From 1ce40c85543fd0b3c6a6d36457186388590b63c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 30 Sep 2020 14:12:13 +0200
Subject: [PATCH 1/4] Prevent segfault

Prevent segfault if there are circular dependencies between OVAL
definitions.  This segfault happened when an OVAL definition references
itself in the extend_definition element. It can also happen when the
referenced OVAL definition references back to the parent OVAL definition
and therefore  there is a circular dependency between OVAL definitions.
See the test OVALs for examples of such definitions. The circle wasn't
detected and it caused infinite recursion which caused a segfault.

The fix uses a list which stores the IDs of already evaluated
definitions and it checks if a definition isn't evaluated for the second
time.

Fixes: rhbz#1812476
---
 src/OVAL/results/oval_resultCriteriaNode.c    | 16 ++++--
 src/OVAL/results/oval_resultDefinition.c      | 13 ++++-
 src/OVAL/results/oval_resultSystem.c          | 32 +++++++++--
 src/OVAL/results/oval_results_impl.h          | 11 ++--
 tests/API/OVAL/unittests/CMakeLists.txt       |  2 +
 .../unittests/test_circular_extend_def.sh     | 39 +++++++++++++
 .../unittests/test_circular_extend_def.xml    | 56 +++++++++++++++++++
 .../unittests/test_recursive_extend_def.sh    | 16 ++++++
 .../unittests/test_recursive_extend_def.xml   | 56 +++++++++++++++++++
 9 files changed, 226 insertions(+), 15 deletions(-)
 create mode 100755 tests/API/OVAL/unittests/test_circular_extend_def.sh
 create mode 100644 tests/API/OVAL/unittests/test_circular_extend_def.xml
 create mode 100755 tests/API/OVAL/unittests/test_recursive_extend_def.sh
 create mode 100644 tests/API/OVAL/unittests/test_recursive_extend_def.xml

diff --git a/src/OVAL/results/oval_resultCriteriaNode.c b/src/OVAL/results/oval_resultCriteriaNode.c
index 5ddd20adf3..29d06bdc6e 100644
--- a/src/OVAL/results/oval_resultCriteriaNode.c
+++ b/src/OVAL/results/oval_resultCriteriaNode.c
@@ -234,8 +234,10 @@ void oval_result_criteria_node_free(struct oval_result_criteria_node *node)
 	free(node);
 }
 
-struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_node
-    (struct oval_result_system *sys, struct oval_criteria_node *oval_node, int variable_instance) {
+struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_node(
+		struct oval_result_system *sys, struct oval_criteria_node *oval_node,
+		struct oscap_list *visited_definitions, int variable_instance)
+{
 	struct oval_result_criteria_node *rslt_node = NULL;
 	if (oval_node) {
 		oval_criteria_node_type_t type = oval_criteria_node_get_type(oval_node);
@@ -255,7 +257,10 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
 					struct oval_criteria_node *oval_subnode
 					    = oval_criteria_node_iterator_next(oval_subnodes);
 					struct oval_result_criteria_node *rslt_subnode
-					    = make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, variable_instance);
+						= make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, visited_definitions, variable_instance);
+					if (rslt_subnode == NULL) {
+						return NULL;
+					}
 					oval_result_criteria_node_add_subnode(rslt_node, rslt_subnode);
 				}
 				oval_criteria_node_iterator_free(oval_subnodes);
@@ -272,7 +277,10 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
 		case OVAL_NODETYPE_EXTENDDEF:{
 				struct oval_definition *oval_definition = oval_criteria_node_get_definition(oval_node);
 				struct oval_result_definition *rslt_definition
-				    = oval_result_system_get_new_definition(sys, oval_definition, variable_instance);
+					= oval_result_system_get_new_definition_with_check(sys, oval_definition, visited_definitions, variable_instance);
+				if (rslt_definition == NULL) {
+					return NULL;
+				}
 				rslt_node = oval_result_criteria_node_new(sys,
 									  type,
 									  negate,
diff --git a/src/OVAL/results/oval_resultDefinition.c b/src/OVAL/results/oval_resultDefinition.c
index 9ea0c69257..a5db1a5acb 100644
--- a/src/OVAL/results/oval_resultDefinition.c
+++ b/src/OVAL/results/oval_resultDefinition.c
@@ -113,14 +113,21 @@ void oval_result_definition_free(struct oval_result_definition *definition)
 	free(definition);
 }
 
-struct oval_result_definition *make_result_definition_from_oval_definition
-    (struct oval_result_system *sys, struct oval_definition *oval_definition, int variable_instance) {
+struct oval_result_definition *make_result_definition_from_oval_definition(struct oval_result_system *sys, struct oval_definition *oval_definition, struct oscap_list *visited_definitions, int variable_instance)
+{
 	char *defid = oval_definition_get_id(oval_definition);
+	if (visited_definitions != NULL) {
+		if (oscap_list_contains(visited_definitions, defid, (oscap_cmp_func) oscap_streq)) {
+			dE("Circular dependency in OVAL definition '%s'.", defid);
+			return NULL;
+		}
+		oscap_list_add(visited_definitions, strdup(defid));
+	}
 	struct oval_result_definition *rslt_definition = oval_result_definition_new(sys, defid);
 	oval_result_definition_set_instance(rslt_definition, variable_instance);
 	struct oval_criteria_node *oval_criteria = oval_definition_get_criteria(oval_definition);
 	struct oval_result_criteria_node *rslt_criteria = 
-		make_result_criteria_node_from_oval_criteria_node(sys, oval_criteria, variable_instance);
+		make_result_criteria_node_from_oval_criteria_node(sys, oval_criteria, visited_definitions, variable_instance);
 	if (rslt_criteria)
 		oval_result_definition_set_criteria(rslt_definition, rslt_criteria);
 	return rslt_definition;
diff --git a/src/OVAL/results/oval_resultSystem.c b/src/OVAL/results/oval_resultSystem.c
index 6c12dc5603..51a555093d 100644
--- a/src/OVAL/results/oval_resultSystem.c
+++ b/src/OVAL/results/oval_resultSystem.c
@@ -50,6 +50,7 @@
 #include "common/debug_priv.h"
 #include "common/_error.h"
 #include "common/util.h"
+#include "common/list.h"
 
 typedef struct oval_result_system {
 	struct oval_results_model *model;
@@ -195,6 +196,14 @@ struct oval_result_test *oval_result_system_get_test(struct oval_result_system *
 
 struct oval_result_definition *oval_result_system_get_new_definition
     (struct oval_result_system *sys, struct oval_definition *oval_definition, int variable_instance) {
+
+	return oval_result_system_get_new_definition_with_check(sys, oval_definition, NULL, variable_instance);
+
+}
+
+struct oval_result_definition *oval_result_system_get_new_definition_with_check
+		(struct oval_result_system *sys, struct oval_definition *oval_definition, struct oscap_list *visited_definitions, int variable_instance)
+{
 	// This function is used from multiple different places which might not be sustainable.
 	// variable_instance=0 means that caller has no special preference for variable_instance
 	// 	and the very last definition shall be returned. Additionally, we should create
@@ -205,14 +214,20 @@ struct oval_result_definition *oval_result_system_get_new_definition
 		char *id = oval_definition_get_id(oval_definition);
 		rslt_definition = oval_result_system_get_definition(sys, id);
 		if (rslt_definition == NULL) {
-			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition,
+			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions,
 				variable_instance ? variable_instance : 1);
+			if (rslt_definition == NULL) {
+				return NULL;
+			}
 			oval_result_system_add_definition(sys, rslt_definition);
 		}
 		else if (oval_result_definition_get_variable_instance_hint(rslt_definition) != oval_result_definition_get_instance(rslt_definition)) {
 			int hint = oval_result_definition_get_variable_instance_hint(rslt_definition);
 			dI("Creating another result-definition for id=%s based on variable_instance: %d", id, hint);
-			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, hint);
+			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, hint);
+			if (rslt_definition == NULL) {
+				return NULL;
+			}
 			oval_result_system_add_definition(sys, rslt_definition);
 		}
 	}
@@ -376,17 +391,26 @@ struct oval_result_definition *oval_result_system_prepare_definition(struct oval
 		return NULL;
 	}
 
+	struct oscap_list *visited_definitions = oscap_list_new();
         rslt_definition = oval_result_system_get_definition(sys, id);
         if (rslt_definition == NULL) {
-		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, 1);
+		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, 1);
+		if (rslt_definition == NULL) {
+			goto cleanup;
+		}
                 oval_result_system_add_definition(sys, rslt_definition);
         }
 	else if (oval_result_definition_get_variable_instance_hint(rslt_definition) != oval_result_definition_get_instance(rslt_definition)) {
 		int hint = oval_result_definition_get_variable_instance_hint(rslt_definition);
 		dI("Creating another result-definition for id=%s based on variable_instance: %d", id, hint);
-		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, hint);
+		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, hint);
+		if (rslt_definition == NULL) {
+			goto cleanup;
+		}
 		oval_result_system_add_definition(sys, rslt_definition);
 	}
+cleanup:
+	oscap_list_free(visited_definitions, free);
 	return rslt_definition;
 }
 
diff --git a/src/OVAL/results/oval_results_impl.h b/src/OVAL/results/oval_results_impl.h
index a6c0747613..cd9f728d2b 100644
--- a/src/OVAL/results/oval_results_impl.h
+++ b/src/OVAL/results/oval_results_impl.h
@@ -37,6 +37,7 @@
 #include "OVAL/oval_system_characteristics_impl.h"
 #include "OVAL/adt/oval_smc_impl.h"
 
+#include "common/list.h"
 #include "common/util.h"
 #include "source/oscap_source_priv.h"
 
@@ -47,9 +48,9 @@ xmlNode *oval_result_system_to_dom(struct oval_result_system *, struct oval_resu
 struct oval_result_test *oval_result_system_get_new_test(struct oval_result_system *, struct oval_test *, int variable_instance);
 
 int oval_result_definition_parse_tag(xmlTextReaderPtr, struct oval_parser_context *, void *);
-struct oval_result_definition *make_result_definition_from_oval_definition(struct oval_result_system *,
-									   struct oval_definition *,
-									   int variable_instance);
+struct oval_result_definition *make_result_definition_from_oval_definition(
+		struct oval_result_system *, struct oval_definition *,
+		struct oscap_list *, int variable_instance);
 xmlNode *oval_result_definition_to_dom(struct oval_result_definition *, oval_result_directive_content_t, xmlDocPtr, xmlNode *);
 int oval_result_definition_get_variable_instance_hint(const struct oval_result_definition *definition);
 void oval_result_definition_set_variable_instance_hint(struct oval_result_definition *definition, int new_hint_value);
@@ -63,7 +64,7 @@ xmlNode *oval_result_test_to_dom(struct oval_result_test *, xmlDocPtr, xmlNode *
 int oval_result_item_parse_tag(xmlTextReaderPtr, struct oval_parser_context *, struct oval_result_system *, oscap_consumer_func, void *);
 xmlNode *oval_result_item_to_dom(struct oval_result_item *, xmlDocPtr, xmlNode *);
 
-struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_node(struct oval_result_system *, struct oval_criteria_node *, int variable_instance);
+struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_node(struct oval_result_system *, struct oval_criteria_node *, struct oscap_list *, int variable_instance);
 
 int oval_result_criteria_node_parse(xmlTextReaderPtr, struct oval_parser_context *, struct oval_result_system *, oscap_consumer_func, void *);
 oval_result_t oval_result_criteria_node_negate(struct oval_result_criteria_node *node, oval_result_t result);
@@ -74,6 +75,8 @@ oval_result_t oval_result_parse(xmlTextReaderPtr, char *, oval_result_t);
 struct oval_result_definition *oval_result_system_get_new_definition(struct oval_result_system *,
 								     struct oval_definition *,
 								     int variable_instance);
+struct oval_result_definition *oval_result_system_get_new_definition_with_check(struct oval_result_system *, struct oval_definition *, struct oscap_list *, int);
+
 struct oval_result_test *oval_result_system_get_test(struct oval_result_system *, char *);
 
 struct oresults {
diff --git a/tests/API/OVAL/unittests/CMakeLists.txt b/tests/API/OVAL/unittests/CMakeLists.txt
index 5b1e26aa92..9ec019f764 100644
--- a/tests/API/OVAL/unittests/CMakeLists.txt
+++ b/tests/API/OVAL/unittests/CMakeLists.txt
@@ -1,6 +1,7 @@
 add_oscap_test("test_anyxml.sh")
 add_oscap_test("test_applicability_check.sh")
 add_oscap_test("test_cim_datetime.sh")
+add_oscap_test("test_circular_extend_def.sh")
 add_oscap_test("test_comment.sh")
 add_oscap_test("test_count_function.sh")
 add_oscap_test("test_deprecated_def.sh")
@@ -24,6 +25,7 @@ add_oscap_test("test_item_not_exist.sh")
 add_oscap_test("test_object_component_type.sh")
 add_oscap_test("test_oval_empty_variable_evaluation.sh")
 add_oscap_test("test_platform_version.sh")
+add_oscap_test("test_recursive_extend_def.sh")
 add_oscap_test("test_skip_valid.sh")
 add_oscap_test("test_state_check_existence.sh")
 add_oscap_test("test_without_syschars.sh")
diff --git a/tests/API/OVAL/unittests/test_circular_extend_def.sh b/tests/API/OVAL/unittests/test_circular_extend_def.sh
new file mode 100755
index 0000000000..6e71568b1f
--- /dev/null
+++ b/tests/API/OVAL/unittests/test_circular_extend_def.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+set -e
+set -o pipefail
+
+stdout="$(mktemp)"
+stderr="$(mktemp)"
+
+$OSCAP oval eval --id "oval:ssg-chronyd_specify_remote_server:def:1" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
+
+grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:ssg-chronyd_specify_remote_server:def:1'\." "$stderr"
+
+rm -f "$stdout"
+rm -f "$stderr"
+
+stdout="$(mktemp)"
+stderr="$(mktemp)"
+
+$OSCAP oval eval --id "oval:ssg-service_chronyd_enabled:def:1" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
+
+grep -q "Definition oval:ssg-service_chronyd_enabled:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:ssg-service_chronyd_enabled:def:1'\." "$stderr"
+
+rm -f "$stdout"
+rm -f "$stderr"
+
+stdout="$(mktemp)"
+stderr="$(mktemp)"
+
+$OSCAP oval eval $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
+
+grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
+grep -q "Definition oval:ssg-service_chronyd_enabled:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition .*" "$stderr"
+
+rm -f "$stdout"
+rm -f "$stderr"
diff --git a/tests/API/OVAL/unittests/test_circular_extend_def.xml b/tests/API/OVAL/unittests/test_circular_extend_def.xml
new file mode 100644
index 0000000000..7e276e67f9
--- /dev/null
+++ b/tests/API/OVAL/unittests/test_circular_extend_def.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ns3:oval_definitions xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+  <ns3:generator>
+    <ns5:product_name xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">combine_ovals.py from SCAP Security Guide</ns5:product_name>
+    <ns5:product_version xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">ssg: [0, 1, 49], python: 3.7.6</ns5:product_version>
+    <ns5:schema_version xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">5.11</ns5:schema_version>
+    <ns5:timestamp xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">2020-03-11T10:34:56</ns5:timestamp>
+  </ns3:generator>
+  <ns3:definitions>
+    <ns3:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
+      <ns3:metadata>
+        <ns3:title>Specify Remote NTP chronyd Server for Time Data</ns3:title>
+        <ns3:affected family="unix">
+          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
+        </ns3:affected>
+        <ns3:description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</ns3:description>
+        <ns3:reference ref_id="CCE-82734-5" source="CCE"/>
+        <ns3:reference ref_id="chronyd_specify_remote_server" source="ssg"/>
+      </ns3:metadata>
+      <ns3:criteria comment="service chronyd enabled" operator="AND">
+        <ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
+      </ns3:criteria>
+    </ns3:definition>
+    <ns3:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
+      <ns3:metadata>
+        <ns3:title>Service chronyd Enabled</ns3:title>
+        <ns3:affected family="unix">
+          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
+        </ns3:affected>
+        <ns3:description>The chronyd service should be enabled if possible.</ns3:description>
+        <ns3:reference ref_id="CCE-82729-5" source="CCE"/>
+        <ns3:reference ref_id="service_chronyd_enabled" source="ssg"/>
+      </ns3:metadata>
+      <ns3:criteria comment="chronyd remote server specified and service chronyd is configured to start" operator="AND">
+        <ns3:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1"/>
+        <ns3:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1"/>
+      </ns3:criteria>
+    </ns3:definition>
+  </ns3:definitions>
+  <ns3:tests>
+    <ns8:systemdunitdependency_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
+      <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
+      <ns8:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1"/>
+    </ns8:systemdunitdependency_test>
+  </ns3:tests>
+  <ns3:objects>
+    <ns8:systemdunitdependency_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+      <ns8:unit>multi-user.target</ns8:unit>
+    </ns8:systemdunitdependency_object>
+  </ns3:objects>
+  <ns3:states>
+    <ns8:systemdunitdependency_state xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="chronyd listed at least once in the dependencies" id="oval:ssg-state_systemd_chronyd_on:ste:1" version="1">
+      <ns8:dependency entity_check="at least one">chronyd.service</ns8:dependency>
+    </ns8:systemdunitdependency_state>
+  </ns3:states>
+</ns3:oval_definitions>
diff --git a/tests/API/OVAL/unittests/test_recursive_extend_def.sh b/tests/API/OVAL/unittests/test_recursive_extend_def.sh
new file mode 100755
index 0000000000..1e45039073
--- /dev/null
+++ b/tests/API/OVAL/unittests/test_recursive_extend_def.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+set -e
+set -o pipefail
+
+stdout="$(mktemp)"
+stderr="$(mktemp)"
+
+$OSCAP oval eval $srcdir/test_recursive_extend_def.xml > "$stdout" 2> "$stderr"
+
+grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:ssg-chronyd_specify_remote_server:def:1'\." "$stderr"
+
+rm -f "$stdout"
+rm -f "$stderr"
diff --git a/tests/API/OVAL/unittests/test_recursive_extend_def.xml b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
new file mode 100644
index 0000000000..dab8da301a
--- /dev/null
+++ b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ns3:oval_definitions xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+  <ns3:generator>
+    <ns5:product_name xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">combine_ovals.py from SCAP Security Guide</ns5:product_name>
+    <ns5:product_version xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">ssg: [0, 1, 49], python: 3.7.6</ns5:product_version>
+    <ns5:schema_version xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">5.11</ns5:schema_version>
+    <ns5:timestamp xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">2020-03-11T10:34:56</ns5:timestamp>
+  </ns3:generator>
+  <ns3:definitions>
+    <ns3:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
+      <ns3:metadata>
+        <ns3:title>Specify Remote NTP chronyd Server for Time Data</ns3:title>
+        <ns3:affected family="unix">
+          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
+        </ns3:affected>
+        <ns3:description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</ns3:description>
+        <ns3:reference ref_id="CCE-82734-5" source="CCE"/>
+        <ns3:reference ref_id="chronyd_specify_remote_server" source="ssg"/>
+      </ns3:metadata>
+      <ns3:criteria comment="chronyd enabled and remote server specified" operator="AND">
+        <ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
+        <ns3:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1"/>
+      </ns3:criteria>
+    </ns3:definition>
+    <ns3:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
+      <ns3:metadata>
+        <ns3:title>Service chronyd Enabled</ns3:title>
+        <ns3:affected family="unix">
+          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
+        </ns3:affected>
+        <ns3:description>The chronyd service should be enabled if possible.</ns3:description>
+        <ns3:reference ref_id="CCE-82729-5" source="CCE"/>
+        <ns3:reference ref_id="service_chronyd_enabled" source="ssg"/>
+      </ns3:metadata>
+      <ns3:criteria comment="package chronyd installed and service chronyd is configured to start" operator="AND">
+        <ns3:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1"/>
+      </ns3:criteria>
+    </ns3:definition>
+  </ns3:definitions>
+  <ns3:tests>
+    <ns8:systemdunitdependency_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
+      <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
+      <ns8:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1"/>
+    </ns8:systemdunitdependency_test>
+  </ns3:tests>
+  <ns3:objects>
+    <ns8:systemdunitdependency_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+      <ns8:unit>multi-user.target</ns8:unit>
+    </ns8:systemdunitdependency_object>
+  </ns3:objects>
+  <ns3:states>
+    <ns8:systemdunitdependency_state xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="chronyd listed at least once in the dependencies" id="oval:ssg-state_systemd_chronyd_on:ste:1" version="1">
+      <ns8:dependency entity_check="at least one">chronyd.service</ns8:dependency>
+    </ns8:systemdunitdependency_state>
+  </ns3:states>
+</ns3:oval_definitions>

From b1fba3da5186798b61072ab5a3f45170e5c5f885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 1 Oct 2020 14:12:01 +0200
Subject: [PATCH 2/4] Replace systemdunitdependency test by file test

---
 .../OVAL/unittests/test_circular_extend_def.xml  | 16 +++++-----------
 .../OVAL/unittests/test_recursive_extend_def.xml | 16 +++++-----------
 2 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/tests/API/OVAL/unittests/test_circular_extend_def.xml b/tests/API/OVAL/unittests/test_circular_extend_def.xml
index 7e276e67f9..26d4706a1d 100644
--- a/tests/API/OVAL/unittests/test_circular_extend_def.xml
+++ b/tests/API/OVAL/unittests/test_circular_extend_def.xml
@@ -38,19 +38,13 @@
     </ns3:definition>
   </ns3:definitions>
   <ns3:tests>
-    <ns8:systemdunitdependency_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
+    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
       <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
-      <ns8:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1"/>
-    </ns8:systemdunitdependency_test>
+    </ns8:file_test>
   </ns3:tests>
   <ns3:objects>
-    <ns8:systemdunitdependency_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
-      <ns8:unit>multi-user.target</ns8:unit>
-    </ns8:systemdunitdependency_object>
+    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+      <ns8:filepath>/tmp/xxx</ns8:filepath>
+    </ns8:file_object>
   </ns3:objects>
-  <ns3:states>
-    <ns8:systemdunitdependency_state xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="chronyd listed at least once in the dependencies" id="oval:ssg-state_systemd_chronyd_on:ste:1" version="1">
-      <ns8:dependency entity_check="at least one">chronyd.service</ns8:dependency>
-    </ns8:systemdunitdependency_state>
-  </ns3:states>
 </ns3:oval_definitions>
diff --git a/tests/API/OVAL/unittests/test_recursive_extend_def.xml b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
index dab8da301a..9261141627 100644
--- a/tests/API/OVAL/unittests/test_recursive_extend_def.xml
+++ b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
@@ -38,19 +38,13 @@
     </ns3:definition>
   </ns3:definitions>
   <ns3:tests>
-    <ns8:systemdunitdependency_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
+    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
       <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
-      <ns8:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1"/>
-    </ns8:systemdunitdependency_test>
+    </ns8:file_test>
   </ns3:tests>
   <ns3:objects>
-    <ns8:systemdunitdependency_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
-      <ns8:unit>multi-user.target</ns8:unit>
-    </ns8:systemdunitdependency_object>
+    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+      <ns8:filepath>/tmp/xxx</ns8:filepath>
+    </ns8:file_object>
   </ns3:objects>
-  <ns3:states>
-    <ns8:systemdunitdependency_state xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="chronyd listed at least once in the dependencies" id="oval:ssg-state_systemd_chronyd_on:ste:1" version="1">
-      <ns8:dependency entity_check="at least one">chronyd.service</ns8:dependency>
-    </ns8:systemdunitdependency_state>
-  </ns3:states>
 </ns3:oval_definitions>

From ff56e61374633b9851605d5347e9697d6644c3bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 1 Oct 2020 14:29:38 +0200
Subject: [PATCH 3/4] Make the test OVAL files more generic

---
 .../unittests/test_circular_extend_def.sh     | 16 ++++----
 .../unittests/test_circular_extend_def.xml    | 38 +++++++------------
 .../unittests/test_recursive_extend_def.sh    |  4 +-
 .../unittests/test_recursive_extend_def.xml   | 38 +++++++------------
 4 files changed, 38 insertions(+), 58 deletions(-)

diff --git a/tests/API/OVAL/unittests/test_circular_extend_def.sh b/tests/API/OVAL/unittests/test_circular_extend_def.sh
index 6e71568b1f..32b263658b 100755
--- a/tests/API/OVAL/unittests/test_circular_extend_def.sh
+++ b/tests/API/OVAL/unittests/test_circular_extend_def.sh
@@ -7,10 +7,10 @@ set -o pipefail
 stdout="$(mktemp)"
 stderr="$(mktemp)"
 
-$OSCAP oval eval --id "oval:ssg-chronyd_specify_remote_server:def:1" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
+$OSCAP oval eval --id "oval:x:def:1" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
 
-grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
-grep -q "Circular dependency in OVAL definition 'oval:ssg-chronyd_specify_remote_server:def:1'\." "$stderr"
+grep -q "Definition oval:x:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:x:def:1'\." "$stderr"
 
 rm -f "$stdout"
 rm -f "$stderr"
@@ -18,10 +18,10 @@ rm -f "$stderr"
 stdout="$(mktemp)"
 stderr="$(mktemp)"
 
-$OSCAP oval eval --id "oval:ssg-service_chronyd_enabled:def:1" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
+$OSCAP oval eval --id "oval:x:def:2" $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
 
-grep -q "Definition oval:ssg-service_chronyd_enabled:def:1: not evaluated" "$stdout"
-grep -q "Circular dependency in OVAL definition 'oval:ssg-service_chronyd_enabled:def:1'\." "$stderr"
+grep -q "Definition oval:x:def:2: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:x:def:2'\." "$stderr"
 
 rm -f "$stdout"
 rm -f "$stderr"
@@ -31,8 +31,8 @@ stderr="$(mktemp)"
 
 $OSCAP oval eval $srcdir/test_circular_extend_def.xml > "$stdout" 2> "$stderr"
 
-grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
-grep -q "Definition oval:ssg-service_chronyd_enabled:def:1: not evaluated" "$stdout"
+grep -q "Definition oval:x:def:1: not evaluated" "$stdout"
+grep -q "Definition oval:x:def:2: not evaluated" "$stdout"
 grep -q "Circular dependency in OVAL definition .*" "$stderr"
 
 rm -f "$stdout"
diff --git a/tests/API/OVAL/unittests/test_circular_extend_def.xml b/tests/API/OVAL/unittests/test_circular_extend_def.xml
index 26d4706a1d..c745a0bd89 100644
--- a/tests/API/OVAL/unittests/test_circular_extend_def.xml
+++ b/tests/API/OVAL/unittests/test_circular_extend_def.xml
@@ -7,43 +7,33 @@
     <ns5:timestamp xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">2020-03-11T10:34:56</ns5:timestamp>
   </ns3:generator>
   <ns3:definitions>
-    <ns3:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
+    <ns3:definition class="compliance" id="oval:x:def:1" version="1">
       <ns3:metadata>
-        <ns3:title>Specify Remote NTP chronyd Server for Time Data</ns3:title>
-        <ns3:affected family="unix">
-          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
-        </ns3:affected>
-        <ns3:description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</ns3:description>
-        <ns3:reference ref_id="CCE-82734-5" source="CCE"/>
-        <ns3:reference ref_id="chronyd_specify_remote_server" source="ssg"/>
+        <ns3:title>Definition 1</ns3:title>
+        <ns3:description>Definition 1</ns3:description>
       </ns3:metadata>
-      <ns3:criteria comment="service chronyd enabled" operator="AND">
-        <ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
+      <ns3:criteria comment="one criterion" operator="AND">
+        <ns3:extend_definition comment="the other definition" definition_ref="oval:x:def:2"/>
       </ns3:criteria>
     </ns3:definition>
-    <ns3:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
+    <ns3:definition class="compliance" id="oval:x:def:2" version="1">
       <ns3:metadata>
-        <ns3:title>Service chronyd Enabled</ns3:title>
-        <ns3:affected family="unix">
-          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
-        </ns3:affected>
-        <ns3:description>The chronyd service should be enabled if possible.</ns3:description>
-        <ns3:reference ref_id="CCE-82729-5" source="CCE"/>
-        <ns3:reference ref_id="service_chronyd_enabled" source="ssg"/>
+        <ns3:title>Definition 2</ns3:title>
+        <ns3:description>Definition 2</ns3:description>
       </ns3:metadata>
-      <ns3:criteria comment="chronyd remote server specified and service chronyd is configured to start" operator="AND">
-        <ns3:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1"/>
-        <ns3:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1"/>
+      <ns3:criteria comment="two criteria" operator="AND">
+        <ns3:extend_definition comment="points back to definition 1 - makes circular dependency" definition_ref="oval:x:def:1"/>
+        <ns3:criterion comment="some test" test_ref="oval:x:tst:1"/>
       </ns3:criteria>
     </ns3:definition>
   </ns3:definitions>
   <ns3:tests>
-    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
-      <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
+    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="file test" id="oval:x:tst:1" version="1">
+      <ns8:object object_ref="oval:x:obj:1"/>
     </ns8:file_test>
   </ns3:tests>
   <ns3:objects>
-    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="dummy file" id="oval:x:obj:1" version="1">
       <ns8:filepath>/tmp/xxx</ns8:filepath>
     </ns8:file_object>
   </ns3:objects>
diff --git a/tests/API/OVAL/unittests/test_recursive_extend_def.sh b/tests/API/OVAL/unittests/test_recursive_extend_def.sh
index 1e45039073..b7e3fc2469 100755
--- a/tests/API/OVAL/unittests/test_recursive_extend_def.sh
+++ b/tests/API/OVAL/unittests/test_recursive_extend_def.sh
@@ -9,8 +9,8 @@ stderr="$(mktemp)"
 
 $OSCAP oval eval $srcdir/test_recursive_extend_def.xml > "$stdout" 2> "$stderr"
 
-grep -q "Definition oval:ssg-chronyd_specify_remote_server:def:1: not evaluated" "$stdout"
-grep -q "Circular dependency in OVAL definition 'oval:ssg-chronyd_specify_remote_server:def:1'\." "$stderr"
+grep -q "Definition oval:x:def:1: not evaluated" "$stdout"
+grep -q "Circular dependency in OVAL definition 'oval:x:def:1'\." "$stderr"
 
 rm -f "$stdout"
 rm -f "$stderr"
diff --git a/tests/API/OVAL/unittests/test_recursive_extend_def.xml b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
index 9261141627..99d8613c2b 100644
--- a/tests/API/OVAL/unittests/test_recursive_extend_def.xml
+++ b/tests/API/OVAL/unittests/test_recursive_extend_def.xml
@@ -7,43 +7,33 @@
     <ns5:timestamp xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5">2020-03-11T10:34:56</ns5:timestamp>
   </ns3:generator>
   <ns3:definitions>
-    <ns3:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
+    <ns3:definition class="compliance" id="oval:x:def:1" version="1">
       <ns3:metadata>
-        <ns3:title>Specify Remote NTP chronyd Server for Time Data</ns3:title>
-        <ns3:affected family="unix">
-          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
-        </ns3:affected>
-        <ns3:description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</ns3:description>
-        <ns3:reference ref_id="CCE-82734-5" source="CCE"/>
-        <ns3:reference ref_id="chronyd_specify_remote_server" source="ssg"/>
+        <ns3:title>Definition 1</ns3:title>
+        <ns3:description>Definition 1</ns3:description>
       </ns3:metadata>
-      <ns3:criteria comment="chronyd enabled and remote server specified" operator="AND">
-        <ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
-        <ns3:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1"/>
+      <ns3:criteria comment="two criteria" operator="AND">
+        <ns3:extend_definition comment="other definition" definition_ref="oval:x:def:2"/>
+        <ns3:extend_definition comment="points to itself" definition_ref="oval:x:def:1"/>
       </ns3:criteria>
     </ns3:definition>
-    <ns3:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
+    <ns3:definition class="compliance" id="oval:x:def:2" version="1">
       <ns3:metadata>
-        <ns3:title>Service chronyd Enabled</ns3:title>
-        <ns3:affected family="unix">
-          <ns3:platform>Red Hat Enterprise Linux 8</ns3:platform>
-        </ns3:affected>
-        <ns3:description>The chronyd service should be enabled if possible.</ns3:description>
-        <ns3:reference ref_id="CCE-82729-5" source="CCE"/>
-        <ns3:reference ref_id="service_chronyd_enabled" source="ssg"/>
+        <ns3:title>Definition 2</ns3:title>
+        <ns3:description>Definition 2</ns3:description>
       </ns3:metadata>
-      <ns3:criteria comment="package chronyd installed and service chronyd is configured to start" operator="AND">
-        <ns3:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1"/>
+      <ns3:criteria comment="one criterion" operator="AND">
+        <ns3:criterion comment="file test" test_ref="oval:x:tst:1"/>
       </ns3:criteria>
     </ns3:definition>
   </ns3:definitions>
   <ns3:tests>
-    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
-      <ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
+    <ns8:file_test xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="any_exist" comment="file test" id="oval:x:tst:1" version="1">
+      <ns8:object object_ref="oval:x:obj:1"/>
     </ns8:file_test>
   </ns3:tests>
   <ns3:objects>
-    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="list of dependencies of multi-user.target" id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" version="1">
+    <ns8:file_object xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="dummy file" id="oval:x:obj:1" version="1">
       <ns8:filepath>/tmp/xxx</ns8:filepath>
     </ns8:file_object>
   </ns3:objects>

From a3405fe94382e0b432a7ad7f88063803b3d4c052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 1 Oct 2020 15:43:58 +0200
Subject: [PATCH 4/4] Fix coding style

---
 src/OVAL/results/oval_resultCriteriaNode.c |  6 ++----
 src/OVAL/results/oval_resultSystem.c       | 12 ++++--------
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/src/OVAL/results/oval_resultCriteriaNode.c b/src/OVAL/results/oval_resultCriteriaNode.c
index 29d06bdc6e..8072832062 100644
--- a/src/OVAL/results/oval_resultCriteriaNode.c
+++ b/src/OVAL/results/oval_resultCriteriaNode.c
@@ -258,9 +258,8 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
 					    = oval_criteria_node_iterator_next(oval_subnodes);
 					struct oval_result_criteria_node *rslt_subnode
 						= make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, visited_definitions, variable_instance);
-					if (rslt_subnode == NULL) {
+					if (rslt_subnode == NULL)
 						return NULL;
-					}
 					oval_result_criteria_node_add_subnode(rslt_node, rslt_subnode);
 				}
 				oval_criteria_node_iterator_free(oval_subnodes);
@@ -278,9 +277,8 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
 				struct oval_definition *oval_definition = oval_criteria_node_get_definition(oval_node);
 				struct oval_result_definition *rslt_definition
 					= oval_result_system_get_new_definition_with_check(sys, oval_definition, visited_definitions, variable_instance);
-				if (rslt_definition == NULL) {
+				if (rslt_definition == NULL)
 					return NULL;
-				}
 				rslt_node = oval_result_criteria_node_new(sys,
 									  type,
 									  negate,
diff --git a/src/OVAL/results/oval_resultSystem.c b/src/OVAL/results/oval_resultSystem.c
index 51a555093d..e957ed4512 100644
--- a/src/OVAL/results/oval_resultSystem.c
+++ b/src/OVAL/results/oval_resultSystem.c
@@ -216,18 +216,16 @@ struct oval_result_definition *oval_result_system_get_new_definition_with_check
 		if (rslt_definition == NULL) {
 			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions,
 				variable_instance ? variable_instance : 1);
-			if (rslt_definition == NULL) {
+			if (rslt_definition == NULL)
 				return NULL;
-			}
 			oval_result_system_add_definition(sys, rslt_definition);
 		}
 		else if (oval_result_definition_get_variable_instance_hint(rslt_definition) != oval_result_definition_get_instance(rslt_definition)) {
 			int hint = oval_result_definition_get_variable_instance_hint(rslt_definition);
 			dI("Creating another result-definition for id=%s based on variable_instance: %d", id, hint);
 			rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, hint);
-			if (rslt_definition == NULL) {
+			if (rslt_definition == NULL)
 				return NULL;
-			}
 			oval_result_system_add_definition(sys, rslt_definition);
 		}
 	}
@@ -395,18 +393,16 @@ struct oval_result_definition *oval_result_system_prepare_definition(struct oval
         rslt_definition = oval_result_system_get_definition(sys, id);
         if (rslt_definition == NULL) {
 		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, 1);
-		if (rslt_definition == NULL) {
+		if (rslt_definition == NULL)
 			goto cleanup;
-		}
                 oval_result_system_add_definition(sys, rslt_definition);
         }
 	else if (oval_result_definition_get_variable_instance_hint(rslt_definition) != oval_result_definition_get_instance(rslt_definition)) {
 		int hint = oval_result_definition_get_variable_instance_hint(rslt_definition);
 		dI("Creating another result-definition for id=%s based on variable_instance: %d", id, hint);
 		rslt_definition = make_result_definition_from_oval_definition(sys, oval_definition, visited_definitions, hint);
-		if (rslt_definition == NULL) {
+		if (rslt_definition == NULL)
 			goto cleanup;
-		}
 		oval_result_system_add_definition(sys, rslt_definition);
 	}
 cleanup: