[Bug 2004476] Re: [SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects

Eduardo Barretto 2004476 at bugs.launchpad.net
Fri Feb 17 09:07:48 UTC 2023 

** Changed in: openscap (Ubuntu Trusty)
       Status: Confirmed => In Progress

** Changed in: openscap (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Description changed:

  [Impact]
  Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.
- 
- This SRU also includes the fix for [3]. The Ubuntu Security Team needs
- this fix to better provide support on ComplianceAsCode and Ubuntu
- Security Guide (USG [4])
  
  [Test Case]
  Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
  and non-OCI format.
  
  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.
  
  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libexpat1
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh
  
  Here is the output of the test, with current openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  Definition oval:com.ubuntu.jammy:def:100: true
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
  
  and the output of the test, with patched openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Definition oval:com.ubuntu.jammy:def:100: true
  Evaluation done.
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Evaluation done.
  
- For the ComplianceAsCode, here is some instructions how to test it:
- $ git clone https://github.com/ComplianceAsCode/content
- $ cd content
- $ ./build_product -j4 ubuntu1604 -o'5.11'
- 
- You will probably need to install some packages to make it, for more information please check documentation for accurate version:
- $ sudo apt-get install -y cmake make expat libopenscap8 libxml2-utils ninja-build python3-jinja2 python3-yaml xsltproc shellcheck ninja-build yamllint ansible-lint build-essential
- 
- 
  [Where problems could occur]
  
- The first patch touch the comparison algorithm, so any regressions that
- it might have, might impact the comparison and scanning results. The
- second patch allows the build of USG/ComplianceAsCode for other
- platforms, which currently isn't possible.
+ The patch touches the comparison algorithm, so any regressions that it
+ might have, might impact the comparison and scanning results.
  
  [Other Info]
  
- Both issues affect all releases from Bionic to Kinetic.
- The epoch issue affects also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.
+ The epoch issue affects all releases from Bionic to Kinetic, and it also
+ Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.
  
  The versioning algorithm implemented is based on dpkg's algorithm.
  
  Upstream accepted and merged the Debian epoch fix to its maint-1.3
- branch and it already made into 1.3.7 version [5]
+ branch and it already made into 1.3.7 version [3]
  
  [1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
  [2] https://github.com/OpenSCAP/openscap/pull/1901
- [3] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551
- [4] https://launchpad.net/usg
- [5] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7
+ [3] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2004476

Title:
  [SRU] Allow openscap to be less strict about epoch digit and able to
  build security certification projects

Status in openscap package in Ubuntu:
  Confirmed
Status in openscap source package in Trusty:
  In Progress
Status in openscap source package in Xenial:
  In Progress
Status in openscap source package in Bionic:
  In Progress
Status in openscap source package in Focal:
  In Progress
Status in openscap source package in Jammy:
  In Progress
Status in openscap source package in Kinetic:
  In Progress

Bug description:
  [Impact]
  Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.

  [Test Case]
  Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
  and non-OCI format.

  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.

  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libexpat1
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh

  Here is the output of the test, with current openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  Definition oval:com.ubuntu.jammy:def:100: true
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]

  and the output of the test, with patched openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Definition oval:com.ubuntu.jammy:def:100: true
  Evaluation done.
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Evaluation done.

  [Where problems could occur]

  The patch touches the comparison algorithm, so any regressions that it
  might have, might impact the comparison and scanning results.

  [Other Info]

  The epoch issue affects all releases from Bionic to Kinetic, and it
  also Trusty ESM and Xenial ESM and we will be handling those in the
  ESM PPAs.

  The versioning algorithm implemented is based on dpkg's algorithm.

  Upstream accepted and merged the Debian epoch fix to its maint-1.3
  branch and it already made into 1.3.7 version [3]

  [1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
  [2] https://github.com/OpenSCAP/openscap/pull/1901
  [3] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions

More information about the Ubuntu-sponsors mailing list