Math and OVAL

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

Math and OVAL

John Garrett

This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.

 

What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.

 

For the given tests:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?

 

I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html:

The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.

Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.

The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.

The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.

Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.

 

 

 

V/r,

John W. Garrett

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

testfile (34 bytes) Download Attachment
count_bench-xccdf.xml (8K) Download Attachment
count_bench-oval.xml (8K) Download Attachment
count_bench-cpe-oval.xml (4K) Download Attachment
count_bench-cpe-dictionary.xml (732 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

David Solin-3
Hi John,

I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.

If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).

Best regards,
—David

David A. Solin
Co-Founder, Research & Technology
[hidden email]

Joval Continuous Monitoring

Facebook Linkedin



On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:

This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
 
What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
 
For the given tests:
        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)
        - V-2: >3 was the requirement and it passed like it should have.
        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)
        - V-4: >4 was the requirement and it failed like it should have.
 
What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
 
I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html:
The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
 
 
 
V/r,
John W. Garrett
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

John Garrett

Hi David,

 

As always, thank you for taking some time reply.

 

Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.

 

As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>. 

 

For those given objects, the following assertions were made:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”

 

Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:

    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:

·         Less than 3

·         Equal to 3

·         Less than or equal to three

 

Am I following correctly?

 

 

 

V/r,

John W. Garrett

 

From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 11:23 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

 

Hi John,

 

I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.

 

If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).

 

Best regards,

—David

 

David A. Solin
Co-Founder, Research & Technology
[hidden email]

Joval Continuous Monitoring

FacebookLinkedin

 

 

On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:

 

This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.

 

What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.

 

For the given tests:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?

 

I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html:

The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.

Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.

The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.

The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.

Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.

 

 

 

V/r,

John W. Garrett

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>

 

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

dpeddicord
John, David,

John -- you do not need to include the xccdf, cpe, etc. file (we really only need the OVAL ,file.)

The Test file has 4 "hellos"
I am bit confused by the lack of a object/state comparison in your content,  I see "check existence test"  for
<Instance operation="less than">2 . . .  there would be instances 1 -- object exists, test passes
<instance operation="greater than">3 . . . there would be 1  instance -  object exists, test passes
<instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes
, etc.


Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.

Don



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
Sent: Monday, July 13, 2015 2:02 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi David,

 

As always, thank you for taking some time reply.

 

Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.

 

As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  

 

For those given objects, the following assertions were made:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”

 

Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:

    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:

·         Less than 3

·         Equal to 3

·         Less than or equal to three

 

Am I following correctly?

 

 

 

V/r,

John W. Garrett

 

From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 11:23 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

 

Hi John,

 

I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.

 

If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).

 

Best regards,

—David

 

David A. Solin
Co-Founder, Research & Technology
[hidden email] <mailto:[hidden email]>  

Joval Continuous Monitoring <http://jovalcm.com>

Facebook <https://www.facebook.com/jovalcm> Linkedin <https://www.linkedin.com/company/joval-continuous-monitoring>

 

 

        On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:

         

        This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.

         

        What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.

         

        For the given tests:

                - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-2: >3 was the requirement and it passed like it should have.

                - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-4: >4 was the requirement and it failed like it should have.

         

        What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?

         

        I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :

        The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.

        Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.

        The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.

        The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.

        Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.

         

         

         

        V/r,

        John W. Garrett

        To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email] <mailto:[hidden email]> . <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>

 

To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

John Garrett
Hi Don,

For <2...
hello
hello
hello
hello
= pass

I don't follow how that works, but I'll just accept it as "the way it is" and move on.

If I wanted OVAL to look at the above, and determine if there are less than 2 instances of the string "hello" in a given file; if I cannot do with with textfilecontent54, then what if anything can it be accomplished with?  i.e.  "Compare the number of instances for the object".


V/r,
John W. Garrett

-----Original Message-----
From: Peddicord, Don [mailto:[hidden email]]
Sent: Monday, July 13, 2015 2:19 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

John, David,

John -- you do not need to include the xccdf, cpe, etc. file (we really only need the OVAL ,file.)

The Test file has 4 "hellos"
I am bit confused by the lack of a object/state comparison in your content,  I see "check existence test"  for <Instance operation="less than">2 . . .  there would be instances 1 -- object exists, test passes <instance operation="greater than">3 . . . there would be 1  instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.


Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.

Don



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
Sent: Monday, July 13, 2015 2:02 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi David,

 

As always, thank you for taking some time reply.

 

Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.

 

As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  

 

For those given objects, the following assertions were made:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”

 

Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:

    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:

·         Less than 3

·         Equal to 3

·         Less than or equal to three

 

Am I following correctly?

 

 

 

V/r,

John W. Garrett

 

From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 11:23 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

 

Hi John,

 

I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.

 

If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).

 

Best regards,

—David

 

David A. Solin
Co-Founder, Research & Technology
[hidden email] <mailto:[hidden email]>  

Joval Continuous Monitoring <http://jovalcm.com>

Facebook <https://www.facebook.com/jovalcm> Linkedin <https://www.linkedin.com/company/joval-continuous-monitoring>

 

 

        On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:

         

        This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.

         

        What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.

         

        For the given tests:

                - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-2: >3 was the requirement and it passed like it should have.

                - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-4: >4 was the requirement and it failed like it should have.

         

        What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?

         

        I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :

        The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.

        Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.

        The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.

        The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.

        Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.

         

         

         

        V/r,

        John W. Garrett

        To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email] <mailto:[hidden email]> . <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>

 

To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

dpeddicord
John,
My best friend in this sort of thing is: https://oval.mitre.org/language/version5.10/OVAL_Language_Specification_09-14-2011.pdf
 

In your content you are "telling" the tool (SCC, open scap) to collect all the  "instances < 2"  in this case it would create 2 objects (oops, I am not sure if instance is zero based)
Hello instance 0 , and hello instance 1.
You are not doing a state comparison so the results will be based on "check_existance" which, again I am not sure defaults to at  least one ..... since at least one exists, then the test passes.
If you did a state comparison instance > 2  check existence is at least one , then the test would fail as there are no  object items with an instance > 2   ... (only for this , that  is  < 2, object).

That sounds confusing as I read it back. .... David can probably clarify.  But the "trick" is to separate the collection of objects (creation of object items) from the evaluation of the collected values (state / item comparison.)

Don



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
Sent: Monday, July 13, 2015 2:25 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi Don,

For <2...
hello
hello
hello
hello
= pass

I don't follow how that works, but I'll just accept it as "the way it is" and move on.

If I wanted OVAL to look at the above, and determine if there are less than 2 instances of the string "hello" in a given file; if I cannot do with with textfilecontent54, then what if anything can it be accomplished with?  i.e.  "Compare the number of instances for the object".


V/r,
John W. Garrett

-----Original Message-----
From: Peddicord, Don [mailto:[hidden email]]
Sent: Monday, July 13, 2015 2:19 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

John, David,

John -- you do not need to include the xccdf, cpe, etc. file (we really only need the OVAL ,file.)

The Test file has 4 "hellos"
I am bit confused by the lack of a object/state comparison in your content,  I see "check existence test"  for <Instance operation="less than">2 . . .  there would be instances 1 -- object exists, test passes <instance operation="greater than">3 . . . there would be 1  instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.


Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.

Don



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
Sent: Monday, July 13, 2015 2:02 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi David,

 

As always, thank you for taking some time reply.

 

Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.

 

As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  

 

For those given objects, the following assertions were made:

        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-2: >3 was the requirement and it passed like it should have.

        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

        - V-4: >4 was the requirement and it failed like it should have.

 

To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”

 

Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:

    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:

·         Less than 3

·         Equal to 3

·         Less than or equal to three

 

Am I following correctly?

 

 

 

V/r,

John W. Garrett

 

From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 11:23 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

 

Hi John,

 

I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.

 

If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).

 

Best regards,

—David

 

David A. Solin
Co-Founder, Research & Technology
[hidden email] <mailto:[hidden email]>  

Joval Continuous Monitoring <http://jovalcm.com>

Facebook <https://www.facebook.com/jovalcm> Linkedin <https://www.linkedin.com/company/joval-continuous-monitoring>

 

 

        On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:

         

        This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.

         

        What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.

         

        For the given tests:

                - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-2: >3 was the requirement and it passed like it should have.

                - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)

                - V-4: >4 was the requirement and it failed like it should have.

         

        What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?

         

        I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :

        The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.

        Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.

        The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.

        The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.

        Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.

         

         

         

        V/r,

        John W. Garrett

        To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email] <mailto:[hidden email]> . <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>

 

To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

David Solin-3
In reply to this post by dpeddicord
Hi John,

(For some strange reason I never got your initial reply… but I was able to read it in Don’s reply.  Anyway…)

What’s happening is that you’re not appreciating the full depth of your OVAL assertions.

An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.

If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!

In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.

Does that help to explain what’s happening, and what I’m recommending?

Best regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>
> John, David,
>
> John -- you do not need to include the xccdf, cpe, etc. file (we really only need the OVAL ,file.)
>
> The Test file has 4 "hellos"
> I am bit confused by the lack of a object/state comparison in your content,  I see "check existence test"  for
> <Instance operation="less than">2 . . .  there would be instances 1 -- object exists, test passes
> <instance operation="greater than">3 . . . there would be 1  instance -  object exists, test passes
> <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes
> , etc.
>
>
> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>
> Don
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
> Sent: Monday, July 13, 2015 2:02 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi David,
>
>
>
> As always, thank you for taking some time reply.
>
>
>
> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>
>
>
> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>
>
>
> For those given objects, the following assertions were made:
>
>        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)
>
>        - V-2: >3 was the requirement and it passed like it should have.
>
>        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)
>
>        - V-4: >4 was the requirement and it failed like it should have.
>
>
>
> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>
>
>
> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>
>    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>
> ·         Less than 3
>
> ·         Equal to 3
>
> ·         Less than or equal to three
>
>
>
> Am I following correctly?
>
>
>
>
>
>
>
> V/r,
>
> John W. Garrett
>
>
>
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 11:23 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
>
>
> Hi John,
>
>
>
> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>
>
>
> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>
>
>
> Best regards,
>
> —David
>
>
>
> David A. Solin
> Co-Founder, Research & Technology
> [hidden email] <mailto:[hidden email]>  
>
> Joval Continuous Monitoring <http://jovalcm.com>
>
> Facebook <https://www.facebook.com/jovalcm> Linkedin <https://www.linkedin.com/company/joval-continuous-monitoring>
>
>
>
>
>
> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>
>
>
> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>
>
>
> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>
>
>
> For the given tests:
>
>        - V-1: <2 was the requirement, yet it passed.  (Should have failed in my mind)
>
>        - V-2: >3 was the requirement and it passed like it should have.
>
>        - V-3: =3 was the requirement, yet it passed.  (Should have failed in my mind)
>
>        - V-4: >4 was the requirement and it failed like it should have.
>
>
>
> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>
>
>
> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>
> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>
> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>
> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>
> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>
> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>
>
>
>
>
>
>
> V/r,
>
> John W. Garrett
>
> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email] <mailto:[hidden email]> . <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cpe-oval.xml><count_bench-cpe-dictionary.xml>
>
>
>
> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

John Garrett
Hi David,

I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:

Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
To me, this means that for a given filter where instance =1, do NOT care about anything where instance = 1

Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.

The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.


V/r,
John W. Garrett

-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 3:00 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi John,

(For some strange reason I never got your initial reply… but I was able to read it in Don’s reply.  Anyway…)

What’s happening is that you’re not appreciating the full depth of your OVAL assertions.

An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.

If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!

In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.

Does that help to explain what’s happening, and what I’m recommending?

Best regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>
> John, David,
>
> John -- you do not need to include the xccdf, cpe, etc. file (we
> really only need the OVAL ,file.)
>
> The Test file has 4 "hellos"
> I am bit confused by the lack of a object/state comparison in your
> content,  I see "check existence test"  for <Instance operation="less
> than">2 . . .  there would be instances 1 -- object exists, test
> passes <instance operation="greater than">3 . . . there would be 1  
> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>
>
> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>
> Don
>
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of John
> Garrett
> Sent: Monday, July 13, 2015 2:02 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi David,
>
>
>
> As always, thank you for taking some time reply.
>
>
>
> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>
>
>
> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>
>
>
> For those given objects, the following assertions were made:
>
>        - V-1: <2 was the requirement, yet it passed.  (Should have
> failed in my mind)
>
>        - V-2: >3 was the requirement and it passed like it should have.
>
>        - V-3: =3 was the requirement, yet it passed.  (Should have
> failed in my mind)
>
>        - V-4: >4 was the requirement and it failed like it should have.
>
>
>
> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>
>
>
> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>
>    If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>
> ·         Less than 3
>
> ·         Equal to 3
>
> ·         Less than or equal to three
>
>
>
> Am I following correctly?
>
>
>
>
>
>
>
> V/r,
>
> John W. Garrett
>
>
>
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 11:23 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
>
>
> Hi John,
>
>
>
> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>
>
>
> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>
>
>
> Best regards,
>
> —David
>
>
>
> David A. Solin
> Co-Founder, Research & Technology
> [hidden email] <mailto:[hidden email]>
>
> Joval Continuous Monitoring <http://jovalcm.com>
>
> Facebook <https://www.facebook.com/jovalcm> Linkedin
> <https://www.linkedin.com/company/joval-continuous-monitoring>
>
>
>
>
>
> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>
>
>
> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>
>
>
> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>
>
>
> For the given tests:
>
>        - V-1: <2 was the requirement, yet it passed.  (Should have
> failed in my mind)
>
>        - V-2: >3 was the requirement and it passed like it should have.
>
>        - V-3: =3 was the requirement, yet it passed.  (Should have
> failed in my mind)
>
>        - V-4: >4 was the requirement and it failed like it should have.
>
>
>
> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>
>
>
> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>
> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>
> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>
> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>
> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>
> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>
>
>
>
>
>
>
> V/r,
>
> John W. Garrett
>
> To unsubscribe, send an email message to [hidden email]
> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in
> the BODY of the message. If you have difficulties, write to
> [hidden email]
> <mailto:[hidden email]> .
> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cp
> e-oval.xml><count_bench-cpe-dictionary.xml>
>
>
>
> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].

count_bench-oval.xml (10K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

David Solin-3
Hi John,

I’m sorry, I forgot that textfilecontent54_object has an instance entity (making the filter I described quite unnecessary).

I ran your OVAL definitions file (from several emails ago) and reproduced your results.

You have four tests, each of which checks for the existence of items matching an object (since they have no states defined, there are no assertions about those items apart from the objects themselves).  Since there are four instances of ‘hello’ in your file, there could be items with instance=1, 2, 3 and 4.  Only one of your objects fails to match at least one object.  So only that one test fails.

Let’s take V-1 (which you think should have failed).  For instance less than 2, you will get the following item match:

<ind-sc:textfilecontent_item id="0">
    <ind-sc:filepath>/root/testfile</ind-sc:filepath>
    <ind-sc:path>/root</ind-sc:path>
    <ind-sc:filename>testfile</ind-sc:filename>
    <ind-sc:pattern>hello</ind-sc:pattern>
    <ind-sc:instance datatype="int">1</ind-sc:instance>
    <ind-sc:text>hello</ind-sc:text>
</ind-sc:textfilecontent_item>

I.e., the first match in the file!  So, that exists, obviously.  That’s why your test passed — you are only checking ‘at_least_one_exists’, and indeed, that one item (the first instance of the string ‘hello’ in the file) does exist.

Best regards,
—David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1  
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in
>> the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cp
>> e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

John Garrett
Good morning David,

So if I followed you correctly, OVAL has no proper way to do a true "string" count of any kind?

i.e.
count=$(cat foo | grep pop | wc -l)


V/r,
John W. Garrett

-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 5:15 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi John,

I’m sorry, I forgot that textfilecontent54_object has an instance entity (making the filter I described quite unnecessary).

I ran your OVAL definitions file (from several emails ago) and reproduced your results.

You have four tests, each of which checks for the existence of items matching an object (since they have no states defined, there are no assertions about those items apart from the objects themselves).  Since there are four instances of ‘hello’ in your file, there could be items with instance=1, 2, 3 and 4.  Only one of your objects fails to match at least one object.  So only that one test fails.

Let’s take V-1 (which you think should have failed).  For instance less than 2, you will get the following item match:

<ind-sc:textfilecontent_item id="0">
    <ind-sc:filepath>/root/testfile</ind-sc:filepath>
    <ind-sc:path>/root</ind-sc:path>
    <ind-sc:filename>testfile</ind-sc:filename>
    <ind-sc:pattern>hello</ind-sc:pattern>
    <ind-sc:instance datatype="int">1</ind-sc:instance>
    <ind-sc:text>hello</ind-sc:text>
</ind-sc:textfilecontent_item>

I.e., the first match in the file!  So, that exists, obviously.  That’s why your test passed — you are only checking ‘at_least_one_exists’, and indeed, that one item (the first instance of the string ‘hello’ in the file) does exist.

Best regards,
—David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT
> care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was
> able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST
>> in the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-c
>> p e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

David Solin-3
In reply to this post by John Garrett
Hi John,

Actually OVAL does have a count function.

You could take the object:

<ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:bench.demo:obj:100” comment=“All instances of the string ‘hello’ in testfile” version="1">
      <ind:path>/root</ind:path>
      <ind:filename>testfile</ind:filename>
      <ind:pattern>hello</ind:pattern>
      <ind:instance datatype=“int” operation=“greater than or equal”>1</ind:instance>
</ind:textfilecontent54_object>

…and use it to reference a variable:

<local_variable id="oval:bench.demo:var:100" version="1" comment=“Count the number of items" datatype=“int”>
    <count>
        <object_component object_ref="oval:bench.demo:obj:100" item_field=“instance”/>
    </count>
</local_variable>

The value of that variable will be the count of the number of items (e.g., instances of the word hello in the file).

Best regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1  
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in
>> the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-cp
>> e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

dpeddicord
In reply to this post by John Garrett
John,
Not like that. OVAL is not a procedural language.

David is pointing you in the right direction.


My first thought,   for example, verify that count of  string "matches"  < 2

. . .
-<ind:textfilecontent54_test version="1" id="oval:bench.demo:tst:100" comment="BUG" check_existence="none_exists" check="all" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
 <ind:object object_ref="oval:bench.demo:obj:100"/>
</ind:textfilecontent54_test>
</tests>
<objects>
-<ind:textfilecontent54_object version="1" id="oval:bench.demo:obj:100" comment="V-1" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> <ind:path>/root</ind:path> <ind:filename>testfile</ind:filename> <ind:pattern>hello</ind:pattern>  
<filter action-"exclude" >oval:bench.demo:ste:100</filter>
</ind:textfilecontent54_object>
</objects>
<states>
 <ind:textfilecontent54_state version="1" id="oval:bench.demo:ste:100" comment="V-1" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
 <ind:instance datatype="int" operation="less  than  ">2</ind:instance>
</ind:textfilecontent54_state>
</states>
. . .
I have not verified that this will actualy work, however my thinking is :
..... if there are more than 2 string matches in the target file.   Any instances > 2  will exist creating objects (which therefore exist) causing the test to fail.  (assuming that the looked for req is less than 2 matches)

I am sure that David will correct my flaws here
v/r
Don
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John Garrett
Sent: Tuesday, July 14, 2015 10:39 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Good morning David,

So if I followed you correctly, OVAL has no proper way to do a true "string" count of any kind?

i.e.
count=$(cat foo | grep pop | wc -l)


V/r,
John W. Garrett

-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Monday, July 13, 2015 5:15 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi John,

I’m sorry, I forgot that textfilecontent54_object has an instance entity (making the filter I described quite unnecessary).

I ran your OVAL definitions file (from several emails ago) and reproduced your results.

You have four tests, each of which checks for the existence of items matching an object (since they have no states defined, there are no assertions about those items apart from the objects themselves).  Since there are four instances of ‘hello’ in your file, there could be items with instance=1, 2, 3 and 4.  Only one of your objects fails to match at least one object.  So only that one test fails.

Let’s take V-1 (which you think should have failed).  For instance less than 2, you will get the following item match:

<ind-sc:textfilecontent_item id="0">
    <ind-sc:filepath>/root/testfile</ind-sc:filepath>
    <ind-sc:path>/root</ind-sc:path>
    <ind-sc:filename>testfile</ind-sc:filename>
    <ind-sc:pattern>hello</ind-sc:pattern>
    <ind-sc:instance datatype="int">1</ind-sc:instance>
    <ind-sc:text>hello</ind-sc:text>
</ind-sc:textfilecontent_item>

I.e., the first match in the file!  So, that exists, obviously.  That’s why your test passed — you are only checking ‘at_least_one_exists’, and indeed, that one item (the first instance of the string ‘hello’ in the file) does exist.

Best regards,
—David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT
> care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was
> able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST
>> in the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-c
>> p e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

dpeddicord
In reply to this post by David Solin-3
David,
I like your way better than mine :-)
Don


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Tuesday, July 14, 2015 10:59 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi John,

Actually OVAL does have a count function.

You could take the object:

<ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:bench.demo:obj:100” comment=“All instances of the string ‘hello’ in testfile” version="1">
      <ind:path>/root</ind:path>
      <ind:filename>testfile</ind:filename>
      <ind:pattern>hello</ind:pattern>
      <ind:instance datatype=“int” operation=“greater than or equal”>1</ind:instance> </ind:textfilecontent54_object>

…and use it to reference a variable:

<local_variable id="oval:bench.demo:var:100" version="1" comment=“Count the number of items" datatype=“int”>
    <count>
        <object_component object_ref="oval:bench.demo:obj:100" item_field=“instance”/>
    </count>
</local_variable>

The value of that variable will be the count of the number of items (e.g., instances of the word hello in the file).

Best regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT
> care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was
> able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST
>> in the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-c
>> p e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: Math and OVAL

John Garrett
Don and David,

Thank you both for your insight and wisdom, it is very much appreciated.  Lucky me, getting pulled in another direction right now, so I won't be able to test this out today.  Hopefully tomorrow or the next.  I'll report back as to how I do.  Thanks again very much!


V/r,
John W. Garrett

-----Original Message-----
From: Peddicord, Don [mailto:[hidden email]]
Sent: Tuesday, July 14, 2015 11:01 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

David,
I like your way better than mine :-)
Don


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Tuesday, July 14, 2015 10:59 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL

Hi John,

Actually OVAL does have a count function.

You could take the object:

<ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:bench.demo:obj:100” comment=“All instances of the string ‘hello’ in testfile” version="1">
      <ind:path>/root</ind:path>
      <ind:filename>testfile</ind:filename>
      <ind:pattern>hello</ind:pattern>
      <ind:instance datatype=“int” operation=“greater than or equal”>1</ind:instance> </ind:textfilecontent54_object>

…and use it to reference a variable:

<local_variable id="oval:bench.demo:var:100" version="1" comment=“Count the number of items" datatype=“int”>
    <count>
        <object_component object_ref="oval:bench.demo:obj:100" item_field=“instance”/>
    </count>
</local_variable>

The value of that variable will be the count of the number of items (e.g., instances of the word hello in the file).

Best regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On Jul 13, 2015, at 3:19 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> I've tried filters with both include and exclude, still nothing works as expected.  To make sure I understand right, as per the Oval Spec for 5.10.1 (PDF).  If applying a filter on an object:
>
> Using the default, which is exclude: The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
> To me, this means that for a given filter where instance =1, do NOT
> care about anything where instance = 1
>
> Using the include action: The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
> To me, this means that for a given filter where instance =1, ONLY care about anything where instance = 1.
>
> The above being said, with a textfile containing hello 4 times, I still do not get the intended results.  Attached is my attempt at this.
>
>
> V/r,
> John W. Garrett
>
> -----Original Message-----
> From: David Solin [mailto:[hidden email]]
> Sent: Monday, July 13, 2015 3:00 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>
> Hi John,
>
> (For some strange reason I never got your initial reply… but I was
> able to read it in Don’s reply.  Anyway…)
>
> What’s happening is that you’re not appreciating the full depth of your OVAL assertions.
>
> An OVAL object is like a query — it can have no results, one result, or many results (these are the “items” in OVAL).  The existence check is asserted against the number of items that result from an object query.  If the existence check passes, then the “check” is asserted against those items, and a result is computed.  By default, the value of “check” is “at least one” — meaning, at least one item must satisfy the assertion in the state.
>
> If you have five items resulting for an object, with instance=1, instance=2, instance=3, instance=4, etc., and you check “less than 2”, “greater than 3”, "equals 3” — well, all of these assertions are true at least once when tested against all the items!  Hence, the result is true!
>
> In order to implement my recommended approach, you’ll have to use an object filter.  That’s a state through which all the object results are passed.  A filter state with “instance equals 2” will remove the items whose instance values are not 2.  Then, you can use the existence check to determine whether any items made it through the filter.
>
> Does that help to explain what’s happening, and what I’m recommending?
>
> Best regards,
> — David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jul 13, 2015, at 1:18 PM, Peddicord, Don <[hidden email]> wrote:
>>
>> John, David,
>>
>> John -- you do not need to include the xccdf, cpe, etc. file (we
>> really only need the OVAL ,file.)
>>
>> The Test file has 4 "hellos"
>> I am bit confused by the lack of a object/state comparison in your
>> content,  I see "check existence test"  for <Instance operation="less
>> than">2 . . .  there would be instances 1 -- object exists, test
>> passes <instance operation="greater than">3 . . . there would be 1
>> instance -  object exists, test passes <instance operation="equals " datatype="int">3 . . . there would be one instance  - object exists, test passes , etc.
>>
>>
>> Your operators (s) are going to choose which/how many  items are created ... not compare the number of instances for the object.
>>
>> Don
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of John
>> Garrett
>> Sent: Monday, July 13, 2015 2:02 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>> Hi David,
>>
>>
>>
>> As always, thank you for taking some time reply.
>>
>>
>>
>> Ok, so “counting”.  You are correct, it is making an assertions, which will be determined true or false.  It’s the resulting outcome that I disagree with.
>>
>>
>>
>> As you pointed out, I want to determine whether a string appears X number of times in a file.  In agreeance, I created and used textfilecontent54.  Within the object, I used: <ind:instance datatype="int" operation="Desired Mathematic Operation">X</ind:instance>.  
>>
>>
>>
>> For those given objects, the following assertions were made:
>>
>>       - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-2: >3 was the requirement and it passed like it should have.
>>
>>       - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>       - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> To quote you, “If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).”
>>
>>
>>
>> Why would the logic dictate that I need two tests just for an “equal to” logic?  With that idea in mind, it would seem I would need to make not just 2, but a test/object for everything I didn’t want.  i.e.:
>>
>>   If the desired outcome is V-2 as listed above (>3), then I would need to make tests, telling the code, >3, but not:
>>
>> ·         Less than 3
>>
>> ·         Equal to 3
>>
>> ·         Less than or equal to three
>>
>>
>>
>> Am I following correctly?
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>>
>>
>> From: David Solin [mailto:[hidden email]]
>> Sent: Monday, July 13, 2015 11:23 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Math and OVAL
>>
>>
>>
>> Hi John,
>>
>>
>>
>> I’m not sure whether I understand your question.  Your content isn’t counting anything, it’s making assertions, which are either true or false.  There is a CountFunctionType on OVAL which makes it possible to count things for the purposes of creating a variable value, which is what I sort of expected you’d be asking about — but you’re not.
>>
>>
>>
>> If you want to determine whether a string appears X number of times in a file, then you should create a textfilecontent54_test that checks for the existence of any matching items whose “instance” value is X.  If you want to make sure there are exactly X instances, you can test for any item matches whose “instace” value is greater than X, and build a definition combining the results of both these tests (e.g., first AND NOT second).
>>
>>
>>
>> Best regards,
>>
>> —David
>>
>>
>>
>> David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email] <mailto:[hidden email]>
>>
>> Joval Continuous Monitoring <http://jovalcm.com>
>>
>> Facebook <https://www.facebook.com/jovalcm> Linkedin
>> <https://www.linkedin.com/company/joval-continuous-monitoring>
>>
>>
>>
>>
>>
>> On Jul 13, 2015, at 9:59 AM, John Garrett <[hidden email]> wrote:
>>
>>
>>
>> This thread revolves around the concept of counting with respect to OVAL.  Perhaps I’m approaching the problem in the wrong way.  When I first submitted my bug report for it using SCC, I figured that SCC was simply wrong; turns out OpenScap yields the same results.  The reply I received “somewhat” makes sense, but the logic seems very twisted in my mind.  1+1 will always equal two and be less than 3; anything else is crazy…  Yet, with OVAL, this seems not the case.
>>
>>
>>
>> What I am attempting to do, is for a given file, determine if there are X instances of a given string in a file.  I’ve attempted this with both object only, and object and state, but to no avail.
>>
>>
>>
>> For the given tests:
>>
>>        - V-1: <2 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-2: >3 was the requirement and it passed like it should have.
>>
>>        - V-3: =3 was the requirement, yet it passed.  (Should have
>> failed in my mind)
>>
>>        - V-4: >4 was the requirement and it failed like it should have.
>>
>>
>>
>> What follows below is the response I received, and after reading it, and trying this in OpenScap as well as SCC, this would seem to be the case.  So, that being the case; what approach should I take if I wanted the above outcomes to happen in regards to counting?
>>
>>
>>
>> I think I see where the misunderstanding lies. According to the MITRE OVAL spec for textfilecontent54, which can found at http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html <http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/independent-definitions-schema.html> :
>>
>> The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
>>
>> Therefore, the instance entity functions as an index for referencing particular matches out of a set instead of a counter. Accordingly, the first test in your sample content collects the first string (instance less than 2) that matches the pattern 'hello'. That test passes because its 'check existence' requirement expects one or more items to exist, and exactly one item does actually exist.
>>
>> The second test collects the fourth string (instance greater than 3) that matches the given pattern, which also satisfies the 'check existence' requirement of one or more items.
>>
>> The third test passes because it collects the third matching string (instance equals 3), satisfying the one or more item 'check existence' requirement.
>>
>> Finally, the fourth test fails because it is seeking any matches that occur after the first four instances (instance greater than 4), but the target file contains only four matches. Thus, 'check existence' requirement of one or more items is not met because the item does not exist.
>>
>>
>>
>>
>>
>>
>>
>> V/r,
>>
>> John W. Garrett
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST
>> in the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]> .
>> <testfile><count_bench-xccdf.xml><count_bench-oval.xml><count_bench-c
>> p e-oval.xml><count_bench-cpe-dictionary.xml>
>>
>>
>>
>> To unsubscribe, send an email message to [hidden email] <mailto:[hidden email]>  with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
>>
>
> To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].
> <count_bench-oval.xml>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to [hidden email].