Possible Issue Regarding oval_org.mitre.oval_tst_11355 (OVAL Registry Test)
Closed this issue · 4 comments
muslugorkem commented
The test provided in the link below does not agree with the OVAL schematron. In the schematron it is stated that, the “name“ entity for OVAL items can be defined as “nil“ which means that the “name“ entity should not be collected. However, in one of the OVAL tests, the “name” entity is defined as “nil” but in the OVAL state a “value” entity is checked against the object. This should probably not be possible because the “value“ should not be collected in the first place.
Link
DavidRies commented
I built the OVAL definition that contains the referenced test and it passes schema and schematron validation:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd">
<generator>
<oval:product_name>CIS OVAL Repository</oval:product_name>
<oval:product_version>0.1</oval:product_version>
<oval:schema_version>5.11.2</oval:schema_version>
<oval:timestamp>2020-09-30T19:18:51</oval:timestamp>
</generator>
<definitions> <definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" id="oval:org.mitre.oval:def:11782" version="8">
<metadata>
<title>The operating system installed on the system is Red Hat Enterprise Linux 3</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 3</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:3" source="CPE" />
<description>The operating system installed on the system is Red Hat Enterprise Linux 3.</description>
<oval_repository>
<dates>
<submitted date="2010-07-06T12:00:00.000-06:00">
<contributor organization="SCAP.com, LLC">Aharon Chernin</contributor>
</submitted>
<status_change date="2010-07-28T14:09:25.361-04:00">DRAFT</status_change>
<status_change date="2010-08-16T04:10:36.365-04:00">INTERIM</status_change>
<status_change date="2010-09-06T04:11:26.996-04:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:ste:11298 - Updated CPE reference, updated regular expression" date="2011-02-17T13:32:00.706-05:00">
<contributor organization="Symantec Corporation">Dragos Prisaca</contributor>
</modified>
<status_change date="2011-02-17T13:33:54.219-05:00">INTERIM</status_change>
<status_change date="2011-03-07T04:00:05.947-05:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:ste:11298 - Corrected - right version for brlapi and brlapi-devel as specified by RHSA-2010:0181-5" date="2013-03-18T12:26:00.995-04:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</modified>
<status_change date="2013-03-18T12:31:17.613-04:00">INTERIM</status_change>
<status_change date="2013-04-08T04:00:07.318-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria>
<criterion comment="Red Hat Enterprise 3 is installed" test_ref="oval:org.mitre.oval:tst:7836" />
</criteria>
</definition>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" id="oval:org.mitre.oval:def:15990" version="28">
<metadata>
<title>Oracle Linux 4.x</title>
<affected family="unix">
<platform>Oracle Linux 4</platform>
</affected>
<reference ref_id="cpe:/o:oracle:linux:4" source="CPE" />
<description>The operating system installed on the system is Oracle Linux 4.x</description>
<oval_repository>
<dates>
<submitted date="2013-03-05T10:00:00.000-00:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</submitted>
<status_change date="2013-03-06T10:17:12.445-05:00">DRAFT</status_change>
<status_change date="2013-03-25T04:00:09.175-04:00">INTERIM</status_change>
<status_change date="2013-04-15T04:00:15.149-04:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:tst:80147 - new object with the old value and refer that new object in the test." date="2014-03-17T11:21:00.077-04:00">
<contributor organization="Hewlett-Packard">Chandan M C</contributor>
</modified>
<status_change date="2014-03-17T11:23:39.354-04:00">INTERIM</status_change>
<status_change date="2014-04-07T04:01:59.810-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria>
<criterion comment="the installed operating system is part of the Unix family" test_ref="oval:org.mitre.oval:tst:4424" />
<criterion comment="Oracle Linux 4.x is installed" test_ref="oval:org.mitre.oval:tst:80147" />
</criteria>
</definition>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" id="oval:org.mitre.oval:def:16651" version="26">
<metadata>
<title>CentOS Linux 3.x</title>
<affected family="unix">
<platform>CentOS Linux 3</platform>
</affected>
<reference ref_id="cpe:/o:centos:centos:3" source="CPE" />
<description>The operating system installed on the system is CentOS Linux 3.x</description>
<oval_repository>
<dates>
<submitted date="2013-03-05T10:00:00.000-00:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</submitted>
<status_change date="2013-03-06T10:17:11.027-05:00">DRAFT</status_change>
<status_change date="2013-03-25T04:01:05.702-04:00">INTERIM</status_change>
<status_change date="2013-04-15T04:00:17.279-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria>
<criterion comment="the installed operating system is part of the Unix family" test_ref="oval:org.mitre.oval:tst:4424" />
<criterion comment="CentOS Linux 3.x is installed" test_ref="oval:org.mitre.oval:tst:80206" />
</criteria>
</definition>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" id="oval:org.mitre.oval:def:11831" version="8">
<metadata>
<title>The operating system installed on the system is Red Hat Enterprise Linux 4</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 4</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:4" source="CPE" />
<description>The operating system installed on the system is Red Hat Enterprise Linux 4.</description>
<oval_repository>
<dates>
<submitted date="2010-07-06T12:00:00.000-06:00">
<contributor organization="SCAP.com, LLC">Aharon Chernin</contributor>
</submitted>
<status_change date="2010-07-28T14:09:25.710-04:00">DRAFT</status_change>
<status_change date="2010-08-16T04:10:42.275-04:00">INTERIM</status_change>
<status_change date="2010-09-06T04:11:34.417-04:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:def:11831 - Updated CPE reference, updated regular expression" date="2011-02-17T13:29:00.547-05:00">
<contributor organization="Symantec Corporation">Dragos Prisaca</contributor>
</modified>
<status_change date="2011-02-17T13:31:01.582-05:00">INTERIM</status_change>
<status_change date="2011-03-07T04:00:06.261-05:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:ste:11366 - Corrected - right version for brlapi and brlapi-devel as specified by RHSA-2010:0181-5" date="2013-03-18T12:26:00.995-04:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</modified>
<status_change date="2013-03-18T12:31:11.966-04:00">INTERIM</status_change>
<status_change date="2013-04-08T04:00:07.616-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria>
<criterion comment="Red Hat Enterprise 4 is installed" test_ref="oval:org.mitre.oval:tst:2652" />
</criteria>
</definition>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" id="oval:org.mitre.oval:def:16636" version="26">
<metadata>
<title>CentOS Linux 4.x</title>
<affected family="unix">
<platform>CentOS Linux 4</platform>
</affected>
<reference ref_id="cpe:/o:centos:centos:4" source="CPE" />
<description>The operating system installed on the system is CentOS Linux 4.x</description>
<oval_repository>
<dates>
<submitted date="2013-03-05T10:00:00.000-00:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</submitted>
<status_change date="2013-03-06T10:17:11.995-05:00">DRAFT</status_change>
<status_change date="2013-03-25T04:01:05.534-04:00">INTERIM</status_change>
<status_change date="2013-04-15T04:00:16.835-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria>
<criterion comment="the installed operating system is part of the Unix family" test_ref="oval:org.mitre.oval:tst:4424" />
<criterion comment="CentOS Linux 4.x is installed" test_ref="oval:org.mitre.oval:tst:80582" />
</criteria>
</definition>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="vulnerability" id="oval:org.mitre.oval:def:11355" version="30">
<metadata>
<title>The smdb daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of share connection requests.</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 3</platform>
<platform>CentOS Linux 3</platform>
<platform>Red Hat Enterprise Linux 4</platform>
<platform>CentOS Linux 4</platform>
<platform>Oracle Linux 4</platform>
</affected>
<reference ref_id="CVE-2006-3403" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403" source="CVE" />
<description>The smdb daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of share connection requests.</description>
<oval_repository>
<dates>
<submitted date="2010-07-09T03:56:16-04:00">
<contributor organization="SCAP.com, LLC">Aharon Chernin</contributor>
</submitted>
<status_change date="2010-07-28T14:33:55.581-04:00">DRAFT</status_change>
<status_change date="2010-08-16T04:08:57.967-04:00">INTERIM</status_change>
<status_change date="2010-09-06T04:09:41.575-04:00">ACCEPTED</status_change>
<modified comment="EDITED oval:org.mitre.oval:def:11355 - Expanded the vulnerability checks for RHEL 3, 4, and 5 to cover CentOS 3, 4, 5 and Oracle Linux 4 and 5" date="2013-04-10T16:10:00.062-04:00">
<contributor organization="G2, Inc.">Dragos Prisaca</contributor>
</modified>
<status_change date="2013-04-10T16:18:52.245-04:00">INTERIM</status_change>
<status_change date="2013-04-29T04:13:29.186-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
<min_schema_version>5.10</min_schema_version>
</oval_repository>
</metadata>
<criteria operator="OR">
<criteria comment="OS Section: RHEL3, CentOS3" operator="AND">
<criteria comment="RHEL3 or CentOS3" operator="OR">
<extend_definition comment="The operating system installed on the system is Red Hat Enterprise Linux 3" definition_ref="oval:org.mitre.oval:def:11782" />
<extend_definition comment="CentOS Linux 3.x" definition_ref="oval:org.mitre.oval:def:16651" />
</criteria>
<criteria comment="Configuration section" operator="OR">
<criterion comment="samba-common is earlier than 0:3.0.9-1.3E.10" test_ref="oval:org.mitre.oval:tst:32912" />
<criterion comment="samba-swat is earlier than 0:3.0.9-1.3E.10" test_ref="oval:org.mitre.oval:tst:32281" />
<criterion comment="samba-client is earlier than 0:3.0.9-1.3E.10" test_ref="oval:org.mitre.oval:tst:32746" />
<criterion comment="samba is earlier than 0:3.0.9-1.3E.10" test_ref="oval:org.mitre.oval:tst:32584" />
</criteria>
</criteria>
<criteria comment="OS Section: RHEL4, CentOS4, Oracle Linux 4" operator="AND">
<criteria comment="RHEL4, CentOS4 or Oracle Linux 4" operator="OR">
<extend_definition comment="The operating system installed on the system is Red Hat Enterprise Linux 4" definition_ref="oval:org.mitre.oval:def:11831" />
<extend_definition comment="CentOS Linux 4.x" definition_ref="oval:org.mitre.oval:def:16636" />
<extend_definition comment="Oracle Linux 4.x" definition_ref="oval:org.mitre.oval:def:15990" />
</criteria>
<criteria comment="Configuration section" operator="OR">
<criterion comment="samba-common is earlier than 0:3.0.10-1.4E.6.2" test_ref="oval:org.mitre.oval:tst:32794" />
<criterion comment="samba-swat is earlier than 0:3.0.10-1.4E.6.2" test_ref="oval:org.mitre.oval:tst:32921" />
<criterion comment="samba-client is earlier than 0:3.0.10-1.4E.6.2" test_ref="oval:org.mitre.oval:tst:32338" />
<criterion comment="samba is earlier than 0:3.0.10-1.4E.6.2" test_ref="oval:org.mitre.oval:tst:32826" />
</criteria>
</criteria>
</criteria>
</definition>
</definitions>
<tests> <rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba is earlier than 0:3.0.10-1.4E.6.2" id="oval:org.mitre.oval:tst:32826" version="2">
<object object_ref="oval:org.mitre.oval:obj:13931" />
<state state_ref="oval:org.mitre.oval:ste:10177" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-swat is earlier than 0:3.0.9-1.3E.10" id="oval:org.mitre.oval:tst:32281" version="2">
<object object_ref="oval:org.mitre.oval:obj:13707" />
<state state_ref="oval:org.mitre.oval:ste:10126" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-common is earlier than 0:3.0.10-1.4E.6.2" id="oval:org.mitre.oval:tst:32794" version="2">
<object object_ref="oval:org.mitre.oval:obj:14032" />
<state state_ref="oval:org.mitre.oval:ste:10177" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-swat is earlier than 0:3.0.10-1.4E.6.2" id="oval:org.mitre.oval:tst:32921" version="2">
<object object_ref="oval:org.mitre.oval:obj:13707" />
<state state_ref="oval:org.mitre.oval:ste:10177" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-common is earlier than 0:3.0.9-1.3E.10" id="oval:org.mitre.oval:tst:32912" version="2">
<object object_ref="oval:org.mitre.oval:obj:14032" />
<state state_ref="oval:org.mitre.oval:ste:10126" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-client is earlier than 0:3.0.9-1.3E.10" id="oval:org.mitre.oval:tst:32746" version="2">
<object object_ref="oval:org.mitre.oval:obj:13861" />
<state state_ref="oval:org.mitre.oval:ste:10126" />
</rpminfo_test>
<family_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="only one" check_existence="at_least_one_exists" comment="the installed operating system is part of the Unix family" id="oval:org.mitre.oval:tst:4424" version="23">
<object object_ref="oval:org.mitre.oval:obj:99" />
<state state_ref="oval:org.mitre.oval:ste:3907" />
</family_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="CentOS Linux 3.x is installed" id="oval:org.mitre.oval:tst:80206" version="1">
<object object_ref="oval:org.mitre.oval:obj:24078" />
<state state_ref="oval:org.mitre.oval:ste:19938" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="Oracle Linux 4.x is installed" id="oval:org.mitre.oval:tst:80147" version="2">
<object object_ref="oval:org.mitre.oval:obj:30416" />
<state state_ref="oval:org.mitre.oval:ste:20410" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="CentOS Linux 4.x is installed" id="oval:org.mitre.oval:tst:80582" version="1">
<object object_ref="oval:org.mitre.oval:obj:24078" />
<state state_ref="oval:org.mitre.oval:ste:20410" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="Red Hat Enterprise 3 is installed" id="oval:org.mitre.oval:tst:7836" version="3">
<object object_ref="oval:org.mitre.oval:obj:1414" />
<state state_ref="oval:org.mitre.oval:ste:11298" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="Red Hat Enterprise 4 is installed" id="oval:org.mitre.oval:tst:2652" version="3">
<object object_ref="oval:org.mitre.oval:obj:1414" />
<state state_ref="oval:org.mitre.oval:ste:11366" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba-client is earlier than 0:3.0.10-1.4E.6.2" id="oval:org.mitre.oval:tst:32338" version="2">
<object object_ref="oval:org.mitre.oval:obj:13861" />
<state state_ref="oval:org.mitre.oval:ste:10177" />
</rpminfo_test>
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at least one" check_existence="at_least_one_exists" comment="samba is earlier than 0:3.0.9-1.3E.10" id="oval:org.mitre.oval:tst:32584" version="2">
<object object_ref="oval:org.mitre.oval:obj:13931" />
<state state_ref="oval:org.mitre.oval:ste:10126" />
</rpminfo_test>
</tests>
<objects> <rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:org.mitre.oval:obj:30416" version="1">
<name>enterprise-release</name>
</rpminfo_object>
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="the redhat-release rpm" id="oval:org.mitre.oval:obj:1414" version="1">
<name>redhat-release</name>
</rpminfo_object>
<ns0:family_object xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="This is the default family object. Only one family object should exist." id="oval:org.mitre.oval:obj:99" version="1" />
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="samba-common package information" id="oval:org.mitre.oval:obj:14032" version="2">
<name>samba-common</name>
</rpminfo_object>
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:org.mitre.oval:obj:24078" version="1">
<name>centos-release</name>
</rpminfo_object>
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="samba-swat package information" id="oval:org.mitre.oval:obj:13707" version="2">
<name>samba-swat</name>
</rpminfo_object>
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="samba package information" id="oval:org.mitre.oval:obj:13931" version="2">
<name>samba</name>
</rpminfo_object>
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="samba-client package information" id="oval:org.mitre.oval:obj:13861" version="2">
<name>samba-client</name>
</rpminfo_object>
</objects>
<states> <family_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="Unix family" id="oval:org.mitre.oval:ste:3907" version="1">
<family>unix</family>
</family_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:org.mitre.oval:ste:10126" version="1">
<evr datatype="evr_string" operation="less than">0:3.0.9-1.3E.10</evr>
</rpminfo_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="version matches regex ^4.*$" id="oval:org.mitre.oval:ste:20410" version="1">
<version operation="pattern match">^4.*$</version>
</rpminfo_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="version matches regex ^3.*$" id="oval:org.mitre.oval:ste:19938" version="1">
<version operation="pattern match">^3.*$</version>
</rpminfo_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="version matches ^3\D.+$" id="oval:org.mitre.oval:ste:11298" version="3">
<version operation="pattern match">^3\D.+$</version>
</rpminfo_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:org.mitre.oval:ste:10177" version="1">
<evr datatype="evr_string" operation="less than">0:3.0.10-1.4E.6.2</evr>
</rpminfo_state>
<rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="version matches ^4\D.+$" id="oval:org.mitre.oval:ste:11366" version="3">
<version operation="pattern match">^4\D.+$</version>
</rpminfo_state>
</states>
</oval_definitions>
muslugorkem commented
I'm sorry but this is not oval:org.mitre.oval:tst:11355 but it is oval:org.mitre.oval:def:11355. The definition that contains the test that I am talking about is oval:org.mitre.oval:def:7553.
Also, I am not saying that the referred test is not valid. I am claiming that this test would never result to true. From what I understand, the object in the referred test does not collect the necessary information that could be compared with the state. If the 'name' entity is 'nil', then there would be no information to be collected which can be compared with the 'value' entity of the state. Am I missing something here?
DavidRies commented
Hello @egkmor, my apologies for the confusion. I took a look at the correct definition and you are right. Thank you for this feedback!
Before getting into the details, I want to point out that this is a VERY OLD test (over 10 years) for platforms that have been EOL'd years ago, so... it might not be worth too much consideration.
Here is the relevant excerpt:
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="vulnerability" id="oval:org.mitre.oval:def:7553" version="8">
<metadata>
<title>Untrusted search path vulnerability in Google Earth version 5.1.3535.3218</title>
...
<tests>
<registry_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" check="at least one" check_existence="at_least_one_exists" comment="Check if Google Earth installed is equal to 5.1.3535.3218" id="oval:org.mitre.oval:tst:11355" version="3">
<object object_ref="oval:org.mitre.oval:obj:7272" />
<state state_ref="oval:org.mitre.oval:ste:7168" />
</registry_test>
<registry_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" check="at least one" check_existence="at_least_one_exists" comment="Check if Google Earth is installed" id="oval:org.mitre.oval:tst:11367" version="3">
<object object_ref="oval:org.mitre.oval:obj:7272" />
</registry_test>
</tests>
<objects>
<registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" comment="The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\GoogleEarthPluginof exists" id="oval:org.mitre.oval:obj:26863" version="1">
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Google\GoogleEarthPlugin</key>
<name xsi:nil="true" />
</registry_object>
<registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" comment="The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\GoogleEarthPluginof (32 bit) exists" id="oval:org.mitre.oval:obj:26511" version="1">
<behaviors windows_view="32_bit" />
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Google\GoogleEarthPlugin</key>
<name xsi:nil="true" />
</registry_object>
<registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" comment="Registry holds Google Earth Plugin" id="oval:org.mitre.oval:obj:7272" version="2">
<oval-def:set>
<oval-def:object_reference>oval:org.mitre.oval:obj:26511</oval-def:object_reference>
<oval-def:object_reference>oval:org.mitre.oval:obj:26863</oval-def:object_reference>
</oval-def:set>
</registry_object>
</objects>
<states>
<registry_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="State matches if Google Earth version is 5.1.3535.3218" id="oval:org.mitre.oval:ste:7168" version="1">
<value datatype="version">5.1.3535.3218</value>
</registry_state>
</states>
The <registry_object>/<name xsi:nil="true" /> indicates that this object is testing for the existence of the path (as the comments indicate) and items will not include registry values. This is the correct formulation for oval:org.mitre.oval:tst:11367 which is checking to see if the paths exist (and by implication, the plugin is installed).
However, as you point out, they are not correct for oval:org.mitre.oval:tst:11355 which needs to collect and compare the version number contained in the value of the registry name.
If you wanted to fix this, you would need to determine the appropriate name in the registry path that contains the version number and create new objects that are identical to the 3 above but with the appropriate name value and revise the test to reference the new objects for the version criteria. NOTE: you should leave the 3 objects above in place because they are used appropriately by the inventory definition.
muslugorkem commented
Thanks a lot for your quick and informative answer! I have not contributed to OVAL before but this may be a good starting point for me.