On Debian systems, some packages provide equivalent functions. For example, syslog can be provided by one of the following packages:
- syslog-ng-core
- socklog-run
- rsyslog
- inetutils-syslogd
- busybox-syslogd
To prevent deployment conflict and check syslog function presence, a virtual package is defined (system-log-daemon).
This is the relevant code from the ComplianceAsCode macro to test for Debian package presence:

```xml
{{% elif pkg_system == "dpkg" %}}
  <linux:dpkginfo_test check="all" check_existence="all_exist"
      id="{{{ test_id }}}" version="1"
      comment="package {{{ package }}} is installed">
    <linux:object object_ref="obj_{{{ test_id }}}" />
    {{% if evr %}}
    <linux:state state_ref="ste_{{{ test_id }}}" />
    {{% endif %}}
  </linux:dpkginfo_test>
  <linux:dpkginfo_object id="obj_{{{ test_id }}}" version="1">
    <linux:name>{{{ package }}}</linux:name>
  </linux:dpkginfo_object>
  {{% if evr %}}
  <linux:dpkginfo_state id="ste_{{{ test_id }}}" version="1">
    <linux:evr datatype="evr_string" operation="{{{ evr_op }}}">{{{ evr }}}</linux:evr>
  </linux:dpkginfo_state>
  {{% endif %}}
{{% endif %}}
```

This part works with simple packages but always declares virtual packages as undeployed (logs included; look for the system-log-daemon string for relevant messages).
OpenSCAP version:

```
OpenSCAP command line tool (oscap) 1.3.7
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.25)
==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35
==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family OVAL object OpenSCAP probe
---------- ---------- ----------
independent environmentvariable probe_environmentvariable
independent environmentvariable58 probe_environmentvariable58
independent family probe_family
independent filehash probe_filehash (MD5, SHA-1)
independent filehash58 probe_filehash58 (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
independent sql probe_sql
independent sql57 probe_sql57
independent system_info probe_system_info
independent textfilecontent probe_textfilecontent
independent textfilecontent54 probe_textfilecontent54
independent variable probe_variable
independent xmlfilecontent probe_xmlfilecontent
independent yamlfilecontent probe_yamlfilecontent
linux dpkginfo probe_dpkginfo
linux iflisteners probe_iflisteners
linux inetlisteningservers probe_inetlisteningservers
linux partition probe_partition
linux rpminfo probe_rpminfo
linux rpmverify probe_rpmverify
linux rpmverifyfile probe_rpmverifyfile
linux rpmverifypackage probe_rpmverifypackage
linux selinuxboolean probe_selinuxboolean
linux selinuxsecuritycontext probe_selinuxsecuritycontext
linux systemdunitdependency probe_systemdunitdependency
linux systemdunitproperty probe_systemdunitproperty
unix dnscache probe_dnscache
unix file probe_file
unix fileextendedattribute probe_fileextendedattribute
unix interface probe_interface
unix password probe_password
unix process probe_process
unix process58 probe_process58
unix routingtable probe_routingtable
unix runlevel probe_runlevel
unix shadow probe_shadow
unix symlink probe_symlink
unix sysctl probe_sysctl
unix uname probe_uname
unix xinetd probe_xinetd
```
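
An added example, not part of the issue and not OpenSCAP or ComplianceAsCode code: one way a compliance check could resolve a virtual package such as system-log-daemon is to read dpkg status stanzas and report the installed packages that declare the name in their `Provides` field. The status text, version strings and function names below are constructed for illustration.

```python
# Added example: resolve a Debian virtual package through the Provides field.
# SAMPLE_STATUS is constructed data in the format of /var/lib/dpkg/status.
import re

SAMPLE_STATUS = """\
Package: rsyslog
Status: install ok installed
Version: 8.2302.0-1
Provides: linux-kernel-log-daemon, system-log-daemon

Package: syslog-ng-core
Status: deinstall ok config-files
Version: 3.38.1-5
Provides: linux-kernel-log-daemon, system-log-daemon

Package: example-tool
Status: install ok installed
Version: 1.0-1
Provides: example-virtual (= 1.0)
"""

def parse_stanzas(text):
    """Yield one dict per package stanza, joining continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def providers(name, status_text):
    """Return installed packages that are `name` or list it in Provides."""
    found = []
    for pkg in parse_stanzas(status_text):
        if pkg.get("Status", "").split()[-1:] != ["installed"]:
            continue  # skip removed packages that left config files behind
        provided = [re.sub(r"\s*\(.*?\)", "", p).strip()  # drop "(= 1.0)"
                    for p in pkg.get("Provides", "").split(",") if p.strip()]
        if name == pkg.get("Package") or name in provided:
            found.append(pkg["Package"])
    return sorted(found)

if __name__ == "__main__":
    print(providers("system-log-daemon", SAMPLE_STATUS))
```

On a real host the same function can be fed the contents of `/var/lib/dpkg/status`; an empty result for system-log-daemon means no installed package provides a syslog daemon.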