Merge branch 'master' into oscap_source

Before we merge oscap_source to master we want to test
the-latest-greatest HEAD in oscap_source.

NEWS

@@ -1,3 +1,18 @@
+openscap-1.1.1                                                  26-09-2014
+ - Hint towards `oscap info` when profile is not found in oscap tool
+ - HTML report changes:
+   - Source OVAL results from ARF if available
+   - Highlight notchecked rules, treat them as rules that need attention
+ - HTML guide changes:
+   - Variable Substitution improvements
+   - Show benchmark title
+   - Show info about selected profile
+   - Avoid cdf12:notice, show only its contents
+ - bugfixes:
+   - improved handling of fqdn in XCCDF
+   - memory leaks
+   - static analysis fixes
+
 openscap-1.1.0                                                  03-09-2014
  - HTML report and guide redesign
  - dropped support for docbook

ac_probes/configure.ac.tpl

@@ -42,7 +42,7 @@ AC_PROG_SWIG([])
 LT_CURRENT=11
 
 ## increment any time the source changes; set 0 to if you increment CURRENT
-LT_REVISION=1
+LT_REVISION=2
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has

configure.ac

@@ -42,7 +42,7 @@ AC_PROG_SWIG([])
 LT_CURRENT=11
 
 ## increment any time the source changes; set 0 to if you increment CURRENT
-LT_REVISION=1
+LT_REVISION=2
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has

src/DS/rds.c

@@ -339,6 +339,7 @@ static xmlNodePtr ds_rds_add_ai_from_xccdf_results(xmlDocPtr doc, xmlNodePtr ass
 
 	xmlNodePtr test_result_child = test_result->children;
 
+	xmlNodePtr last_fqdn = NULL;
 	for (; test_result_child != NULL; test_result_child = test_result_child->next)
 	{
 		if (test_result_child->type != XML_ELEMENT_NODE)
@@ -347,7 +348,6 @@ static xmlNodePtr ds_rds_add_ai_from_xccdf_results(xmlDocPtr doc, xmlNodePtr ass
 		// Order for the output to be valid:
 		// 1) All fqdn-s
 		// 2) All hostnames
-		xmlNodePtr last_fqdn = NULL;
 		if (strcmp((const char*)(test_result_child->name), "target") == 0)
 		{
 			// content is a full copy

src/OVAL/probes/unix/linux/systemdunitproperty.c

@@ -106,7 +106,10 @@ static int get_all_properties_by_unit_path(DBusConnection *conn, const char *uni
 		dbus_message_iter_get_basic(&dict_entry, &value);
 		char *property_name = oscap_strdup(value.str);
 
-		dbus_message_iter_next(&dict_entry);
+		if (dbus_message_iter_next(&dict_entry) == false) {
+			dW("Expected another field in dict_entry.");
+			goto cleanup;
+		}
 
 		if (dbus_message_iter_get_arg_type(&dict_entry) != DBUS_TYPE_VARIANT) {
 			dI("Expected variant as value in dict_entry. Instead received: %s.\n", dbus_message_type_to_string(dbus_message_iter_get_arg_type(&dict_entry)));
@@ -270,6 +273,8 @@ int probe_main(probe_ctx *ctx, void *probe_arg)
 
 	if (dbus_conn == NULL) {
 		dbus_error_free(&dbus_error);
+		SEXP_free(property_entity);
+		SEXP_free(unit_entity);
 		return PROBE_ESYSTEM;
 	}
 

src/OVAL/probes/unix/process58.c

@@ -207,19 +207,11 @@ static int get_uids(int pid, struct result_info *r)
 	snprintf(buf, sizeof(buf), "/proc/%d/loginuid", pid);
 	sf = fopen(buf, "rt");
 	if (sf) {
-		fscanf(sf, "%u", &r->loginuid);
-		fclose(sf);
-	}
-
-	/* we get session id from /pros/id/stat (same as ps) */
-	/*
-	snprintf(buf, sizeof(buf), "/proc/%d/sessionid", pid);
-	sf = fopen(buf, "rt");
-	if (sf) {
-		fscanf(sf, "%d", &r->session_id);
+		if (fscanf(sf, "%u", &r->loginuid) < 1) {
+			dW("fscanf failed from %s\n", buf);
+		}
 		fclose(sf);
 	}
-	*/
 
 	return 0;
 }

src/XCCDF/tailoring.c

@@ -113,8 +113,8 @@ bool xccdf_tailoring_remove_profile(struct xccdf_tailoring *tailoring, struct xc
 				"Can't remove given profile '%s' from tailoring. Other profiles are inheriting from it!",
 				profile_id);
 
-			return false;
 			xccdf_profile_iterator_free(it);
+			return false;
 		}
 	}
 	xccdf_profile_iterator_free(it);

src/XCCDF_POLICY/xccdf_policy.c

@@ -195,6 +195,8 @@ char *xccdf_policy_get_readable_item_title(struct xccdf_policy *policy, struct x
 	struct oscap_text_iterator *title_it = xccdf_item_get_title(item);
 	char *unresolved = oscap_textlist_get_preferred_plaintext(title_it, preferred_lang);
 	oscap_text_iterator_free(title_it);
+	if (!unresolved)
+		return oscap_strdup("");
 	char *resolved = xccdf_policy_substitute(unresolved, policy);
 	oscap_free(unresolved);
 	return resolved;
@@ -206,6 +208,8 @@ char *xccdf_policy_get_readable_item_description(struct xccdf_policy *policy, st
 	struct oscap_text_iterator *description_it = xccdf_item_get_description(item);
 	struct oscap_text *unresolved_text = oscap_textlist_get_preferred_text(description_it, preferred_lang);
 	oscap_text_iterator_free(description_it);
+	if (!unresolved_text)
+		return oscap_strdup("");
 	const char *unresolved = oscap_text_get_text(unresolved_text);
 	/* Resolve <xccdf:sub> elements */
 	const char *resolved = xccdf_policy_substitute(unresolved, policy);

tests/API/XCCDF/guide/Makefile.am

@@ -10,4 +10,5 @@ TESTS = all.sh
 EXTRA_DIST = \
 	all.sh \
 	content-xccdf11.xml \
-	content-xccdf12.xml
+	content-xccdf12.xml \
+	content-value-xccdf11.xml

tests/API/XCCDF/guide/all.sh

@@ -28,11 +28,35 @@ function test_generate_guide {
     return 1
 }
 
+function test_generate_guide_profile {
+    local INPUT=$srcdir/$1
+    local PROFILE=$2
+    local EXPECTED_CONTENT=$3
+
+    local GENERATED_CONTENT=$($OSCAP xccdf generate guide --profile $PROFILE "$INPUT")
+    if [ "$?" != "0" ]; then
+        return 1
+    fi
+
+    echo "$GENERATED_CONTENT" | grep "$EXPECTED_CONTENT"
+    if [ "$?" == "0" ]; then
+        return 0
+    fi
+
+    echo "Generated content does not contain '$EXPECTED_CONTENT'!"
+    echo "Generated content:"
+    echo "$GENERATED_CONTENT"
+
+    return 1
+}
+
 # Testing.
 
 test_init "test_api_xccdf_guide.log"
 
 test_run "test_api_xccdf_guide_xccdf11" test_generate_guide content-xccdf11.xml xccdf_moc.elpmaxe.www_rule_1
 test_run "test_api_xccdf_guide_xccdf12" test_generate_guide content-xccdf12.xml xccdf_moc.elpmaxe.www_rule_1
+test_run "test_api_xccdf_guide_value_default_xccdf11" test_generate_guide content-value-xccdf11.xml off_default
+test_run "test_api_xccdf_guide_value_selector_xccdf11" test_generate_guide_profile content-value-xccdf11.xml default off_value
 
 test_exit

tests/API/XCCDF/guide/content-value-xccdf11.xml

@@ -0,0 +1,36 @@
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="benchmark" resolved="1" xml:lang="en-US">
+    <status date="2014-06-06">draft</status>
+    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Test</title>
+    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">test</description>
+    <version>0.1</version>
+    <model system="urn:xccdf:scoring:default"/>
+
+    <Profile id="default">
+        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Fedora defaults</title>
+        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile conform to default Fedora setting.</description>
+        <refine-value idref="value" selector="off"/>
+    </Profile>
+
+    <Group id="group">
+        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">group</title>
+
+        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
+            description
+        </description>
+
+        <Value id="value" type="string">
+            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">value_title</title>
+            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">value_description</description>
+            <value>off_default</value>
+            <value selector="on">on_value</value>
+            <value selector="off">off_value</value>
+        </Value>
+
+        <Rule id="rule" selected="true" severity="low">
+            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rule_description</title>
+            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rule_description</description>
+            <fix system="urn:xccdf:fix:script:sh">substituted value = "<sub idref="value"/>"
+            </fix>
+        </Rule>
+    </Group>
+</Benchmark>

utils/oscap-xccdf.c

@@ -434,6 +434,13 @@ static void _register_progress_callback(struct xccdf_session *session, bool prog
 	/* xccdf_policy_model_register_output_callback(policy_model, callback_syslog_result, NULL); */
 }
 
+static void report_missing_profile(const struct oscap_action *action)
+{
+	fprintf(stderr,
+		"Profile \"%s\" was not found. Get available profiles using:\n"
+		"$ oscap info \"%s\"\n", action->profile, action->f_xccdf);
+}
+
 /**
  * XCCDF Processing fucntion
  * @param action OSCAP Action structure
@@ -472,7 +479,7 @@ int app_evaluate_xccdf(const struct oscap_action *action)
 	/* Select profile */
 	if (!xccdf_session_set_profile_id(session, action->profile)) {
 		if (action->profile != NULL)
-			fprintf(stderr, "Profile \"%s\" was not found.\n", action->profile);
+			report_missing_profile(action);
 		else
 			fprintf(stderr, "No Policy was found for default profile.\n");
 		goto cleanup;
@@ -573,7 +580,7 @@ static int app_xccdf_export_oval_variables(const struct oscap_action *action)
 	policy = xccdf_policy_model_get_policy_by_id(xccdf_session_get_policy_model(session), action->profile);
 	if (policy == NULL) {
 		if (action->profile != NULL)
-			fprintf(stderr, "Profile \"%s\" was not found.\n", action->profile);
+			report_missing_profile(action);
 		else
 			fprintf(stderr, "No Policy was found for default profile.\n");
 		goto cleanup;
@@ -795,7 +802,7 @@ int app_generate_fix(const struct oscap_action *action)
 		goto cleanup;
 
 	if (!xccdf_session_set_profile_id(session, action->profile)) {
-		fprintf(stderr, "Profile \"%s\" was not found.\n", action->profile);
+		report_missing_profile(action);
 		goto cleanup;
 	}
 

xsl/xccdf-guide-impl.xsl

@@ -50,6 +50,20 @@ Authors:
     <div id="introduction"><a name="introduction"></a>
         <div class="row">
             <div class="col-md-8 well well-lg">
+                <h2>
+                    <xsl:choose>
+                        <xsl:when test="$benchmark/cdf:title">
+                            <xsl:apply-templates mode="sub-testresult" select="$benchmark/cdf:title[1]">
+                                <xsl:with-param name="benchmark" select="$benchmark"/>
+                                <xsl:with-param name="profile" select="$profile"/>
+                            </xsl:apply-templates>
+                        </xsl:when>
+                        <xsl:otherwise>
+                            <xsl:value-of select="$benchmark/@id"/>
+                        </xsl:otherwise>
+                    </xsl:choose>
+                </h2>
+
                 <xsl:if test="$benchmark/cdf:front-matter">
                     <div class="front-matter">
                         <xsl:apply-templates mode="sub-testresult" select="$benchmark/cdf:front-matter[1]">
@@ -78,6 +92,35 @@ Authors:
                         </div>
                     </xsl:for-each>
                 </xsl:if>
+
+                <h2>Selected profile</h2>
+                <table class="table table-bordered">
+                    <xsl:if test="$profile/cdf:title">
+                        <tr>
+                            <th>Title</th>
+                            <td>
+                                <xsl:apply-templates mode="sub-testresult" select="$profile/cdf:title[1]">
+                                    <xsl:with-param name="benchmark" select="$benchmark"/>
+                                    <xsl:with-param name="profile" select="$profile"/>
+                                </xsl:apply-templates>
+                            </td>
+                        </tr>
+                    </xsl:if>
+
+                    <tr>
+                        <th>ID</th>
+                        <td>
+                            <xsl:choose>
+                                <xsl:when test="$profile/@id">
+                                    <xsl:value-of select="$profile/@id"/>
+                                </xsl:when>
+                                <xsl:otherwise>
+                                    <abbr title="No profile was selected.">(default)</abbr>
+                                </xsl:otherwise>
+                            </xsl:choose>
+                        </td>
+                    </tr>
+                </table>
             </div>
             <div class="col-md-4">
                 <h2>Revision History</h2>

xsl/xccdf-report-impl.xsl

@@ -30,6 +30,7 @@ Authors:
     xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5"
     xmlns:sceres="http://open-scap.org/page/SCE_result_file"
     xmlns:exsl="http://exslt.org/common"
+    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
     exclude-result-prefixes="xsl cdf ovalres sceres exsl">
 
 <xsl:include href="xccdf-branding.xsl" />
@@ -314,7 +315,8 @@ Authors:
     <xsl:variable name="contained_rules_fail" select="count($item/descendant::cdf:Rule[@id = $testresult/cdf:rule-result[cdf:result/text() = 'fail']/@idref])"/>
     <xsl:variable name="contained_rules_error" select="count($item/descendant::cdf:Rule[@id = $testresult/cdf:rule-result[cdf:result/text() = 'error']/@idref])"/>
     <xsl:variable name="contained_rules_unknown" select="count($item/descendant::cdf:Rule[@id = $testresult/cdf:rule-result[cdf:result/text() = 'unknown']/@idref])"/>
-    <xsl:variable name="contained_rules_need_attention" select="$contained_rules_fail + $contained_rules_error + $contained_rules_unknown"/>
+    <xsl:variable name="contained_rules_notchecked" select="count($item/descendant::cdf:Rule[@id = $testresult/cdf:rule-result[cdf:result/text() = 'notchecked']/@idref])"/>
+    <xsl:variable name="contained_rules_need_attention" select="$contained_rules_fail + $contained_rules_error + $contained_rules_unknown + $contained_rules_notchecked"/>
 
     <tr data-tt-id="{$item/@id}">
         <xsl:if test="$item/parent::cdf:Group or $item/parent::cdf:Benchmark">
@@ -336,6 +338,7 @@ Authors:
                     <xsl:if test="$contained_rules_fail > 0">&#160;<span class="badge"><xsl:value-of select="$contained_rules_fail"/>x fail</span></xsl:if>
                     <xsl:if test="$contained_rules_error > 0">&#160;<span class="badge"><xsl:value-of select="$contained_rules_error"/>x error</span></xsl:if>
                     <xsl:if test="$contained_rules_unknown > 0">&#160;<span class="badge"><xsl:value-of select="$contained_rules_unknown"/>x unknown</span></xsl:if>
+                    <xsl:if test="$contained_rules_notchecked > 0">&#160;<span class="badge"><xsl:value-of select="$contained_rules_notchecked"/>x notchecked</span></xsl:if>
                 </xsl:when>
                 <xsl:otherwise>
                     <xsl:call-template name="item-title">
@@ -461,21 +464,47 @@ Authors:
         </xsl:choose>
     </xsl:variable>
 
-    <xsl:if test="$filename != ''">
-        <xsl:variable name="details">
+    <xsl:variable name="details">
+        <xsl:if test="$filename != ''">
             <xsl:apply-templates select="document($filename)/ovalres:oval_results" mode="brief">
                 <xsl:with-param name='definition-id' select='$check/cdf:check-content-ref/@name'/>
             </xsl:apply-templates>
-        </xsl:variable>
+        </xsl:if>
 
-        <xsl:if test="normalize-space($details)">
-            <span class="label label-default"><abbr title="OVAL details taken from '{$filename}'">OVAL details</abbr></span>
-            <div class="panel panel-default">
-                <div class="panel-body">
-                    <xsl:copy-of select="$details"/>
-                </div>
+        <!-- This is a very pragmatic solution to solve our users problem,
+             it is not guaranteed to do the right thing in all cases but
+             it does the right thing with ARFs generated from openscap.
+
+             potential problem:
+
+             ARF has tons of different assets and results in it
+               - this XSLT will source OVAL results that may or may
+                 not be related to that particular report
+
+               - there is nothing in the ARF to help us map OVAL results
+                 to XCCDF results, we have to guess!
+
+                 (You would think that check-content-ref/@href would help
+                  us locate the arf:report with the OVAL results but 370-1
+                  requirement makes the @href useless)
+
+             I believe the benefits greatly outweigh the drawbacks in this
+             case and the problem outlined will be encountered by a very
+             small group of users. Still, this needs to be fixed in future
+             versions!
+        -->
+        <xsl:apply-templates select="(/arf:asset-report-collection/arf:reports/arf:report/arf:content/ovalres:oval_results)[1]" mode="brief">
+            <xsl:with-param name='definition-id' select='$check/cdf:check-content-ref/@name'/>
+        </xsl:apply-templates>
+    </xsl:variable>
+
+    <xsl:if test="normalize-space($details)">
+        <span class="label label-default"><abbr title="OVAL details taken from '{$filename}'">OVAL details</abbr></span>
+        <div class="panel panel-default">
+            <div class="panel-body">
+                <xsl:copy-of select="$details"/>
             </div>
-        </xsl:if>
+        </div>
     </xsl:if>
 </xsl:template>