Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
3-2 | 1 (of 1) |
WARN | SCHEMATRON | The @time attribute of the <xccdf:version> element SHOULD be used for a timestamp of when the benchmark was defined. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:version[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1] | exists(@time) |
15-1 | 1 (of 1) |
ERROR | SCHEMATRON | scap_gov.nist_datastream_cpe_applicability_test-datastream.zip - Every <xccdf:platform> or <cpe2:fact-ref> MUST match as EQUAL or SUPERSET to a CPE in a CPE dictionary component of this data stream. |
xccdf:platform platform_1 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_2 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_3 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_4 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_5 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_6 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_7 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip xccdf:platform platform_2 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip Schematron Context: /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:data-stream[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1] |
if( function-available('java:isEqualOrSuperset') ) then (every $m in ds:checklists/ds:component-ref satisfies ((every $n in xcf:get-component($m)//xccdf:platform[not(starts-with(@idref,'#'))] satisfies some $o in ds:dictionaries/ds:component-ref satisfies some $p in xcf:get-component($o)//cpe-dict:cpe-item satisfies java:isEqualOrSuperset($n/@idref,$p/@name)) and (every $q in xcf:get-component($m)//cpe-lang:fact-ref satisfies some $r in ds:dictionaries/ds:component-ref satisfies some $s in xcf:get-component($r)//cpe-dict:cpe-item satisfies java:isEqualOrSuperset($q/@name,$s/@name)))) else true() |
72-1 | 1 (of 1) |
ERROR | SCHEMATRON | scap_gov.nist_datastream_cpe_applicability_test-datastream.zip - For all SCAP <cpe-dict:cpe-item>'s specified the CPE dictionary component of an SCAP datastream that contain a cpe-dict:check element, that cpe-dict:check element SHALL refer to an OVAL inventory definition in the same SCAP data stream |
cpe-dict:cpe-item cpe:/o:microsoft:windows_7 in ds:data-stream scap_gov.nist_datastream_cpe_applicability_test-datastream.zip Schematron Context: /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:data-stream[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1] |
every $m in ds:dictionaries/ds:component-ref satisfies every $n in xcf:get-component($m)//cpe-dict:cpe-list/cpe-dict:cpe-item/cpe-dict:check satisfies ($n/@system = 'http://oval.mitre.org/XMLSchema/oval-definitions-5' and exists(xcf:get-component(xcf:get-component-ref($m/cat:catalog, $n/@href))//oval-def:definition[@id = $n])) |
207-1 | 1 (of 5) |
WARN | SCHEMATRON | oval:nist.validation:def:1 - OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][2]/*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1] | if(@class eq 'compliance') then exists(oval-def:metadata/oval-def:reference[matches(@source,'^(http://cce.mitre.org|CCE)$')]) else true() |
207-1 | 1 (of 5) |
WARN | SCHEMATRON | oval:nist.validation:def:2 - OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][2]/*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][2] | if(@class eq 'compliance') then exists(oval-def:metadata/oval-def:reference[matches(@source,'^(http://cce.mitre.org|CCE)$')]) else true() |
207-1 | 1 (of 5) |
WARN | SCHEMATRON | oval:nist.validation:def:3 - OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][2]/*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][3] | if(@class eq 'compliance') then exists(oval-def:metadata/oval-def:reference[matches(@source,'^(http://cce.mitre.org|CCE)$')]) else true() |
207-1 | 1 (of 5) |
WARN | SCHEMATRON | oval:nist.validation:def:4 - OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][2]/*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][4] | if(@class eq 'compliance') then exists(oval-def:metadata/oval-def:reference[matches(@source,'^(http://cce.mitre.org|CCE)$')]) else true() |
207-1 | 1 (of 5) |
WARN | SCHEMATRON | oval:nist.validation:def:5 - OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][2]/*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][5] | if(@class eq 'compliance') then exists(oval-def:metadata/oval-def:reference[matches(@source,'^(http://cce.mitre.org|CCE)$')]) else true() |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-1 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-2 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][2] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-3 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][3] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-4 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][4] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-5 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][5] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-6 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][6] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-7 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][7] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 8) |
WARN | SCHEMATRON | xccdf_gov.nist_rule_cpe_applicability-8 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:data-stream-collection[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:component[namespace-uri()='http://scap.nist.gov/schema/scap/source/1.2'][1]/*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][2]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.2'][1] | exists(xccdf:ident[matches(@system,'^(http://cce.mitre.org|http://cve.mitre.org|http://cpe.mitre.org)$')]) |
Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
330-3 | 8 (of 11) |
WARN | SCHEMATRON | Warning: The @idref attribute of a 'platform' element must begin with 'cpe:/' (CPE name version 2.2 and earlier),'cpe:2.3:' (CPE name version 2.3), or '#' (followed by the @id value of a CPE 'platform-specification' element). See the XCCDF 1.2.1 specification, Section 6.2.5. | /*[local-name()='Benchmark']/*[local-name()='Profile']/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][2]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][3]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][4]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][5]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][6]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][7]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][2]/*[local-name()='platform'] |
false() |
330-3 | 2 (of 11) |
WARN | SCHEMATRON | Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. | /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='platform'] /*[local-name()='Benchmark']/*[local-name()='Group'][1]/*[local-name()='Rule'][1]/*[local-name()='platform'] |
false() |
330-3 | 1 (of 11) |
WARN | SCHEMATRON | Warning: The 'Benchmark' element has no platform specified, which implies the benchmark applies to all platforms. Applicable platforms should be indicate if possible. See the XCCDF 1.2.1 specification, Section 6.2.5. | /*[local-name()='Benchmark'] | false() |