[Open-scap] OpenSCAP 0.8.5 Issue - xccdf_benchmark_get_item return value

Francisco Slavin fslavin at tresys.com
Thu Sep 13 19:39:53 UTC 2012 

Hello,

We have recently begun testing SecState with the latest OpenSCAP build (0.8.5) to pull in bug fixes.  We have found an issue which seems to break our XCCDF profile selection & manipulation handling.  I have included an example script which demonstrates the issue.

The error our team is seeing regarding profile selection appears to be caused by the xccdf_benchmark_get_item function.  We are seeing the xccdf_benchmark_get_item function return "NULL" both when the specified item exists and when the item does not exist.

According to the API Docs: http://open-scap.et.redhat.com/doc/group__XCCDF.html#ga92afdc66eed4d0c691327da277e9766b
It looks like the xccdf_benchmark_get_item function is supposed to return an item if the specified item exists, or 'NULL' if it fails to find an item.  In 0.8.0, this was the behavior we saw; we based our profile manipulation & error handling around this behavior accordingly.  It appears that in 0.8.5 this function no longer behaves as documented.

I hope you guys can point me in the right direction for a resolution on this.  Has the function call been updated, and is our usage now out of date?  Or is this a bug?

Thank you
- Francisco Slavin

Below is a short code example Yulian Khodorkovskiy put together to demonstrate & reproduce the issue.
On a system with OpenSCAP 0.8.0, run on SCAP Security Guide content, this script succeeds and prints "Successfully imported".
On a system with OpenSCAP 0.8.5, run on the same SSG content, this script fails and prints "Import failed: profile test does not exist".
Note that a profiles named 'test' does exist in the SSG content we are using.

---
#!/usr/bin/env python
import openscap_api as oscap
import sys

def test(benchmark_file):
    try:
        benchmark = oscap.xccdf.benchmark_import(benchmark_file)
        if benchmark == None:
            print "Error importing benchmark %s" % benchmark_file
            return

        test_profile = 'test'

        prof_item = benchmark.get_item(test_profile)
        if prof_item == None:
            print "Import failed: profile %s does not exist" % test_profile
            return
        else:
            print "Successfully imported"

    except TypeError:
        print "\nThe file %s passed in is not an xccdf benchmark file." % sys.argv[1]
        print "Please provide the path to an xccdf benchmark file"
        return

if len(sys.argv) == 2:
    test(sys.argv[1])
else:
    print "Please provide a path to a xccdf benchmark xml file"
    print "usage: ./test.py <path to xccdf benchmark xml file>"

---

More information about the Open-scap-list mailing list