[OVAL DEVELOPER] regex_capture quantified subpattern behavior clarification

Jan Lieskovsky jlieskov at redhat.com
Mon Aug 8 06:14:21 EDT 2016

Hello OVAL Developers,

  there's the following documentation section in RegexCaptureFunctionType

"Note that a quantified capturing sub-pattern does not produce multiple
substrings.  Standard regular expression semantics are such that if a
capturing sub-pattern is required to match multiple times in order for
the overall regular expression to match, the capture produced is the
last substring to have matched the sub-pattern."

(from https://github.com/OVALProject/Language/blob/master/specifications/oval-language-specification.docx )

If I am reading the above section correctly, in the case there are multiple
"substrings" within the text, the regex_capture pattern could match against,
and pattern quantification is used, the last matched item should be collected
/ returned by the scanner.

But checking this behaviour in the OpenSCAP scanner, the first matched
instance is always returned (regardless of whether pattern quantification
was used / specified or not).

Suppose the attached example OVAL file.

Unless I have misunderstood something, the regex_capture()'s collected value
should be the "fs.suid_dumpable = 4" (IOW the last one), not the
"fs.suid_dumpable = 1", like it's done currently, right? IMHO last one should
be collected, since quantified sub-pattern was used in regex_capture specification.

Is this correct? Or have I overlooked something? If the latter, could you
hopefully provide an example of a pattern where "regex_capture" would return
the last substring that matched the sub-pattern, as specified in the specification?

Thank you && Regards, Jan
Jan iankko Lieskovsky / Red Hat Security Technologies Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: regex_capture_test.xml
Type: application/xml
Size: 3427 bytes
Desc: not available
URL: <http://lists.cisecurity.org/pipermail/oval_developer_lists.cisecurity.org/attachments/20160808/3d065895/attachment.xml>
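
The distinction drawn by the quoted specification text, shown as an added example (not part of the original post, not the scrubbed attachment, and not OpenSCAP code). Python's `re` stands in for the scanner's regex engine, the sample text and patterns are constructed, and `regex_capture` is a hypothetical helper that models the function as "leftmost match, first capturing group".

```python
import re

# Constructed sample text; only the values 1 and 4 are taken from the post.
CONTIGUOUS = (
    "fs.suid_dumpable = 1\n"
    "fs.suid_dumpable = 2\n"
    "fs.suid_dumpable = 4\n"
)
# Constructed variant: an unrelated line separates the two entries.
INTERRUPTED = (
    "fs.suid_dumpable = 1\n"
    "kernel.sysrq = 0\n"
    "fs.suid_dumpable = 4\n"
)

# Hypothetical patterns (the attachment's real pattern is not on the page).
PLAIN = r"(fs\.suid_dumpable = \d)"            # no quantifier on the group
QUANTIFIED = r"(fs\.suid_dumpable = \d\n)+"    # the group must repeat in ONE match
GREEDY_PREFIX = r"(?s).*(fs\.suid_dumpable = \d)"  # greedy prefix, then one capture


def regex_capture(pattern, text):
    """Assumed model: leftmost match, first capturing group, "" otherwise."""
    m = re.search(pattern, text)
    if m is None or m.re.groups == 0:
        return ""
    return m.group(1) or ""


def demo():
    """Return (label, captured value) pairs for each case."""
    return [
        # Several separate matches exist; the leftmost one is reported.
        ("plain / contiguous", regex_capture(PLAIN, CONTIGUOUS)),
        # One match spans all three lines; the group keeps its last iteration.
        ("quantified / contiguous", regex_capture(QUANTIFIED, CONTIGUOUS)),
        # The repetition is broken after one line, so the single iteration
        # of the leftmost match is also the first entry in the text.
        ("quantified / interrupted", regex_capture(QUANTIFIED, INTERRUPTED)),
        # A greedy prefix pushes the one capture to the last entry.
        ("greedy prefix / interrupted", regex_capture(GREEDY_PREFIX, INTERRUPTED)),
    ]


if __name__ == "__main__":
    for label, value in demo():
        print(f"{label:28} -> {value!r}")
```

The quantified group captures the last substring only when its repetitions are adjacent inside a single overall match; occurrences spread across the text are separate matches, and the leftmost match is the one reported.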
