[Bug 2004476] Re: Allow openscap to be less strict about epoch digit and able to build security certification projects

Wed Feb 1 17:50:42 UTC 2023

** Patch added: "openscap_1.2.15-1ubuntu0.4.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+attachment/5644306/+files/openscap_1.2.15-1ubuntu0.4.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2004476

Title:
  Allow openscap to be less strict about epoch digit and able to build
  security certification projects

Status in openscap package in Ubuntu:
  New
Status in openscap source package in Trusty:
  New
Status in openscap source package in Xenial:
  New
Status in openscap source package in Bionic:
  New
Status in openscap source package in Focal:
  New
Status in openscap source package in Jammy:
  New
Status in openscap source package in Kinetic:
  New

Bug description:
  [Impact]
  Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.

  This SRU also includes the fix for [3]. The Ubuntu Security Team needs
  this fix to better provide support on ComplianceAsCode and Ubuntu
  Security Guide (USG [4])

  [Test Case]
  Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
  and non-OCI format.

  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.

  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libexpat1
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh

  Here is the output of the test, with current openscap in jammy:
  $ ./run.sh 
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  Definition oval:com.ubuntu.jammy:def:100: true
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]

  and the output of the test, with patched openscap in jammy:
  $ ./run.sh 
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Definition oval:com.ubuntu.jammy:def:100: true
  Evaluation done.
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Evaluation done.

  [Where problems could occur]

  The first patch touch the comparison algorithm, so any regressions
  that it might have, might impact the comparison and scanning results.
  The second patch allows the build of USG/ComplianceAsCode for other
  platforms, which currently isn't possible.

  [Other Info]

  Both issues affect all releases from Bionic to Kinetic.
  The epoch issue affects also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.

  The versioning algorithm implemented is based on dpkg's algorithm.

  Upstream accepted and merged the Debian epoch fix to its maint-1.3
  branch and it already made into 1.3.7 version [5]

  [1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
  [2] https://github.com/OpenSCAP/openscap/pull/1901
  [3] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551
  [4] https://launchpad.net/usg
  [5] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions