[Open-scap] Noticed path construction problem with XCCDF's generate custom --stylesheet Option

Sun Nov 4 09:40:12 UTC 2012

On 11/02/2012 09:24 PM, Maura Dailey wrote:
> In the recent openscap-0.9.1 release, the XCCDF custom option that let
> you specify your own XSL stylesheets is broken. I just confirmed it
> today in the git repository as well. I haven't tracked exactly when the
> problem cropped up, but in the oscap_apply_xslt_path function, the
> contents of the path specified with the --stylesheet option are incorrectly
> appended to the compile time configured XSL directory. On RHEL 6, that
> defaults to /usr/share/openscap/xsl/.
> 
> 
> The command I have used successfully in the past, as part of the RHEL6
> scap-security-guide project, is:
> $ oscap xccdf generate custom --stylesheet
> /home/maura/myxsls/transform.xsl --profile allrules
> scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml > somehtml.html
> 
> 
> Now I get the following error messages:
> 
> (When I use the openscap-0.9.1 rpm provided by EPEL):
> OpenSCAP Error:: XSLT file '/home/maura/myxsls/transform.xsl' not found
> in path '/usr/share/openscap/xsl' when trying to transformation
> 'scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml' [oscapxml.c:329]
> 
> This looks in an actual folder that was probably specified at compile time.
> 
> 
> (When I use a fresh git checkout configured with the prefix /home/maura):
> OpenSCAP Error:: XSLT file '/home/maura/myxsls/transform.xsl' not found
> in path '/home/maura/share/openscap/xsl' when trying to transformation
> 'scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml' [oscapxml.c:337]
> 
> Same story, different compile time path.
> 
> 
> For testing purposes, I actually copied the entire xsl directory that is
> installed by OpenSCAP and normally used by default when the generate
> guide option is specified. The only change I made was to rename
> security-guide.xsl to transform.xsl. The behavior in a previous release
> was to take either a relative or absolute path to an XSL file that it
> would then attempt to apply. This exact same command did create a
> property formatted HTML file a few weeks ago. It only broke when our
> systems got upgraded to the latest release.
> 
> I haven't had the time to trace back exactly how much of the code makes
> this fundamental assumption about file paths or figure out where to
> insert branches that could catch the use of the stylesheet option and
> react accordingly, but the line "char * xsltpath =
> oscap_sprintf("%s%s%s", path_to, "/", xsltfile);" seems to indicate that
> there is an assumption that XSL files will always be in compile time
> configured paths (the function oscap_apply_xslt_path is always called
> with path_to set to either OSCAP_XSLT_PATH or OSCAP_SCHEMA_PATH).
> 
> - Maura Dailey
> 

It is valid bug. I have created ticket #263 for this. -- As I believe,
we could have it fixed in next release.

Thank You for report and sorry for troubles.

-- 
Simon Lukasik
Security Technologies