Posted to cvs@httpd.apache.org by mj...@apache.org on 2007/02/26 11:53:09 UTC
svn commit: r511780 [3/3] - in /httpd/site/trunk: build.xml
docs/security/vulnerabilities-oval.xml xdocs/stylesheets/httpd-oval.xsl
Added: httpd/site/trunk/xdocs/stylesheets/httpd-oval.xsl
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/stylesheets/httpd-oval.xsl?view=auto&rev=511780
==============================================================================
--- httpd/site/trunk/xdocs/stylesheets/httpd-oval.xsl (added)
+++ httpd/site/trunk/xdocs/stylesheets/httpd-oval.xsl Mon Feb 26 02:53:08 2007
@@ -0,0 +1,372 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Transform vulnerabilities-httpd.xml into OVAL -->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" version="2.0">
+ <xsl:output method="text"/>
+ <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" name="xml"/>
+ <!--
+ The following keys are used when generating a unique list of values to loop over.
+ -->
+ <xsl:key name="cveids" match="/security/issue/cve" use="@name"/>
+ <xsl:key name="httpd_versions" match="/security/issue/affects[@prod = 'httpd'] | /security/issue/maybeaffects[@prod = 'httpd']" use="@version"/>
+ <!--
+ The directory where the output files should be written. Make sure a trailing
+ slash is present.
+ -->
+ <xsl:variable name="output_directory">./oval/</xsl:variable>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template match="/">
+ <xsl:call-template name="print_combined_file"/>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="print_combined_file">
+ <!--
+ TEMPLATE - print_combined_file
+
+ This template is used to create a combined xml file that has all the OVAL
+ definitions in a single document. Tests, objects, and states are reused
+ whenever possible.
+ -->
+ <xsl:variable name="filename" select="'httpd-oval-combined.xml'"/>
+ <!-- <xsl:result-document href="{$output_directory}{$filename}" format="xml">-->
+ <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:apache-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#apache apache-definitions-schema.xsd">
+ <generator>
+ <oval:schema_version>5.1</oval:schema_version>
+ <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
+ </generator>
+ <definitions>
+ <!--
+ For each unique CVE id, create a new OVAL definition. This
+ definition might span a couple of different issues, and this
+ will be reflected in the criteria.
+ -->
+ <xsl:for-each select="//cve[generate-id() = generate-id(key('cveids',@name)[1])]">
+ <xsl:call-template name="httpd_definition">
+ <xsl:with-param name="cveid" select="@name"/>
+ </xsl:call-template>
+ </xsl:for-each>
+ </definitions>
+ <tests>
+ <!--
+ For each <affects> or <maybeaffects> element found across every
+ <issue> in the source document, generate an OVAL test to represent
+ it. These tests are used by the definitions created above.
+ -->
+ <xsl:for-each select="//affects[generate-id() = generate-id(key('httpd_versions',@version)[1])] | //maybeaffects[generate-id() = generate-id(key('httpd_versions',@version)[1])] ">
+ <xsl:call-template name="httpd_test"/>
+ </xsl:for-each>
+ </tests>
+ <objects>
+ <!--
+ The httpd test in OVAL always references the same object that
+ represents the collection of all httpd binaries on the system.
+ This object is used by each of the tests created above.
+ -->
+ <xsl:call-template name="httpd_object"/>
+ </objects>
+ <states>
+ <!--
+ For each <affects> or <maybeaffects> element found across every
+ <issue> in the source document, generate an OVAL state to
+ represent the version comparision. These states are used by the
+ tests created above.
+ -->
+ <xsl:for-each select="//affects[generate-id() = generate-id(key('httpd_versions',@version)[1])] | //maybeaffects[generate-id() = generate-id(key('httpd_versions',@version)[1])] ">
+ <xsl:call-template name="httpd_state"/>
+ </xsl:for-each>
+ </states>
+ </oval_definitions>
+ <!-- </xsl:result-document>-->
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="print_individual_files">
+ <!--
+ TEMPLATE - print_individual_files
+
+ This template is used to create an individual xml file for each OVAL
+ definitions. A separate definition is created for each unique instance of
+ a CVE id. The opening <for-each> loop is used to cycle over all the unique
+ CVE ids found in the sorce document.
+ -->
+ <xsl:for-each select="//cve[generate-id() = generate-id(key('cveids',@name)[1])]">
+ <xsl:variable name="cveid" select="@name"/>
+ <!--
+ For each CVE id, create a new OVAL Definition file. The filename in this
+ case is generated from numbers of the CVE id. Since there is only one
+ definition per CVE, we can be confident that this is unique.
+ -->
+ <xsl:variable name="filename" select="concat(substring($cveid,5,4),substring($cveid,10),'.xml')"/>
+ <xsl:result-document href="{$output_directory}{$filename}" format="xml">
+ <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:apache-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#apache apache-definitions-schema.xsd">
+ <generator>
+ <oval:schema_version>5.1</oval:schema_version>
+ <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
+ </generator>
+ <definitions>
+ <!--
+ Call the definition template for the current CVE id.
+ -->
+ <xsl:call-template name="httpd_definition">
+ <xsl:with-param name="cveid" select="$cveid"/>
+ </xsl:call-template>
+ </definitions>
+ <tests>
+ <!--
+ A test needs to be produced for each unique <affects> and
+ <maybeaffects> element found in the issues related to this
+ specific CVE id.
+ -->
+ <xsl:for-each select="/security/issue[./cve/@name = $cveid]">
+ <xsl:for-each select="./affects | ./maybeaffects">
+ <!--
+ TODO: If there is an <affects> or <maybeaffects> with
+ an OS attribute, then we need to print the test for that
+ OS. We will also have to print the associated object
+ and state.
+ -->
+ <xsl:call-template name="httpd_test"/>
+ </xsl:for-each>
+ </xsl:for-each>
+ </tests>
+ <objects>
+ <!--
+ The httpd test in OVAL always references the same object that
+ represents the collection of all httpd binaries on the system.
+ This object is used by each of the tests created above.
+ -->
+ <xsl:call-template name="httpd_object"/>
+ </objects>
+ <states>
+ <!--
+ For each <affects> or <maybeaffects> element found across every
+ <issue> related to the specified CVE, generate an OVAL state to
+ represent the version comparision. These states are used by the
+ tests created above.
+ -->
+ <xsl:for-each select="/security/issue[./cve/@name = $cveid]">
+ <xsl:for-each select="./affects | ./maybeaffects">
+ <xsl:call-template name="httpd_state"/>
+ </xsl:for-each>
+ </xsl:for-each>
+ </states>
+ </oval_definitions>
+ </xsl:result-document>
+ </xsl:for-each>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="httpd_definition">
+ <xsl:param name="cveid"/>
+ <!--
+ TEMPLATE - httpd_definition
+
+ This template is used to create an actual OVAL Definition. The id for this
+ definition is built from the numbers found in the cve name. Since we are
+ creating a single OVAL Definition per CVE, we can be confident that this
+ value is unique. It is also repeatable since the CVE id won't change.
+ -->
+ <xsl:variable name="definition_id">oval:org.apache.httpd:def:<xsl:value-of select="substring($cveid,5,4)"/><xsl:value-of select="substring($cveid,10)"/></xsl:variable>
+ <!--
+ Print out the actual definition element.
+ -->
+ <xsl:element name="definition" namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <xsl:attribute name="id"><xsl:value-of select="$definition_id"/></xsl:attribute>
+ <xsl:attribute name="version">1</xsl:attribute>
+ <xsl:attribute name="class">vulnerability</xsl:attribute>
+ <!--
+ Add the required metadata to the OVAL Definition. This information is
+ required by the OVAL XML schema.
+ -->
+ <metadata>
+ <title><xsl:value-of select="../title"/></title>
+ <xsl:element name="reference">
+ <xsl:attribute name="source">CVE</xsl:attribute>
+ <xsl:attribute name="ref_id"><xsl:value-of select="$cveid"/></xsl:attribute>
+ <xsl:attribute name="ref_url">http://cve.mitre.org/cgi-bin/cvename.cgi?name=<xsl:value-of select="$cveid"/></xsl:attribute>
+ </xsl:element>
+ <description><xsl:value-of select="../description/p"/></description>
+ <!--
+ The <apache_httpd_repository> piece of metadata is not required by
+ the OVAL schema but is valid due the <xsd:any> tag found in the
+ schema. This section is a place to put information specifice to
+ apache httpd vulnerability report.
+ -->
+ <apache_httpd_repository>
+ <public><xsl:value-of select="../@public"/></public>
+ <reported><xsl:value-of select="../@reported"/></reported>
+ <released><xsl:value-of select="../@released"/></released>
+ <!--
+ If a <severity> element exists for this issue in the source XML
+ document, then create a similar <severity> element in the
+ definition metadata.
+ -->
+ <xsl:if test="../severity">
+ <xsl:element name="severity">
+ <xsl:attribute name="level"><xsl:value-of select="../severity/@level"/></xsl:attribute>
+ <xsl:value-of select="../severity"/>
+ </xsl:element>
+ </xsl:if>
+ <!--
+ If a <flaw> element exists for this issue in the source XML
+ document, then create a similar <flaw> element in the
+ definition metadata.
+ -->
+ <xsl:if test="../flaw">
+ <xsl:element name="flaw">
+ <xsl:attribute name="type"><xsl:value-of select="../flaw/@type"/></xsl:attribute>
+ </xsl:element>
+ </xsl:if>
+ </apache_httpd_repository>
+ </metadata>
+ <!--
+ Add the criteria to the OVAL Definition. This consists of all the
+ individual tests required by the different <issue> elements found in
+ the source xml document related to the specified CVE. The first step
+ is to loop over each <issue> and print out a child <criteria> element
+ that will group together the tests related to the <issue>. The second
+ step is to loop over each <affects> or <maybeaffects> element and print
+ out a corresponding <criterion> by calling the httpd_criteriontemplate.
+ -->
+ <criteria operator="OR">
+ <xsl:for-each select="/security/issue[./cve/@name = $cveid]">
+ <criteria operator="OR">
+ <xsl:for-each select="./affects | ./maybeaffects">
+ <!--
+ TODO: If there are <affects> or <maybeaffects> with an OS
+ attribute, then we need to add a <criteria> element that
+ ANDs an OS test with the ORd list of affected versions.
+ -->
+ <xsl:call-template name="httpd_criterion"/>
+ </xsl:for-each>
+ </criteria>
+ </xsl:for-each>
+ </criteria>
+ </xsl:element>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="httpd_criterion">
+ <!--
+ TEMPLATE - httpd_criterion
+
+ This template is used to create an individual <criterion> element. This
+ element provides the link between a definition and a test. Each <criterion>
+ references a test via the test id, which is determined by using the version
+ (without the periods) of httpd being tested. This will work as long as we
+ only have version tests.
+ -->
+ <xsl:variable name="test_id">oval:org.apache.httpd:tst:<xsl:value-of select="substring-before(@version,'.')"/><xsl:value-of select="substring-before(substring-after(@version,'.'),'.')"/><xsl:value-of select="substring-after(substring-after(@version,'.'),'.')"/></xsl:variable>
+ <!--
+ Create a comment for the test.
+ -->
+ <xsl:variable name="test_comment">the version of <xsl:value-of select="@prod"/> is <xsl:value-of select="@version"/></xsl:variable>
+ <!--
+ Create the actual criterion element
+ -->
+ <xsl:element name="criterion" namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <xsl:attribute name="test_ref"><xsl:value-of select="$test_id"/></xsl:attribute>
+ <xsl:attribute name="comment"><xsl:value-of select="$test_comment"/></xsl:attribute>
+ </xsl:element>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="httpd_test">
+ <!--
+ TEMPLATE - httpd_test
+
+ This template is used to create an individual <httpd_test>. This element
+ binds an OVAL Object and an OVAL State with a check attribute. The test id
+ is determined by using the version (without the periods) of httpd being
+ tested for. This will work as long as we only have version tests.
+ -->
+ <xsl:variable name="test_id">oval:org.apache.httpd:tst:<xsl:value-of select="substring-before(@version,'.')"/><xsl:value-of select="substring-before(substring-after(@version,'.'),'.')"/><xsl:value-of select="substring-after(substring-after(@version,'.'),'.')"/></xsl:variable>
+ <!--
+ Create a comment for the test.
+ -->
+ <xsl:variable name="test_comment">the version of <xsl:value-of select="@prod"/> is <xsl:value-of select="@version"/></xsl:variable>
+ <!--
+ Create a unique state id. Attempting to use the version (without the periods)
+ of httpd being tested for. This will work as long as we only have version
+ tests. Note that we don't need to create an object id since every test
+ references the same object, meaning the object and its id can be hard coded
+ into this script.
+ -->
+ <xsl:variable name="state_id">oval:org.apache.httpd:ste:<xsl:value-of select="substring-before(@version,'.')"/><xsl:value-of select="substring-before(substring-after(@version,'.'),'.')"/><xsl:value-of select="substring-after(substring-after(@version,'.'),'.')"/></xsl:variable>
+ <!--
+ Print out the actual test element.
+ -->
+ <xsl:element name="httpd_test" namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache">
+ <xsl:attribute name="id"><xsl:value-of select="$test_id"/></xsl:attribute>
+ <xsl:attribute name="version">1</xsl:attribute>
+ <xsl:attribute name="comment"><xsl:value-of select="$test_comment"/></xsl:attribute>
+ <xsl:attribute name="check">at least one</xsl:attribute>
+ <!--
+ Add the <object> and <state> elements to this test.
+ -->
+ <object object_ref="oval:org.apache.httpd:obj:1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache"/>
+ <xsl:element name="state" namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache">
+ <xsl:attribute name="state_ref"><xsl:value-of select="$state_id"/></xsl:attribute>
+ </xsl:element>
+ </xsl:element>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="httpd_object">
+ <!--
+ TEMPLATE - httpd_object
+
+ This template is used to create an <httpd_object>. Note that every
+ <httpd_test> uses the same <httpd_object> so this template simply prints out
+ that object and does not have to loop over any elements of the source xml
+ file.
+ -->
+ <httpd_object id="oval:org.apache.httpd:obj:1" version="1" comment="the collection apache httpd binaries" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache">
+ <notes xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <note>This is the single httpd object required by an apache httpd test and represents the collection of all httpd binaries on the system.</note>
+ </notes>
+ </httpd_object>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <xsl:template name="httpd_state">
+ <!--
+ TEMPLATE - httpd_state
+
+ This template is used to create an individual <httpd_state> element. This
+ element outlines a specific piece of information to evaluate an object
+ against. For our use here, we will be evaulating the version of HTTPD.
+ The id associated with the state is determined by using the version (without
+ the periods) of httpd being tested for. This will work as long as we only
+ have version tests.
+ -->
+ <xsl:variable name="state_id">oval:org.apache.httpd:ste:<xsl:value-of select="substring-before(@version,'.')"/><xsl:value-of select="substring-before(substring-after(@version,'.'),'.')"/><xsl:value-of select="substring-after(substring-after(@version,'.'),'.')"/></xsl:variable>
+ <!--
+ Create a comment for the state.
+ -->
+ <xsl:variable name="state_comment">the version of <xsl:value-of select="@prod"/> is <xsl:value-of select="@version"/></xsl:variable>
+ <!--
+ Print out the actual state element.
+ -->
+ <xsl:element name="httpd_state" namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache">
+ <xsl:attribute name="id"><xsl:value-of select="$state_id"/></xsl:attribute>
+ <xsl:attribute name="version">1</xsl:attribute>
+ <xsl:attribute name="comment"><xsl:value-of select="$state_comment"/></xsl:attribute>
+ <version datatype="version" operation="equals" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache">
+ <xsl:value-of select="@version"/>
+ </version>
+ </xsl:element>
+ </xsl:template>
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+</xsl:stylesheet>
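Review bot: The principal output is declared `<xsl:output method="text"/>` (the first xsl:output element), yet the root template calls print_combined_file, whose `xsl:result-document` wrapper is commented out, so the `oval_definitions` tree it builds goes to the principal result and the text serializer emits only its text nodes, not the element markup — unless the build that invokes this stylesheet overrides the output method, the combined file will not be well-formed OVAL. Either restore the result-document call or make the default output XML: `<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>`. Two smaller points in the same hunk: on both `oval_definitions` start tags the `apache-def` prefix is bound to `http://oval.mitre.org/XMLSchema/oval-definitions-5#windows` while the schemaLocation and every emitted httpd_test/httpd_object/httpd_state use the `#apache` namespace, and `<oval:timestamp>` is a fixed 2005 value although the stylesheet declares version 2.0, where `<xsl:value-of select="current-dateTime()"/>` would record the actual generation time. The test_id/state_id derivation repeated in httpd_criterion, httpd_test and httpd_state silently drops components of a version with fewer or more than three dotted parts; `translate(@version, '.', '')` yields the same id for three-part versions and is robust to the others.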