Hi!
The process of updating the SCAP is looped. As shown in the log:
all XML files nvdcve-2.0 are loaded,
the SCAP db starts to rebuild, and is interrupted by the error “update_ovaldef_xml: Failed to parse element”,
then the process starts to download all XML packages again.
It looks like the reason for the failure is in the definition:
<definition id="oval:org.mitre.oval:def:21169" version="29" class="patch">
Could you please help me to fix the issue?
The environment is below:
Greenbone Security Assistant 20.08.0~git-17a736a39-gsa-20.08
Greenbone Vulnerability Manager 20.08.0~git-0754740a-gvmd-20.08
GIT revision 0754740a-gvmd-20.08
Manager DB revision 233
OpenVAS 20.8.0
gvm-libs 20.8.0~git-3597093-gvm-libs-20.08
Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
Sascha
January 25, 2022, 1:24pm
2
Hi Alex and all,
I face the same problem: Updating SCAP data from feed is re-starting over and over again. Any idea or solution?
/var/log/gvm/gvmd.log (excerpt):
md manage:WARNING:2022-01-25 09h55.03 UTC:1824: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 09h55.11 UTC:2110: update_scap: No SCAP db present, rebuilding SCAP db from scratch
md manage: INFO:2022-01-25 09h55.14 UTC:2110: update_scap: Updating data from feed
md manage: INFO:2022-01-25 09h55.14 UTC:2110: Updating CPEs
md manage: INFO:2022-01-25 10h01.45 UTC:2110: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2002.xml
...
md manage: INFO:2022-01-25 10h12.41 UTC:2110: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2022.xml
md manage: INFO:2022-01-25 10h12.42 UTC:2110: Updating OVAL data
md manage:WARNING:2022-01-25 10h12.47 UTC:2110: oval_timestamp: Failed to parse element: <?xml version="1.0" encoding="UTF-8"?>
...
md manage:WARNING:2022-01-25 10h12.49 UTC:2110: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 10h12.56 UTC:2453: update_scap: No SCAP db present, rebuilding SCAP db from scratch
md manage: INFO:2022-01-25 10h12.59 UTC:2453: update_scap: Updating data from feed
md manage: INFO:2022-01-25 10h12.59 UTC:2453: Updating CPEs
md manage: INFO:2022-01-25 10h16.37 UTC:2453: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2002.xml
System:
Greenbone Vulnerability Manager / gvmd 21.4.4 (DB revision 242)
Greenbone Security Assistant / gsad 21.4.3
CentOS 8
DeeAnn
January 25, 2022, 3:07pm
3
Hi @Sascha and welcome to the forum
The first thing to try is another feed sync to see if that resolves it, and please let us know. Thanks!
Sascha
January 25, 2022, 5:51pm
4
Thanks DeeAnn!
Yes, I restarted the daemons, it found no SCAP db present, and it sync’ed. After almost finishing, it started over again. Same as in the logs I posted.
Amendment:
The failure and re-start syncing always starts when an oval document cannot be parsed:
md manage: INFO:2022-01-24 21h00.48 UTC:4891: Updating OVAL data
md manage:WARNING:2022-01-24 21h00.52 UTC:4891: oval_timestamp: Failed to parse element: <?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<generator>
<oval:product_name>The OVAL Repository</oval:product_name>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2015-09-03T08:49:23.326-04:00</oval:timestamp>
</generator>
...
DeeAnn
January 27, 2022, 11:05am
5
@Sascha thanks for letting us know and we’re looking into it.
(edit to add- I’ve also moved the thread to the Greenbone Source Edition category)
Sascha
February 4, 2022, 2:32pm
6
Solved.
I yum updated my CentOS 8 after moving it to vault and now the SCAP db syncing works. Maybe the syncing process uses some date/time functionality from the OS to parse the timestamp. (I saw the timestamps in oval xml are YYYY-MM-DDTHH:mm:ss.000-04:00 rather than YYYY-MM-DDTHH:mm:ss.000Z in the scap-data xml that were parsed correctly already before the update.)
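One way to confirm from gvmd.log that the SCAP update is stuck in the restart loop described in this thread, shown as an added example that is not part of any post and is not Greenbone code. The function names are hypothetical, and the line layout and message strings are assumed to match the excerpts quoted above.

```python
import re
from datetime import datetime

# Line layout as it appears in the gvmd.log excerpts quoted in this thread.
LINE_RE = re.compile(
    r"^md\s+manage:\s*(?P<level>\w+):"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}h\d{2}\.\d{2}) UTC:(?P<pid>\d+): (?P<msg>.*)$"
)
FAIL_MSG = "update_ovaldef_xml: Failed to parse element"
REBUILD_MSG = "update_scap: No SCAP db present, rebuilding SCAP db from scratch"


def parse_line(line):
    """Return (timestamp, pid, message) for a gvmd log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation lines (dumped XML, "...") are skipped
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %Hh%M.%S")
    return ts, int(m["pid"]), m["msg"]


def find_restart_cycles(lines):
    """Pair each OVAL parse failure with the from-scratch rebuild that follows it."""
    cycles, pending = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, pid, msg = rec
        if msg.startswith(FAIL_MSG):
            pending = (ts, pid)  # remember which update process failed, and when
        elif msg.startswith(REBUILD_MSG) and pending and pid != pending[1]:
            # A new process found no SCAP db right after the failure: one loop turn.
            cycles.append({"failed_pid": pending[1], "rebuild_pid": pid,
                           "gap_seconds": int((ts - pending[0]).total_seconds())})
            pending = None
    return cycles


# Sample lines copied from the log excerpt posted in this thread.
SAMPLE = """\
md manage:WARNING:2022-01-25 09h55.03 UTC:1824: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 09h55.11 UTC:2110: update_scap: No SCAP db present, rebuilding SCAP db from scratch
md manage: INFO:2022-01-25 10h12.42 UTC:2110: Updating OVAL data
md manage:WARNING:2022-01-25 10h12.47 UTC:2110: oval_timestamp: Failed to parse element: <?xml version="1.0" encoding="UTF-8"?>
md manage:WARNING:2022-01-25 10h12.49 UTC:2110: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 10h12.56 UTC:2453: update_scap: No SCAP db present, rebuilding SCAP db from scratch
""".splitlines()

if __name__ == "__main__":
    for cycle in find_restart_cycles(SAMPLE):
        print(cycle)
```

Two or more cycles in which each rebuilding process later becomes the failing one indicate the loop, as opposed to a single failed update.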