SCAP Workbench does not support nameless multi-check rules #242
Description
Problem: When a rule with multi-check is evaluated, only the last result of checks is disaplyed and all other check results are ignored. Also, the rule is displayed only once in SCAP Workbench window. Moreover, there is no information displayed to the user that the rule consists of multiple checks. This is against XCCDF 1.2 specification Section 7.2.3.5.2, which states:
if an xccdf:check element leads to the execution of
multiple checks (i.e., an xccdf:check-content-ref that lacks a @name attribute is used) and
the @multi-check attribute is set to true, each check executed MUST be reported separately.
In practice, this problem happens when evaluating rule "Security patches are up-to-date" in SCAP 1.3 content. The rule results displayed in SCAP Workbench are wrong, because it displays results for the last vulnerability in the CVE list and it doesn't even show which one.
We have discovered this problem in Workbench when we were working on improving the standard output of OpenSCAP and HTML report for these types of rules - see https://bugzilla.redhat.com/show_bug.cgi?id=1771438 and OpenSCAP/openscap#1426
I think the implementation of this feature in Workbench will not trivial.
Currently, SCAP Workbench first obtains a list of XCCDF rules and displays them in the main window (libopenscap API is used to get the list). During the evaluation it updates the result column based on parsing of oscap stdout. oscap is running in --progress mode.
My proposal is:
- create a new API function in OpenSCAP library which will fetch rules including the used checks
- change
--progressoutput ofopenscapto show also check ID (OVAL ID) to distinguish between results of the same rule ID. Optionally create a new output format ofoscapif change of--progressoutput format would break something. - change SCAP Workbench to use the previous 2 points.