Merge branch 'maint-1.2'

Author: Martin Preisler

cpe/openscap-cpe-dict.xml

@@ -109,6 +109,10 @@
             <title xml:lang="en-us">Fedora 29</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.fedora:def:29</check>
       </cpe-item>
+      <cpe-item name="cpe:/o:fedoraproject:fedora:30">
+            <title xml:lang="en-us">Fedora 30</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.fedora:def:30</check>
+      </cpe-item>
       <cpe-item name="cpe:/o:suse:sle">
             <title xml:lang="en-us">SUSE Linux Enterprise all versions</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sle:def:1</check>

cpe/openscap-cpe-oval.xml

@@ -367,6 +367,19 @@
                         <criterion comment="Fedora 29 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:29"/>
                   </criteria>
             </definition>
+            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:30" version="1">
+                  <metadata>
+                        <title>Fedora 30</title>
+                        <affected family="unix">
+                            <platform>Fedora 30</platform>
+                        </affected>
+                        <reference ref_id="cpe:/o:fedoraproject:fedora:30" source="CPE"/>
+                        <description>The operating system installed on the system is Fedora 30</description>
+                  </metadata>
+                  <criteria>
+                        <criterion comment="Fedora 30 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:30"/>
+                  </criteria>
+            </definition>
 
             <definition class="inventory" id="oval:org.open-scap.cpe.sle:def:1" version="1">
                   <metadata>
@@ -735,6 +748,11 @@
                   <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                   <state state_ref="oval:org.open-scap.cpe.fedora:ste:29"/>
             </rpminfo_test>
+            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:30" version="1" check="at least one" comment="fedora-release is version Fedora 30"
+                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
+                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:30"/>
+            </rpminfo_test>
             <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sles:tst:1" version="1" check="at least one" comment="/etc/sles-release is provided by sles-release package"
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
@@ -999,6 +1017,9 @@
             <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:29" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^29$</version>
             </rpminfo_state>
+            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:30" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+                  <version operation="pattern match">^30$</version>
+            </rpminfo_state>
             <rpminfo_state id="oval:org.open-scap.cpe.sles:ste:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <name operation="pattern match">^sles-release</name>
             </rpminfo_state>

src/CVRF/cvrf_priv.c

@@ -1983,6 +1983,7 @@ struct cvrf_product_tree *cvrf_product_tree_parse(xmlTextReaderPtr reader) {
 	struct cvrf_product_tree *tree = cvrf_product_tree_new();
 	if (xmlTextReaderIsEmptyElement(reader) == 1) {
 		cvrf_set_parsing_error("ProductTree");
+		cvrf_product_tree_free(tree);
 		return NULL;
 	}
 	xmlTextReaderNextElementWE(reader, TAG_PRODUCT_TREE);
@@ -2088,6 +2089,7 @@ struct cvrf_note *cvrf_note_parse(xmlTextReaderPtr reader) {
 	struct cvrf_note *note = cvrf_note_new();
 	if (xmlTextReaderIsEmptyElement(reader) == 1) {
 		cvrf_set_parsing_error("Note");
+		cvrf_note_free(note);
 		return NULL;
 	}
 
@@ -2146,6 +2148,7 @@ struct cvrf_doc_tracking *cvrf_doc_tracking_parse(xmlTextReaderPtr reader) {
 	struct cvrf_doc_tracking *tracking = cvrf_doc_tracking_new();
 	if (xmlTextReaderIsEmptyElement(reader) == 1) {
 		cvrf_set_parsing_error("DocumentTracking");
+		cvrf_doc_tracking_free(tracking);
 		return NULL;
 	}
 
@@ -2217,6 +2220,7 @@ struct cvrf_doc_publisher *cvrf_doc_publisher_parse(xmlTextReaderPtr reader) {
 	publisher->type = cvrf_doc_publisher_type_parse(reader);
 	if (publisher->type == CVRF_DOC_PUBLISHER_UNKNOWN && xmlTextReaderIsEmptyElement(reader) == 1) {
 		cvrf_set_parsing_error("DocumentPublisher");
+		cvrf_doc_publisher_free(publisher);
 		return NULL;
 	}
 	publisher->vendor_id = (char *)xmlTextReaderGetAttribute(reader, ATTR_VENDOR_ID);

src/OVAL/oval_message.c

@@ -65,7 +65,7 @@ struct oval_message *oval_message_clone(struct oval_message *old_message)
 	oval_message_level_t level = oval_message_get_level(old_message);
 	oval_message_set_level(new_message, level);
 	char *text = oval_message_get_text(old_message);
-	oval_message_set_text(new_message, oscap_strdup(text));
+	oval_message_set_text(new_message, text);
 	return new_message;
 }
 

src/OVAL/oval_sysEnt.c

@@ -77,7 +77,7 @@ struct oval_sysent *oval_sysent_clone(struct oval_syschar_model *new_model, stru
 
 	char *old_value = oval_sysent_get_value(old_item);
 	if (old_value) {
-		oval_sysent_set_value(new_item, oscap_strdup(old_value));
+		oval_sysent_set_value(new_item, old_value);
 	}
 
 	char *old_name = oval_sysent_get_name(old_item);

src/OVAL/probes/fsdev.c

@@ -408,6 +408,7 @@ fsdev_t *fsdev_strinit(const char *fs_names)
 	e = errno;
 	free(fs_arr);
 	errno = e;
+	free(pstr);
 
 	return (lfs);
 }

src/XCCDF_POLICY/xccdf_policy.c

@@ -2156,8 +2156,10 @@ void xccdf_policy_free(struct xccdf_policy * policy) {
 	/* A policy which is set to use default profile has its profile member set to NULL,
 	 * check it so we don't try to get the ID from a NULL profile.
 	 * */
-	if (policy->profile && xccdf_profile_get_id(policy->profile) == NULL)
-		/* If ID of policy's profile is NULL then this
+	if (policy->profile && (
+			(xccdf_profile_get_id(policy->profile) == NULL) ||
+			(strcmp(xccdf_profile_get_id(policy->profile), "(all)") == 0)))
+		/* If ID of policy's profile is NULL or "(all)" then this
 		 * profile is created by Policy layer and need
 		 * to be freed
 		 */

src/XCCDF_POLICY/xccdf_policy_model.c

@@ -31,6 +31,7 @@
 #include "xccdf_policy_model_priv.h"
 #include "xccdf_policy_priv.h"
 #include "XCCDF/item.h"
+#include "XCCDF/helpers.h"
 
 struct xccdf_policy *xccdf_policy_model_get_existing_policy_by_id(struct xccdf_policy_model *policy_model, const char *profile_id)
 {
@@ -46,6 +47,33 @@ struct xccdf_policy *xccdf_policy_model_get_existing_policy_by_id(struct xccdf_p
 	return NULL;
 }
 
+static void _add_selectors_for_all_xccdf_items(struct xccdf_profile *profile, struct xccdf_item *item)
+{
+	struct xccdf_item_iterator *children = NULL;
+	if (xccdf_item_get_type(item) == XCCDF_BENCHMARK) {
+		children = xccdf_benchmark_get_content(XBENCHMARK(item));
+	} else if (xccdf_item_get_type(item) == XCCDF_GROUP) {
+		children = xccdf_group_get_content(XGROUP(item));
+	}
+
+	if (xccdf_item_get_type(item) == XCCDF_RULE ||
+		xccdf_item_get_type(item) == XCCDF_GROUP)
+	{
+		struct xccdf_select *select = xccdf_select_new();
+		xccdf_select_set_item(select, xccdf_item_get_id(item));
+		xccdf_select_set_selected(select, true);
+		xccdf_profile_add_select(profile, select);
+	}
+
+	if (children) {
+		while (xccdf_item_iterator_has_more(children)) {
+			struct xccdf_item *current = xccdf_item_iterator_next(children);
+			_add_selectors_for_all_xccdf_items(profile, current);
+		}
+		xccdf_item_iterator_free(children);
+	}
+}
+
 struct xccdf_policy *xccdf_policy_model_create_policy_by_id(struct xccdf_policy_model *policy_model, const char *id)
 {
 	struct xccdf_profile *profile = NULL;
@@ -56,6 +84,9 @@ struct xccdf_policy *xccdf_policy_model_create_policy_by_id(struct xccdf_policy_
 		profile = xccdf_tailoring_get_profile_by_id(tailoring, id);
 	}
 
+	// The (default) and (all) profiles are de-facto owned by the xccdf_policy
+	// and will be freed by it when it's freed. See xccdf_policy_free.
+
 	if (!profile) {
 		if (id == NULL) {
 			profile = xccdf_profile_new();
@@ -64,16 +95,27 @@ struct xccdf_policy *xccdf_policy_model_create_policy_by_id(struct xccdf_policy_
 			oscap_text_set_text(title, "No profile (default benchmark)");
 			oscap_text_set_lang(title, "en");
 			xccdf_profile_add_title(profile, title);
-		}
-		else {
+		} else {
 			struct xccdf_benchmark *benchmark = xccdf_policy_model_get_benchmark(policy_model);
 			if (benchmark == NULL) {
 				assert(benchmark != NULL);
 				return NULL;
 			}
-			profile = xccdf_benchmark_get_profile_by_id(benchmark, id);
-			if (profile == NULL)
-				return NULL;
+
+			if (strcmp(id, "(all)") == 0) {
+				profile = xccdf_profile_new();
+				xccdf_profile_set_id(profile, "(all)");
+				struct oscap_text *title = oscap_text_new();
+				oscap_text_set_text(title, "(all) profile (all rules selected)");
+				oscap_text_set_lang(title, "en");
+				xccdf_profile_add_title(profile, title);
+
+				_add_selectors_for_all_xccdf_items(profile, XITEM(benchmark));
+			} else {
+				profile = xccdf_benchmark_get_profile_by_id(benchmark, id);
+				if (profile == NULL)
+					return NULL;
+			}
 		}
 	}
 

utils/oscap-docker.in

@@ -26,31 +26,18 @@ import sys
 from requests import exceptions
 
 
-class OscapDocker(object):
-    ''' Generic class to call the scans '''
-    def __init__(self):
-        pass
-
-    def set_args(self, args, unknown):
-        '''
-        Sets arguments for argparse into the oscapDocker class
-        '''
-        self.args = args
-        self.unknown_args = unknown
-
-    def cve_scan(self):
-        ''' Wrapper function for container/image scanning '''
-        OS = OscapScan()
-        result = OS.scan_cve(self.args.scan_target, self.unknown_args)
-        if result is not None:
-            print(result)
-
-    def scan(self):
-        ''' Wrapper functiopn to scan with openscap'''
-        OS = OscapScan()
-        result = OS.scan(self.args.scan_target, self.unknown_args)
-        if result is not None:
-            print(result)
+def cve_scan(scan_target, other_scan_args):
+    ''' Wrapper function for container/image scanning '''
+    OS = OscapScan()
+    result = OS.scan_cve(scan_target, other_scan_args)
+    return result
+
+
+def scan(scan_target, other_scan_args):
+    ''' Wrapper function to scan with openscap'''
+    OS = OscapScan()
+    result = OS.scan(scan_target, other_scan_args)
+    return result
 
 
 def ping_docker():
@@ -63,10 +50,8 @@ def ping_docker():
         client = docker.Client()
     client.ping()
 
-if __name__ == '__main__':
-
-    OD = OscapDocker()
 
+if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='oscap docker',
                                      epilog='See `man oscap` to learn \
                                      more about OSCAP-ARGUMENTS')
@@ -75,32 +60,32 @@ if __name__ == '__main__':
     # Scan CVEs in image
     image_cve = subparser.add_parser('image-cve', help='Scan a docker image \
                                     for known vulnerabilities.')
-    image_cve.set_defaults(func=OD.cve_scan)
+    image_cve.set_defaults(func=cve_scan)
     image_cve.add_argument('scan_target', help='Container or image to scan')
 
     # Scan an Image
     image = subparser.add_parser('image', help='Scan a docker image')
     image.add_argument('scan_target',
                        help='Container or image to scan')
 
-    image.set_defaults(func=OD.scan)
+    image.set_defaults(func=scan)
     # Scan a container
     container = subparser.add_parser('container', help='Scan a running docker\
                                       container of given name.')
     container.add_argument('scan_target',
                            help='Container or image to scan')
-    container.set_defaults(func=OD.scan)
+    container.set_defaults(func=scan)
 
     # Scan CVEs in container
     container_cve = subparser.add_parser('container-cve', help='Scan a \
                                          running container for known \
                                          vulnerabilities.')
 
-    container_cve.set_defaults(func=OD.cve_scan)
+    container_cve.set_defaults(func=cve_scan)
     container_cve.add_argument('scan_target',
                                help='Container or image to scan')
 
-    args, unknown = parser.parse_known_args()
+    args, leftover_args = parser.parse_known_args()
 
     if "func" not in args:
         parser.print_help()
@@ -113,5 +98,10 @@ if __name__ == '__main__':
         print("The docker daemon does not appear to be running")
         sys.exit(1)
 
-    OD.set_args(args, unknown)
-    args.func()
+    try:
+        rc = args.func(args.scan_target, leftover_args)
+    except Exception as exc:
+        sys.exit(255)
+        raise exc
+
+    sys.exit(rc)