OVAL vulnerability Criteria - All sorts of confusing...

[wagner-robert]

All,
I am trying to use OpenSCAP for vulnerability analysis using OVAL files. One thing I have noticed is the vulnerability criteria is all sorts of confusing. Some examples:
Redhat 9: https://security.access.redhat.com/data/oval/v2/RHEL9/

 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20223893008"/>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 9 is installed" test_ref="oval:com.redhat.rhba:tst:20223893007"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="redhat-release is earlier than 0:9.0-2.17.el9" test_ref="oval:com.redhat.rhba:tst:20223893001"/>
     <criterion comment="redhat-release is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20223893002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="redhat-release-eula is earlier than 0:9.0-2.17.el9" test_ref="oval:com.redhat.rhba:tst:20223893003"/>
     <criterion comment="redhat-release-eula is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20223893004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="redhat-sb-certs is earlier than 0:9.0-2.17.el9" test_ref="oval:com.redhat.rhba:tst:20223893005"/>
     <criterion comment="redhat-sb-certs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20223893006"/>
    </criteria>
   </criteria>
  </criteria>
 </criteria>

This starts with an "OR" statement. It seems like you would want to say "If you have RHEL installed AND RHEL 9 installed AND you have any of the following conditions are TRUE - then you are vulnerable"

Oracle does this differently: https://linux.oracle.com/security/oval/

<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20225527001" comment="Oracle Linux 9 is installed"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20225527002" comment="Oracle Linux arch is aarch64"/>
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid is earlier than 7:5.2-1.el9_0.1"/>
<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid is signed with the Oracle Linux 9 key"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20225527005" comment="Oracle Linux arch is x86_64"/>  ----WHY EVALUATE for both aarch64 and x86_64????
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid is earlier than 7:5.2-1.el9_0.1"/>  ----WHY Double Evaluate???
<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid is signed with the Oracle Linux 9 key"/>
</criteria>
</criteria>
</criteria>
</criteria>

These seem overly complicated. Does something like this work:

<criteria >  -----------it is always an implied AND
  <criterion test_ref="oval:com.oracle.elsa:tst:20225527001" comment="Oracle Linux 9 is installed"/>  ----MUST be TRUE
  <criterion test_ref="oval:com.oracle.elsa:tst:20225527002" comment="Oracle Linux arch is aarch64"/>  ------MUST be TRUE
  <criteria operator="OR">   ---------ONE OF THE FOLLOWING MUST BE TRUE
	<criteria >
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid is earlier than 7:5.2-1.el9_0.1"/>
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid is signed with the Oracle Linux 9 key"/>
	</criteria>

	<criteria > ----JUST PRETEND THIS WAS IN THE ORIGINAL
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527003" comment="squid-devel is earlier than 7:5.2-1.el9_0.1"/>
	<criterion test_ref="oval:com.oracle.elsa:tst:20225527004" comment="squid-devel is signed with the Oracle Linux 9 key"/>
	</criteria>


   </criteria>
</criteria>

If someone could write a PDF on how to create and debug the Criteria statements, it would be greatly appreciated.

Also, some of the tests are truly odd:

<red-def:rpmverifyfile_test check="none satisfy" comment="Red Hat Enterprise Linux must be installed" id="oval:com.redhat.rhba:tst:20223893008" version="635">
 <red-def:object object_ref="oval:com.redhat.rhba:obj:20223893004"/>
 <red-def:state state_ref="oval:com.redhat.rhba:ste:20223893005"/>
</red-def:rpmverifyfile_test>

Why would they create a test that RHEL must be installed with a check="none satisfy"?????