[Open-scap] <check-content> affected by XCCDF resolve

Jeffrey Blank blank at eclipse.ncsc.mil
Tue Oct 2 22:53:39 UTC 2012


Hi OpenSCAP developers,

The XCCDF specification says that a <check-content> element can have any
XML inside it.

Quoting:
"""
Holds the actual code of a check, in the language or system specified by the
<xccdf:check> element’s @system attribute. The body of this element
MAY be any XML, but SHALL NOT contain any XCCDF elements. It is
OPTIONAL for benchmark consumers to process this element; typically it will
be passed to a checking system or engine.
If both <xccdf:check-content-ref> and <xccdf:check-content>
elements appear in a single <xccdf:check> element, benchmark
consumers SHOULD use the <xccdf:check-content> element only if
none of the references can be resolved to provide content.
"""


In the content at scap-security-guide, I'm trying to store manual
checking text (as check system="ocil-transitional") inside a
<check-content>.  Any XHTML elements (and all following elements and
text) are removed during execution of "oscap xccdf resolve".

To see, do a "make content-stig" and then compare (in output):
unlinked-rhel6-xccdf.xml and
unlinked-resolved-rhel6-xccdf.xml

You'll see that the xccdf resolve operation removed the text from
<check-content> following the first XHTML tag.  Look for "Run the
following command to verify that"

(XHTML is not allowed in OCIL text, but hopefully that will also be
fixed; I'm currently stripping it out when creating valid OCIL, but it's
still useful in other presentations such as tables.)

"oscap xccdf resolve" is also removing comments, which is not desirable,
but perhaps permitted.

I've also lately wanted oscap to execute the first check-content-ref (if
multiple are available, such as both OVAL and OCIL in
ssg-ocilrefs-rhel6-xccdf.xml), but it results in (null) or another error.

Thanks / sorry if there are already tickets for this.  I assumed I was
doing some strange things that perhaps no one else has tried.

Thanks again for all the great work on OpenSCAP,
Jeff
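One way to check for the loss described in this report, as an added example that is not part of the original message or of OpenSCAP: it parses an unlinked XCCDF document and its "oscap xccdf resolve" output, collects the full text of every <check-content> per Rule (including text nested inside XHTML children), and reports rules whose content changed. The XCCDF 1.1 and XHTML namespaces, the rule ids and the two embedded documents are constructed for the example.

```python
"""Detect <check-content> text lost between an unlinked XCCDF file and the
output of "oscap xccdf resolve" (constructed example, not OpenSCAP code)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # assumed XCCDF version
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed stand-in for unlinked-rhel6-xccdf.xml: manual check text with
# an XHTML element in the middle of the <check-content> body.
UNLINKED_XML = f"""<Benchmark xmlns="{XCCDF_NS}" xmlns:html="{XHTML_NS}">
  <Rule id="rule-manual">
    <check system="ocil-transitional"><check-content>Run the following command
      to verify that the service is disabled: <html:code>chkconfig --list foo</html:code>
      and confirm it is off.</check-content></check>
  </Rule>
  <Rule id="rule-plain">
    <check system="ocil-transitional"><check-content>Interview the
      administrator.</check-content></check>
  </Rule>
</Benchmark>"""

# Constructed stand-in for unlinked-resolved-rhel6-xccdf.xml: everything from
# the first XHTML tag onward is gone, as the report describes.
RESOLVED_XML = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Rule id="rule-manual">
    <check system="ocil-transitional"><check-content>Run the following command
      to verify that the service is disabled:</check-content></check>
  </Rule>
  <Rule id="rule-plain">
    <check system="ocil-transitional"><check-content>Interview the
      administrator.</check-content></check>
  </Rule>
</Benchmark>"""


def check_content_text(xml_text):
    """Map Rule id -> whitespace-normalized text of its <check-content>,
    walking into any nested (e.g. XHTML) child elements via itertext()."""
    root = ET.fromstring(xml_text)
    texts = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        for cc in rule.iter(f"{{{XCCDF_NS}}}check-content"):
            texts[rule.get("id")] = " ".join("".join(cc.itertext()).split())
    return texts


def lost_content(unlinked_xml, resolved_xml):
    """Return {rule_id: (before, after)} for every rule whose <check-content>
    text differs after resolve; an empty dict means nothing was dropped."""
    before = check_content_text(unlinked_xml)
    after = check_content_text(resolved_xml)
    return {rid: (txt, after.get(rid, "")) for rid, txt in before.items()
            if after.get(rid, "") != txt}


if __name__ == "__main__":
    for rid, (b, a) in lost_content(UNLINKED_XML, RESOLVED_XML).items():
        print(f"{rid}: lost text after resolve\n  before: {b}\n  after:  {a}")
```

Pointing the two constants at the real unlinked and resolved files from "make content-stig" turns this into a regression check for the same tree.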