Merge pull request #1410 from DominiqueDevinci/contrib1403

jan-cerny · web-flow · commit da4610ee8df3 · 2019-10-25T14:02:15.000+02:00
Remediation verbosity : don't apply fix for multicheck ? issue #1403
diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
@@ -532,8 +532,16 @@ void xccdf_message_free(struct xccdf_message *msg)
     }
 }
 
+bool xccdf_message_set_content(struct xccdf_message *obj, const char *newval){
+	// in debug mode, we handle all new messages in case where the xccdf_message is never displayed
+	dD("XCCDF_SET_MESSAGE: %s", newval);
+	free(obj->content);
+	obj->content=oscap_strdup(newval);
+	return true;
+}
+
 OSCAP_ACCESSOR_SIMPLE(xccdf_message_severity_t, xccdf_message, severity)
-OSCAP_ACCESSOR_STRING(xccdf_message, content)
+OSCAP_GETTER(const char*, xccdf_message, content)
 
 struct xccdf_target_fact* xccdf_target_fact_new(void)
 {
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -63,6 +63,7 @@ static int _rule_add_info_message(struct xccdf_rule_result *rr, ...)
 
 	msg = xccdf_message_new();
 	xccdf_message_set_content(msg, text);
+	dI("[%s]->msg: %s", xccdf_rule_result_get_idref(rr), text);
 	free(text);
 	xccdf_message_set_severity(msg, XCCDF_MSG_INFO);
 	xccdf_rule_result_add_message(rr, msg);
@@ -379,9 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result)
 #if defined(unix) || defined(__unix__) || defined(__unix)
 static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
 {
-	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL))
+	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+		_rule_add_info_message(rr, "No fix available.");
 		return 1;
-
+	}
+	
 	const char *interpret = NULL;
 	if ((interpret = _get_supported_interpret(xccdf_fix_get_system(fix), NULL)) == NULL) {
 		_rule_add_info_message(rr, "Not supported xccdf:fix/@system='%s' or missing interpreter.",
@@ -478,10 +481,13 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 #else
 static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
 {
-	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL))
+	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+		_rule_add_info_message(rr, "No fix available.");
 		return 1;
-	else
+	} else {
 		_rule_add_info_message(rr, "Cannot execute the fix script: not implemented");
+	}
+	
 	return 1;
 }
 #endif
@@ -493,39 +499,48 @@ int xccdf_policy_rule_result_remediate(struct xccdf_policy *policy, struct xccdf
 	if (xccdf_rule_result_get_result(rr) != XCCDF_RESULT_FAIL)
 		return 0;
 
+	// if a miscellaneous error happens (fix unsuitable or if we want to skip it for any reason
+	// we set misc_error to one, and the fix will be reported as error (and not skipped without log like before)
+	int misc_error=0;
+
 	if (fix == NULL) {
 		fix = _find_suitable_fix(policy, rr);
-		if (fix == NULL)
-			// We may want to append xccdf:message about missing fix.
-			return 0;
+		if (fix == NULL) {
+			// We want to append xccdf:message about missing fix.
+			_rule_add_info_message(rr, "No suitable fix found.");
+			xccdf_rule_result_set_result(rr, XCCDF_RESULT_FAIL);
+			misc_error=1;
+		}
 	}
 
 	struct xccdf_check *check = NULL;
 	struct xccdf_check_iterator *check_it = xccdf_rule_result_get_checks(rr);
 	while (xccdf_check_iterator_has_more(check_it))
 		check = xccdf_check_iterator_next(check_it);
 	xccdf_check_iterator_free(check_it);
-	if (check != NULL && xccdf_check_get_multicheck(check))
-		// Do not try to apply fix for multi-check.
-		return 0;
-
-	/* Initialize the fix. */
-	struct xccdf_fix *cfix = xccdf_fix_clone(fix);
-	int res = xccdf_policy_resolve_fix_substitution(policy, cfix, rr, test_result);
-	xccdf_rule_result_add_fix(rr, cfix);
-	if (res != 0) {
-		_rule_add_info_message(rr, "Fix execution was aborted: Text substitution failed.");
-		return res;
-	}
 
-	/* Execute the fix. */
-	res = _xccdf_fix_execute(rr, cfix);
-	if (res != 0) {
-		_rule_add_info_message(rr, "Fix was not executed. Execution was aborted.");
-		return res;
+	if(misc_error == 0){
+		/* Initialize the fix. */
+		struct xccdf_fix *cfix = xccdf_fix_clone(fix);
+		int res = xccdf_policy_resolve_fix_substitution(policy, cfix, rr, test_result);
+		xccdf_rule_result_add_fix(rr, cfix);
+		if (res != 0) {
+			_rule_add_info_message(rr, "Fix execution was aborted: Text substitution failed.");
+			xccdf_rule_result_set_result(rr, XCCDF_RESULT_ERROR);
+			misc_error=1;
+		}else{
+
+			/* Execute the fix. */
+			res = _xccdf_fix_execute(rr, cfix);
+			if (res != 0) {
+				_rule_add_info_message(rr, "Fix was not executed. Execution was aborted.");
+				xccdf_rule_result_set_result(rr, XCCDF_RESULT_ERROR);
+				misc_error=1;
+			}
+		}
 	}
 
-	/* We report rule during remediation only when the fix was actually executed */
+	/* We report rule during remediation even if fix isn't executed due to a miscellaneous error */
 	int report = 0;
 	struct xccdf_rule *rule = _lookup_rule_by_rule_result(policy, rr);
 	if (rule == NULL) {
@@ -538,18 +553,20 @@ int xccdf_policy_rule_result_remediate(struct xccdf_policy *policy, struct xccdf
 			return report;
 	}
 
-	/* Verify applied fix by calling OVAL again */
-	if (check == NULL) {
-		xccdf_rule_result_set_result(rr, XCCDF_RESULT_ERROR);
-		_rule_add_info_message(rr, "Failed to verify applied fix: Missing xccdf:check.");
-	} else {
-		int new_result = xccdf_policy_check_evaluate(policy, check);
-		if (new_result == XCCDF_RESULT_PASS)
-			xccdf_rule_result_set_result(rr, XCCDF_RESULT_FIXED);
-		else {
+	if(misc_error == 0){
+		/* Verify fix if applied by calling OVAL again */
+		if (check == NULL) {
 			xccdf_rule_result_set_result(rr, XCCDF_RESULT_ERROR);
-			_rule_add_info_message(rr, "Failed to verify applied fix: Checking engine returns: %s",
-				new_result <= 0 ? "internal error" : xccdf_test_result_type_get_text(new_result));
+			_rule_add_info_message(rr, "Failed to verify applied fix: Missing xccdf:check.");
+		} else {
+			int new_result = xccdf_policy_check_evaluate(policy, check);
+			if (new_result == XCCDF_RESULT_PASS)
+				xccdf_rule_result_set_result(rr, XCCDF_RESULT_FIXED);
+			else {
+				xccdf_rule_result_set_result(rr, XCCDF_RESULT_ERROR);
+				_rule_add_info_message(rr, "Failed to verify applied fix: Checking engine returns: %s",
+					new_result <= 0 ? "internal error" : xccdf_test_result_type_get_text(new_result));
+			}
 		}
 	}
 
diff --git a/tests/API/XCCDF/applicability/test_remediate_fix_notapplicable.sh b/tests/API/XCCDF/applicability/test_remediate_fix_notapplicable.sh
@@ -27,7 +27,9 @@ assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profil
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result[text()="fail"]'
 assert_exists 0 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/fix'
-assert_exists 0 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/message'
+
+# one message expected signalling no suitable fix found.
+assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/message'
 
 #
 # Second, make sure that the fix is applied, when CPE is recognized as appplicable
diff --git a/tests/API/XCCDF/unittests/test_remediate_unresolved.sh b/tests/API/XCCDF/unittests/test_remediate_unresolved.sh
@@ -24,7 +24,7 @@ assert_exists 2 '//TestResult'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result'
-assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result[text()="fail"]'
+assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/result[text()="error"]'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/fix'
 assert_exists 1 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/fix/something'
 assert_exists 0 '//TestResult[@id="xccdf_org.open-scap_testresult_default-profile001"]/rule-result/fix/object'
diff --git a/tests/API/XCCDF/unittests/test_remediation_fix_without_system.sh b/tests/API/XCCDF/unittests/test_remediation_fix_without_system.sh
@@ -23,7 +23,7 @@ assert_exists 1 '//rule-result'
 assert_exists 1 '//rule-result/result'
 assert_exists 1 '//rule-result/result[text()="fail"]'
 assert_exists 0 '//rule-result/fix'
-assert_exists 0 '//rule-result/message'
+assert_exists 1 '//rule-result/message[text()="No suitable fix found."]'
 assert_exists 1 '//score'
 assert_exists 1 '//score[text()="0.000000"]'
 
diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh
@@ -48,7 +48,7 @@ assert_exists 0 '/Benchmark/Rule/fix/sub'
 assert_exists 1 '/Benchmark/Rule/fix/instance'
 assert_exists 1 '//rule-result'
 assert_exists 1 '//rule-result/result'
-assert_exists 1 '//rule-result/result[text()="fail"]'
+assert_exists 1 '//rule-result/result[text()="error"]'
 assert_exists 1 '//rule-result/fix'
 assert_exists 1 '//rule-result/fix[@system="urn:xccdf:fix:script:sh"]'
 assert_exists 1 '//rule-result/fix/instance'

Original file line number	Diff line number	Diff line change
`@@ -532,8 +532,16 @@ void xccdf_message_free(struct xccdf_message *msg)`
`532`	`532`	`}`
`533`	`533`	`}`
`534`	`534`
	`535`	`+bool xccdf_message_set_content(struct xccdf_message obj, const char newval){`
	`536`	`+ // in debug mode, we handle all new messages in case where the xccdf_message is never displayed`
	`537`	`+ dD("XCCDF_SET_MESSAGE: %s", newval);`
	`538`	`+ free(obj->content);`
	`539`	`+ obj->content=oscap_strdup(newval);`
	`540`	`+ return true;`
	`541`	`+}`
	`542`	`+`
`535`	`543`	`OSCAP_ACCESSOR_SIMPLE(xccdf_message_severity_t, xccdf_message, severity)`
`536`		`-OSCAP_ACCESSOR_STRING(xccdf_message, content)`
	`544`	`+OSCAP_GETTER(const char*, xccdf_message, content)`
`537`	`545`
`538`	`546`	`struct xccdf_target_fact* xccdf_target_fact_new(void)`
`539`	`547`	`{`