
HTML Report should show each skipped rule

Open maage opened this issue 2 years ago • 0 comments

Description of Feature request:

HTML Report should show each skipped rule.

This is from a workflow where there is an initial policy with a list of enabled and disabled rules. Enabled meaning we want this and disabled meaning we do not want this. And then when running oscap xccdf eval, skip any rules where there is some regression, for example:

  • running rule takes too long and I have other / better methods to handle the same intent
  • rule implementation does not work right
  • rule is right but distribution packages have regressions and there is no possibility to fix them
  • rule is right but there is no safe way to mitigate for now and distribution package needs new features

And for those I use the --skip-rule feature.

It would be nice to see what rules I have skipped.

For any regression-style situation it would be better to have a category "unrated". The rule is evaluated, but it is not rated in the results if it failed.

OpenSCAP Version:

openscap-scanner-1.3.6-5.fc36.x86_64

Operating System & Version:

Fedora 36

Steps to Reproduce:

  1. Run oscap xccdf eval ... --results-arf ssg-results-arf.xml --skip-rule xccdf_org.ssgproject.content_rule_rpm_verify_hashes ...
  2. Run oscap xccdf generate report --output ssg-results.html ssg-results-arf.xml

Actual Results:

In ssg-results-arf.xml there is:

    <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" role="full" time="..." severity="high" weight="1.000000">
      <result>notselected</result>
    </rule-result>

But there is nothing in ssg-results.html about xccdf_org.ssgproject.content_rule_rpm_verify_hashes.

Expected Results:

In the HTML report it should be possible to see these rules by enabling the "notselected" tickbox in the "Rule Overview" section, default off.

maage, Jun 18 '22 07:06
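Until the HTML report lists them, the skipped rules can be read from the results file directly. The following is an added example, not part of the issue or of OpenSCAP: it parses the `rule-result` elements shown above and reports the recorded result for each ID that was passed to `--skip-rule`. The function names and the sample document are constructed for illustration, and it assumes that `notselected` is also recorded for rules the profile itself disables, so the skip list has to be supplied to tell the two apart.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed XCCDF 1.2 TestResult as it would sit inside an ARF file.
SAMPLE = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_constructed">
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" role="full" severity="high" weight="1.000000">
    <result>notselected</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_constructed_pass" role="full" severity="low" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_constructed_off" role="full" severity="low" weight="1.000000">
    <result>notselected</result>
  </rule-result>
</TestResult>"""


def local(tag):
    """Strip the XML namespace so plain XCCDF and ARF-wrapped results are read alike."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Map each rule-result idref to the text of its <result> child."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "rule-result":
            continue
        res = next((c.text.strip() for c in el
                    if local(c.tag) == "result" and c.text), None)
        out[el.get("idref")] = res
    return out


def skipped_report(xml_text, skipped_ids):
    """For each ID given to --skip-rule, return its recorded result (None if absent)."""
    results = rule_results(xml_text)
    return {rid: results.get(rid) for rid in skipped_ids}


def notselected(xml_text):
    """All rules recorded as notselected, whether skipped or disabled by the profile."""
    return sorted(r for r, v in rule_results(xml_text).items() if v == "notselected")


if __name__ == "__main__":
    skipped = ["xccdf_org.ssgproject.content_rule_rpm_verify_hashes"]
    for rid, res in skipped_report(SAMPLE, skipped).items():
        print(rid, res)
```

To run it against a real scan, read `ssg-results-arf.xml` into a string and pass it in place of `SAMPLE`, together with the same rule IDs that were given to `--skip-rule`.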