I'm using the compiled datastream SCAP content for Red Hat security advisories (https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-RHEL7.ds.xml). From what I can tell, most of the checks are testing if a package version indicates whether or not it's already patched. Most of these are via the OVAL rpminfo_test. What I don't understand is how it actually works; i.e.:

<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675005" version="601">
  <red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
  <red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>

Somehow this test passes even if I don't have the java-1.7.0-openjdk package installed. Shouldn't it be false in that case since the "at least one" check wouldn't be satisfied? I understand why you would want it to be true; so that your tests would pass if not applicable and pass/fail based on version if it was, but it seems to me you would need to implement that via a more complicated condition involving both a test for existence and a test for version info. I just don't see how the single rpminfo_test achieves that and passes in this case.

----------
Chuck Atkins
Staff R&D Engineer, Scientific Computing
Kitware, Inc.
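An added example (not part of the list post, and not OpenSCAP code) that walks through how an OVAL evaluator scores the quoted rpminfo_test: the existence check is decided before any state comparison, so with no matching package the test itself evaluates to false, and a false "patch" definition is what XCCDF reports as a pass. The check_existence default and the XCCDF result mapping are assumptions taken from the OVAL and XCCDF specifications; the EVR comparison is a simplified stand-in for rpmvercmp, and all installed-package data is constructed.

```python
import re
# Constructed from the quoted rpminfo_test; check_existence is absent there, so OVAL's default is assumed.
TEST = {
    "id": "oval:com.redhat.rhsa:tst:20140675005",
    "check_existence": "at_least_one_exists",
    "check": "at least one",
    "object_name": "java-1.7.0-openjdk",
    "state_evr": "1:1.7.0.55-2.4.7.2.el7_0",   # state operation: "less than"
}

def _segments(s):
    # "2.4.7.2.el7_0" -> [2, 4, 7, 2, "el", 7, 0]; numeric runs compare as integers.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-zA-Z]+", s)]

def _cmp_part(a, b):
    # Simplified rpmvercmp: segment by segment, numeric segments outrank alphabetic ones.
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    # "1:1.7.0.55-2.4.7.2.el7_0" -> ("1", "1.7.0.55", "2.4.7.2.el7_0"); no epoch means 0.
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release

def evr_cmp(a, b):
    # Negative if a is an older EVR than b, zero if equal, positive if newer.
    for x, y in zip(split_evr(a), split_evr(b)):
        c = _cmp_part(x, y)
        if c:
            return c
    return 0

def evaluate_rpminfo_test(test, installed):
    # installed: {package name: EVR}. Existence is decided before the state is compared.
    items = [evr for name, evr in installed.items() if name == test["object_name"]]
    if test["check_existence"] == "at_least_one_exists" and not items:
        return "false"  # nothing collected: the test is false, not skipped
    matches = [evr_cmp(evr, test["state_evr"]) < 0 for evr in items]  # "less than"
    return "true" if any(matches) else "false"  # check="at least one"

def xccdf_result(definition_result):  # assumed mapping for a class="patch" definition
    return "fail" if definition_result == "true" else "pass"
```

Run against an empty package set, the test is false, the advisory definition built on it is false, and the XCCDF rule shows pass, which is what the post observes.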
_______________________________________________ Open-scap-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/open-scap-list
