Description of Problem:
Template xsl/xccdf_1.1_to_1.2.xsl, which converts XCCDF 1.1 to XCCDF 1.2, cannot handle the situation where a profile has the same ID as a group in the Benchmark.
This problem was discovered when we tried to achieve SCAP 1.3 content compliance for Oracle Linux 7 content. SCAPVal 1.3.2 reported a violation of requirement SRC-330. For more details, please see ComplianceAsCode/content#4327, where you can also find SCAPVal HTML reports in a ZIP file.
The proper fix is to fix the XSLT templates in OpenSCAP. A workaround in ComplianceAsCode/content is to rename either the sap Group or rename sap OL7 profile so that the 2 names don't conflict.
We need the proper fix as the xsl/xccdf_1.1_to_1.2.xsl should be usable in general to transform any XCCDF 1.1 content.
OpenSCAP Version:
1.3.0
Operating System & Version:
Fedora 29
Steps to Reproduce:
- check out the ComplianceAsCode git tag for 0.1.44
- build OL7 content
xsltproc --stringparam reverse_DNS "org.ssgproject.content" --output /tmp/xccdf12.xml ~/openscap/xsl/xccdf_1.1_to_1.2.xsl build/ssg-ol7-xccdf.xml .
- Check the profiles selections. You will see that <select idref="sap" selected="false"/> is incorrectly translated to <select idref="xccdf_org.ssgproject.content_profile_sap" selected="false"/>. A proper fix is to fix the XSLT templates in OpenSCAP. A workaround is to rename either the sap Group or rename sap OL7 profile so that the 2 names don't conflict.
Actual Results:
groups are confused with profiles
Expected Results:
groups are not confused with profiles
Additional Information / Debugging Steps:
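
A pre-conversion check for the collision described in this report, as an added example (not OpenSCAP or ComplianceAsCode code). The sample benchmark is constructed, the function names are hypothetical, and the expected target assumes the XCCDF 1.2 ID form xccdf_<reverse_DNS>_<type>_<name>, with a <select> resolving only to a Group or Rule:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://checklists.nist.gov/xccdf/1.1}"
KINDS = ("Profile", "Group", "Rule", "Value")

# Constructed sample: a Profile and a Group that both use the ID "sap".
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="sap"><select idref="sap" selected="false"/></Profile>
  <Profile id="standard"><select idref="sap" selected="false"/>
    <select idref="rule_a" selected="true"/></Profile>
  <Group id="sap"><Rule id="rule_a"/></Group>
</Benchmark>"""

def index_ids(root):
    """Map each XCCDF 1.1 id to the set of element kinds that declare it."""
    ids = defaultdict(set)
    for kind in KINDS:
        for el in root.iter(NS + kind):
            ids[el.get("id")].add(kind)
    return ids

def colliding_ids(ids):
    """IDs declared by more than one kind of element."""
    return {i: sorted(k) for i, k in ids.items() if len(k) > 1}

def expected_select_target(idref, ids, reverse_dns):
    """XCCDF 1.2 id a <select> should point to; only Group or Rule qualifies."""
    kinds = ids.get(idref, set()) & {"Group", "Rule"}
    if len(kinds) != 1:
        return None  # unresolved or ambiguous (e.g. a cluster-id): review by hand
    return f"xccdf_{reverse_dns}_{kinds.pop().lower()}_{idref}"

def audit(xml_text, reverse_dns):
    """Return (ids shared across kinds, expected 1.2 target per select idref)."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    selects = {s.get("idref"): expected_select_target(s.get("idref"), ids, reverse_dns)
               for s in root.iter(NS + "select")}
    return colliding_ids(ids), selects

if __name__ == "__main__":
    collisions, selects = audit(SAMPLE, "org.ssgproject.content")
    print("colliding ids:", collisions)
    for idref, target in selects.items():
        print(f"select {idref} -> {target}")
```

Comparing the expected targets with the idref values in the converted file shows every selection that was rewritten to the wrong item type.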