libopenscap8: missing dependency resulting in missing OVAL objects support

Bug #1661401 reported by Alan Guan on 2017-02-02
Affects            Status        Importance  Assigned to  Milestone
openscap (Debian)  Fix Released  Unknown
openscap (Ubuntu)                Undecided   Unassigned

Bug Description

[Impact]

The "libdbus-1-dev" package is missing from the "Build-Depends" in the "debian/control" file, and as a result, the OVAL object support for "systemdunitproperty" and "systemdunitdependency" is missing. About 10~15% of the SCAP content based on CIS benchmark relies on these two OVAL objects - they are important and should be supported. Simply adding the missing dependency will enable these OVAL objects for OpenSCAP.

[Test Case]

Run the command "oscap --v", and without the "libdbus-1-dev" dependency, content under "Supported OVAL objects and associated OpenSCAP probes" will NOT include the "systemdunitproperty" and "systemdunitdependency". Once the "libdbus-1-dev" dependency is added and libopenscap8 rebuilt, the command "oscap --v" will show "systemdunitproperty" and "systemdunitdependency" as supported.

[Regression Potential]

The changes proposed enable new functionality that is already included in the source package, and do not change the behavior of existing code significantly.

Using the same patch attached to this bug report, the Canonical security certification team has created a PPA here: https://launchpad.net/~guanym/+archive/ubuntu/ppa.

The team is actively using the PPA to develop SCAP content with and without the proposed changes:
 -- Without the proposed changes, we ran scans using OpenSCAP against SCAP content with 40+ diverse rules based on the CIS benchmark, and saved the XML scan result. The content included a rule that requires "systemdunitproperty" support, and the rule simply evaluated to "unknown", which is expected.
 -- With the proposed changes, we ran a scan against the same SCAP content, and saved the XML scan result. The result was identical, with the only exception that the "systemdunitproperty" dependent rule evaluated properly.

We are also running similar scans against an ever-growing SCAP content base 20~30 times on a daily basis, and OpenSCAP behaved normally.

[Other Info]

A similar bug report has been submitted to Debian.
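The [Test Case] above checks the probe listing by eye. The following script is an added example (not part of the bug report or of the openscap package) that automates that check: it reads the output of "oscap --version" and reports whether the two systemd OVAL objects are listed; the sample listings embedded in it are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that the probe listing printed
# by "oscap --version" advertises the two systemd OVAL objects whose probes
# are only built when libdbus-1-dev is present at build time.

# Reads oscap version text on stdin. Returns 0 when both probes are listed,
# otherwise prints what is missing and returns 1.
check_systemd_probes() {
    # Keep only the lines after the heading of the probe section.
    probes=$(awk '/Supported OVAL objects and associated OpenSCAP probes/ {f=1; next} f')
    missing=""
    for obj in systemdunitproperty systemdunitdependency; do
        # The OVAL object name is the first column of each probe line.
        if ! printf '%s\n' "$probes" | awk -v o="$obj" '$1 == o {hit=1} END {exit !hit}'; then
            missing="$missing $obj"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing OVAL objects:$missing (add libdbus-1-dev to Build-Depends and rebuild libopenscap8)"
        return 1
    fi
    echo "systemdunitproperty and systemdunitdependency are supported"
    return 0
}

# Constructed sample listings in the shape of "oscap --version" output: the
# first mimics a build without libdbus-1-dev, the second a build with it.
WITHOUT_DBUS='OpenSCAP command line tool (oscap) 1.2.x
==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info
family                       probe_family
file                         probe_file
textfilecontent54            probe_textfilecontent54'
WITH_DBUS="$WITHOUT_DBUS
systemdunitproperty          probe_systemdunitproperty
systemdunitdependency        probe_systemdunitdependency"

# Run the check over both samples. Against a real installation use:
#   oscap --version | check_systemd_probes
for sample in "$WITHOUT_DBUS" "$WITH_DBUS"; do
    if printf '%s\n' "$sample" | check_systemd_probes; then :; fi
done
```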

Changed in openscap (Debian):
status: Unknown → New

The attachment "enable systemdunit support by adding libdbus-1-dev as a required build dependency" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Alan Guan (guanym) wrote:

A PPA to address both this bug and #1658792 is available here: https://launchpad.net/~fips-cc-stig/+archive/ubuntu/fipsdevppa

Changed in openscap (Debian):
status: New → Fix Released