:53 +0200
Subject: [PATCH] Allow DS session to continue without remote resources

---
 src/DS/sds.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/DS/sds.c b/src/DS/sds.c
index 2511e89d9d..b7c33a2e58 100644
--- a/src/DS/sds.c
+++ b/src/DS/sds.c
@@ -412,6 +412,7 @@ static int ds_sds_dump_component_by_href(struct 
ds_sds_session *session, char* x
                        }
 
                        ds_sds_session_remote_resources_progress(session)(true, 
"WARNING: Skipping '%s' file which is referenced from datastream\n", url);
+                       // -2 means that remote resources were not downloaded
                        return -2;
                }
 
@@ -444,8 +445,12 @@ int ds_sds_dump_component_ref_as(const xmlNodePtr 
component_ref, struct ds_sds_s
        xmlFree(xlink_href);
        xmlFree(cref_id);
 
-       if (ret != 0) {
-
+       if (ret == -2) {
+               // A remote component was not dumped
+               // It should be ok to continue without it
+               free(target_filename_dirname);
+               return 0;
+       } else if (ret != 0) {
                free(target_filename_dirname);
                return -1;
        }

Bug#1028521: libopenscap8: openscap 1.2.16 not able to build ComplianceAsCode

Reply via email to