From 66ee333fd3846cd9d60addbee656fb1e1f85ec39 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Tue, 12 Mar 2024 17:23:31 -0400
Subject: [PATCH] Fix SCE finding XPath to allow nesting with OCILs

When building data streams with complex checks (SCE combined with OVAL)
that also have OCIL checks, we build a nested check system like:

    <complex-check operator="OR">
        <complex-check operator="<SCE-CROSS-OVAL>">
            <OVAL />
            <SCE />
        </complex-check>
        <OCIL />
    </complex-check>

However, the XPath for finding such checks (to include the SCE in the
data stream) required the SCE check to be a direct descendant of the
rule. Modify the XPath to allow arbitrary nesting on the inner SCE.

Resolves: #11681

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
 ssg/build_sce.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssg/build_sce.py b/ssg/build_sce.py
index cd740ae1364..d5ea58bbb3f 100644
--- a/ssg/build_sce.py
+++ b/ssg/build_sce.py
@@ -241,7 +241,7 @@ def collect_sce_checks(datastreamtree):
     checks_xpath = str.format(
         ".//{{{ds_ns}}}component[@id='{cid}']/"
         "{{{xccdf_ns}}}Benchmark//"
-        "{{{xccdf_ns}}}Rule/"
+        "{{{xccdf_ns}}}Rule//"
         "{{{xccdf_ns}}}check[@system='{sce_sys}']/"
         "{{{xccdf_ns}}}check-content-ref",
         ds_ns=datastream_namespace,