Behavior of non existent objects definition 538 bug?

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Edit: [a-z]? instead of [a-z]

 

---

From: Stull, Brian
Sent: Thursday, November 05, 2009 12:44 PM
To: 'OVAL Developer List (Closed Public Discussion)'
Subject: Behavior of non existent objects definition 538 bug?

 

I’ve noticed something with oval definition 538.

 

What is the behavior of a test and the definition the test is running in if a certain object doesn’t exist, and the object must exist in order for the check to happen? Maybe this is a bug with this particular definition or I am missing something.

 

On my system definition (XP) 538 evaluates to say vulnerable, which I do not believe is the case. Flash9.ocx doesn’t exist anymore, and is replaced by Flash9c.ocx. Because Flash9.ocx doesn’t exist on my system, the test evaluates to 0, but gets negated to be 1 which then makes the definition think that my machine is vulnerable. My Flash9c.ocx version is 9.0.45.0 which is well over 9.0.16.0. Maybe this check should be modified to check for Objects Flash9[a-z].ocx instead of just Flash9.ocx.

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Hi Brian,

If an OVAL definition contains a test that references an object that does not exist (i.e. no items were found for that object) the object will receive a flag value of "does not exist".  However, the result of the test will depend on the value specified by the check_existence attribute.  If the check_existence attribute is equal to "none_exist" or "any_exist" the test will evaluate to "true".  If the check_existence attribute is equal to "only_one_exists", "at_least_one_exists", or "all_exist" the test will evaluate to "false".  For more information on the values of the check_existence attribute please see the xsd:simpleType name="ExistenceEnumeration" in the oval-common-schema which can be found at http://oval.mitre.org/language/download/schema/version5.6/ovaldefinition/complete/oval-common-schema.xsd.  Please let me know if you have any other questions.

Thanks,

Danny

________________________________________
From: Stull, Brian [[hidden email]]
Sent: Thursday, November 05, 2009 12:46 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Behavior of non existent objects definition 538 bug?

Edit: [a-z]? instead of [a-z]

________________________________
From: Stull, Brian
Sent: Thursday, November 05, 2009 12:44 PM
To: 'OVAL Developer List (Closed Public Discussion)'
Subject: Behavior of non existent objects definition 538 bug?

I’ve noticed something with oval definition 538.

What is the behavior of a test and the definition the test is running in if a certain object doesn’t exist, and the object must exist in order for the check to happen? Maybe this is a bug with this particular definition or I am missing something.

On my system definition (XP) 538 evaluates to say vulnerable, which I do not believe is the case. Flash9.ocx doesn’t exist anymore, and is replaced by Flash9c.ocx. Because Flash9.ocx doesn’t exist on my system, the test evaluates to 0, but gets negated to be 1 which then makes the definition think that my machine is vulnerable. My Flash9c.ocx version is 9.0.45.0 which is well over 9.0.16.0. Maybe this check should be modified to check for Objects Flash9[a-z].ocx instead of just Flash9.ocx.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].