Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oscap-docker doesn't warn user about need of --fetch-remote-resources #713

Closed
yuumasato opened this issue Mar 24, 2017 · 3 comments
Closed

oscap-docker doesn't warn user about need of --fetch-remote-resources #713

yuumasato opened this issue Mar 24, 2017 · 3 comments
Assignees
@jan-cerny
Labels
oscap-docker
Milestone
1.2.15

Comments

@yuumasato
Copy link
Member

oscap-docker doesn't warn the user when remote resources are needed and '--fetch-remote-resources' was not provided.

How to reproduce:

  • scan a container image with a profile that fetches remote content, like pci-dss.
    sudo oscap-docker image 41a4953dbf95 xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results results.xml --report report.hml ssg-rhel7-ds.xml

Actual output:
No warnings, and rule security_patches_up_to_date is simply marked as notchecked.

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident   CCE-26895-3
Result  notchecked

Expected output:
Warning like the one oscap outputs:

WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
@yuumasato yuumasato mentioned this issue Mar 24, 2017
Merged
@yuumasato
Copy link
Member Author

Just found out that openscap-docker from openscap-utils-1.2.10 shows the warning but version openscap-utils-1.2.13 doesn't.

Output from version 1.2.10:

[root@rhel7_vm ~]# oscap-docker image 41a4953dbf95 xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results results.xml --report report.hml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xmlxccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.

@mpreisler mpreisler added this to the 1.2.15 milestone Mar 24, 2017
@jan-cerny jan-cerny self-assigned this Apr 4, 2017
@jan-cerny
Copy link
Member

I think that we moved this message from the stdout to stderr because we wanted that Workbench can cosume it and display it, because it reads stderr. On the other hand, oscap-docker prints out stderr only if scan failed. So we made it visible in Workbench while we hide it in oscap-docker 😬 😬

I suggest oscap-docker copying oscap stderr to its stderr.

jan-cerny added a commit to jan-cerny/openscap that referenced this issue Apr 4, 2017
@jan-cerny
Issue OpenSCAP#713: Copy stderr produced by oscap to stderr of oscap-…
d971c45 
…docker

This will enable to see all the issues reported by oscap,
eg. remote resources suggestion, and all the other warnings
that are produced by the oscap tool.
mpreisler added a commit that referenced this issue Apr 7, 2017
@mpreisler
Merge pull request #718 from jan-cerny/issue713
00f2480 
Issue #713: Copy stderr produced by oscap to stderr of oscap-docker
@jan-cerny
Copy link
Member

Fixed in #718

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jan-cerny jan-cerny

Labels
oscap-docker
Projects
None yet
Milestone
1.2.15
Development

No branches or pull requests
3 participants
@mpreisler @yuumasato @jan-cerny