[Open-scap] XSLT 1.0 transformation for XCCDF 1.1 to 1.2 migration

Peter Vrabec pvrabec at redhat.com
Fri Mar 30 19:59:30 UTC 2012


Hi Dan,

this transformation is cool. I have tried it and it worked OK. Unfortunately
it's in XSLT 2.0 which is a problem for us. We don't have any library, I mean
C library, that could handle that. libxml supports only XSLT 1.0. :(

Peter.

On Friday 30 March 2012 21:00:00 Haynes, Dan wrote:
> As far as converting an SCAP 1.2 bundle to an SCAP 1.0 bundle, we have
> created an XSLT that takes an SCAP 1.2 data stream file and breaks it into
> its individual components.  Specifically, it will create a file for each
> OVAL, XCCDF, OCIL, and CPE component, as well as an OVAL external variables
> file for each XCCDF profile found.  The XSLT can be found at the following
> link.
> 
> http://sourceforge.net/projects/ovalutils/files/xsl_transforms/xsl_transforms_v1.0/
> 
> I also ran across the following SourceForge.net project which creates a
>  SCAP 1.2 data stream file from an SCAP 1.0 zip bundle which may be of
>  interest to some.  However, I haven't had an opportunity to try it out
>  yet.
> 
> http://sourceforge.net/p/scap-ds-creator/code/5/tree/trunk/src/main/resources/
> 
> Hope this helps.
> 
> Thanks,
> 
> Danny
> 
> >-----Original Message-----
> >From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-
> >bounces at redhat.com] On Behalf Of Peter Vrabec
> >Sent: Wednesday, March 21, 2012 8:31 AM
> >To: open-scap-list at redhat.com; Jeffrey Blank
> >Subject: Re: [Open-scap] XSLT 1.0 transformation for XCCDF 1.1 to 1.2
> >migration
> >
> >Hi,
> >
> >it seems it can handle scap-security guide too.
> >
> >$ xsltproc  --stringparam  reverse_DNS scap-security-guide ~/project/openscap/xsl/xccdf_1.1_to_1.2.xsl rhel6-xccdf-scap-security-guide.xml > rhel6-xccdf12-scap-security-guide.xml
> >
> >$ xmllint --noout  --schema ~/tmp/xccdf_1.2.xsd rhel6-xccdf12-scap-security-guide.xml
> >/home/pvrabec/tmp/cpe-language_2.3.xsd:6: element import: Schemas parser
> >warning : Element '{http://www.w3.org/2001/XMLSchema}import': Skipping
> >import
> >of schema located at 'http://www.w3.org/2001/xml.xsd' for the namespace
> >'http://www.w3.org/XML/1998/namespace', since this namespace was already
> >imported with the schema located at '/home/pvrabec/tmp/xml.xsd'.
> >rhel6-xccdf12-scap-security-guide.xml validates
> >
> >Peter.
> >
> >---
> >
> >And now we need a transformation that can convert SCAP 1.0 Zip Bundle to
> >SCAP 1.2 Data Stream and vice versa. In XSLT 1.0! ;)
> >
> >On Wednesday, March 21, 2012 07:43:59 AM Martin Preisler wrote:
> >> Hi,
> >> even though there is an XSLT 2.0 transformation provided [1] it is
> >> unsuitable for openscap because there are no lightweight XSLT 2.0
> >> transformators in the open source world (Saxon requires Java which is
> >> too heavy a dependency for us).
> >>
> >> Initially I tried to just port the provided transformation to XSLT 1.0
> >> (getting rid of xsl:attribute @select and other 2.0-only bits). This proved
> >> really hard to do as I had a lot of trouble following the flow of the
> >> provided transformation. So I have decided to write a new transformation
> >> from scratch instead.
> >>
> >> The result can be downloaded from the openscap git repository.
> >
> >> http://git.fedorahosted.org/git?p=openscap.git;a=blob_plain;f=xsl/xccdf_1.1_to_1.2.xsl
> >>
> >> Differences to the XSLT 2.0 transformation that I know of:
> >> - deprecated elements that have been removed from XCCDF 1.2 are commented
> >>   (surrounded by <!-- and -->) and a text saying that this element was
> >>   removed from XCCDF 1.2 is added, instead of just moved to metadata
> >> - there is no separate file to define the reverse DNS namespace in, it's
> >>   passed as a parameter instead
> >> - it doesn't touch xsi:schemaLocation attributes at all
> >> - dangling/invalid references are migrated in a way that will fail XCCDF 1.2
> >>   XSD validation (they will say 'dangling reference to $old_idref')
> >>
> >> Usage:
> >> $ xsltproc --stringparam reverse_DNS YOUR_REVERSE_DNS_NAMESPACE
> >> xccdf_1.1_to_1.2.xsl FILE_YOU_WANT_TO_MIGRATE > DESTINATION_FILE
> >>
> >> example:
> >> $ xsltproc --stringparam reverse_DNS org.open-scap xccdf_1.1_to_1.2.xsl
> >> ../dist/fedora/scap-fedora14-xccdf.xml > scap-fedora14-xccdf1.2.xml
> >>
> >> Hope this helps, I appreciate all comments!
> >>
> >> [1]
> >> http://making-security-measurable.1364806.n2.nabble.com/Converting-XCCDF-1-1-4-to-XCCDF-1-2-td7308782.html
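As an added example (not part of the original thread, and not code from openscap or from either transformation): a pre-flight check, in Python, for the constraint discussed above that libxslt-based tooling such as xsltproc handles only XSLT 1.0. It flags a non-1.0 version declaration and 2.0-only constructs such as the `xsl:attribute` `@select` mentioned in the thread; the function name and the non-exhaustive element lists are assumptions, and both stylesheets are constructed samples.

```python
import xml.etree.ElementTree as ET

XSL = "http://www.w3.org/1999/XSL/Transform"
# Instructions introduced in XSLT 2.0 (assumed, non-exhaustive list).
XSLT2_ELEMENTS = {"function", "for-each-group", "sequence", "analyze-string",
                  "result-document", "next-match", "perform-sort",
                  "character-map", "import-schema", "namespace"}
# Instructions that only gained a select attribute in XSLT 2.0.
SELECT_ADDED_IN_2 = {"attribute", "comment", "processing-instruction"}


def xslt1_blockers(stylesheet_text):
    """Return reasons an XSLT 1.0 engine may not run this stylesheet."""
    root = ET.fromstring(stylesheet_text)
    findings = []
    version = root.get("version")
    if version != "1.0":
        findings.append("stylesheet declares version=%r" % version)
    for el in root.iter():
        if not el.tag.startswith("{%s}" % XSL):
            continue  # literal result element, not an XSLT instruction
        name = el.tag.split("}", 1)[1]
        if name in XSLT2_ELEMENTS:
            findings.append("xsl:%s is an XSLT 2.0 instruction" % name)
        elif name in SELECT_ADDED_IN_2 and el.get("select") is not None:
            findings.append("xsl:%s uses @select (2.0 only)" % name)
    return findings


# Constructed samples, not taken from either transformation in the thread.
SAMPLE_V2 = """<xsl:stylesheet version="2.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="Rule">
    <Rule><xsl:attribute name="id" select="concat('xccdf_', @id)"/></Rule>
  </xsl:template>
</xsl:stylesheet>"""

SAMPLE_V1 = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="reverse_DNS"/>
  <xsl:template match="Rule">
    <Rule><xsl:attribute name="id"><xsl:value-of
      select="concat('xccdf_', $reverse_DNS, '_rule_', @id)"/></xsl:attribute></Rule>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("2.0 sample", SAMPLE_V2), ("1.0 sample", SAMPLE_V1)):
        print(label, xslt1_blockers(text) or "no blockers found")
```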