[Open-scap] XSLT 1.0 transformation for XCCDF 1.1 to 1.2 migration

Haynes, Dan dhaynes at mitre.org
Fri Mar 30 19:00:00 UTC 2012


As far as converting an SCAP 1.2 bundle to an SCAP 1.0 bundle, we have
created an XSLT that takes an SCAP 1.2 data stream file and breaks it into
its individual components.  Specifically, it will create a file for each
OVAL, XCCDF, OCIL, and CPE component, as well as an OVAL external variables
file for each XCCDF profile found.  The XSLT can be found at the following
link.

http://sourceforge.net/projects/ovalutils/files/xsl_transforms/xsl_transforms_v1.0/

I also ran across the following SourceForge.net project which creates a SCAP
1.2 data stream file from an SCAP 1.0 zip bundle which may be of interest to
some.  However, I haven't had an opportunity to try it out yet.

http://sourceforge.net/p/scap-ds-creator/code/5/tree/trunk/src/main/resources/

Hope this helps.

Thanks,

Danny

>-----Original Message-----
>From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-bounces at redhat.com] On Behalf Of Peter Vrabec
>Sent: Wednesday, March 21, 2012 8:31 AM
>To: open-scap-list at redhat.com; Jeffrey Blank
>Subject: Re: [Open-scap] XSLT 1.0 transformation for XCCDF 1.1 to 1.2 migration
>
>Hi,
>
>it seems it can handle scap-security guide too.
>
>$ xsltproc  --stringparam  reverse_DNS scap-security-guide ~/project/openscap/xsl/xccdf_1.1_to_1.2.xsl rhel6-xccdf-scap-security-guide.xml > rhel6-xccdf12-scap-security-guide.xml
>
>$ xmllint --noout  --schema ~/tmp/xccdf_1.2.xsd rhel6-xccdf12-scap-security-guide.xml
>/home/pvrabec/tmp/cpe-language_2.3.xsd:6: element import: Schemas parser
>warning : Element '{http://www.w3.org/2001/XMLSchema}import': Skipping
>import
>of schema located at 'http://www.w3.org/2001/xml.xsd' for the namespace
>'http://www.w3.org/XML/1998/namespace', since this namespace was already
>imported with the schema located at '/home/pvrabec/tmp/xml.xsd'.
>rhel6-xccdf12-scap-security-guide.xml validates
>
>Peter.
>
>---
>
>And now we need a transformation that can convert SCAP 1.0 Zip Bundle to SCAP
>1.2 Data Stream and vice versa. In XSLT 1.0! ;)
>
>
>
>
>On Wednesday, March 21, 2012 07:43:59 AM Martin Preisler wrote:
>> Hi,
>> even though there is an XSLT 2.0 transformation provided [1] it is
>> unsuitable for openscap because there are no lightweight XSLT 2.0
>> transformators in the open source world (Saxon requires Java which is too
>> heavy a dependency for us).
>>
>> Initially I tried to just port the provided transformation to XSLT 1.0
>> (getting rid of xsl:attribute @select and other 2.0-only bits). This proved
>> really hard to do as I had a lot of trouble following the flow of the
>> provided transformation. So I have decided to write a new transformation
>> from scratch instead.
>>
>> The result can be downloaded from the openscap git repository.
>>
>>
>> http://git.fedorahosted.org/git?p=openscap.git;a=blob_plain;f=xsl/xccdf_1.1_to_1.2.xsl
>>
>> Differences to the XSLT 2.0 transformation that I know of:
>> - deprecated elements that have been removed from XCCDF 1.2 are commented
>>   (surrounded by <!-- and -->) and a text saying that this element was
>>   removed from XCCDF 1.2 is added, instead of just moved to metadata
>> - there is no separate file to define the reverse DNS namespace in, it's
>>   passed as a parameter instead
>> - it doesn't touch xsi:schemaLocation attributes at all
>> - dangling/invalid references are migrated in a way that will fail XCCDF 1.2
>>   XSD validation (they will say 'dangling reference to $old_idref')
>>
>> Usage:
>> $ xsltproc --stringparam reverse_DNS YOUR_REVERSE_DNS_NAMESPACE
>> xccdf_1.1_to_1.2.xsl FILE_YOU_WANT_TO_MIGRATE > DESTINATION_FILE
>>
>> example:
>> $ xsltproc --stringparam reverse_DNS org.open-scap xccdf_1.1_to_1.2.xsl
>> ../dist/fedora/scap-fedora14-xccdf.xml > scap-fedora14-xccdf1.2.xml
>>
>> Hope this helps, I appreciate all comments!
>>
>> [1] http://making-security-measurable.1364806.n2.nabble.com/Converting-XCCDF-1-1-4-to-XCCDF-1-2-td7308782.html
>
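
A post-migration check for the points raised in the thread, as an added example that is not part of the original messages or of the openscap code base: it lists attributes carrying the 'dangling reference to' marker, ids that do not follow the XCCDF 1.2 `xccdf_<namespace>_<type>_<name>` shape for the reverse DNS namespace passed to the transformation, and XML comments left for review. The function name `audit` and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Marker the thread says the XSLT leaves in place of an unresolvable idref.
DANGLING = "dangling reference to"
# XCCDF 1.2 id shape: xccdf_<reverse-DNS namespace>_<type>_<name>
ID_RE = re.compile(r"^xccdf_([^_]+)_([a-z]+)_(.+)$")
ID_KINDS = {"Benchmark": "benchmark", "Profile": "profile", "Group": "group",
            "Rule": "rule", "Value": "value"}

# Constructed sample standing in for a migrated file (not real SSG content).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_base">
    <select idref="xccdf_org.example_rule_no_telnet" selected="true"/>
    <select idref="dangling reference to old_rule_42" selected="true"/>
  </Profile>
  <!-- constructed stand-in for an element the migration commented out -->
  <Rule id="xccdf_org.example_rule_no_telnet"/>
  <Rule id="legacy-rule-7"/>
</Benchmark>"""


def audit(xml_text, reverse_dns):
    """Return dangling references, non-conforming ids and comments to review."""
    # insert_comments keeps <!-- ... --> nodes, which ElementTree drops by default.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    report = {"dangling": [], "bad_ids": [], "comments": []}
    for el in root.iter():
        if el.tag is ET.Comment:
            report["comments"].append((el.text or "").strip())
            continue
        local = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        for name, value in el.attrib.items():
            if DANGLING in value:
                report["dangling"].append((local, name, value))
        kind = ID_KINDS.get(local)
        if kind and "id" in el.attrib:
            m = ID_RE.match(el.attrib["id"])
            if not m or m.group(1) != reverse_dns or m.group(2) != kind:
                report["bad_ids"].append((local, el.attrib["id"]))
    return report


if __name__ == "__main__":
    for key, items in audit(SAMPLE, "org.example").items():
        print(key, items)
```

Schema validation with xmllint, as shown in the thread, remains the authoritative check; this only points at where the flagged items sit.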