Merge pull request #1901 from dodys/dpkg-version-compare

oval_cmp_evr_string: Make epoch comparison less strict for dpkg

Author: evgenyz

src/OVAL/results/oval_cmp_evr_string.c

@@ -408,12 +408,10 @@ oval_result_t oval_debian_evr_string_cmp(const char *state, const char *sys, ova
 	parseEVR(a_copy, &a_epoch, &a_version, &a_release);
 	parseEVR(b_copy, &b_epoch, &b_version, &b_release);
 
-	if (!a_epoch || !b_epoch) {
-		oscap_seterr(OSCAP_EFAMILY_OVAL, "Invalid epoch.");
-		free(a_copy);
-		free(b_copy);
-		return OVAL_RESULT_ERROR;
-	}
+	if (!a_epoch)
+		a_epoch = "0";
+	if (!b_epoch)
+		b_epoch = "0";
 
 	aux = strtol(a_epoch, NULL, 10);
 	if (aux < INT_MIN || aux > INT_MAX) {
@@ -453,7 +451,7 @@ oval_result_t oval_debian_evr_string_cmp(const char *state, const char *sys, ova
 	case OVAL_OPERATION_LESS_THAN_OR_EQUAL:
 		return ((result <= 0) ? OVAL_RESULT_TRUE : OVAL_RESULT_FALSE);
 	default:
-		oscap_seterr(OSCAP_EFAMILY_OVAL, "Invalid type of operation in rpm version comparison: %d.", operation);
+		oscap_seterr(OSCAP_EFAMILY_OVAL, "Invalid type of operation in dpkg version comparison: %d.", operation);
 	}
 
 	return OVAL_RESULT_ERROR;

tests/API/OVAL/unittests/CMakeLists.txt

@@ -4,6 +4,8 @@ add_oscap_test("test_cim_datetime.sh")
 add_oscap_test("test_circular_extend_def.sh")
 add_oscap_test("test_comment.sh")
 add_oscap_test("test_count_function.sh")
+add_oscap_test("test_debian_evr_string_comparison.sh")
+add_oscap_test("test_debian_evr_string_missing_epoch.sh")
 add_oscap_test("test_deprecated_def.sh")
 add_oscap_test("test_directives.sh")
 add_oscap_test("test_empty_filename.sh")

tests/API/OVAL/unittests/test_debian_evr_string_comparison.oval.xml

@@ -0,0 +1,46 @@
+<oval_definitions
+    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#macos linux-definitions-schema.xsd">
+    <generator>
+        <oval:product_name>Canonical USN OVAL Generator</oval:product_name>
+        <oval:product_version>1</oval:product_version>
+        <oval:schema_version>5.11.1</oval:schema_version>
+        <oval:timestamp>2022-12-19T14:35:51</oval:timestamp>
+    </generator>
+    <definitions>
+        <definition id="oval:com.ubuntu.jammy:def:54471000000" version="1" class="patch">
+           <metadata>
+              <title>logrotate vulnerability</title>
+	      <description>none</description>
+           </metadata>
+           <criteria operator="OR">
+              <criterion test_ref="oval:com.ubuntu.jammy:tst:544710000000" comment="logrotate is earlier than 0:3.18.0-2ubuntu1.1" />
+           </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <linux:dpkginfo_test id="oval:com.ubuntu.jammy:tst:544710000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="logrotate is earlier than 0:3.18.0-2ubuntu1.1">
+           <linux:object object_ref="oval:com.ubuntu.jammy:obj:544710000000"/>
+           <linux:state state_ref="oval:com.ubuntu.jammy:ste:544710000000"/>
+        </linux:dpkginfo_test>
+    </tests>
+    <objects>
+        <linux:dpkginfo_object id="oval:com.ubuntu.jammy:obj:544710000000" version="1" comment="logrotate object">
+           <linux:name var_ref="oval:com.ubuntu.jammy:var:544710000000" var_check="at least one" />
+        </linux:dpkginfo_object>
+    </objects>
+    <states>
+        <linux:dpkginfo_state id="oval:com.ubuntu.jammy:ste:544710000000" version="1" comment="logrotate version">
+           <linux:evr datatype="debian_evr_string" operation="less than">0:3.18.0-2ubuntu1.1</linux:evr>
+        </linux:dpkginfo_state>
+    </states>
+    <variables>
+        <constant_variable id="oval:com.ubuntu.jammy:var:544710000000" version="1" datatype="string" comment="logrotate">
+           <value>logrotate</value>
+        </constant_variable>
+    </variables>
+</oval_definitions>

tests/API/OVAL/unittests/test_debian_evr_string_comparison.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+name=$(basename $0 .sh)
+result=$(mktemp ${name}.out.XXXXXX)
+echo "result file: $result"
+stderr=$(mktemp ${name}.err.XXXXXX)
+echo "stderr file: $stderr"
+
+echo "Analysing syschar content."
+$OSCAP oval analyse --results $result $srcdir/$name.oval.xml $srcdir/$name.syschar.xml 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+[ -f $result ]
+
+assert_exists 1 '/oval_results'
+assert_exists 1 '/oval_results/generator'
+assert_exists 1 '/oval_results/generator/oval:product_name'
+assert_exists 1 '/oval_results/generator/oval:product_name[text()="cpe:/a:open-scap:oscap"]'
+assert_exists 1 '/oval_results/generator/oval:schema_version'
+assert_exists 1 '/oval_results/generator/oval:schema_version[text()="5.11.1"]'
+assert_exists 1 '/oval_results/generator/oval:timestamp'
+assert_exists 1 '/oval_results/directives'
+assert_exists 1 '/oval_results/oval_definitions'
+assert_exists 1 '/oval_results/results'
+assert_exists 1 '/oval_results/results/system'
+assert_exists 1 '/oval_results/results/system/definitions'
+assert_exists 1 '/oval_results/results/system/definitions/definition'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria/criterion'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria/criterion[@result="false"]'
+assert_exists 1 '/oval_results/results/system/tests'
+assert_exists 1 '/oval_results/results/system/tests/test'
+assert_exists 1 '/oval_results/results/system/tests/test[@result="false"]'
+assert_exists 1 '/oval_results/results/system/tests/test/tested_item'
+assert_exists 1 '/oval_results/results/system/tests/test/tested_item[@result="false"]'
+
+rm $result

tests/API/OVAL/unittests/test_debian_evr_string_comparison.syschar.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_system_characteristics xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:unix-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix" xmlns:ind-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent" xmlns:lin-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux" xmlns:win-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent independent-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+  <generator>
+    <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
+    <oval:product_version>1</oval:product_version>
+    <oval:schema_version>5.11.1</oval:schema_version>
+    <oval:timestamp>2022-12-19T16:39:11</oval:timestamp>
+  </generator>
+  <system_info>
+    <os_name>Linux</os_name>
+    <os_version>#59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022</os_version>
+    <architecture>x86_64</architecture>
+    <primary_host_name>you.know.it</primary_host_name>
+    <interfaces>
+      <interface>
+        <interface_name>lo</interface_name>
+        <ip_address>127.0.0.1</ip_address>
+        <mac_address>00:00:00:00:00:00</mac_address>
+      </interface>
+    </interfaces>
+  </system_info>
+  <collected_objects>
+    <object id="oval:com.ubuntu.jammy:obj:544710000000" version="1" flag="complete">
+      <variable_value variable_id="oval:com.ubuntu.jammy:var:544710000000">logrotate</variable_value>
+      <reference item_ref="101854166"/>
+    </object>
+  </collected_objects>
+  <system_data>
+    <lin-sys:dpkginfo_item id="101854166" status="exists">
+      <lin-sys:name>logrotate</lin-sys:name>
+      <lin-sys:arch>amd64</lin-sys:arch>
+      <lin-sys:epoch>0</lin-sys:epoch>
+      <lin-sys:release>2ubuntu1.1</lin-sys:release>
+      <lin-sys:version>3.18.0</lin-sys:version>
+      <lin-sys:evr datatype="debian_evr_string">0:3.18.0-2ubuntu1.1</lin-sys:evr>
+    </lin-sys:dpkginfo_item>
+  </system_data>
+</oval_system_characteristics>

tests/API/OVAL/unittests/test_debian_evr_string_missing_epoch.oval.xml

@@ -0,0 +1,46 @@
+<oval_definitions
+    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#macos linux-definitions-schema.xsd">
+    <generator>
+        <oval:product_name>Canonical USN OVAL Generator</oval:product_name>
+        <oval:product_version>1</oval:product_version>
+        <oval:schema_version>5.11.1</oval:schema_version>
+        <oval:timestamp>2022-12-19T14:35:51</oval:timestamp>
+    </generator>
+    <definitions>
+        <definition id="oval:com.ubuntu.jammy:def:54471000000" version="1" class="patch">
+           <metadata>
+              <title>logrotate vulnerability</title>
+	      <description>none</description>
+           </metadata>
+           <criteria operator="OR">
+              <criterion test_ref="oval:com.ubuntu.jammy:tst:544710000000" comment="logrotate is earlier than 3.19.0-1ubuntu1.1" />
+           </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <linux:dpkginfo_test id="oval:com.ubuntu.jammy:tst:544710000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="logrotate is earlier than 3.19.0-1ubuntu1.1">
+           <linux:object object_ref="oval:com.ubuntu.jammy:obj:544710000000"/>
+           <linux:state state_ref="oval:com.ubuntu.jammy:ste:544710000000"/>
+        </linux:dpkginfo_test>
+    </tests>
+    <objects>
+        <linux:dpkginfo_object id="oval:com.ubuntu.jammy:obj:544710000000" version="1" comment="logrotate object">
+           <linux:name var_ref="oval:com.ubuntu.jammy:var:544710000000" var_check="at least one" />
+        </linux:dpkginfo_object>
+    </objects>
+    <states>
+        <linux:dpkginfo_state id="oval:com.ubuntu.jammy:ste:544710000000" version="1" comment="logrotate version">
+           <linux:evr datatype="debian_evr_string" operation="less than">3.19.0-1ubuntu1.1</linux:evr>
+        </linux:dpkginfo_state>
+    </states>
+    <variables>
+        <constant_variable id="oval:com.ubuntu.jammy:var:544710000000" version="1" datatype="string" comment="logrotate">
+           <value>logrotate</value>
+        </constant_variable>
+    </variables>
+</oval_definitions>

tests/API/OVAL/unittests/test_debian_evr_string_missing_epoch.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+name=$(basename $0 .sh)
+result=$(mktemp ${name}.out.XXXXXX)
+echo "result file: $result"
+stderr=$(mktemp ${name}.err.XXXXXX)
+echo "stderr file: $stderr"
+
+echo "Analysing syschar content."
+$OSCAP oval analyse --results $result $srcdir/$name.oval.xml $srcdir/$name.syschar.xml 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+[ -f $result ]
+
+assert_exists 1 '/oval_results'
+assert_exists 1 '/oval_results/generator'
+assert_exists 1 '/oval_results/generator/oval:product_name'
+assert_exists 1 '/oval_results/generator/oval:product_name[text()="cpe:/a:open-scap:oscap"]'
+assert_exists 1 '/oval_results/generator/oval:schema_version'
+assert_exists 1 '/oval_results/generator/oval:schema_version[text()="5.11.1"]'
+assert_exists 1 '/oval_results/generator/oval:timestamp'
+assert_exists 1 '/oval_results/directives'
+assert_exists 1 '/oval_results/oval_definitions'
+assert_exists 1 '/oval_results/results'
+assert_exists 1 '/oval_results/results/system'
+assert_exists 1 '/oval_results/results/system/definitions'
+assert_exists 1 '/oval_results/results/system/definitions/definition'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria/criterion'
+assert_exists 1 '/oval_results/results/system/definitions/definition/criteria/criterion[@result="false"]'
+assert_exists 1 '/oval_results/results/system/tests'
+assert_exists 1 '/oval_results/results/system/tests/test'
+assert_exists 1 '/oval_results/results/system/tests/test[@result="false"]'
+assert_exists 1 '/oval_results/results/system/tests/test/tested_item'
+assert_exists 1 '/oval_results/results/system/tests/test/tested_item[@result="false"]'
+
+rm $result

tests/API/OVAL/unittests/test_debian_evr_string_missing_epoch.syschar.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_system_characteristics xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:unix-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix" xmlns:ind-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent" xmlns:lin-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux" xmlns:win-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent independent-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+  <generator>
+    <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
+    <oval:product_version>1</oval:product_version>
+    <oval:schema_version>5.11.1</oval:schema_version>
+    <oval:timestamp>2022-12-19T16:39:11</oval:timestamp>
+  </generator>
+  <system_info>
+    <os_name>Linux</os_name>
+    <os_version>#59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022</os_version>
+    <architecture>x86_64</architecture>
+    <primary_host_name>you.know.it</primary_host_name>
+    <interfaces>
+      <interface>
+        <interface_name>lo</interface_name>
+        <ip_address>127.0.0.1</ip_address>
+        <mac_address>00:00:00:00:00:00</mac_address>
+      </interface>
+    </interfaces>
+  </system_info>
+  <collected_objects>
+    <object id="oval:com.ubuntu.jammy:obj:544710000000" version="1" flag="complete">
+      <variable_value variable_id="oval:com.ubuntu.jammy:var:544710000000">logrotate</variable_value>
+      <reference item_ref="101854166"/>
+    </object>
+  </collected_objects>
+  <system_data>
+    <lin-sys:dpkginfo_item id="101854166" status="exists">
+      <lin-sys:name>logrotate</lin-sys:name>
+      <lin-sys:arch>amd64</lin-sys:arch>
+      <lin-sys:epoch>0</lin-sys:epoch>
+      <lin-sys:release>1ubuntu1.1</lin-sys:release>
+      <lin-sys:version>3.19.0</lin-sys:version>
+      <lin-sys:evr datatype="debian_evr_string">0:3.19.0-1ubuntu1.1</lin-sys:evr>
+    </lin-sys:dpkginfo_item>
+  </system_data>
+</oval_system_characteristics>

tests/mitre/linux-def_dpkginfo_test.xml

@@ -53,23 +53,23 @@
       <epoch operation="pattern match">.*</epoch>
       <release operation="pattern match">.*</release>
       <version operation="pattern match">.*</version>
-      <evr datatype="evr_string" operation="greater than">0:0-0</evr>
-    </dpkginfo_state>
+      <evr datatype="debian_evr_string" operation="greater than">0:0-0</evr>
+	</dpkginfo_state>
     <dpkginfo_state id="oval:org.mitre.oval.test:ste:499" version="2" comment="This state represents dpkginfo_items that have a name not equal to 'libapt-pkg-dev', and an arch, epoch, release, version, evr, and signature_keyid that match the regular expression '.*'." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
       <name operation="not equal">libapt-pkg-dev</name>
       <arch operation="pattern match">.*</arch>
       <epoch operation="pattern match">.*</epoch>
       <release operation="pattern match">.*</release>
       <version operation="pattern match">.*</version>
-      <evr datatype="evr_string" operation="greater than">0:0-0</evr>
+      <evr datatype="debian_evr_string" operation="greater than">0:0-0</evr>
     </dpkginfo_state>
     <dpkginfo_state id="oval:org.mitre.oval.test:ste:718" version="2" comment="This state represents dpkginfo_items that have a name that matches the regular expression '^libapt.pkg.dev$', and an arch, epoch, release, version, evr, and signature_keyid that match the regular expression '.*'." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
       <name operation="pattern match">^libapt.pkg.dev$</name>
       <arch operation="pattern match">.*</arch>
       <epoch operation="pattern match">.*</epoch>
       <release operation="pattern match">.*</release>
       <version operation="pattern match">.*</version>
-      <evr datatype="evr_string" operation="greater than">0:0-0</evr>
+      <evr datatype="debian_evr_string" operation="greater than">0:0-0</evr>
     </dpkginfo_state>
   </states>
-</oval_definitions>
+</oval_definitions>