[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Wed Jul 5 13:19:07 UTC 2017


Hi,

finally I found the issue:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110

In that line there is an if-else. The *else* has the logic to add the
"negate" attribute, but the *if* doesn't have it.

It is necessary to replace lines 111 to 113 with:

    negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
    mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)


In this way, the scan reports 109 fails instead of 1750. Now, I'm going to
review these 109 fails.

Please, update the script ASAP.

Thanks.
Regards.


On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:

> Hi,
>
> I'm testing again the oval files for Xenial 16.04 (updated) and OpenSCAP
> reports 1750 *fails*... Something weird is happening. I will check out
> this issue again, but I would appreciate any help.
>
> Here an example:
>
>> <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20176919000"
>> version="1" check_existence="any_exist" check="all" comment="Returns
>> true whether or not the 'drupal7' package exists.">
>> <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
>> </linux-def:dpkginfo_test>
>> <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20076752000"
>> version="1" comment="The 'drupal7' package.">
>> <linux-def:name>drupal7</linux-def:name>
>> </linux-def:dpkginfo_object>
>
>
> If the check always returns true, it doesn't make sense...
>
> Thanks.
> Regards.
>
>
>
> On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
>
>> Hi,
>>
>> this is from the specific CVE: xenial_libapache-mod-jk: not-affected (1:
>> 1.2.40+svn150520-1)
>>
>> So, if it is not affected for xenial, the check should include the
>> "negate" in order to return that it is not a vulnerability, right?
>>
>> Regards.
>>
>>
>> On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com>
>> wrote:
>>
>>> On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
>>> > I think this test should have the "negate" due to the comment "While
>>> > related to the CVE in some way, the 'libapache-mod-jk' package in
>>> > xenial is not affected". So, maybe the input of the script is wrong?
>>> > Where is the input?
>>>
>>> The input is from the ubuntu-cve-tracker bzr tree;
>>>
>>> https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
>>>
>>> In the case of this specific CVE:
>>>
>>> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>>>
>>> Thanks
>>>
>>> --
>>> ubuntu-hardened mailing list
>>> ubuntu-hardened at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>>>
>>>
>>
>>
>> --
>> *Jesus Linares*
>> *IT Security Engineer*
>>
>>
>
>
> --
> *Jesus Linares*
> *IT Security Engineer*
>
>


-- 
*Jesus Linares*
*IT Security Engineer*
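The negate fix described at the top of this thread, shown as an added example that is not code from the ubuntu-cve-tracker script: it renders the single-test criterion with and without the negate attribute and evaluates it with minimal OVAL semantics, so the false positive for a "not-affected" package becomes visible. The test id, comment and scan result are constructed placeholders.

```python
# Added example, not code from ubuntu-cve-tracker's oval_lib.py. It renders the
# single-test <criterion/> the way the fix in this thread does and evaluates it
# with minimal OVAL criterion semantics, so the effect of a dropped negate
# attribute on a "not-affected" package is visible. Ids and results are
# constructed placeholders.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_criterion(test_ref, keep_negate=True):
    """Render one <criterion/> from a test_ref dict ({'id', 'comment', 'negate'}).
    keep_negate=False reproduces the buggy if-branch that dropped negate."""
    negation_attribute = ''
    if keep_negate and test_ref.get('negate'):
        negation_attribute = 'negate="true" '
    return '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
        test_ref['id'], escape(test_ref['comment']), negation_attribute)


def evaluate_criterion(criterion_xml, test_results):
    """OVAL criterion semantics: the referenced test's result, inverted when
    negate="true". test_results maps test id -> bool (True = test matched)."""
    elem = ET.fromstring(criterion_xml)
    result = test_results[elem.get('test_ref')]
    if elem.get('negate') == 'true':
        result = not result
    return result


# Constructed test_ref for a package the tracker marks not-affected: the test
# matches when the package is present, and negate turns "present" into
# "not vulnerable" for the enclosing definition.
NOT_AFFECTED_REF = {
    'id': 'oval:example:tst:1',  # placeholder id, not a real tracker id
    'comment': "The 'libapache-mod-jk' package in xenial is not affected.",
    'negate': True,
}
# Constructed scan result: the package is installed, so the dpkginfo test matched.
SCAN_RESULTS = {'oval:example:tst:1': True}


def definition_is_vulnerable(keep_negate):
    """True means the scanner would report the definition as a 'fail'."""
    crit = build_criterion(NOT_AFFECTED_REF, keep_negate)
    return evaluate_criterion(crit, SCAN_RESULTS)


if __name__ == '__main__':
    print('fixed script:', definition_is_vulnerable(True))   # False
    print('buggy script:', definition_is_vulnerable(False))  # True
```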