Failed to sync SCAP database

Archive Greenbone Community Edition
1

Hi!

The process of updating the SCAP is looped. As shown in log:

  • all CML files nvdcve-2.0 are loaded,
  • SCAP db starts to rebuild, and is interrupted by error “update_ovaldef_xml: Failed to parse element
  • then process starts to download all XML packages again.

It looks like the reason for the failure is in the definition:

definition id=“oval:org.mitre.oval:def:21169” version=“29” class=“patch”>

Could you please help me to fix the issue?

Environment are below:
Greenbone Security Assistant 20.08.0~git-17a736a39-gsa-20.08
Greenbone Vulnerability Manager 20.08.0~git-0754740a-gvmd-20.08
GIT revision 0754740a-gvmd-20.08
Manager DB revision 233
OpenVAS 20.8.0
gvm-libs 20.8.0~git-3597093-gvm-libs-20.08
Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

2

Hi Alex and all,
I face the same problem: Updating SCAP data from feed ist re-starting over and over again. Any idea or solution?

/var/log/gvm/gvmd.log (excerpt):

md manage:WARNING:2022-01-25 09h55.03 UTC:1824: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 09h55.11 UTC:2110: update_scap: No SCAP db present, rebuilding SCAP db from scratch
md manage:   INFO:2022-01-25 09h55.14 UTC:2110: update_scap: Updating data from feed
md manage:   INFO:2022-01-25 09h55.14 UTC:2110: Updating CPEs
md manage:   INFO:2022-01-25 10h01.45 UTC:2110: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2002.xml
...
md manage:   INFO:2022-01-25 10h12.41 UTC:2110: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2022.xml
md manage:   INFO:2022-01-25 10h12.42 UTC:2110: Updating OVAL data
md manage:WARNING:2022-01-25 10h12.47 UTC:2110: oval_timestamp: Failed to parse element: <?xml version="1.0" encoding="UTF-8"?>
...
md manage:WARNING:2022-01-25 10h12.49 UTC:2110: update_ovaldef_xml: Failed to parse element
md manage:WARNING:2022-01-25 10h12.56 UTC:2453: update_scap: No SCAP db present, rebuilding SCAP db from scratch
md manage:   INFO:2022-01-25 10h12.59 UTC:2453: update_scap: Updating data from feed
md manage:   INFO:2022-01-25 10h12.59 UTC:2453: Updating CPEs
md manage:   INFO:2022-01-25 10h16.37 UTC:2453: Updating /var/lib/gvm/scap-data/nvdcve-2.0-2002.xml

System:
Greenbone Vulnerability Manager / gvmd 21.4.4 (DB revision 242)
Greenbone Security Assistant / gsad 21.4.3
CentOS 8

3

Hi @Sascha and welcome to the forum :slight_smile:

The first thing to try is another feed sync to see if that resolves it, and please let us know. Thanks!

4

Thanks DeeAnn!
Yes, I restarted the daemons, it found no SCAP db present, and it sync’ed. After almost finishing, it started over again. Same as in the logs I posted. :open_mouth:

Amendment:
The failure and re-start syncing always starts when an oval document cannot be parsed:

md manage:   INFO:2022-01-24 21h00.48 UTC:4891: Updating OVAL data
md manage:WARNING:2022-01-24 21h00.52 UTC:4891: oval_timestamp: Failed to parse element: <?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2015-09-03T08:49:23.326-04:00</oval:timestamp>
  </generator>
...
5

@Sascha thanks for letting us know and we’re looking into it.

(edit to add- I’ve also moved the thread to the Greenbone Source Edition category)

6

Solved.
I yum updated my CentOS 8 after moving it to vault and now the SCAP db syncing works. Maybe the syncing process uses some date/time functionality from the OS to parse the timestamp. (I saw the timestamps in oval xml are YYYY-MM-DDTHH:mm:ss.000-04:00 rather than YYYY-MM-DDTHH:mm:ss.000Z in the scap-data xml that were parsed correctly already before the update.)