marking XML issues as resolved

squinky86 committed Mar 5, 2020
1 parent a1aaa5f commit c01a5f22ff4ffb55e03c09d4e0d521db4a7a8c6c
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--STIGQter :: 1.0.0-->
<!--STIGQter :: 1.0.1-->
<CHECKLIST>
<ASSET>
<ROLE>None</ROLE>
<VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>CCI-002385</ATTRIBUTE_DATA>
</STIG_DATA>
<STATUS>Open</STATUS>
<FINDING_DETAILS>The software has an open XML entity expansion error, inherent in the Qt library. This is listed as issue #26 in the STIGQter issue tracker (https://github.com/squinky86/STIGQter/issues/26) and issue QTBUG-47417 in the Qt issue tracker (https://bugreports.qt.io/browse/QTBUG-47417).</FINDING_DETAILS>
<COMMENTS/>
<STATUS>NotAFinding</STATUS>
<FINDING_DETAILS/>
<COMMENTS>Scans and tests for XML handling issues. Triaging of previous issues has occured (see https://github.com/squinky86/STIGQter/issues/26).</COMMENTS>
<SEVERITY_OVERRIDE/>
<SEVERITY_JUSTIFICATION/>
</VULN>
<VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>CCI-001094</ATTRIBUTE_DATA>
</STIG_DATA>
<STATUS>Open</STATUS>
<FINDING_DETAILS>The software has an open XML entity expansion error, inherent in the Qt library. This is listed as issue #26 in the STIGQter issue tracker (https://github.com/squinky86/STIGQter/issues/26) and issue QTBUG-47417 in the Qt issue tracker (https://bugreports.qt.io/browse/QTBUG-47417).</FINDING_DETAILS>
<COMMENTS/>
<STATUS>NotAFinding</STATUS>
<FINDING_DETAILS/>
<COMMENTS>Scans and tests for DoS issues. Triaging of previous issues has occured (see https://github.com/squinky86/STIGQter/issues/26).</COMMENTS>
<SEVERITY_OVERRIDE/>
<SEVERITY_JUSTIFICATION/>
</VULN>
<VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>CCI-001310</ATTRIBUTE_DATA>
</STIG_DATA>
<STATUS>Open</STATUS>
<FINDING_DETAILS>The software has an open XML entity expansion error, inherent in the Qt library. This is listed as issue #26 in the STIGQter issue tracker (https://github.com/squinky86/STIGQter/issues/26) and issue QTBUG-47417 in the Qt issue tracker (https://bugreports.qt.io/browse/QTBUG-47417).</FINDING_DETAILS>
<COMMENTS/>
<STATUS>NotAFinding</STATUS>
<FINDING_DETAILS/>
<COMMENTS>Scans and tests for XML-oriented attacks. Triaging of previous issues has occured (see https://github.com/squinky86/STIGQter/issues/26).</COMMENTS>
<SEVERITY_OVERRIDE/>
<SEVERITY_JUSTIFICATION/>
</VULN>
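Review bot: the three new COMMENTS elements that replace the emptied FINDING_DETAILS (CCI-002385, CCI-001094, CCI-001310) misspell "occurred" as "occured", and none of them records why the Qt entity-expansion behaviour tracked as QTBUG-47417 is no longer a finding: the removed details named the root cause in the Qt library, while the new text only says scans and tests were run and issue #26 was triaged. Since each STATUS flips from Open to NotAFinding, suggest keeping the QTBUG-47417 reference and stating the actual mitigation, for example `<COMMENTS>Scans and tests for XML handling issues. Qt entity expansion (QTBUG-47417) is mitigated by not loading CKL or XCCDF files from untrusted sources; see https://github.com/squinky86/STIGQter/issues/26.</COMMENTS>`, so a reviewer of the checklist can verify the closure rather than take it on trust.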
@@ -221,27 +221,17 @@ \subsection{SC-4 -- Information in Shared Resources}
\subsection{SC-5 -- Denial of Service Protection}
\label{sec:sc-5}

\paragraph{Applicable CCIs:} CCI-1093, CCI-2386

Current DoS attacks are listed under CCI-2385. Mitigation is to not load CKLs or XCCDF files from untrusted sources.

\paragraph{\textcolor{red}{Non-Compliant CCI(s):}} CCI-2385

The software has a known bug involving XML bombs. See \href{Issue #26}{https://github.com/squinky86/STIGQter/issues/26} in the STIGQter issue tracker.
\paragraph{Applicable CCIs:} CCI-1093, CCI-2385, CCI-2386

Vulnerabilities are scanned for and triaged in accordance with SA-11.

See SA-15(4) in the SA documentation for threat models.

\subsubsection{SC-5(1) -- Restrict Internal Users}

\paragraph{Applicable CCIs:} CCI-2387

The software does not connect to services in a way that would launch a DoS attack.

\paragraph{\textcolor{red}{Non-Compliant CCIs:}} CCI-1094
\paragraph{Applicable CCIs:} CCI-1094, CCI-2387

See Section~\ref{sec:sc-5} for more details.
The software does not connect to services in a way that would launch a DoS attack. Crashes from XML bombs are detected using the SA-11 scanning policy.

\subsubsection{SC-5(2) -- Excess Capacity / Bandwidth / Redundancy}
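Review bot: the SC-5 rewrite drops the only concrete mitigation the section had ("Mitigation is to not load CKLs or XCCDF files from untrusted sources") and replaces the open CCI-2385 finding with "Vulnerabilities are scanned for and triaged in accordance with SA-11", but scanning and triage find a denial of service after the fact rather than protect against it, which is what SC-5 asks for. The same applies to the new SC-5(1) sentence "Crashes from XML bombs are detected using the SA-11 scanning policy": SC-5(1) is about restricting internal users from launching attacks, and detection is not a restriction. Suggest keeping the untrusted-source sentence under SC-5 alongside the SA-11 reference, with the SA-15(4) threat-model pointer as the place that documents the residual risk.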

@@ -236,14 +236,10 @@ \subsection{SI-6 -- Security Function Verification}

\subsection{SI-10 -- Information Input Validation}

\paragraph{Applicable CCIs:} CCI-2744
\paragraph{Applicable CCIs:} CCI-1310, CCI-2744

Software assurance scans are conducted to check for input handling errors in accordance with the SA policy. The application implements input validation at the application level. The nature of acceptable inputs is well-defined and the information system checks the validity of these inputs. The application will not execute critical functions unless the user provides valid inputs.

\paragraph{\textcolor{red}{Non-Compliant CCIs:}} CCI-1310

See discussion in SA policy section SA-5 for more information.

\subsubsection{SI-10(3) -- Predictable Behavior}

\paragraph{Applicable CCIs:} CCI-2754
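Review bot: CCI-1310 moves from Non-Compliant to Applicable without any change to the supporting paragraph, which still asserts that "the information system checks the validity of these inputs"; the XML entity-expansion input that made CCI-1310 non-compliant is not mentioned, and the removed "See discussion in SA policy section SA-5" line was the only cross-reference out of this section. Suggest either adding one sentence on how XML input from CKL and XCCDF files is handled (the other hunks in this commit point to SA-11 scanning and to issue #26) or restoring a cross-reference so the compliance claim can be traced.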
