HTML Report Creation Fails With XPath error: growing nodeset hit limit

Question

HTML Report Creation Fails With XPath error: growing nodeset hit limit

gfrizzo-rescale opened this issue 7 months ago · comments

Description of Problem:

When running a scan oscap xccdf eval with --report oscap-results.html argument, the following error appears at the end and the report creation fails:

XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /openscap/xsl/xccdf-report.xsl line 91 element value-of
XPath evaluation returned no result.
OpenSCAP Error: Could not apply XSLT /openscap/xsl/xccdf-report.xsl to XML file: NONEXISTENT [/openscap/src/source/xslt.c:183]

OpenSCAP Version:

1.3.10 (also tried with 1.3.8. Same error)

Operating System & Version:

Red Hat Enterprise Linux 8.9 (Ootpa)

Steps to Reproduce:

I believe this may be related to the number of files being scanned. So, have at least 318135 files in the system.
Run: oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig --report my-oscap-results.html --stig-viewer my-stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
Error shows at the end of the scan. XML report is successfully generated. HTML fails.

Actual Results:

HTML report is not generated.

Expected Results:

HTML report is generated.

Additional Information / Debugging Steps:

At the end of the scan, the oscap process is consuming around 12 GB of RAM (machine has plenty available)
I believe this may be related: https://stackoverflow.com/questions/40159864/getting-memory-allocation-failed-growing-nodeset-hit-limit-with-xml2-package

Evgeny Kolesnikov · Answer 1 · Fri Feb 02 2024 07:51:39 GMT+0800 (China Standard Time)

Well, you're in luck. Kinda. We have 2 workarounds: #2051 and #2052. Choose your poison.

Gustavo Frizzo · Answer 2 · Wed Feb 07 2024 02:37:58 GMT+0800 (China Standard Time)

Thanks!

OSCAP_PROBE_MAX_COLLECTED_ITEMS works.
Any recommendations for the default value? Based on #2051, 1000 is fine?

Also, not sure if this is the right place to ask but, do you know how long would take to the openscap 1.3.10 release to reach the official distribution channels (so, a simple yum install would install version 1.3.10)?

Evgeny Kolesnikov · Answer 3 · Wed Feb 07 2024 02:40:53 GMT+0800 (China Standard Time)

It all depends on the system. And you should understand that limiting collected items might yield false-negative results. Pick the biggest you possibly can.

Evgeny Kolesnikov · Answer 4 · Wed Feb 07 2024 02:42:50 GMT+0800 (China Standard Time)

Re: 1.3.10, sometime in the first half of the year, hopefully. No precise ETA yet.