Cisco ASA schema issues in OVAL 5.11

[joval]

There are a number of problems with the Cisco ASA schema in OVAL 5.11:

• interface_[state/item]/urpf_command entity should be deprecated and replaced with two new entities: ipv4_urpf_command and ipv6_urpf_command, both Entity[State/Item]StringType.
• interface_item/ipv4_address entity should have maxOccurs="1".

[joval]

Additional problems:

• class_map_item/used_in_class_map should have maxOccurs="unbounded"
• class_map_item/used_in_policy_map should have maxOccurs="unbounded"
• class_map_item/match should have maxOccurs="unbounded"
• policy_map_item/match_action should have maxOccurs="unbounded"

[joval]

We have further discussed changes required to the class_map_item with Cisco, and have mutually decided that class_map_item/used_in_class_map and used_in_policy_map must retain maxOccurs="1", so that it will be possible to associate multiple class_maps with the policy_map(s) in which they are used, by dint of having items in which they appear together.

This will also make it possible to know the policy_map_action for each policy_map in which the class_map appears.

Similarly, the class_map_item/match and policy_map_item/match_action should retain maxOccurs="1", with the idea being that a distinct item will be generated for each match.

This was probably the initial vision for these items, which must have been temporarily lost in the course of discussion.