[OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?

Darren J Moffat Darren.Moffat at Oracle.COM
Wed Nov 18 03:53:35 EST 2015

On 11/17/15 16:20, Ulmer, John R. wrote:
> Darren,
> Thanks for the confirmation.
> In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed).
> So, how do I push this forward?
> Who needs to know that the schema needs a tweak?
> I've lost the handle since we moved from MITRE.

I'm not sure either but I'm assuming this list is the place to do it.

> ------------------------------------
> John R.  Ulmer
> SPAWAR Systems Center Atlantic
> (843)218-5953
> John.R.Ulmer at saic.com
> -----Original Message-----
> From: Darren J Moffat [mailto:Darren.Moffat at Oracle.COM]
> Sent: Tuesday, November 17, 2015 10:30 AM
> To: Ulmer, John R.; oval_developer at lists.cisecurity.org
> Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?
> On 11/17/15 14:46, Ulmer, John R. wrote:
>> Regarding the Solaris packageavoidlist items.
>> Given that:
>> -  'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and
>> -  I don't see another/better way to query which packages are tagged to 'avoid,' and
>> - the full FMRI is not available on a system on which a package is not installed and has no access to a repository.
>> It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
>> Also, the  documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field.  The schema (the actual xsd file) requires the 'fmri.'
>> Should the packageAvoidList state and item contain just the package name?
>> Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?
> The avoid list is the name of the package not the full FMRI so the
> schema requiring an FMRI is wrong.
> The pkg system only stores package names for the avoid list not the full
> FMRI - since the point of avoid is to avoid the package regardless of
> publisher.
> --
> Darren J Moffat

Darren J Moffat


More information about the OVAL_Developer mailing list