Do not emit warning when a rule has only OCIL or SCE

OCIL is a valid SCAP check, we only don't support it in OpenSCAP.  SCE
is supported by OpenSCAP, but users can use OpenSCAP without SCE plugin.
Instead we will display an info message (in verbose mode). We will still
keep the warning for really invalid check systems. Problem with warning
messages is that they're understood as errors by SCAP Workbench and the
diagnostic window pops up when they're produced.

Author: jan-cerny

src/XCCDF_POLICY/xccdf_policy.c

@@ -584,6 +584,10 @@ _xccdf_policy_rule_get_applicable_check(struct xccdf_policy *policy, struct xccd
 				result = check;
 			} else if (strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system) == 0) {
 				print_oval_warning = true;
+			} else if (strcmp("http://scap.nist.gov/schema/ocil/2", check->system) == 0) {
+				dI("This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP.");
+			} else if (strcmp("http://open-scap.org/page/SCE", check->system) == 0) {
+				dI("This rule requires a SCE check but the SCE plugin was disabled.");
 			} else {
 				print_general_warning = true;
 				warning_check_system = check->system;

tests/API/XCCDF/unittests/CMakeLists.txt

@@ -32,6 +32,7 @@ add_oscap_test("test_xccdf_check_negate.sh")
 add_oscap_test("test_xccdf_check_multi_check.sh")
 add_oscap_test("test_xccdf_check_multi_check2.sh")
 add_oscap_test("test_xccdf_check_multi_check_zero_definitions.sh")
+add_oscap_test("test_xccdf_check_ocil.sh")
 add_oscap_test("test_xccdf_check_content_ref_without_name_attr.sh")
 add_oscap_test("test_xccdf_check_without_content_refs.sh")
 add_oscap_test("test_xccdf_refine_rule.sh")

tests/API/XCCDF/unittests/test_xccdf_check_ocil.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+result=`mktemp`
+stderr=`mktemp`
+$OSCAP xccdf eval --results $result $srcdir/test_xccdf_check_ocil.xml 2> $stderr
+[ ! -s "$stderr" ]
+$OSCAP xccdf validate $result
+assert_exists 1 '//rule-result[@idref="xccdf_moc.elpmaxe.www_rule_1"]/result[text()="notchecked"]'
+rm $stderr
+rm $result
+
+stderr=`mktemp`
+$OSCAP xccdf eval --verbose INFO $srcdir/test_xccdf_check_ocil.xml 2> $stderr
+grep -q "This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP." $stderr
+rm $stderr

tests/API/XCCDF/unittests/test_xccdf_check_ocil.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+  <status>incomplete</status>
+  <version>1.0</version>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
+    <title>Rule with OCIL check</title>
+    <check system="http://scap.nist.gov/schema/ocil/2">
+      <check-content-ref href="test_xccdf_check_ocil.ocil.xml"/>
+    </check>
+  </Rule>
+</Benchmark>