tool report openscap not working

[AndreasDickow]

Setup Ubuntu22.04 LTS
Faraday 5.0.0
faraday-cli 2.1.1

[apt](https://www.server-world.info/en/command/html/apt.html) -y install libopenscap8 bzip2
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
bzip2 -d com.ubuntu.jammy.usn.oval.xml.bz2
oscap oval eval --results openscap_report.xml com.ubuntu.jammy.usn.oval.xml

now having a openscap .xml report I try to import it by using

faraday-cli tool report openscap_report.xml --plugin-id openscap

My faraday server responds with

EXCEPTION of type 'IndexError' occurred with message: list index out of range

the oscap result xml has the following layout

<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns="http://oval.mitre.org/XMLSchema/oval-results-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5 oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
    <oval:product_version>1.2.17</oval:product_version>
    <oval:schema_version>5.11.1</oval:schema_version>
    <oval:timestamp>2024-01-04T14:47:47</oval:timestamp>
    <terms_of_use xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">Copyright (C) 2024 Canonical LTD. All rights reserved. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License version 3 for more details. You should have received a copy of the GNU General Public License version 3 along with this program.  If not, see http://www.gnu.org/licenses/.</terms_of_use>
  </generator>
  <directives>
    <definition_true reported="true" content="full"/>
    <definition_false reported="true" content="full"/>
    <definition_unknown reported="true" content="full"/>
    <definition_error reported="true" content="full"/>
    <definition_not_evaluated reported="true" content="full"/>
    <definition_not_applicable reported="true" content="full"/>
  </directives>
  <oval_definitions xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
    <generator>
      <oval:product_name>Canonical USN OVAL Generator</oval:product_name>
      <oval:product_version>1</oval:product_version>
      <oval:schema_version>5.11.1</oval:schema_version>
      <oval:timestamp>2024-01-04T12:42:14</oval:timestamp>
      <terms_of_use xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">Copyright (C) 2024 Canonical LTD. All rights reserved. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License version 3 for more details. You should have received a copy of the GNU General Public License version 3 along with this program.  If not, see http://www.gnu.org/licenses/.</terms_of_use>
    </generator>
    <definitions>
      <definition id="oval:com.ubuntu.jammy:def:991000000" version="1" class="patch">
        <metadata>
          <title>LSN-0099-1 -- Kernel Live Patch Security Notice</title>
          <affected family="unix">
            <platform>Ubuntu 22.04 LTS</platform>
          </affected>
          <reference source="USN" ref_id="LSN-0099-1" ref_url="https://ubuntu.com/security/notices/LSN-0099-1"/>
          <reference source="CVE" ref_id="CVE-2023-42752" ref_url="https://ubuntu.com/security/CVE-2023-42752"/>
          <reference source="CVE" ref_id="CVE-2023-3777" ref_url="https://ubuntu.com/security/CVE-2023-3777"/>
          <reference source="CVE" ref_id="CVE-2023-3609" ref_url="https://ubuntu.com/security/CVE-2023-3609"/>
          <reference source="CVE" ref_id="CVE-2023-42753" ref_url="https://ubuntu.com/security/CVE-2023-42753"/>
          <reference source="CVE" ref_id="CVE-2023-4623" ref_url="https://ubuntu.com/security/CVE-2023-4623"/>
          <reference source="CVE" ref_id="CVE-2023-3567" ref_url="https://ubuntu.com/security/CVE-2023-3567"/>
          <reference source="CVE" ref_id="CVE-2023-40283" ref_url="https://ubuntu.com/security/CVE-2023-40283"/>
          <reference source="CVE" ref_id="CVE-2023-5197" ref_url="https://ubuntu.com/security/CVE-2023-5197"/>
          <reference source="CVE" ref_id="CVE-2023-3776" ref_url="https://ubuntu.com/security/CVE-2023-3776"/>
          <reference source="CVE" ref_id="CVE-2023-4622" ref_url="https://ubuntu.com/security/CVE-2023-4622"/>
          <reference source="CVE" ref_id="CVE-2023-4004" ref_url="https://ubuntu.com/security/CVE-2023-4004"/>
          <reference source="CVE" ref_id="CVE-2023-34319" ref_url="https://ubuntu.com/security/CVE-2023-34319"/>
          <reference source="CVE" ref_id="CVE-2022-3643" ref_url="https://ubuntu.com/security/CVE-2022-3643"/>
          <reference source="CVE" ref_id="CVE-2023-31436" ref_url="https://ubuntu.com/security/CVE-2023-31436"/>
          <description>...</description>
          <advisory xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" from="[email protected]">
                    <severity>High</severity>
                    <issued date="2023-11-28"/>
                    <cve href="https://ubuntu.com/security/CVE-2023-42752" priority="high" public="20231013" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" cvss_severity="medium" usns="6439-1,6440-1,6441-1,6442-1,6443-1,6444-1,6445-1,6446-1,6440-2,6439-2,6441-2,6444-2,6445-2,6446-2,6440-3,6446-3,6441-3,6460-1,6466-1">CVE-2023-42752</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-3777" priority="high" public="20230803" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6315-1,6316-1,6318-1,6321-1,6325-1,6328-1,6330-1,6332-1,6348-1,6385-1">CVE-2023-3777</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-3609" priority="high" public="20230721" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6285-1,6315-1,6317-1,6318-1,6321-1,6324-1,6325-1,6328-1,6329-1,6330-1,6331-1,6332-1,6346-1,6348-1,6357-1,6385-1,6397-1">CVE-2023-3609</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-42753" priority="high" public="20230925" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6415-1,6439-1,6440-1,6441-1,6442-1,6444-1,6445-1,6446-1,6440-2,6439-2,6441-2,6444-2,6445-2,6446-2,6440-3,6446-3,6441-3,6466-1">CVE-2023-42753</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-4623" priority="high" public="20230906" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6415-1,6439-1,6440-1,6441-1,6442-1,6444-1,6445-1,6446-1,6440-2,6439-2,6441-2,6444-2,6445-2,6446-2,6440-3,6446-3,6441-3,6460-1,6466-1">CVE-2023-4623</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-3567" priority="high" public="20230724" cvss_score="7.1" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" cvss_severity="high" usns="6309-1,6327-1,6341-1">CVE-2023-3567</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-40283" priority="high" public="20230814" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6343-1,6383-1,6385-1,6386-1,6387-1,6388-1,6396-1,6387-2,6386-2,6386-3,6396-2,6396-3,6466-1">CVE-2023-40283</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-5197" priority="medium" public="20230927" cvss_score="6.6" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H" cvss_severity="medium" usns="6443-1,6444-1,6445-1,6446-1,6444-2,6445-2,6446-2,6446-3,6454-1,6454-2,6466-1,6454-3,6454-4,6479-1">CVE-2023-5197</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-3776" priority="high" public="20230721" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6285-1,6309-1,6315-1,6317-1,6318-1,6321-1,6324-1,6325-1,6327-1,6328-1,6329-1,6330-1,6331-1,6332-1,6341-1,6342-1,6346-1,6348-1,6342-2,6357-1,6385-1,6397-1">CVE-2023-3776</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-4622" priority="high" public="20230906" cvss_score="7.0" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6415-1,6439-1,6440-1,6441-1,6442-1,6444-1,6445-1,6446-1,6440-2,6439-2,6441-2,6444-2,6445-2,6446-2,6440-3,6446-3,6441-3,6466-1">CVE-2023-4622</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-4004" priority="high" public="20230731" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6315-1,6316-1,6318-1,6321-1,6325-1,6328-1,6330-1,6332-1,6348-1,6385-1,6442-1">CVE-2023-4004</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-34319" priority="medium" public="20230809" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6343-1,6439-1,6440-1,6441-1,6442-1,6444-1,6445-1,6446-1,6440-2,6439-2,6441-2,6444-2,6445-2,6446-2,6440-3,6446-3,6441-3,6466-1">CVE-2023-34319</cve>
                    <cve href="https://ubuntu.com/security/CVE-2022-3643" priority="medium" public="20221207" cvss_score="6.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H" cvss_severity="medium" usns="5794-1,5802-1,5803-1,5804-1,5804-2,5808-1,5813-1,5814-1,5829-1,5830-1,5831-1,5832-1,5860-1,5861-1,5863-1,5875-1,5877-1,5879-1,5918-1">CVE-2022-3643</cve>
                    <cve href="https://ubuntu.com/security/CVE-2023-31436" priority="high" public="20230428" cvss_score="7.8" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" cvss_severity="high" usns="6127-1,6130-1,6131-1,6132-1,6135-1,6149-1,6150-1,6162-1,6173-1,6175-1,6186-1,6222-1,6256-1,6385-1,6460-1">CVE-2023-31436</cve>
                    
                </advisory>
        </metadata>
        <criteria>
          <extend_definition definition_ref="oval:com.ubuntu.jammy:def:100" applicability_check="true" comment="Ubuntu 22.04 LTS (jammy) is installed."/>
          <criteria operator="OR">
            <criteria>
              <criterion test_ref="oval:com.ubuntu.jammy:tst:9910000001" comment="Long Term Support"/>
              <criterion test_ref="oval:com.ubuntu.jammy:tst:9910000000" comment="Long Term Support"/>
            </criteria>
          </criteria>
        </criteria>
      </definition>
...

[ezk06eer]

Hi @AndreasDickow thanks for reporting this, we will correct the plugin and let you know.