[OVAL DEVELOPER] regex_capture quantified subpattern behavior clarification
jlieskov at redhat.com
Mon Aug 8 08:56:02 EDT 2016
----- Original Message -----
> From: "Jan Lieskovsky" <jlieskov at redhat.com>
> To: "OVAL Developer List" <oval_developer at lists.cisecurity.org>
> Sent: Monday, August 8, 2016 12:14:21 PM
> Subject: [OVAL DEVELOPER] regex_capture quantified subpattern behavior clarification
> Hello OVAL Developers,
> there's the following documentation section in RegexCaptureFunctionType
To express the question hopefully more clearly. When modifying the original
regex pattern to read like:
<regex_capture pattern=".*(fs\.suid_dumpable = \d)+">
it's possible to obtain the last matched item from the string.
> "Note that a quantified capturing sub-pattern does not produce multiple
> substrings. Standard regular expression semantics are such that if a
> capturing sub-pattern is required to match multiple times in order for
> the overall regular expression to match, the capture produced is the
> last substring to have matched the sub-pattern."
But the question was if it would be possible to provide an example of the pattern,
which would produce "the capture produced is the last substring to have matched
Could we enhance the OVAL documentation with such an example?
Thank you && Regards, Jan
Jan iankko Lieskovsky / Red Hat Security Technologies Team
> If I am reading the above section correctly, in the case there are multiple
> "substrings" within the text, the regex_capture pattern could match against,
> and pattern quantification is used, the last matched item should be collected
> / returned by the scanner.
> But checking this behaviour in the OpenSCAP scanner, always the first matched
> instance is returned (regardless if pattern quantification was used /
> or not).
> Suppose the attached example OVAL file.
> Unless I have misunderstood something, the regex_capture()'s collected value
> should be the "fs.suid_dumpable = 4" (IOW the last one), not the
> "fs.suid_dumpable = 1", like it's done currently, right? IMHO last one should
> be collected, since quantified sub-pattern was used in regex_capture
> Is this correct? Or have I overlooked something? If the latter, could you
> hopefully provide an example of a pattern, when "regex_capture" would return
> last substring that matched the sub-pattern, as specified in the
> Thank you && Regards, Jan
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
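
Added example, not part of the original message or of the OVAL documentation: the capture rule quoted above, shown with Python's re module, which applies the same Perl-style rule that a repeated group keeps its last iteration. The sample text, the capture() and results() helpers, the separator pattern and the (?s) flag are assumptions made for illustration.

```python
import re

# Constructed sample input, one setting per line (not the attached OVAL file).
SAMPLE = (
    "fs.suid_dumpable = 1\n"
    "fs.suid_dumpable = 2\n"
    "fs.suid_dumpable = 3\n"
    "fs.suid_dumpable = 4\n"
)

PATTERNS = {
    # No quantifier: the leftmost match is captured.
    "plain": r"(fs\.suid_dumpable = \d)",
    # Quantified, but a group can only repeat over adjacent text. A newline
    # separates the entries here, so the group iterates exactly once and the
    # capture is still the first entry.
    "quantified": r"(fs\.suid_dumpable = \d)+",
    # Separator consumed inside the repetition: the group iterates four
    # times within one match and keeps the last iteration.
    "quantified_with_separator": r"(?:(fs\.suid_dumpable = \d)\s*)+",
    # Greedy prefix as in the message; (?s) is added so '.' also crosses
    # the newlines of this multi-line sample.
    "greedy_prefix": r"(?s).*(fs\.suid_dumpable = \d)+",
}


def capture(pattern, text=SAMPLE):
    """Return capture group 1 of the leftmost match, or None if no match."""
    match = re.search(pattern, text)
    return match.group(1) if match else None


def results(text=SAMPLE):
    """Map each pattern name to the substring its group 1 captures."""
    return {name: capture(pattern, text) for name, pattern in PATTERNS.items()}


if __name__ == "__main__":
    for name, value in results().items():
        print(f"{name:28} -> {value!r}")
```

The quantifier only changes the captured value when the sub-pattern matches several times inside a single overall match; entries separated by text the group does not consume are separate candidate matches, and the leftmost one wins.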