
regex error in sysctl template

Open a-skr opened this issue 1 year ago • 0 comments

Description of problem:

The regex in macro sysctl_match from sysctl template captures whitespace too. This leads to errors like:

I: oscap:         Item '1012276' compared to state 'oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1' with result error. [oscap(1227):oscap(7f3bb5679b80):oval_resultTest.c:682:eval_item]
W: oscap:         Conversion of the string "1  " to an integer (64 bits) failed: Invalid argument [oscap(1227):oscap(7f3bb5679b80):oval_cmp.c:114:oval_str_cmp_str]

Therefore, the oval criterion evals to error.

The regexp ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ should be replaced with ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\S*)[\s]*$

SCAP Security Guide Version:

current/master (commit 51001b136de16a993db42e591b449ab3431661b9)

Operating System Version:

tested on debian 12, with openscap version 3.7.4.

Steps to Reproduce:

  1. Edit /etc/sysctl.conf, and add net.ipv6.conf.all.disable_ipv6 = 1 (note the trailing whitespace).
  2. Run any rule that uses the sysctl template (for example xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr)

Actual Results:

oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1 will evaluate to error.

Expected Results:

oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1 shall evaluate to true.

Other potential bug

I don't know if this is the intended behaviour, but when the previous oval condition evaluates to error, the rule still evaluates to pass or fail in the html report. Shouldn't the rule evaluate to error too?

I think there is something worrisome here: how can a rule evaluate to pass or fail when the tests on which it is based are bugged?
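The following is an added example, not code from the issue or from the SCAP Security Guide project. It reproduces the two regexes from the report in Python, runs them over a constructed sysctl.conf fragment with a trailing-whitespace line, and emulates oscap's strict string-to-integer comparison (the `oval_result` helper and the strict-integer check are this example's own approximation, not oscap's code). Substituting `{{{ SYSCTLVAR }}}` with a `re.escape`d variable name is an assumption about how the template is rendered. It also goes one step beyond the report: a multi-valued setting such as `ip_local_port_range` shows that the proposed `(\S*)` capture stops matching values that contain internal whitespace, which is worth checking before changing the template.

```python
import re

# Capture groups from the issue: the original one and the proposed replacement.
OLD_CAPTURE = r"(.*)"
NEW_CAPTURE = r"(\S*)"


def sysctl_pattern(sysctlvar: str, capture: str) -> re.Pattern:
    """Build the sysctl_match regex ^[\\s]*{{{ SYSCTLVAR }}}[\\s]*=[\\s]*<capture>[\\s]*$
    with {{{ SYSCTLVAR }}} replaced by the escaped variable name (assumed rendering)."""
    return re.compile(
        r"^[\s]*" + re.escape(sysctlvar) + r"[\s]*=[\s]*" + capture + r"[\s]*$",
        re.MULTILINE,
    )


def extract_value(conf_text: str, sysctlvar: str, capture: str):
    """Return the captured value for the first line that sets sysctlvar, or None."""
    match = sysctl_pattern(sysctlvar, capture).search(conf_text)
    return match.group(1) if match else None


def oval_result(captured, expected: int) -> str:
    """Emulate an OVAL integer comparison: 'true'/'false' on a clean integer,
    'error' when the captured string is not a bare integer (e.g. '1  ')."""
    # Python's int() would silently strip whitespace, so be strict on purpose.
    if captured is None or re.fullmatch(r"-?\d+", captured) is None:
        return "error"
    return "true" if int(captured) == expected else "false"


# Constructed sample of /etc/sysctl.conf; the first setting carries two trailing spaces.
SAMPLE_CONF = (
    "# constructed sample\n"
    "net.ipv6.conf.all.disable_ipv6 = 1  \n"
    "net.ipv4.ip_forward=0\n"
    "net.ipv4.ip_local_port_range = 32768 60999\n"
)


def demo() -> dict:
    """Run both captures over the sample and collect what oscap would see."""
    var = "net.ipv6.conf.all.disable_ipv6"
    old = extract_value(SAMPLE_CONF, var, OLD_CAPTURE)
    new = extract_value(SAMPLE_CONF, var, NEW_CAPTURE)
    return {
        "old_capture": old,                       # '1  ' -> integer conversion fails
        "old_result": oval_result(old, 1),        # 'error', as in the report
        "new_capture": new,                       # '1'
        "new_result": oval_result(new, 1),        # 'true'
        # Caveat: a value with internal whitespace no longer matches with (\S*).
        "range_old": extract_value(SAMPLE_CONF, "net.ipv4.ip_local_port_range", OLD_CAPTURE),
        "range_new": extract_value(SAMPLE_CONF, "net.ipv4.ip_local_port_range", NEW_CAPTURE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the original capture handing `'1  '` to the integer comparison (result `error`) while the proposed capture yields `'1'` (result `true`); the last two entries show that `(\S*)` returns `None` for the multi-valued port range, so a capture such as `(.*\S)` or trimming in the comparison step may be preferable if multi-valued sysctls are checked with the same template.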

fix

Fix is available as part of pull request #12084

a-skr avatar Jun 20 '24 13:06 a-skr