[Open-scap] Noticed path construction problem with XCCDF's generate custom --stylesheet Option

Maura Dailey maura at eclipse.ncsc.mil
Fri Nov 2 20:24:24 UTC 2012 

In the recent openscap-0.9.1 release, the XCCDF custom option that let 
you specify your own XSL stylesheets is broken. I just confirmed it 
today in the git repository as well. I haven't tracked exactly when the 
problem cropped up, but in the oscap_apply_xslt_path function, the 
contents of the path specified with the --stylesheet option are incorrectly
appended to the compile time configured XSL directory. On RHEL 6, that 
defaults to /usr/share/openscap/xsl/.


The command I have used successfully in the past, as part of the RHEL6 
scap-security-guide project, is:
$ oscap xccdf generate custom --stylesheet 
/home/maura/myxsls/transform.xsl --profile allrules 
scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml > somehtml.html


Now I get the following error messages:

(When I use the openscap-0.9.1 rpm provided by EPEL):
OpenSCAP Error:: XSLT file '/home/maura/myxsls/transform.xsl' not found 
in path '/usr/share/openscap/xsl' when trying to transformation 
'scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml' [oscapxml.c:329]

This looks in an actual folder that was probably specified at compile time.


(When I use a fresh git checkout configured with the prefix /home/maura):
OpenSCAP Error:: XSLT file '/home/maura/myxsls/transform.xsl' not found 
in path '/home/maura/share/openscap/xsl' when trying to transformation 
'scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml' [oscapxml.c:337]

Same story, different compile time path.


For testing purposes, I actually copied the entire xsl directory that is 
installed by OpenSCAP and normally used by default when the generate 
guide option is specified. The only change I made was to rename 
security-guide.xsl to transform.xsl. The behavior in a previous release 
was to take either a relative or absolute path to an XSL file that it 
would then attempt to apply. This exact same command did create a 
property formatted HTML file a few weeks ago. It only broke when our 
systems got upgraded to the latest release.

I haven't had the time to trace back exactly how much of the code makes 
this fundamental assumption about file paths or figure out where to 
insert branches that could catch the use of the stylesheet option and 
react accordingly, but the line "char * xsltpath = 
oscap_sprintf("%s%s%s", path_to, "/", xsltfile);" seems to indicate that 
there is an assumption that XSL files will always be in compile time 
configured paths (the function oscap_apply_xslt_path is always called 
with path_to set to either OSCAP_XSLT_PATH or OSCAP_SCHEMA_PATH).

- Maura Dailey

More information about the Open-scap-list mailing list