feat: allow use of OpenSCAP result files in task xccdf_result_to_osca…

…l_ar (#1411) * feat: Allow use of OpenSCAP result files in task xccdf_result_to_oscal_ar Before this commit if you wanted to use result files from OpenSCAP in the task xccdf_result_to_oscal_ar you had to extract the `TestResult` element and place it as the root of the XML document, otherwise the resulting OSCAL document would be blank. Thus making it impossible to directly use output from OpenSCAP with the task. With this commit the task will detect that the root element is not `TestResult` and then it will find the `TestResult` element in the XML document. This allows the use of files created by OpenSCAP using the `--results` and `--results-arf` switches. Signed-off-by: Matthew Burket <[email protected]> * Add tests for OpenSCAP results files for task xccdf_result_to_oscal_ar_test Signed-off-by: Matthew Burket <[email protected]> --------- Signed-off-by: Matthew Burket <[email protected]>
oscal-compass · Dec 11, 2023 · eeb715c · eeb715c
1 parent 72b0f6f
commit eeb715c
Show file tree

Hide file tree

Showing 8 changed files with 478 additions and 1 deletion.
diff --git a/tests/data/tasks/xccdf/input-oscap-arf-results/results_arf.xml b/tests/data/tasks/xccdf/input-oscap-arf-results/results_arf.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
+  xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1"
+  xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
+  <arf:reports>
+    <arf:report id="xccdf1">
+      <arf:content>
+        <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis" start-time="2021-06-08T02:35:55+00:00" end-time="2021-06-08T02:54:51+00:00" version="0.1.57" test-system="cpe:/a:redhat:openscap:1.3.3">
+          <benchmark href="/content/ssg-rhel7-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"/>
+          <title>OSCAP Scan Result</title>
+          <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
+          <target>kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp</target>
+          <target-facts>
+            <fact name="urn:xccdf:fact:identifier" type="string">chroot:///host</fact>
+            <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
+            <fact name="urn:xccdf:fact:scanner:version" type="string">1.3.3</fact>
+          </target-facts>
+          <target-id-ref system="http://scap.nist.gov/schema/asset-identification/1.1" name="asset0" href=""/>
+          <platform idref="cpe:/a:pam"/>
+          <platform idref="cpe:/o:redhat:enterprise_linux:7::workstation"/>
+          <platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>
+          <platform idref="cpe:/o:redhat:enterprise_linux:7::server"/>
+          <platform idref="cpe:/a:grub2"/>
+          <platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>
+          <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
+          <platform idref="cpe:/a:login_defs"/>
+          <platform idref="cpe:/a:non-uefi"/>
+          <platform idref="cpe:/a:machine"/>
+          <platform idref="cpe:/a:yum"/>
+
+          <rule-result idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
+            <result>notselected</result>
+            <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83691-6</ident>
+          </rule-result>
+          <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
+            <result>pass</result>
+            <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27078-5</ident>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg-disable_prelink:def:1" href="#oval0"/>
+            </check>
+          </rule-result>
+
+          <score system="urn:xccdf:scoring:default" maximum="100.000000">74.713684</score>
+        </TestResult>
+
+      </arf:content>
+    </arf:report>
+  </arf:reports>
+</arf:asset-report-collection>
diff --git a/tests/data/tasks/xccdf/input-oscap-results/results.xml b/tests/data/tasks/xccdf/input-oscap-results/results.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US" style="SCAP_1.2">
+  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis" start-time="2021-06-08T02:35:55+00:00" end-time="2021-06-08T02:54:51+00:00" version="0.1.57" test-system="cpe:/a:redhat:openscap:1.3.3">
+    <benchmark href="/content/ssg-rhel7-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"/>
+    <title>OSCAP Scan Result</title>
+    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
+    <target>kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp</target>
+    <target-facts>
+      <fact name="urn:xccdf:fact:identifier" type="string">chroot:///host</fact>
+      <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
+      <fact name="urn:xccdf:fact:scanner:version" type="string">1.3.3</fact>
+    </target-facts>
+    <target-id-ref system="http://scap.nist.gov/schema/asset-identification/1.1" name="asset0" href=""/>
+    <platform idref="cpe:/a:pam"/>
+    <platform idref="cpe:/o:redhat:enterprise_linux:7::workstation"/>
+    <platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>
+    <platform idref="cpe:/o:redhat:enterprise_linux:7::server"/>
+    <platform idref="cpe:/a:grub2"/>
+    <platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>
+    <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
+    <platform idref="cpe:/a:login_defs"/>
+    <platform idref="cpe:/a:non-uefi"/>
+    <platform idref="cpe:/a:machine"/>
+    <platform idref="cpe:/a:yum"/>
+
+    <rule-result idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
+      <result>notselected</result>
+      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83691-6</ident>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27078-5</ident>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg-disable_prelink:def:1" href="#oval0"/>
+      </check>
+    </rule-result>
+    <score system="urn:xccdf:scoring:default" maximum="100.000000">74.713684</score>
+  </TestResult>
+</Benchmark>
diff --git a/tests/data/tasks/xccdf/output-oscap-arf-results/results_arf.oscal.json b/tests/data/tasks/xccdf/output-oscap-arf-results/results_arf.oscal.json
@@ -0,0 +1,165 @@
+{
+  "results": [
+    {
+      "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+      "title": "XCCDF",
+      "description": "XCCDF Scan Results",
+      "start": "2021-06-08T02:35:55+00:00",
+      "end": "2021-06-08T02:35:55+00:00",
+      "local-definitions": {
+        "components": [
+          {
+            "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+            "type": "Service",
+            "title": "rhel7",
+            "description": "rhel7",
+            "status": {
+              "state": "operational"
+            }
+          }
+        ],
+        "inventory-items": [
+          {
+            "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+            "description": "inventory",
+            "props": [
+              {
+                "name": "target",
+                "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                "value": "kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp"
+              },
+              {
+                "name": "target_type",
+                "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                "value": "rhel7"
+              }
+            ],
+            "implemented-components": [
+              {
+                "component-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"
+              }
+            ]
+          }
+        ],
+        "assessment-assets": {
+          "components": [
+            {
+              "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+              "type": "Validator",
+              "title": "OpenSCAP",
+              "description": "OpenSCAP",
+              "props": [
+                {
+                  "name": "scanner_name",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "OpenSCAP"
+                },
+                {
+                  "name": "scanner_version",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "1.3.3"
+                },
+                {
+                  "name": "version",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP"
+                },
+                {
+                  "name": "severity",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "medium"
+                },
+                {
+                  "name": "weight",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "1.000000"
+                },
+                {
+                  "name": "benchmark_id",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
+                },
+                {
+                  "name": "benchmark_href",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "/content/ssg-rhel7-ds.xml"
+                },
+                {
+                  "name": "id",
+                  "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+                  "value": "xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis"
+                }
+              ],
+              "status": {
+                "state": "operational"
+              }
+            }
+          ],
+          "assessment-platforms": [
+            {
+              "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"
+            }
+          ]
+        }
+      },
+      "reviewed-controls": {
+        "control-selections": [
+          {}
+        ]
+      },
+      "observations": [
+        {
+          "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+          "description": "xccdf_org.ssgproject.content_rule_prefer_64bit_os",
+          "props": [
+            {
+              "name": "idref",
+              "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+              "value": "xccdf_org.ssgproject.content_rule_prefer_64bit_os"
+            },
+            {
+              "name": "result",
+              "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+              "value": "notselected"
+            }
+          ],
+          "methods": [
+            "TEST-AUTOMATED"
+          ],
+          "subjects": [
+            {
+              "subject-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+              "type": "inventory-item"
+            }
+          ],
+          "collected": "2023-11-30T23:00:03+00:00"
+        },
+        {
+          "uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+          "description": "xccdf_org.ssgproject.content_rule_disable_prelink",
+          "props": [
+            {
+              "name": "idref",
+              "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+              "value": "xccdf_org.ssgproject.content_rule_disable_prelink"
+            },
+            {
+              "name": "result",
+              "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
+              "value": "pass"
+            }
+          ],
+          "methods": [
+            "TEST-AUTOMATED"
+          ],
+          "subjects": [
+            {
+              "subject-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
+              "type": "inventory-item"
+            }
+          ],
+          "collected": "2023-11-30T23:00:03+00:00"
+        }
+      ]
+    }
+  ]
+}