RHEL-13390

xmlfilecontent probe produces invalid OVAL results

    • Moderate
    • ZStream
    • rhel-sst-security-compliance
    • Release Note Not Required

      After a discussion with the team on 2023-03-06, we decided to clone the BZ #2138884 to RHEL 7.9 as well.

      The bug is reproducible with:
      openscap-1.2.17-15.el7_9.x86_64
      scap-security-guide-0.1.66-1.el7_9.noarch

      Steps to reproduce, tailored to RHEL 7:
      1. oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled --results results.xml --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
      2. oscap oval validate ssg-rhel7-oval.xml.result.xml

      +++ This bug was initially created as a clone of Bug #2138884 +++

      Description of problem:
      During productization of ComplianceAsCode on 2022-10-31 (as of ComplianceAsCode upstream head 4b5551f) we found that OpenSCAP produces invalid OVAL results.

      Version-Release number of selected component (if applicable):
      openscap-1.3.6-4.el9.x86_64.rpm

      How reproducible:
      deterministic.

      Steps to Reproduce:
      1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ism_o --report xccdf_org.ssgproject.content_profile_ism_o.html --results-arf xccdf_org.ssgproject.content_profile_ism_o-xccdf-arf-results.xml --results xccdf_org.ssgproject.content_profile_ism_o-xccdf-results.xml --oval-results /tmp/ssg-rhel9-ds.xml
      2. oscap oval validate --results --schematron /var/lib/libvirt/images/ism_o/ssg-rhel9-oval.xml.result.xml

      Actual results:
      OVAL results are invalid

      File '/var/lib/libvirt/images/ism_o/ssg-rhel9-oval.xml.result.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent}value_of', attribute 'datatype': [facet 'enumeration'] The value '' is not an element of the set {'binary', 'boolean', 'evr_string', 'fileset_revision', 'float', 'ios_version', 'int', 'ipv4_address', 'ipv6_address', 'string', 'version'}.
      OpenSCAP Error: Invalid OVAL Results (5.11) content in /var/lib/libvirt/images/ism_o/ssg-rhel9-oval.xml.result.xml. [/builddir/build/BUILD/openscap-1.3.6/src/source/oscap_source.c:353]

      Notice the value_of element's attribute datatype:

      <ind-sys:xmlfilecontent_item id="105091439" status="does not exist">
        <ind-sys:filepath>/usr/lib/firewalld/zones/trusted.xml</ind-sys:filepath>
        <ind-sys:path>/usr/lib/firewalld/zones</ind-sys:path>
        <ind-sys:filename>trusted.xml</ind-sys:filename>
        <ind-sys:xpath>/zone/service[@name='ssh']</ind-sys:xpath>
        <ind-sys:value_of datatype="" status="does not exist"/>
      </ind-sys:xmlfilecontent_item>

      Expected results:
      valid OVAL results

      Additional info:

      This is caused by OVAL content in rule firewalld_sshd_port_enabled. This has been improved recently in ComplianceAsCode/content#9712

      This has been also reported upstream: https://github.com/OpenSCAP/openscap/issues/1890

      — Additional comment from Jan Černý on 2022-11-02 08:19:27 UTC —

      A patch has been proposed to upstream for discussion in https://github.com/OpenSCAP/openscap/pull/1891.

      — Additional comment from Jan Černý on 2022-11-10 10:25:17 UTC —

      Analysis: In the situation when the XPath query in xmlfilecontent_object doesn't match any node in the given XML file and the query returns an empty node set, we emit an item in which we add an empty value_of element. However, this value_of element has its datatype attribute set to an empty string, which is invalid according to the OVAL schema. When we try to make the OVAL results valid, we face the problem that it isn't clear what the value of the datatype attribute should be for empty elements. But as we can realize, the XPath not matching anything means that the requested object doesn't exist on the system, so a better behavior would be to not produce an xmlfilecontent54_item. That is consistent with, e.g., the situation when a regular expression matched nothing in textfilecontent54_object. Therefore, we should stop the item generation in this situation.
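      Editorial note, added to this issue page and not part of the comment above or of OpenSCAP's code: the following Python example models the behaviour the analysis describes. It evaluates the bug's XPath against two constructed firewalld zone files, generates an xmlfilecontent_item the pre-fix way (an empty node set yields a value_of with datatype="") and the fixed way (no item at all, matching textfilecontent54 behaviour), and runs a small checker over the serialised system characteristics that flags any value_of whose datatype is outside the OVAL enumeration quoted in the validation error. The XPath subset, the sample zone files, and the item ids are assumptions; the real probe uses libxml2's full XPath engine.

```python
"""Added example (editorial; not OpenSCAP's code): a model of xmlfilecontent
item generation before and after the fix, plus a checker for the invalid
value_of datatype that `oscap oval validate` reports. Sample zone files,
item ids and the XPath subset are constructed assumptions."""
import xml.etree.ElementTree as ET

OVAL_SC = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
IND_SYS = OVAL_SC + "#independent"
ET.register_namespace("oval-sc", OVAL_SC)
ET.register_namespace("ind-sys", IND_SYS)
ITEM = f"{{{IND_SYS}}}xmlfilecontent_item"
VALUE_OF = f"{{{IND_SYS}}}value_of"
# Enumeration taken from the validation error quoted in the bug description.
OVAL_DATATYPES = {"binary", "boolean", "evr_string", "fileset_revision", "float",
                  "ios_version", "int", "ipv4_address", "ipv6_address", "string", "version"}

# Constructed sample zone files (assumption: trusted.xml lists no ssh service).
TRUSTED_ZONE_XML = """<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>"""
PUBLIC_ZONE_XML = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>"""


def evaluate_xpath(xml_text, xpath):
    """Evaluate a minimal XPath subset (absolute child steps, [@attr='v']
    predicates, optional trailing /@attr) with ElementTree and return the
    string value of every matched node. Only enough for the zone-file query."""
    if not xpath.startswith("/"):
        raise ValueError("only absolute paths are handled in this example")
    steps = xpath.lstrip("/").split("/")
    attr = steps.pop()[1:] if steps[-1].startswith("@") else None
    root = ET.fromstring(xml_text)
    if steps[0] != root.tag:          # root step does not name the document element
        return []
    rest = steps[1:]
    nodes = root.findall("./" + "/".join(rest)) if rest else [root]
    if attr is not None:
        return [n.get(attr) for n in nodes if n.get(attr) is not None]
    return ["".join(n.itertext()) for n in nodes]


def generate_item(item_id, filepath, xpath, xml_text, fixed=True):
    """Model of xmlfilecontent_item generation. fixed=False reproduces the old
    behaviour (empty node set -> item with value_of datatype=""); fixed=True
    produces no item, because the requested object does not exist."""
    values = evaluate_xpath(xml_text, xpath)
    if not values and fixed:
        return None
    item = ET.Element(ITEM, id=str(item_id), status="exists" if values else "does not exist")
    path, _, filename = filepath.rpartition("/")
    for tag, text in (("filepath", filepath), ("path", path), ("filename", filename), ("xpath", xpath)):
        ET.SubElement(item, f"{{{IND_SYS}}}{tag}").text = text
    if values:
        for value in values:
            ET.SubElement(item, VALUE_OF, datatype="string", status="exists").text = value
    else:
        ET.SubElement(item, VALUE_OF, datatype="", status="does not exist")   # schema-invalid
    return item


def build_system_data(items):
    """Wrap items in an oval-sc:system_data element and serialise them."""
    system_data = ET.Element(f"{{{OVAL_SC}}}system_data")
    for item in items:
        system_data.append(item)
    return ET.tostring(system_data, encoding="unicode")


def find_invalid_value_of(results_xml_text):
    """Return (item id, datatype) for each value_of whose datatype is not a
    legal OVAL datatype; an absent attribute defaults to 'string' per schema."""
    root = ET.fromstring(results_xml_text)
    return [(item.get("id"), vo.get("datatype", "string"))
            for item in root.iter(ITEM)
            for vo in item.iter(VALUE_OF)
            if vo.get("datatype", "string") not in OVAL_DATATYPES]


if __name__ == "__main__":
    query = "/zone/service[@name='ssh']"
    old = generate_item(105091439, "/usr/lib/firewalld/zones/trusted.xml", query, TRUSTED_ZONE_XML, fixed=False)
    good = generate_item(105091440, "/usr/lib/firewalld/zones/public.xml", query, PUBLIC_ZONE_XML)
    print(find_invalid_value_of(build_system_data([old, good])))   # [('105091439', '')]
    print(generate_item(105091439, "/usr/lib/firewalld/zones/trusted.xml", query, TRUSTED_ZONE_XML))  # None
```

      Running the script shows the old path emitting exactly the item quoted in the bug description and the checker pointing at it by id, while the fixed path emits nothing for the unmatched query, so the resulting system characteristics contain no value_of the schema can reject.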

      — Additional comment from Jan Černý on 2023-01-04 15:04:20 UTC —

      Fixed upstream in https://github.com/OpenSCAP/openscap/pull/1891

      — Additional comment from Matus Marhefka on 2023-01-10 08:33:39 UTC —

      Adding qa ack and aligning ITM with the rebase bug - bz2159286

      — Additional comment from Jan Černý on 2023-01-23 10:40:20 UTC —

      We have nominated this BZ for z-stream update for all supported releases through 9.0.0 because in https://bugzilla.redhat.com/show_bug.cgi?id=2158405 we plan to rebase the scap-security-guide package in all supported releases through 9.0.0 to the latest upstream release and that version of scap-security-guide will contain the content that triggers the problem described in this BZ. Therefore, the rebased scap-security-guide wouldn't be usable with unfixed openscap and would produce this error during compliance scans.

      — Additional comment from AutoMiloš on 2023-01-27 17:03:11 UTC —

      AutoMilos started a Beaker job for the automated tests linked to this bug:

      Artifact: Build(openscap-1.3.7-1.el9)
      Beaker links:
      https://beaker.engineering.redhat.com/jobs/7472767

      AutoMilos will post a comment with attached results once the job has completed.


      This is an automated comment from AutoMilos - your helpful bug verification bot.
      https://gitlab.cee.redhat.com/omosnace/AutoMilos
      Contact: https://bugzilla.redhat.com/page.cgi?id=agiletools/team/show.html&team_id=208
      [AutoMilos/job_started/7472767/c50f5ac4c0facb2ee6239fbf1b3872f15cf64b02/openscap-1.3.7-1.el9/]

      — Additional comment from AutoMiloš on 2023-01-27 18:02:11 UTC —

      The Beaker job started by AutoMilos has completed.

      Artifact tested: Build(openscap-1.3.7-1.el9)
      Beaker link: https://beaker.engineering.redhat.com/jobs/7472767
      Overall result: PASS

      PASS - TC#75476 /CoreOS/openscap/Sanity/smoke-test (RHEL-9.2.0-20230127.12, s390x)
      PASS - TC#75476 /CoreOS/openscap/Sanity/smoke-test (RHEL-9.2.0-20230127.12, x86_64)
      PASS - TC#75476 /CoreOS/openscap/Sanity/smoke-test (RHEL-9.2.0-20230127.12, aarch64)
      PASS - TC#75476 /CoreOS/openscap/Sanity/smoke-test (RHEL-9.2.0-20230127.12, ppc64le)

      Please review the test results and decide on further action. Full logs are attached.


      This is an automated comment from AutoMilos - your helpful bug verification bot.
      https://gitlab.cee.redhat.com/omosnace/AutoMilos
      Contact: https://bugzilla.redhat.com/page.cgi?id=agiletools/team/show.html&team_id=208
      [AutoMilos/job_finished/7472767]

      — Additional comment from Marek Haicman on 2023-01-30 12:26:58 UTC —

      Updates of the security compliance profiles and related support is performed for all supported versions. Granting zstream+

      — Additional comment from RHEL Program Management on 2023-01-30 12:27:09 UTC —

      This BZ has been approved for cloning.

      The BZ can now be cloned by everyone with the self-service cloning tool https://watson.engineering.redhat.com/rules

      For more information regarding ZStream and cloning please visit https://docs.google.com/document/d/1yL8iTHjxyQ7sI-fC4PcPjpOOyfF5ECGnK-B7r_QRZm4/edit#

      — Additional comment from RHEL Program Management Team on 2023-01-30 13:19:17 UTC —

      This bug has been copied as 9.1.0 stream bug#2165580 and now must be resolved in the current update release, blocker flag set.

      This bug has been copied as 9.0.0 stream bug#2165581 and now must be resolved in the current update release, blocker flag set.

      — Additional comment from Matus Marhefka on 2023-01-30 13:47:26 UTC —

      Adding Verified:Tested for openscap-1.3.7-1.el9 based on results from the comment 7

      — Additional comment from errata-xmlrpc on 2023-01-30 14:00:51 UTC —

      Bug report changed to ON_QA status by Errata System.
      A QE request has been submitted for advisory RHBA-2023:109045-01
      https://errata.devel.redhat.com/advisory/109045

      — Additional comment from errata-xmlrpc on 2023-01-30 14:00:55 UTC —

      This bug has been added to advisory RHBA-2023:109045 by auto/ptp-jenkins@REDHAT.COM (auto/ptp-jenkins@REDHAT.COM)

      — Additional comment from Matus Marhefka on 2023-02-01 15:27:39 UTC —

      Verified for openscap-1.3.7-1.el9
      Build is included in the RHEL-9.2.0-20230201.12 nightly compose.

              Jan Cerny (jcerny@redhat.com)
              SSG Security QE
              Votes: 0
              Watchers: 7