[OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?

Ulmer, John R. JOHN.R.ULMER at saic.com
Tue Nov 17 11:20:07 EST 2015


Darren,
Thanks for the confirmation.  
In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed).

So, how do I push this forward?
Who needs to know that the schema needs a tweak?
I've lost the handle since we moved from MITRE.


------------------------------------
John R.  Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
John.R.Ulmer at saic.com


-----Original Message-----
From: Darren J Moffat [mailto:Darren.Moffat at Oracle.COM] 
Sent: Tuesday, November 17, 2015 10:30 AM
To: Ulmer, John R.; oval_developer at lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?



On 11/17/15 14:46, Ulmer, John R. wrote:
> Regarding the Solaris packageavoidlist items.
>
> Given that:
> - 'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and
> - I don't see another/better way to query which packages are tagged to 'avoid,' and
> - the full FMRI is not available on a system on which a package is not installed and has no access to a repository.
>
> It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
>
> Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field.  The schema (the actual xsd file) requires the 'fmri.'
>
> Should the packageAvoidList state and item contain just the package name?
> Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?

The avoid list is the name of the package not the full FMRI so the 
schema requiring an FMRI is wrong.

The pkg system only stores package names for the avoid list not the full 
FMRI - since the point of avoid is to avoid the package regardless of 
publisher.

--
Darren J Moffat

...



