openscap HTML report redesign – part 2

I have started a discussion about openscap HTML report redesign.

Gathered feedback

This was gathered from comments on the referenced blog post, the openscap, scap-workbench and scap-security-guide mailing lists.

  • search through XCCDF rules (identifiers, title, ID, description, …) – implemented
  • filter by XCCDF result – implemented
  • use HTML anchors, speed up navigation between result details and result overview (jquery popup?) – implemented
  • too many colors in the introduction section – hopefully fixed
  • organize rule results into groups, display rule overview as a tree – implemented
  • show severity in rule overview – implemented
  • report fail and error rules by severity in addition to the standard XCCDF score system – TODO
  • sort by severity in rule overview – TODO
  • sort by identifiers in rule overview – TODO
  • false positive waiving, other means to pass feedback about why rule fails – probably out of scope, would need a new file format to store the waivers

xslt-devel branch

I have created a new branch in the openscap repository where I am continuing with this effort. Instead of a prototype HTML the repo has working XSLTs. Keep in mind that the branch breaks openscap tests and you can’t generate HTML report using the oscap tool command line. Instead you have to use xsltproc directly for now.


A mild change in color scheme, nothing you see here is set in stone though
Rule overview is not a hierarchy, shows groups and counts failed rules in each group
When you click on a rule a modal dialog with more details is shown, you no longer need to jump around the document
You can hide all the failing rules to feel happier!
Tree nodes in rule overview can be collapsed and expanded by clicking on them
Simple keyword searching is implemented for XCCDF rules

Generated sample

All the usual disclaimers apply. This is not the final version, a lot more than is necessary is bundled, not everything works.

Open the out.html file in a reasonably modern web browser.


More feedback?

Would appreciate feedback again. I plan to continue working on this next week.

4 thoughts on “openscap HTML report redesign – part 2”

    1. I find the notapplicable very, very useful…. at least for now.

      Many legacy tools (e.g. SECSCAN) would report results saying (for example) /etc/httpd.conf has invalid permissions, even if httpd wasn’t installed. So SysAdmins would go install httpd just to pass this rule.

      As users begin to transition from legacy tooling to OpenSCAP, it’d be great to show ‘notapplicable’ in the default output just so SysAdmins know they still passed that check

      1. notselected is a no-brainer, that will be off by default. I think notapplicable should also be off by default, as it doesn’t apply to the machine. I will leave it on by default for now and we’ll see.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.