How do I get SQL tests to work with Joval?

Supported Engines

Joval is capable of supporting SQL tests for the following set of database engines/versions out of the box, using the associated JDBC drivers:

Engine Version(s) JDBC Driver
DB2 ≥8.1 IBM
MSSQL Azure, 2005, 2008, 2008 R2, 2012, 2014, 2016, 2017, 2019 jTDS
MySQL ≥4.1 Connector/J
Oracle ≥9.0.1 Oracle
PostgreSQL ≥7.2 PostgreSQL
Sybase 10, 11, 12, 15, 16 jTDS

Using Joval Professional Edition

Joval Professional Edition ships with the Oracle, jTDS and PostgreSQL drivers installed. To add DB2 and MySQL support, end-users can download the desired drivers and copy them to Joval’s lib/ directory (e.g., “C:\Program Files\Joval\Joval 6.1.4\lib” on Windows).

Using the Joval Utilities

Joval-Utilities.jar does not bundle any JDBC drivers. To use the sql_object with the Joval Utilities, you must download the JDBC drivers, and reference them from the command-line using a Java property, bootstrapclasspath. For example:

java "-Dbootstrapclasspath=/path/to/driver.jar:/path/to/other.jar" -jar Joval-Utilities.jar [mode] [args]

Note that on Windows, the path separator character is ;.
Using the Joval-Utilities, it is also possible to override the version list defaults for MS SQL Server and Sybase noted in the table above using the Java system properties joval.sql.microsoft.versions and joval.sql.sybase.versions, respectively. The format for the value is simply a comma-separated list (without padding), e.g.:

java "-Djoval.sql.microsoft.versions=2017,2020" -jar Joval-Utilities.jar [mode] [args]

This property dictates values that can be used in the sql_object/version entity in OVAL content, in conjunction with the associated engine entity value, without triggering an error during processing.

Connection String

The connection_string entity of your sql_object is treated as a semicolon-delimited list of name/value pairs. The property names are case-sensitive. The database username and password can be set using properties called “user” or “userName”, and “password”. The properties “port” and “portNumber” can be used to specify a non-standard port number for the database connection. The properties “database”, “databaseName” and “SID” can all be used to set the database name. The JDBC connection URL will be constructed as:

[prefix]:[host]:[port]/[database name]

With the exception of the username and password, all property name/value pairs are passed directly to the JDBC driver as connection properties (e.g., you can specify a Windows login domain for MSSQL using the “domain” property).

For MSSQL only, if no username and password are specified in the connection_string, single-sign-on (SSO) will be used for host-based scans, and the target host username and password will be used for network/remote scans.

For Oracle, MSSQL and Sybase, the version entity of your sql_object must match one of the supported enumerated versions from the table above.