Comment 4 for bug 2002551

Marina Latini (marina-dnb-latini) wrote: Re: openscap 1.2.15 1.2.16 and 1.2.17 not able to build complianceascode

Hello Eduardo,

I'm trying to build the scap-security-guide (ComplianceAsCode 0.1.64) on Ubuntu 18.04, Ubuntu 20.04 and Ubuntu 22.04.

On the 3 Ubuntu versions, the failure is always the same. The scap-security-guide uses openscap but, if the OVAL CVE/RPM data are not available, the build will fail.

ComplianceAsCode on version 0.1.63 was building fine.

This is one example of failure due to missing remote resources (but there are more).
All xccdf generate fix with embedded remote resources fail.

oscap xccdf generate fix --skip-valid --benchmark-id xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --template urn:xccdf:fix:script:sh ./ssg-ubuntu1604-ds.xml

WARNING: Datastream component 'scap_org.open-scap_cref_-ubuntu-security-oval-com.ubuntu.xenial.cve.oval.xml' points out to the remote 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml with all dependencies from datastream. [../../../src/DS/ds_sds_session.c:211]

If the --fetch-remote-resources option is not provided, the resources pointed to by the components won't be downloaded. The provided patch allows the scan to continue without remote components.
The result of rules which reference the missing remote resource will be 'notchecked'.

The PR https://github.com/OpenSCAP/openscap/pull/1324 was done after the 1.2.16 release and made available in openscap 1.2.18 and 1.3.1, so Ubuntu 20.04 but also Ubuntu 22.04 missed it.

For Ubuntu 18.04, which has openscap 1.2.15, the patch applies too (just with offset).

I hope this clarifies the issue better.
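
A pre-build check for the failure described in the comment above, as an added example that is not part of the original bug comment or of OpenSCAP: for each checklist in a source datastream it lists the remote URLs its catalog depends on, which are the references that require --fetch-remote-resources. The sample datastream, its ids and its URL are constructed; the namespaces are the standard SCAP 1.2 source datastream, XML catalog and XLink ones.

```python
import xml.etree.ElementTree as ET

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
CAT = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: a minimal datastream skeleton, not real scap-security-guide content.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_org.example_datastream_sample">
    <ds:checklists>
      <ds:component-ref id="scap_org.example_cref_xccdf.xml" xlink:href="#scap_org.example_comp_xccdf.xml">
        <cat:catalog>
          <cat:uri name="oval.xml" uri="#scap_org.example_cref_oval.xml"/>
          <cat:uri name="https://oval.example.test/cve.oval.xml" uri="#scap_org.example_cref_cve.oval.xml"/>
        </cat:catalog>
      </ds:component-ref>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.example_cref_oval.xml" xlink:href="#scap_org.example_comp_oval.xml"/>
      <ds:component-ref id="scap_org.example_cref_cve.oval.xml" xlink:href="https://oval.example.test/cve.oval.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>"""


def remote_dependencies(xml_text):
    """Map each checklist component-ref id to the remote URLs its catalog pulls in."""
    root = ET.fromstring(xml_text)
    result = {}
    for stream in root.iter(DS + "data-stream"):
        # xlink:href of every component-ref in this stream, keyed by its id
        hrefs = {c.get("id"): c.get(HREF, "") for c in stream.iter(DS + "component-ref")}
        for checklist in stream.findall(f"{DS}checklists/{DS}component-ref"):
            remote = []
            for uri in checklist.iter(CAT + "uri"):
                # catalog entries point at another component-ref as "#<cref id>"
                target = hrefs.get(uri.get("uri", "").lstrip("#"), "")
                if target and not target.startswith("#"):  # local components start with '#'
                    remote.append(target)
            result[checklist.get("id")] = remote
    return result


if __name__ == "__main__":
    for checklist_id, urls in remote_dependencies(SAMPLE_DS).items():
        print(checklist_id, "->", urls or "no remote dependencies")
```

A checklist with a non-empty list here is one whose extraction depends on a remote component, so the build host needs either network access with --fetch-remote-resources or an openscap that carries the patch.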