openscap 0.4.8 → 0.5.0

data/lib/openscap/xccdf/value.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2015 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap/exceptions'
 require 'openscap/xccdf/item'

data/lib/openscap/xccdf.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap/openscap'
 
@@ -15,7 +6,7 @@ module OpenSCAP
   module Xccdf
     NUMERIC = :float
 
-    class Item
+    class Item # rubocop:disable Lint/EmptyClass
     end
   end
 end

data/lib/openscap.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap/openscap'
 require 'openscap/exceptions'

data/test/common/testcase.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'test/unit'
 
@@ -26,7 +17,7 @@ module OpenSCAP
     end
 
     def cleanup
-      @s.destroy if @s
+      @s&.destroy
       Dir.chdir '../..'
       OpenSCAP.raise! if OpenSCAP.error?
       OpenSCAP.oscap_cleanup

data/test/data/sds-complex.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_first-xccdf.xml" schematron-version="1.0">
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_first-xccdf.xml" schematron-version="1.2">
   <!-- This is bit more complex Datastream. The purpose is to test that scanner is able to find
         * datastream-id scap_org.open-scap_datastream_tst2
         * xccdf-id scap_org.open-scap_cref_second-xccdf.xml2

data/test/data/xccdf.xml

@@ -71,6 +71,7 @@ respective companies.</rear-matter>
   <version>0.0.4</version>
   <model system="urn:xccdf:scoring:default"/>
   <Profile id="xccdf_org.ssgproject.content_profile_common">
+    <version>3.2.1</version>
     <title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems</title>
     <description xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</description>
     <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/>
@@ -461,7 +462,7 @@ If this check produces any unexpected output, investigate.
             <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
             <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
             <rationale xml:lang="en-US">
-For AIDE to be effective, an initial database of "known-good" information about files
+For AIDE to be effective, an initial database of <i xmlns="http://www.w3.org/1999/xhtml">"known-good"</i> information about files
 must be captured and it should be able to be verified against the installed files.
 </rationale>
           </Rule>

data/test/ds/arf_test.rb

@@ -1,20 +1,11 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap'
 require 'openscap/ds/arf'
 require 'common/testcase'
 
 class TestArf < OpenSCAP::TestCase
-  REPORT = 'report.rds.xml'.freeze
+  REPORT = 'report.rds.xml'
 
   def test_arf_new_nil
     msg = nil
@@ -24,7 +15,7 @@ class TestArf < OpenSCAP::TestCase
     rescue OpenSCAP::OpenSCAPError => e
       msg = e.to_s
     end
-    assert msg.start_with?("Cannot initialize OpenSCAP::DS::Arf with ''"), 'Message was: ' + msg
+    assert msg.start_with?("Cannot initialize OpenSCAP::DS::Arf with ''"), "Message was: #{msg}"
   end
 
   def test_arf_new_wrong_format
@@ -36,7 +27,7 @@ class TestArf < OpenSCAP::TestCase
       msg = e.to_s
     end
     assert msg.include?('Could not create Result DataStream session: File is not Result DataStream.'),
-           'Message was: ' + msg
+           "Message was: #{msg}"
   end
 
   def test_create_arf_and_get_html
@@ -61,17 +52,17 @@ class TestArf < OpenSCAP::TestCase
     create_arf
     raw_data = File.read(REPORT)
     refute raw_data.empty?
-    arf = OpenSCAP::DS::Arf.new :content => raw_data, :path => REPORT
+    arf = OpenSCAP::DS::Arf.new content: raw_data, path: REPORT
     arf.destroy
   end
 
   def test_new_bz_memory
     bziped_file = new_arf_bz
-    raw_data = File.open(bziped_file, 'rb').read
+    raw_data = File.binread(bziped_file)
     assert !raw_data.empty?
     len = File.size(bziped_file)
     FileUtils.rm bziped_file
-    arf = OpenSCAP::DS::Arf.new :content => raw_data, :path => bziped_file, :length => len
+    arf = OpenSCAP::DS::Arf.new content: raw_data, path: bziped_file, length: len
     arf.destroy
   end
 
@@ -86,8 +77,8 @@ class TestArf < OpenSCAP::TestCase
 
   def new_arf_bz
     create_arf
-    system('/usr/bin/bzip2 ' + REPORT)
-    REPORT + '.bz2'
+    system("/usr/bin/bzip2 #{REPORT}")
+    "#{REPORT}.bz2"
   end
 
   def new_arf
@@ -97,9 +88,9 @@ class TestArf < OpenSCAP::TestCase
 
   def create_arf
     @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml')
-    @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml')
+    @s.load(component_id: 'scap_org.open-scap_cref_second-xccdf.xml')
     @s.profile = 'xccdf_moc.elpmaxe.www_profile_1'
     @s.evaluate
-    @s.export_results(:rds_file => 'report.rds.xml')
+    @s.export_results(rds_file: 'report.rds.xml')
   end
 end

data/test/ds/sds_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap'
 require 'openscap/source'
@@ -15,6 +6,8 @@ require 'openscap/ds/sds'
 require 'common/testcase'
 
 class TestSds < OpenSCAP::TestCase
+  DS_FILE = '../data/sds-complex.xml'
+
   def test_new
     new_sds.destroy
   end
@@ -25,7 +18,7 @@ class TestSds < OpenSCAP::TestCase
     assert !@s.nil?
     msg = nil
     begin
-      OpenSCAP::DS::Sds.new :source => @s
+      OpenSCAP::DS::Sds.new source: @s
       assert false
     rescue OpenSCAP::OpenSCAPError => e
       msg = e.to_s
@@ -57,7 +50,7 @@ class TestSds < OpenSCAP::TestCase
     sds = new_sds
     msg = nil
     begin
-      benchmark = sds.select_checklist! :datastream_id => 'wrong'
+      benchmark = sds.select_checklist! datastream_id: 'wrong'
       assert false
     rescue OpenSCAP::OpenSCAPError => e
       msg = e.to_s
@@ -67,13 +60,29 @@ class TestSds < OpenSCAP::TestCase
     sds.destroy
   end
 
+  def tests_use_through_yields
+    OpenSCAP::Source.new DS_FILE do |source|
+      assert_equal 'SCAP Source Datastream', source.type
+      OpenSCAP::DS::Sds.new source: do |sds|
+        benchmark_source = sds.select_checklist!
+        html = sds.html_guide
+        assert_include html, 'bootstrap'
+
+        OpenSCAP::Xccdf::Benchmark.new benchmark_source do |benchmark|
+          assert_empty benchmark.profiles
+          assert benchmark.items.length == 1
+          assert benchmark.items.keys.first == 'xccdf_moc.elpmaxe.www_rule_first'
+        end
+      end
+    end
+  end
+
   private
 
   def new_sds
-    filename = '../data/sds-complex.xml'
-    @s = OpenSCAP::Source.new filename
+    @s = OpenSCAP::Source.new DS_FILE
     assert !@s.nil?
-    sds = OpenSCAP::DS::Sds.new :source => @s
+    sds = OpenSCAP::DS::Sds.new source: @s
     assert !sds.nil?
     sds
   end

data/test/integration/arf_waiver_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap'
 require 'openscap/xccdf/benchmark'
@@ -23,10 +14,10 @@ class TestArfWaiver < OpenSCAP::TestCase
     assert_default_score tr.score, -1, 1
     assert_default_score tr.score!(benchmark), -1, 1
 
-    rr.override!(:new_result => :pass,
-                 :time => 'yesterday',
-                 :authority => 'John Hacker',
-                 :raw_text => 'This should have passed')
+    rr.override!(new_result: :pass,
+                 time: 'yesterday',
+                 authority: 'John Hacker',
+                 raw_text: 'This should have passed')
     assert rr.result == 'pass'
 
     assert_default_score tr.score, -1, 1
@@ -94,7 +85,7 @@ class TestArfWaiver < OpenSCAP::TestCase
     @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml')
     @s.load
     @s.evaluate
-    @s.export_results(:rds_file => 'report.rds.xml')
+    @s.export_results(rds_file: 'report.rds.xml')
     OpenSCAP::DS::Arf.new('report.rds.xml')
   end
 end

data/test/openscap_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'common/testcase'
 require 'openscap'

data/test/source_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap'
 require 'openscap/source'
@@ -22,7 +13,7 @@ class TestSource < OpenSCAP::TestCase
     rescue OpenSCAP::OpenSCAPError => e
       msg = e.to_s
     end
-    assert msg.start_with?('No filename specified!'), 'Message was: ' + msg
+    assert msg.start_with?('No filename specified!'), "Message was: #{msg}"
   end
 
   def test_source_new_ok
@@ -33,22 +24,22 @@ class TestSource < OpenSCAP::TestCase
   def test_source_new_memory
     raw_data = File.read('../data/xccdf.xml')
     refute raw_data.empty?
-    s = OpenSCAP::Source.new(:content => raw_data, :path => '/mytestpath')
+    s = OpenSCAP::Source.new(content: raw_data, path: '/mytestpath')
     s.destroy
   end
 
   def test_type_xccdf
-    s = OpenSCAP::Source.new('../data/xccdf.xml')
-    assert s.type == 'XCCDF Checklist', "Type was #{s.type}"
-    s.validate!
-    s.destroy
+    OpenSCAP::Source.new('../data/xccdf.xml') do |s|
+      assert s.type == 'XCCDF Checklist', "Type was #{s.type}"
+      s.validate!
+    end
   end
 
   def test_type_sds
-    s = OpenSCAP::Source.new('../data/sds-complex.xml')
-    assert s.type == 'SCAP Source Datastream', "Type was #{s.type}"
-    s.validate!
-    s.destroy
+    OpenSCAP::Source.new('../data/sds-complex.xml') do |s|
+      assert s.type == 'SCAP Source Datastream', "Type was #{s.type}"
+      s.validate!
+    end
   end
 
   def test_type_test_result
@@ -68,11 +59,11 @@ class TestSource < OpenSCAP::TestCase
       msg = e.to_s
     end
     assert msg.start_with?('Invalid XCCDF Checklist (1.2) content in ../data/invalid.xml.'),
-           'Message was: ' + msg
+           "Message was: #{msg}"
     assert msg.include?("../data/invalid.xml:3: Element '{http"),
-           'Message was: ' + msg
+           "Message was: #{msg}"
     assert msg.include?('This element is not expected. Expected is'),
-           'Message was: ' + msg
+           "Message was: #{msg}"
     s.destroy
   end
 

data/test/text_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'openscap'
 require 'openscap/text'

data/test/xccdf/arf_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014--2016 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'common/testcase'
 require 'openscap'
@@ -47,7 +38,6 @@ class TestArf < OpenSCAP::TestCase
     _test_results = arf.test_result
     source_datastream = arf.report_request
     bench_source = source_datastream.select_checklist!
-    benchmark = OpenSCAP::Xccdf::Benchmark.new(bench_source)
-    benchmark
+    OpenSCAP::Xccdf::Benchmark.new(bench_source)
   end
 end

data/test/xccdf/benchmark_test.rb

@@ -1,13 +1,4 @@
-#
-# Copyright (c) 2014--2016 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 2 (GPLv2). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
-# along with this software; if not, see
-# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-#
+# frozen_string_literal: true
 
 require 'common/testcase'
 require 'openscap'
@@ -87,12 +78,12 @@ class TestBenchmark < OpenSCAP::TestCase
   def test_items_references
     b = benchmark_from_file
     install_hids_rule = b.items['xccdf_org.ssgproject.content_rule_install_hids']
-    expected_references = [{ :title     => 'SC-7',
-                             :href      => 'http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf',
-                             :html_link => "<a href='http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf'>SC-7</a>" },
-                           { :title     => '1263',
-                             :href      => 'http://iase.disa.mil/cci/index.html',
-                             :html_link => "<a href='http://iase.disa.mil/cci/index.html'>1263</a>" }]
+    expected_references = [{ title: 'SC-7',
+                             href: 'http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf',
+                             html_link: "<a href='http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf'>SC-7</a>" },
+                           { title: '1263',
+                             href: 'http://iase.disa.mil/cci/index.html',
+                             html_link: "<a href='http://iase.disa.mil/cci/index.html'>1263</a>" }]
     assert_equal(expected_references, install_hids_rule.references.map(&:to_hash), 'Install hids references should be equal')
     b.destroy
   end
@@ -102,16 +93,75 @@ class TestBenchmark < OpenSCAP::TestCase
     login_defs_rule = b.items['xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs']
     expected_content = ["var_accounts_minimum_age_login_defs=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\" use=\"legacy\"/>\"\ngrep -q ^PASS_MIN_DAYS /etc/login.defs &amp;&amp; \\\nsed -i \"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\\t$var_accounts_minimum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]\nthen\n  echo -e \"PASS_MIN_DAYS\\t$var_accounts_minimum_age_login_defs\" &gt;&gt; /etc/login.defs\nfi\n"]
     expected_hashes = [{
-      :id => nil,
-      :platform => nil,
-      :content => expected_content.first,
-      :system => 'urn:xccdf:fix:script:sh'
+      id: nil,
+      platform: nil,
+      content: expected_content.first,
+      system: 'urn:xccdf:fix:script:sh'
     }]
     assert_equal(expected_content, login_defs_rule.fixes.map(&:content), 'Fix content should match')
     assert_equal(expected_hashes, login_defs_rule.fixes.map(&:to_hash), 'Fix hash should match')
     b.destroy
   end
 
+  def test_benchamrk_id
+    with_benchmark do |b|
+      assert_equal b.id, 'xccdf_org.ssgproject.content_benchmark_FEDORA'
+    end
+  end
+
+  def test_status_current
+    with_benchmark do |b|
+      status = b.status_current
+      assert_equal status.status, :draft
+      release_date = status.date
+      assert_equal release_date.year, 2014
+      assert_equal release_date.month, 10
+      assert_equal release_date.day, 2
+    end
+  end
+
+  def test_title
+    with_benchmark do |b|
+      assert_equal b.title, 'Guide to the Secure Configuration of Fedora'
+    end
+  end
+
+  def test_description
+    with_benchmark do |b|
+      assert_equal b.description, DESCRIPTION
+    end
+  end
+
+  def test_version
+    with_benchmark do |b|
+      assert_equal b.version, '0.0.4'
+    end
+  end
+
+  def test_references
+    with_benchmark do |b|
+      assert_equal b.references, []
+    end
+  end
+
+  def test_resolved
+    with_benchmark do |b|
+      assert b.resolved?
+    end
+  end
+
+  def test_policy_model
+    with_benchmark do |b|
+      assert b.policy_model.policies.keys == ['xccdf_org.ssgproject.content_profile_common']
+    end
+  end
+
+  def test_schema_version
+    with_benchmark do |b|
+      assert_equal b.schema_version, '1.2'
+    end
+  end
+
   private
 
   def benchmark_from_file
@@ -121,4 +171,31 @@ class TestBenchmark < OpenSCAP::TestCase
     assert !b.nil?
     b
   end
+
+  def with_benchmark(&)
+    OpenSCAP::Source.new '../data/xccdf.xml' do |source|
+      OpenSCAP::Xccdf::Benchmark.new(source, &)
+    end
+  end
+
+  DESCRIPTION = "This guide presents a catalog of security-relevant configuration\n" \
+                "settings for Fedora operating system formatted in the eXtensible Configuration\n" \
+                "Checklist Description Format (XCCDF).\n" \
+                "<br xmlns=\"http://www.w3.org/1999/xhtml\"/>\n" \
+                "<br xmlns=\"http://www.w3.org/1999/xhtml\"/>\n" \
+                "Providing system administrators with such guidance informs them how to securely\n" \
+                "configure systems under their control in a variety of network roles.  Policy\n" \
+                "makers and baseline creators can use this catalog of settings, with its\n" \
+                "associated references to higher-level security control catalogs, in order to\n" \
+                "assist them in security baseline creation.  This guide is a <i xmlns=\"http://www.w3.org/1999/xhtml\">catalog, not a\n" \
+                "checklist,</i> and satisfaction of every item is not likely to be possible or\n" \
+                "sensible in many operational scenarios.  However, the XCCDF format enables\n" \
+                "granular selection and adjustment of settings, and their association with OVAL\n" \
+                "and OCIL content provides an automated checking capability.  Transformations of\n" \
+                "this document, and its associated automated checking content, are capable of\n" \
+                "providing baselines that meet a diverse set of policy objectives.  Some example\n" \
+                "XCCDF <i xmlns=\"http://www.w3.org/1999/xhtml\">Profiles</i>, which are selections of items that form checklists and\n" \
+                "can be used as baselines, are available with this guide.  They can be\n" \
+                "processed, in an automated fashion, with tools that support the Security\n" \
+                "Content Automation Protocol (SCAP).\n"
 end

data/test/xccdf/item_test.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'openscap'
+require 'openscap/xccdf/benchmark'
+require 'common/testcase'
+
+class ItemTest < OpenSCAP::TestCase
+  def test_description_html
+    expected_markup = "\n" \
+                      "Most of the actions listed in this document are written with the\n" \
+                      "assumption that they will be executed by the root user running the\n" \
+                      "<xhtml:code xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">/bin/bash</xhtml:code> shell. Commands preceded with a hash mark (#)\n" \
+                      "assume that the administrator will execute the commands as root, i.e.\n" \
+                      "apply the command via <xhtml:code xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">sudo</xhtml:code> whenever possible, or use\n" \
+                      "<xhtml:code xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">su</xhtml:code> to gain root privileges if <xhtml:code xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">sudo</xhtml:code> cannot be\n" \
+                      "used. Commands which can be executed as a non-root user are are preceded\n" \
+                      "by a dollar sign ($) prompt.\n"
+    with_item 'xccdf_org.ssgproject.content_group_intro-root-shell-assumed' do |item|
+      assert_equal item.description(markup: true), expected_markup
+    end
+  end
+
+  def test_rationale_html
+    expected_markup = "\n" \
+                      "For AIDE to be effective, an initial database of <i xmlns=\"http://www.w3.org/1999/xhtml\">\"known-good\"</i> information about files\n" \
+                      "must be captured and it should be able to be verified against the installed files.\n"
+    with_item 'xccdf_org.ssgproject.content_rule_aide_build_database' do |item|
+      assert_equal item.rationale(markup: true), expected_markup
+    end
+  end
+
+  def test_missing_rationale
+    with_item 'xccdf_org.ssgproject.content_group_intro' do |item_sans_rationale|
+      assert_equal item_sans_rationale.rationale(markup: true), nil
+    end
+  end
+
+  def test_version
+    with_item 'xccdf_org.ssgproject.content_group_intro' do |item_sans_version|
+      assert_nil item_sans_version.version
+    end
+  end
+
+  def test_references
+    with_item 'xccdf_org.ssgproject.content_rule_disable_prelink' do |item|
+      item.references.tap do |refs|
+        assert_equal refs.length, 4
+        assert_equal refs.collect(&:title), ['CM-6(d)', 'CM-6(3)', 'SC-28', 'SI-7']
+        assert_equal refs.collect(&:href).uniq, ['http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf']
+      end
+    end
+  end
+
+  def test_warnings
+    expected_text = 'If verbose logging to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code> is done, sparse logging of downloads to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/xferlog</xhtml:code> will not also occur. However, the information about what files were downloaded is included in the information logged to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code>'
+    with_item 'xccdf_org.ssgproject.content_rule_ftp_log_transactions' do |item|
+      warns = item.warnings
+      assert_equal warns.length, 1
+      warning = warns[0]
+      assert warning.instance_of?(Hash)
+      assert warning.keys.length == 2
+      assert warning[:category] == :general
+      assert warning[:text].text == expected_text
+    end
+  end
+
+  private
+
+  def with_item(id, &)
+    with_benchmark do |b|
+      item = b.items[id]
+      refute_nil item
+      yield item
+    end
+  end
+
+  def with_benchmark(&)
+    OpenSCAP::Source.new '../data/xccdf.xml' do |source|
+      OpenSCAP::Xccdf::Benchmark.new(source, &)
+    end
+  end
+end