Creation of items from ind:shellcommand when 'command' is a list of command via var_ref

[vanderpol]

With the new shellcommand test, the documentation states "The evaluation of the object should always produce one item.", this was based on the discussions of the proposal, and how the existing CIS extension worked in the past. This question is more of a general OVAL question, when the object of a test refers to a variable, this generally implies that multiple items can be created, (think of a UNIX/Windows file test, where the filepath is a variable to a list of filepaths etc..)

Should the documentation for the shellcommand be updated to clarify, or does some other higher level documentation in OVAL already define this scenario? If so, can anyone point to a specific spot in the schema files that clearly defines this behavior? Something like "when using var_refs as part of the object, this has the same effect as having multiple objects defined, and multiple system data items may be collected as necessary."

In our SCC implementation, we currently only create one item regardless of the content, but it seems this may be shortsighted, as the var ref with a list of commands was not in mind.

In the attached sample content it demonstrates creating 2 items from a file test that points to a variable containing 2 filepaths, but only creating 1 item for a shellcommand test which points to a variable containing 2 powerhell commands. I assume this should be creating 2 items as well?
Uploading OVAL-Results_shell-command-with-variables.zip…

Thoughts on this @solind?

[solind]

Hi @vanderpol, I can't see the attachment. However, yes, var_refs can certainly create multiple object permutations. It sounds as if in the case you're describing, two items should be produced -- each being the product of collecting the shellcommand_object with each different variable value.

I know that this behavior is documented at least in part 5.3.5.1.2 (functions), and part 5.3.6.4 (objects and states), of the OVAL Language Specification document.

When I was working on Joval, I wrote the engine so that it automatically managed object permutations arising from variables so that it wasn't necessary to add the same code to all the various object collection implementations.

[vanderpol]

As always, thanks you @solind, that helps a lot. I don't think you really need to see our sample files, as your answer provided clarity on this topic. We will ensure that the shellcommand test creates multiple items if the command is via var_ref, and multiple commands are being passed in. We do this for all other tests, but this one was an outlier due to its abnormal 'create one and only one' design.

[solind]

Just remember, in OVAL, it always seems that every exception has at least one exception!