From 337734fce1474aab4ba2fcf61a5ab48355ccdb5d Mon Sep 17 00:00:00 2001
From: Juan Fernandez
Date: Wed, 8 Jun 2022 14:29:58 -0400
Subject: [PATCH] Bug: Issue while parsing dpkg objects with inline names (#6146)
* Bug: Issue while parsing dpkg objects with inline names
Dpkg objects can also define their names inline, not only using variable references.
---
 .../vulnerabilities/oval/input/dpkg_object.go | 1 +
 server/vulnerabilities/oval/mappers.go | 21 ++++++++++++++++++-
 server/vulnerabilities/oval/parser.go | 10 ++++-----
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/server/vulnerabilities/oval/input/dpkg_object.go b/server/vulnerabilities/oval/input/dpkg_object.go
index 982320a619..072c7b81ce 100644
--- a/server/vulnerabilities/oval/input/dpkg_object.go
+++ b/server/vulnerabilities/oval/input/dpkg_object.go
@@ -2,6 +2,7 @@ package oval_input
 type dpkgObjectNameXML struct {
 VarRef string `xml:"var_ref,attr"`
+ Value string `xml:",chardata"`
 }
 // DpkgObjectXML see https://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html#dpkginfo_object.
diff --git a/server/vulnerabilities/oval/mappers.go b/server/vulnerabilities/oval/mappers.go
index 584a0a69c2..5d1d97f24b 100644
--- a/server/vulnerabilities/oval/mappers.go
+++ b/server/vulnerabilities/oval/mappers.go
@@ -89,12 +89,31 @@ func mapPackageState(sta oval_input.DpkgStateXML) ([]oval_parsed.ObjectStateEvrS
 }
 func mapPackageObject(obj oval_input.DpkgObjectXML, vars map[string]oval_input.ConstantVariableXML) ([]string, error) {
+ // Test objects can define their 'name' in one of two ways:
+ // 1. Inline:
+ // <:object ...>
+ // <:name>software name
+ //
+ //
+ // 2. As a variable reference:
+ // <:object ...>
+ // <:name var_ref="var:200224390000000" var_check="at least one" />
+ //
+
+ // Check whether the name was defined inline
+ if obj.Name.Value != "" {
+ return []string{obj.Name.Value}, nil
+ }
+
+ var r []string
+ // If not, the name should be defined as a variable
 variable, ok := vars[obj.Name.VarRef]
 if !ok {
 return nil, fmt.Errorf("variable not found %s", obj.Name.VarRef)
 }
- var r []string
+ // Normally the variable for a test object contains a single value, but according to the specs,
+ // it can contain multiple values.
 r = append(r, variable.Values...)
 return r, nil
diff --git a/server/vulnerabilities/oval/parser.go b/server/vulnerabilities/oval/parser.go
index 4d2c07c9d9..a0b9f95ed6 100644
--- a/server/vulnerabilities/oval/parser.go
+++ b/server/vulnerabilities/oval/parser.go
@@ -15,27 +15,27 @@ import (
 func parseDefinitions(inputFile string, outputFile string) error {
 r, err := os.Open(inputFile)
 if err != nil {
- return err
+ return fmt.Errorf("oval parser: %w", err)
 }
 defer r.Close()
 xmlResult, err := parseXML(r)
 if err != nil {
- return err
+ return fmt.Errorf("oval parser: %w", err)
 }
 result, err := mapResult(xmlResult)
 if err != nil {
- return err
+ return fmt.Errorf("oval parser: %w", err)
 }
 payload, err := json.Marshal(result)
 if err != nil {
- return err
+ return fmt.Errorf("oval parser: %w", err)
 }
 err = ioutil.WriteFile(outputFile, payload, 0o644)
 if err != nil {
- return err
+ return fmt.Errorf("oval parser: %w", err)
 }
 return nil
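Review bot: The inline-name check `if obj.Name.Value != ""` in mapPackageObject (server/vulnerabilities/oval/mappers.go) tests the raw character data, so a `name` element that carries `var_ref` but is written with an explicit closing tag and whitespace between the tags takes the inline branch, and an inline name padded with whitespace or newlines is returned verbatim. Either way the returned package name would presumably never match installed software, so the definition is skipped without any error and a vulnerable package goes unreported. Trim before testing, e.g. `if name := strings.TrimSpace(obj.Name.Value); name != "" { return []string{name}, nil }`; this needs `strings` in the file's import block, which is outside the hunk. The function's closing brace is also outside the hunk.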
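Review bot: Every wrapped return in parseDefinitions (server/vulnerabilities/oval/parser.go) uses the same `oval parser: %w` prefix, so a failure from parseXML, mapResult or json.Marshal reaches the log without the stage or the feed file that caused it. Since a failed parse leaves the vulnerability data stale, name both, e.g. `return fmt.Errorf("oval parser: mapping %q: %w", inputFile, err)` with a matching verb for each step. The import block and the end of the function are outside the hunk, so whether `fmt` is already imported cannot be checked from here.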