Description
Description of Problem:
When adding SCE support in ComplianceAsCode, @yuumasato noticed that the final datastream has a non-compliant <check-import> element with a non-empty body (see linked comment). This appears to be caused by oscap xccdf resolve during the build stage.
ubuntu2004/xccdf-unlinked-resolved-xsltproc.xml:5798: <check-import import-name="stdout"/>
ubuntu2004/xccdf-unlinked-resolved.xml:9725: <check-import import-name="stdout">
ubuntu2004/xccdf-unlinked-resolved.xml:9726: </check-import>
The latter file is generated from the former during the build (with the modifications noted in the above comment):
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved-xsltproc.xml"
OpenSCAP Version:
We've observed this on both 1.2.17 and 1.3.x, I believe.
Operating System & Version:
Ubuntu 21.04 + whatever @yuumasato runs :-)
Steps to Reproduce:
- Pull Add SCE Support to build system ComplianceAsCode/content#7075.
- Build with -DSSG_SCE_ENABLED=ON. :-)
- (Maybe also modify the xsltproc step to write to a separate file so oscap can be tested & debugged.)
Actual Results:
Notice that ubuntu2004/shorthand.xml has a self-closed <check-import/> element, whereas ubuntu2004/xccdf-unlinked-resolved.xml has a <check-import> element with a non-empty body.
Expected Results:
<check-import /> should remain self-closed.
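A quick way to spot the symptom above in any resolved XCCDF file, as an added example that is not part of this issue or of OpenSCAP: parse the document and list every <check-import> whose body is not empty (text, including the whitespace the resolver emitted, or child elements). The XCCDF 1.2 namespace and the sample document are assumptions for illustration.

```python
"""List XCCDF <check-import> elements that carry a non-empty body.

Added example, not OpenSCAP or ComplianceAsCode code. The sample
document below is constructed to mirror the two files quoted in the
report: one self-closed element and one with a whitespace body.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # assumed namespace

SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_sample">
  <Rule id="xccdf_org.example_rule_ok">
    <check system="http://open-scap.org/page/SCE">
      <check-import import-name="stdout"/>
      <check-content-ref href="ok.sh"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_bad">
    <check system="http://open-scap.org/page/SCE">
      <check-import import-name="stdout">
      </check-import>
      <check-content-ref href="bad.sh"/>
    </check>
  </Rule>
</Benchmark>
"""


def find_nonempty_check_imports(xml_text: str):
    """Return (rule_id, import_name) for each check-import with a body.

    Any text (whitespace counts, since the resolver output in the report
    puts the closing tag on its own line) or any child element counts.
    """
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    offenders = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        for ci in rule.findall(".//x:check-import", ns):
            if bool(ci.text) or len(ci) > 0:
                offenders.append((rule.get("id"), ci.get("import-name")))
    return offenders


if __name__ == "__main__":
    for rule_id, name in find_nonempty_check_imports(SAMPLE_XCCDF):
        print(f"{rule_id}: <check-import import-name={name!r}> has a non-empty body")
```

Feed a real file by replacing SAMPLE_XCCDF with the file contents; an empty result means every check-import is self-closed as expected.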
Additional Information / Debugging Steps:
I wonder if the content copy needs to be conditional on something?
https://github.com/openscap/openscap/blob/master/src/XCCDF/rule.c#L629