Merge pull request #1448 from jan-cerny/ocil_warning

evgenyz · web-flow · commit 43bb99a2e981 · 2020-01-08T12:27:44.000+01:00
Do not emit warning when a rule has only OCIL or SCE
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
@@ -583,6 +583,10 @@ _xccdf_policy_rule_get_applicable_check(struct xccdf_policy *policy, struct xccd
 				result = check;
 			} else if (strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system) == 0) {
 				print_oval_warning = true;
+			} else if (strcmp("http://scap.nist.gov/schema/ocil/2", check->system) == 0) {
+				dI("This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP.");
+			} else if (strcmp("http://open-scap.org/page/SCE", check->system) == 0) {
+				dI("This rule requires a SCE check but the SCE plugin was disabled.");
 			} else {
 				print_general_warning = true;
 				warning_check_system = check->system;
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -32,6 +32,7 @@ add_oscap_test("test_xccdf_check_negate.sh")
 add_oscap_test("test_xccdf_check_multi_check.sh")
 add_oscap_test("test_xccdf_check_multi_check2.sh")
 add_oscap_test("test_xccdf_check_multi_check_zero_definitions.sh")
+add_oscap_test("test_xccdf_check_ocil.sh")
 add_oscap_test("test_xccdf_check_content_ref_without_name_attr.sh")
 add_oscap_test("test_xccdf_check_without_content_refs.sh")
 add_oscap_test("test_xccdf_refine_rule.sh")
diff --git a/tests/API/XCCDF/unittests/test_xccdf_check_ocil.sh b/tests/API/XCCDF/unittests/test_xccdf_check_ocil.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+result=`mktemp`
+stderr=`mktemp`
+$OSCAP xccdf eval --results $result $srcdir/test_xccdf_check_ocil.xml 2> $stderr
+[ ! -s "$stderr" ]
+$OSCAP xccdf validate $result
+assert_exists 1 '//rule-result[@idref="xccdf_moc.elpmaxe.www_rule_1"]/result[text()="notchecked"]'
+rm $stderr
+rm $result
+
+stderr=`mktemp`
+$OSCAP xccdf eval --verbose INFO $srcdir/test_xccdf_check_ocil.xml 2> $stderr
+grep -q "This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP." $stderr
+rm $stderr
diff --git a/tests/API/XCCDF/unittests/test_xccdf_check_ocil.xml b/tests/API/XCCDF/unittests/test_xccdf_check_ocil.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+  <status>incomplete</status>
+  <version>1.0</version>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
+    <title>Rule with OCIL check</title>
+    <check system="http://scap.nist.gov/schema/ocil/2">
+      <check-content-ref href="test_xccdf_check_ocil.ocil.xml"/>
+    </check>
+  </Rule>
+</Benchmark>
