[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Thu Oct 20 15:38:01 UTC 2016


Hi,

You are right, if the test had "negate", it would be false. So, openscap
will not show it as a vulnerability. I do not understand why the py script
does not print the "negate" string.

Also, why create a test that always returns false?

Is this list the proper site to talk about the oval files of Ubuntu?

Right now, these oval files are totally useless due to this issue.

Thanks.
Regards.


On Thu, Oct 20, 2016 at 4:03 PM, Seth Arnold <seth.arnold at canonical.com>
wrote:

> On Thu, Oct 20, 2016 at 12:48:04PM +0200, Jesus Linares wrote:
> > The oval is checking if I have installed tomcat 6 or 7. It is not installed
> > in my system, but the check returns always *true*. It is due to the
> > attribute *check_existence="any_exist" (*
>
> > Is it a bug?
>
> I don't know the OVAL format well, but this does look like a bug:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py
>
> Search for 'negate' in the code base and I think you'll agree that the
> only use of 'check_existence="any_exist"' is also supposed to add
> 'negate = "True"' to the conditions but that string doesn't appear in any
> of the precise, trusty, or xenial oval files.
>
> Any advice is appreciated.
>
> Thanks


-- 
*Jesus Linares*
*IT Security Engineer*
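
One way to audit an OVAL file for the condition discussed in this thread, as an added example that is not part of the original messages or of the ubuntu-cve-tracker scripts: it lists every criterion that references a test with check_existence="any_exist" and carries no net negate="true". The sample document, its oval:example:* ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

# Constructed sample, not taken from the Ubuntu OVAL files.
SAMPLE_OVAL = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability" version="1">
      <criteria>
        <criterion test_ref="oval:example:tst:1" comment="any_exist, no negate"/>
        <criterion test_ref="oval:example:tst:2" negate="true" comment="any_exist, negated"/>
        <criterion test_ref="oval:example:tst:3" comment="ordinary test"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux:dpkginfo_test id="oval:example:tst:1" check="all" check_existence="any_exist" version="1"/>
    <linux:dpkginfo_test id="oval:example:tst:2" check="all" check_existence="any_exist" version="1"/>
    <linux:dpkginfo_test id="oval:example:tst:3" check="at least one" check_existence="at_least_one_exists" version="1"/>
  </tests>
</oval_definitions>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def is_negated(elem):
    """OVAL 'negate' is an XML boolean and defaults to false."""
    return elem.get("negate", "false").strip().lower() in ("true", "1")

def walk(node, negated, def_id, any_exist, out):
    """Descend through nested <criteria>, tracking the net negation."""
    for child in node:
        flipped = negated ^ is_negated(child)
        if local(child.tag) == "criteria":
            walk(child, flipped, def_id, any_exist, out)
        elif (local(child.tag) == "criterion" and not flipped
              and child.get("test_ref") in any_exist):
            out.append((def_id, child.get("test_ref")))

def find_unnegated_any_exist(oval_xml):
    """Return (definition id, test id) pairs that are never negated."""
    root = ET.fromstring(oval_xml)
    any_exist = {e.get("id") for e in root.iter()
                 if local(e.tag).endswith("_test")
                 and e.get("check_existence") == "any_exist"}
    out = []
    for d in root.iter():
        if local(d.tag) == "definition":
            walk(d, False, d.get("id"), any_exist, out)
    return out
```
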