Description
The sudo noexec configuration option prevents oscap-ssh from running with the --sudo option.
From the sudoers(5) manual:
sudo's noexec functionality can be used to prevent a program run by sudo from executing any other programs.
New to OpenSCAP, I am trying to run oscap-ssh against an "ANSSI BP-028 Enhanced" compliant RHEL image, which enforces the sudo noexec option in the /etc/sudoers config:
Defaults noexec
The oscap-ssh evaluation legitimately fails, as the remote secured sudo prevents exactly that behavior:
$ oscap-ssh --sudo xxxx 22 xccdf eval --profile anssi_bp28_enhanced /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Connecting to 'xxxx' on port '22'...
xxxx's password:
Connected!
Copying input file '/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml' to remote working directory '/tmp/tmp.4YVekDVjw3'...
ssg-rhel10-ds.xml 100% 19MB 159.4MB/s 00:00
Starting the evaluation...
[sudo] password for x:
sh: line 1: /bin/oscap: Permission denied
sh: line 1: /bin/chown: Permission denied
Shared connection to xxx closed.
oscap exit code: 126
Copying back requested files...
Removing remote temporary directory...
Disconnecting ssh and removing control ssh socket directory...
Exit request sent.
By commenting out the noexec line in the /etc/sudoers config, the evaluation runs well.
I identified that this failure was introduced in commit f2d9ec9, which runs sudo as sudo sh -c '$OSCAP_CMD' instead of sudo '$OSCAP_CMD'.
I can submit a patch, but as I am very new to this whole product I fear I might break other functionality, as was done in the aforementioned commit.
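As an added example (not oscap-ssh code), this is the pre-flight check a wrapper could run before choosing how to invoke the remote command: it parses the text of `sudo -l` for the target user, reports whether `noexec` is among the matching Defaults entries, and in that case builds a command line where sudo execs the binary itself instead of going through `sh -c`. The `sudo -l` samples are constructed; the function and variable names are assumptions.

```sh
#!/bin/sh
# Added example, not oscap-ssh code: pre-flight check for sudo's noexec Defaults.
# Under "Defaults noexec", sudo lets the first program run but forbids it from
# executing others, so "sudo sh -c '/bin/oscap ...'" fails with exit 126
# (sh may not exec oscap) while "sudo -- /bin/oscap ..." works.

# Constructed sample of `sudo -l` output with noexec in effect.
SAMPLE_SUDO_L_NOEXEC='Matching Defaults entries for x on host:
    !visiblepw, always_set_home, noexec, env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin

User x may run the following commands on host:
    (ALL) ALL'

# Same user with noexec explicitly negated ("!noexec" must not count as enabled).
SAMPLE_SUDO_L_EXEC='Matching Defaults entries for x on host:
    !visiblepw, always_set_home, !noexec, env_reset

User x may run the following commands on host:
    (ALL) ALL'

# Return 0 if "noexec" is listed among the matching Defaults entries of the
# given `sudo -l` text, 1 otherwise. Only the Defaults section is inspected;
# the command list that follows it is ignored.
sudo_noexec_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^[^ ]/                      { in_defaults = 0 }
        in_defaults {
            n = split($0, entry, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", entry[i])
                if (entry[i] == "noexec") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the command line a wrapper should use for CMD given the `sudo -l` text:
# with noexec, sudo has to exec the binary itself rather than an intermediate sh.
privileged_cmdline() {
    if sudo_noexec_enabled "$1"; then
        printf 'sudo -- %s\n' "$2"
    else
        printf "sudo sh -c '%s'\n" "$2"
    fi
}
```

On a real host, feed the function the output of `sudo -l` captured over the ssh session; exit status 126 from the `sh -c` form is the symptom this check is meant to pre-empt.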