
openscap-report's Introduction

OpenSCAP

Join the chat at https://gitter.im/OpenSCAP/openscap

Open Source Security Compliance Solution

About

The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.

Contributing

We welcome all contributions to the OpenSCAP project. If you would like to contribute, either by fixing existing issues or adding new features, please check out our contribution guide to get started. If you would like to discuss anything, ask questions, or if you need additional help getting started, you can either send a message to our libera.chat IRC channel, #openscap, or to our mailing list.

Microsoft Windows Support

The Microsoft Windows support is officially void as of February 1, 2022.

Use cases

SCAP Content Validation

  • The following example shows how to validate a given source data stream; all components within the data stream are validated (XCCDF, OVAL, OCIL, CPE, and possibly other components):
oscap ds sds-validate scap-ds.xml

Scanning

  • To evaluate all definitions within the given OVAL Definition file, run the following command:
oscap oval eval --results oval-results.xml scap-oval.xml

where scap-oval.xml is the OVAL Definition file and oval-results.xml is the OVAL Result file.

  • To evaluate all definitions from the OVAL component that are part of a particular data stream within a SCAP data stream collection, run the following command:
oscap oval eval --datastream-id ds.xml --oval-id xccdf.xml --results oval-results.xml scap-ds.xml

where ds.xml is the given data stream, xccdf.xml is an XCCDF file specifying the OVAL component, oval-results.xml is the OVAL Result file, and scap-ds.xml is a file representing the SCAP data stream collection.

  • To evaluate a specific profile in an XCCDF file run this command:
oscap xccdf eval --profile Desktop --results xccdf-results.xml --cpe cpe-dictionary.xml scap-xccdf.xml

where scap-xccdf.xml is the XCCDF document, Desktop is the selected profile from the XCCDF document, xccdf-results.xml is a file storing the scan results, and cpe-dictionary.xml is the CPE dictionary.

  • To evaluate a specific XCCDF benchmark that is part of a data stream within a SCAP data stream collection run the following command:
oscap xccdf eval --datastream-id ds.xml --xccdf-id xccdf.xml --results xccdf-results.xml scap-ds.xml

where scap-ds.xml is a file representing the SCAP data stream collection, ds.xml is the particular data stream, xccdf.xml is the ID of the component-ref pointing to the desired XCCDF document, and xccdf-results.xml is a file containing the scan results.

Document generation

  • without XCCDF rules
oscap xccdf generate guide XCCDF-FILE > XCCDF-GUIDE-FILE
  • with XCCDF rules
oscap xccdf generate guide --profile PROFILE XCCDF-FILE > XCCDF-GUIDE-FILE
  • generate report from scanning
oscap xccdf generate report XCCDF-RESULT-FILE > XCCDF-REPORT-FILE


openscap-report's Issues

Add non-breaking space

Add a non-breaking space to the field Scanner in Evaluation Characteristics. (OpenSCAP1.3.6 -> OpenSCAP 1.3.6)

Sorting Option Of Rules

Add a sorting option - sort rules alphabetically when clicking on "Rule", sort by severity in ascending/descending order when clicking on "Severity", and show fails/passes first when clicking on "Result".

Larger slider

It is not clear whether the slider is present in the rule detail.

Reproduce: The problem occurs when the window width is less than 900px.

Use in disconnected environments

After reviewing a report created by this tool I noticed that HTML pulls in CSS files and fonts from the Internet. There are some use cases where the viewer of the report may not be online. I propose that we vendor the CSS and fonts in the repo so the reports can be used offline.

Improve the `generate_arf.sh` script

The generate_arf.sh script should determine the product automatically, because passing a product as an argument doesn't work with tmt unless a distro is specified.

Build and Test AIDE Database | Incorrect for ubuntu profiles on ansible snippet

Current block is:

- name: Build and Test AIDE Database
  command: /usr/sbin/aide --init
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Correct block should be:

- name: Build and Test AIDE Database
  command: /usr/bin/aide --init
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Test details in some rules aren't helpful

Describe the bug

For some complex OVAL tests, the test details displayed in HTML report aren't useful for finding the cause of the rule result. The specific example is rule audit_rules_privileged_commands. There are some details displayed but they aren't structured and other information is missing.

To Reproduce
Steps to reproduce the behavior:

  1. Download the attached tarball and extract arf.xml from it
  2. oscap-report arf.xml > report.html
  3. Open the results of the rule xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
  4. Display test details of test test_augenrules_count_matches_system_priv_cmds

ARF file
arpc_arf.tar.gz

Expected behavior
The expected behavior is tricky to describe. I would like to have as much information, in as structured a way as possible.

In the specific example of test ID test_augenrules_count_matches_system_priv_cmds, it's a variable test so I would expect that the value of the variable used in the variable object will be displayed there.

Screenshots
[screenshot]

It's cropped, the panel is way bigger.

Environment (please complete the following information):

  • OS: Fedora 38
  • Browser: firefox-118.0.2-1.fc38.x86_64
  • Python version: python3-3.11.6-1.fc38.x86_64
  • Openscap-report version: openscap-report-0.2.5-1.fc38.noarch

Additional context
Add any other context about the problem here.

Presentation of Evaluation Characteristics

Evaluation Characteristics are a bunch of key-value pairs. I suggest a two-tier display, where the most useful items are visible after the first expansion, and the rest after the second one.

Floating Search Bar

The search rule field could be floating and follow you while you navigate the report, this way you don't need to go back to the top to find another rule.

Remove Red Hat Fonts

The report uses Red Hat fonts, which not all non-RH users have available. Perhaps use other standard fonts.

Solution: Keep Red Hat fonts, just use a different log level such as INFO, and choose a very similar default font for the report in case Red Hat fonts are not available.

Traceback when generating report from Automatus

Describe the bug

Traceback (most recent call last):
  File "/usr/bin/oscap-report", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/cli.py", line 205, in main
    report = api.generate_report(parser)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/cli.py", line 173, in generate_report
    report_generator = self.get_report_generator(report_parser)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/cli.py", line 169, in get_report_generator
    return dict_of_report_generators[self.output_format](report_parser)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/report_generators/html.py", line 24, in __init__
    self.report = parser.parse_report()
                  ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/scap_results_parser.py", line 92, in parse_report
    OVAL_and_CPE_tree_builder = OVALAndCPETreeBuilder(  # pylint: disable=C0103
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/oval_and_cpe_tree_builder.py", line 22, in __init__
    self.load_oval_definitions()
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/oval_and_cpe_tree_builder.py", line 33, in load_oval_definitions
    self._load_cpe_platforms()
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/oval_and_cpe_tree_builder.py", line 61, in _load_cpe_platforms
    self._evaluate_all_cpe_platforms()
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/oval_and_cpe_tree_builder.py", line 67, in _evaluate_all_cpe_platforms
    cpe_platform.result = cpe_platform.logical_test.evaluate_tree()
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/data_structures/cpe_logical_test.py", line 55, in evaluate_tree
    results_counts = self._get_result_counts()
                     ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/openscap_report/scap_results_parser/data_structures/cpe_logical_test.py", line 34, in _get_result_counts
    value = str(child.oval_tree.evaluate_tree())
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'evaluate_tree'

To Reproduce
tar xzf arf.tar.gz
oscap-report -o report.html selinux_all_devicefiles_labeled-regular_file_device_t.pass.sh-initial-arf.xml

ARF file
arf.tar.gz

Expected behavior
no traceback

Screenshots
no

Environment (please complete the following information):
Fedora 37
openscap-report-0.2.2-0.fc37.noarch - from updates-testing

Additional context
The ARF comes from automatus testing executed locally.

The command that Automatus used internally is:

oscap-ssh [email protected] 22 xccdf eval --verbose DEVEL --results-arf /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-29-1047/selinux_all_devicefiles_labeled-regular_file_device_t.pass.sh-initial-arf.xml --benchmark-id xccdf_org.ssgproject.content_benchmark_RHEL-9 --profile (all) --progress --oval-results --report /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-29-1047/selinux_all_devicefiles_labeled-regular_file_device_t.pass.sh-initial.html --rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled /tmp/_ssgts_ds_modified6gk8e2qs

Change Text In Title

Consider replacing the header "OSCAP Scan Result" with something else; matching the title of the HTML page, "OpenSCAP Evaluation Report", is probably fine. The document title "OSCAP Scan Result" is misleading because the input ARF can come from any scanner, not only oscap. Possibly the title can be loaded from the ARF file.

[packit] Invalid config

Failed to load packit config file:

Cannot parse package config: ValidationError({'jobs': {0: {'job': ['Invalid enum member propose_downstream_fedora']}, 1: {'job': ['Invalid enum member test_fedora']}, 2: {'job': ['Invalid enum member build_epel8']}}}).

For more info, please check out the documentation or contact the Packit team.

Provide description of scanning results when it makes sense

If the scanner combines scanning and remediation, it may make sense to display context to scanning results.

This applies to cases when a rule scan fails, and remediation is executed.

  • If the remediation fails (returns non-zero exit code, possibly produces an error message), it would make sense to accompany the FAIL result with "fix failed" or something like that.
  • If the remediation succeeds, but the subsequent check fails, we display ERROR in the legacy oscap-produced reports. That's not really correct in terms of XCCDF, a FAIL with "fix unsuccessful" or something like that would describe the case better.
  • If the remediation succeeds and the check also passes, we use FIXED - that's correct.

Ugly formatting of warning box

Describe the bug
The warning contains a monospaced text with gray backgrounds which spans from left to right and causes a new line, see the screenshot below.

To Reproduce
Steps to reproduce the behavior:

  1. Generate report from the attached ARF
  2. Go to rule details in rule audit_rules_privileged_commands
  3. Scroll down to warnings
  4. See the warning

ARF file
attach.zip

Expected behavior
The item with gray backgrounds doesn't span and doesn't cause a new line.

Screenshots
[screenshot]

Environment (please complete the following information):

  • OS: Fedora 38
  • Browser: firefox-117.0.1-1.fc38.x86_64
  • Python version: python3-3.11.5-1.fc38.x86_64
  • Openscap-report version: openscap-report-0.2.5-1.fc38.noarch

Additional context
No.

Rearranging Fields Of Rules

Consider rearranging the place of the fields; for example, I believe the description should be more at the top. There is some data that you don't need to see every time (like "weight" or "multi-check rule").

Add ability to generate HTML guides

This request is to add the ability to generate HTML guides using oscap-report. It will replace the oscap xccdf generate guide feature of OpenSCAP.

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
oscap-report can generate HTML guides from a SCAP source data stream which will be visually similar to HTML reports, but wouldn't contain rule results. It will also be able to consume tailoring files.

Describe alternatives you've considered
I haven't considered any alternatives - the alternative is status quo.

Additional context

  • Allow us to modernize the HTML guides.
  • Opens the ability to add other features to guides easily, e.g. control mapping.
  • Allow us to break the dependency of ComplianceAsCode on OpenSCAP.
  • It will also open opportunities to provide browseable guides in our integrations.

Traceback when generating reports from ARF coming from Automatus tests

Describe the bug

The following traceback happens when I try to generate a report from ARF that was produced by Automatus.

[jcerny@fedora openscap-report{main}]$ python3 -m openscap_report.cli /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-02-1131/dir_perms_world_writable_root_owned-all_dirs_ok.pass.sh-initial-arf.xml
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/jcerny/work/git/openscap-report/openscap_report/cli.py", line 216, in <module>
    main()
  File "/home/jcerny/work/git/openscap-report/openscap_report/cli.py", line 205, in main
    report = api.generate_report(parser)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/cli.py", line 173, in generate_report
    report_generator = self.get_report_generator(report_parser)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/cli.py", line 169, in get_report_generator
    return dict_of_report_generators[self.output_format](report_parser)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/report_generators/html.py", line 24, in __init__
    self.report = parser.parse_report()
                  ^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/scap_results_parser/scap_results_parser.py", line 91, in parse_report
    rules = rule_parser.get_rules()
            ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/scap_results_parser/parsers/rule_parser.py", line 203, in get_rules
    rule = self.process_rule(rule_el)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/scap_results_parser/parsers/rule_parser.py", line 78, in process_rule
    "description": self.full_text_parser.get_full_description_of_rule(rule),
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/scap_results_parser/parsers/full_text_parser.py", line 58, in get_full_description_of_rule
    return self._get_element_as_string(description) if description is not None else ""
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/openscap-report/openscap_report/scap_results_parser/parsers/full_text_parser.py", line 52, in _get_element_as_string
    text += self._get_tag_text(child)
TypeError: can only concatenate str (not "NoneType") to str

To Reproduce
Steps to reproduce the behavior:

  1. in the scap-security-guide project, build the content, and run a test scenario using Automatus:
python3 tests/automatus.py rule  --libvirt qemu:///system ssgts_rhel9 --scenario all_dirs_ok.pass.sh --dontclean  dir_perms_world_writable_root_owned
  2. try to generate an HTML report using oscap-report from the test artifacts
python3 -m openscap_report.cli /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-02-1131/dir_perms_world_writable_root_owned-all_dirs_ok.pass.sh-initial-arf.xml

I attach this ARF below.

ARF file
arf.zip

Expected behavior
no traceback, report is generated

Screenshots
no

Environment (please complete the following information):

  • OS: Fedora 38
  • Browser: irrelevant
  • Python version: python3-3.11.4-1.fc38.x86_64
  • Openscap-report version: current upstream main branch as of 2023-08-02 as of HEAD 0aecd7a
  • scap-security-guide current upstream master branch as of 2023-08-02 as of HEAD d81f29b9714f71f3beab6a5c1d7202bd8cde36bc

Additional context
The issue is also reproducible with the released version openscap-report-0.2.4-1.fc38.noarch.

Support For OVAL Result Files

Extend it to work with OVAL results. Maybe make the default output into an HTML file (making it a required parameter of the command).

References are useless

Describe the bug
The References section of the rule details usually contains a lot of references. However, these references aren't sorted, grouped or labeled. The references to different standards and policies are mixed together. It's a mere list of IDs that have no meaning to users.

To Reproduce
Steps to reproduce the behavior:

  1. Go to rule details
  2. See the References section

ARF file
https://hony.fedorapeople.org/arf_profile_cis_workstation_l1.xml

Expected behavior
The references should be presented in a concise and understandable way. For example, they can be presented in the form of a table. They should be grouped by target. The target name or title would be shown as well.

Screenshots

[screenshot]

Environment (please complete the following information):

  • OS: F 37
  • Browser: Firefox
  • Python version: python3-3.11.2-1.fc37.x86_64
  • Openscap-report version: openscap-report-0.2.2-0.fc37.noarch

Additional context

  • Ideally, the references could also be used for searching, sorting and grouping rules. (this might be a next task)
  • The experience can be supported by improvements on the CaC project side, however, the key thing is to change the oscap-report.

Improve content in OVAL test details

Is your feature request related to a problem? Please describe.

  • The current presentation shows the object definition without all attributes or collected objects.
  • Displaying a more significant amount of collected objects causes problems with browser performance.

Describe the solution you'd like
Present the OVAL object and OVAL state with all attributes and don't display collected objects.

Deprecation Warning

Deprecation Warning:

openscap_report/__init__.py:6
  /Users/honyrodak/projects/oscap-report/openscap_report/__init__.py:6: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
    from pkg_resources import DistributionNotFound, get_distribution

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html

Python version:
platform darwin -- Python 3.11.4, pytest-7.4.0, pluggy-1.2.0
setuptools in /opt/homebrew/lib/python3.11/site-packages (67.6.1)

oscap-report crashes if the ARF contains only passing rules

When I want to generate a report from an ARF, I get a traceback.

You can extract my arf.xml from the attached ZIP archive.
arf.zip

[jcerny@thinkpad oscap-report{master}]$ oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_selinux_state --profile '(all)' --results-arf arf.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 
Title   Ensure SELinux State is Enforcing
Rule    xccdf_org.ssgproject.content_rule_selinux_state
Result  pass

[jcerny@thinkpad oscap-report{master}]$ python3 -m oscap_report.cli -o report.html arf.xml
Traceback (most recent call last):
  File "/usr/lib64/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/jcerny/work/git/oscap-report/oscap_report/cli.py", line 157, in <module>
    main()
  File "/home/jcerny/work/git/oscap-report/oscap_report/cli.py", line 146, in main
    report = api.generate_report(parser)
  File "/home/jcerny/work/git/oscap-report/oscap_report/cli.py", line 118, in generate_report
    return report_generator.generate_html_report()
  File "/home/jcerny/work/git/oscap-report/oscap_report/html_report/report_generator.py", line 18, in generate_html_report
    html_report = template.render(report=self.report)
  File "/usr/lib/python3.9/site-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3.9/site-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3.9/site-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/home/jcerny/work/git/oscap-report/oscap_report/html_report/templates/template_report.html", line 1, in top-level template code
    {% extends 'base_report.html' %}
  File "/home/jcerny/work/git/oscap-report/oscap_report/html_report/templates/base_report.html", line 365, in top-level template code
    {% block content%}
  File "/home/jcerny/work/git/oscap-report/oscap_report/html_report/templates/template_report.html", line 18, in block "content"
    {% include 'severity_of_failed_rules.html'%}
  File "/home/jcerny/work/git/oscap-report/oscap_report/html_report/templates/severity_of_failed_rules.html", line 1, in top-level template code
    {% set severity_of_failed_rules = report.get_severity_of_failed_rules_stats() %}
  File "/home/jcerny/work/git/oscap-report/oscap_report/scap_results_parser/data_structures.py", line 70, in get_severity_of_failed_rules_stats
    percent_per_rule = 100 / len(failed_rules)
ZeroDivisionError: division by zero

I think that the problem is that my ARF contains only a single rule which is passing.

Version: current upstream HEAD as of 337af4f
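The traceback above ends in `100 / len(failed_rules)` with no failed rules. The following is an added example, not openscap-report's own code: it parses rule results from a constructed, simplified XCCDF document (a Benchmark with Rule and TestResult elements, not a full ARF) and computes the per-severity share of failed rules, returning an empty mapping for the all-pass case instead of dividing by zero. The rule IDs, severities and the function names are assumptions made for the example.

```python
# Added example (not openscap-report's own code): per-severity statistics of
# failed rules from a constructed XCCDF document, with the all-pass case
# handled before any division takes place.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample input, not a real scan: one passing and two failing rules.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_selinux_state" severity="high"/>
  <Rule id="xccdf_example_rule_aide_database" severity="medium"/>
  <Rule id="xccdf_example_rule_login_banner" severity="low"/>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_selinux_state"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_aide_database"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_login_banner"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed sample input reproducing the crash condition: a single passing rule.
ALL_PASS_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_selinux_state" severity="high"/>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_selinux_state"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return {rule_id: (result, severity)} for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    # Rule elements may be nested inside Groups, so walk the whole tree.
    severities = {
        rule.get("id"): rule.get("severity", "unknown")
        for rule in root.iter(f"{{{XCCDF_NS}}}Rule")
    }
    rule_results = {}
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        rule_id = rule_result.get("idref")
        result_el = rule_result.find("x:result", NS)
        has_text = result_el is not None and result_el.text
        result = result_el.text.strip() if has_text else "notchecked"
        rule_results[rule_id] = (result, severities.get(rule_id, "unknown"))
    return rule_results


def get_severity_of_failed_rules_stats(rule_results):
    """Count failed rules per severity and express each count as a percentage
    of all failed rules. An empty result is returned when nothing failed."""
    failed_severities = [sev for result, sev in rule_results.values() if result == "fail"]
    if not failed_severities:
        return {}  # nothing failed: no statistics to compute, no division by zero
    percent_per_rule = 100 / len(failed_severities)
    return {
        severity: {"count": count, "percent": round(count * percent_per_rule, 2)}
        for severity, count in Counter(failed_severities).items()
    }


if __name__ == "__main__":
    print(get_severity_of_failed_rules_stats(parse_rule_results(SAMPLE_XCCDF)))
    print(get_severity_of_failed_rules_stats(parse_rule_results(ALL_PASS_XCCDF)))
```

A template that renders the severity chart can then test for an empty mapping and skip the chart, rather than relying on at least one failing rule being present in the input.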
