Hello Eduardo,
I'm trying to build the scap-security-guide (ComplianceAsCode 0.1.64) on Ubuntu 18.04, Ubuntu 20.04 and Ubuntu 22.04.
On the 3 Ubuntu versions, the failure is always the same. The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not available, the build will fail.
ComplianceAsCode on version 0.1.63 was building fine.
This is one example of failure due to missing remote resources (but there are more).
All xccdf generate fix with embedded remote resources fail.
oscap xccdf generate fix --skip-valid --benchmark-id xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --template urn:xccdf:fix:script:sh ./ssg-ubuntu1604-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_-ubuntu-security-oval-com.ubuntu.xenial.cve.oval.xml' points out to the remote 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml with all dependencies from datastream. [../../../src/DS/ds_sds_session.c:211]
If the --fetch-remote-resources option is not provided, the resources pointed to by the components won't be downloaded. The provided patch allows the scan to continue without remote components.
The result of rules which reference the missing remote resource will be 'notchecked'.
The PR https://github.com/OpenSCAP/openscap/pull/1324 was done after 1.2.16 release and made available in openscap 1.2.18 and 1.3.1, so Ubuntu 20.04 but also Ubuntu 22.04 missed it.
For Ubuntu 18.04, which has openscap 1.2.15, the patch applies too (just with offset).
I hope this clarifies the issue better.
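Added example, not part of the original report and not OpenSCAP or ComplianceAsCode code: a pre-build check that lists the datastream component-refs whose xlink:href points at a remote resource, which is the condition behind the warnings quoted above. The sample datastream, its ids and the example.invalid URL are constructed; the namespace URIs are those of the SCAP 1.2 source datastream and XLink.

```python
import sys
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: two local component-refs ('#...') and one remote one.
SAMPLE_DS = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_org.open-scap_collection_sample">
  <ds:data-stream id="scap_org.open-scap_datastream_sample">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_sample-xccdf.xml"
                        xlink:href="#scap_org.open-scap_comp_sample-xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_sample-oval.xml"
                        xlink:href="#scap_org.open-scap_comp_sample-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_remote-cve.oval.xml"
                        xlink:href="https://example.invalid/oval/cve.oval.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_component_refs(xml_data):
    """Return [(component-ref id, href)] for refs that are not local '#fragment' links.

    xml_data may be str or bytes. Only run this on datastreams you built or
    trust: ElementTree is not hardened against maliciously constructed XML.
    """
    root = ET.fromstring(xml_data)
    remote = []
    for cref in root.iter(f"{{{DS_NS}}}component-ref"):
        href = cref.get(f"{{{XLINK_NS}}}href", "")
        if href and not href.startswith("#"):
            remote.append((cref.get("id"), href))
    return remote


if __name__ == "__main__":
    # With a path argument, check that datastream; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DS
    hits = remote_component_refs(data)
    for cref_id, href in hits:
        print(f"remote component {cref_id} -> {href}")
    # Non-zero exit tells a build script that remote resources are referenced.
    sys.exit(1 if hits else 0)
```

A non-empty result means oscap will either need --fetch-remote-resources or a build containing the patch discussed above.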