OVAL Result - bad OR operator for Rocky Linux 9 must be installed

[wagner-robert]

All,
I am trying to figure out why OpenSCAP fails every CVE test. In looking at the RHEL9 oval file:
https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2
I see gzip issue has the following criteria

 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20223893008"/>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 9 is installed" test_ref="oval:com.redhat.rhba:tst:20223893007"/>
   <criterion comment="gzip is earlier than 0:1.10-9.el9_0" test_ref="oval:com.redhat.rhsa:tst:20224582001"/>
   <criterion comment="gzip is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20224582002"/>
  </criteria>
 </criteria>

The one generated by this python code results in:

<criteria operator="OR">
  <criterion comment="Rocky Linux must be installed"
    test_ref="oval:org.rockylinux.rlsa:tst:20250426001"/>
<criteria operator="AND">
  <criterion comment="gzip is earlier than 0:1.10-9.el9_0"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829690"/>
  <criterion comment="gzip is signed with Rocky Linux rockyrelease2 key"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829691"/>
</criteria>
<criteria operator="AND">
  <criterion comment="gzip-debuginfo is earlier than 0:1.10-9.el9_0"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829692"/>
  <criterion comment="gzip-debuginfo is signed with Rocky Linux rockyrelease2 key"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829693"/>
</criteria>
<criteria operator="AND">
  <criterion comment="gzip-debugsource is earlier than 0:1.10-9.el9_0"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829694"/>
  <criterion comment="gzip-debugsource is signed with Rocky Linux rockyrelease2 key"
    test_ref="oval:org.rockylinux.rlsa:tst:202245829695"/>
</criteria>
**<criteria operator="OR">
  <criterion comment="Rocky Linux 9 must be installed"**
    test_ref="oval:org.rockylinux.rlsa:tst:20250426002"/>
</criteria>
</criteria>

I suspect that last "OR" for Rocky Linux 9 should be AND. The last criteria always results in a 'true'.
So, I have a fully patched system with gzip 1.12 - Looking at the results, everything is 'false' except Rocky Linux 9 = true.

[wagner-robert]

Simplify this down... I think this is what we are trying to say (example):

<criteria >  -----------it is always an implied AND
  <criterion test_ref="oval:com.oracle.elsa:tst:20225527001" comment="Oracle Linux 9 is installed"/>  ----MUST be TRUE
  <criterion test_ref="oval:com.oracle.elsa:tst:20225527002" comment="Oracle Linux arch is aarch64"/>  ------MUST be TRUE
  <criteria operator="OR">   ---------ONE OF THE FOLLOWING MUST BE TRUE
	<criteria >
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid is earlier than 7:5.2-1.el9_0.1"/>
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid is signed with the Oracle Linux 9 key"/>
	</criteria>

	<criteria > ----JUST PRETEND THIS WAS IN THE ORIGINAL
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid-devel is earlier than 7:5.2-1.el9_0.1"/>
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid-devel is signed with the Oracle Linux 9 key"/>
	</criteria>

   </criteria>
</criteria>

Or

<criteria > ----The following two statements must be true
  <criterion comment="Rocky Linux must be installed" test_ref="oval:org.rockylinux.rlsa:tst:20250426001"/>
  <criterion comment="Rocky Linux 9 must be installed"  test_ref="oval:org.rockylinux.rlsa:tst:20250426002"/>
     <criteria operator="OR"> ----AND, One of the following must be true
        <criteria >
        <criterion comment="gzip is earlier than 0:1.10-9.el9_0" test_ref="oval:org.rockylinux.rlsa:tst:202245829690"/>
        <criterion comment="gzip is signed with Rocky Linux rockyrelease2 key"     test_ref="oval:org.rockylinux.rlsa:tst:202245829691"/>
        </criteria>

      <criteria >
      <criterion comment="gzip-debuginfo is earlier than 0:1.10-9.el9_0"  test_ref="oval:org.rockylinux.rlsa:tst:202245829692"/>
       <criterion comment="gzip-debuginfo is signed with Rocky Linux rockyrelease2 key"  test_ref="oval:org.rockylinux.rlsa:tst:202245829693"/>
      </criteria>

      <criteria >
         <criterion comment="gzip-debugsource is earlier than 0:1.10-9.el9_0"     test_ref="oval:org.rockylinux.rlsa:tst:202245829694"/>
         <criterion comment="gzip-debugsource is signed with Rocky Linux rockyrelease2 key"     test_ref="oval:org.rockylinux.rlsa:tst:202245829695"/>
        </criteria>
  
      </criteria>   ----------Close the OR
</criteria>   --------------CLose the first criteria

If we are generating a file for RL9, we should only run it on RL9. This requires one to fix the "none satisfy" condition of tst:20250426001