Fix schema ordering when adding tailoring to ARF files

Now the tailoring is added just before the extended-components (i.e. SCE).

Created in part by Claude Code.

Fixes #2260

Author: Mab879

src/DS/rds.c

@@ -737,7 +737,16 @@ static int _ds_rds_create_from_dom(xmlDocPtr *ret, xmlDocPtr sds_doc,
 		xmlSetProp(tailoring_component, BAD_CAST "id", BAD_CAST tailoring_component_id);
 		xmlSetProp(tailoring_component, BAD_CAST "timestamp", BAD_CAST tailoring_doc_timestamp);
 		xmlAddChild(tailoring_component, tailoring_res_node);
-		xmlAddChild(sds_res_node, tailoring_component);
+
+		// Insert tailoring component after regular components but before extended-components
+		// to maintain proper schema ordering (all components must come before extended-components)
+		xmlNodePtr first_extended_component = node_get_child_element(sds_res_node, "extended-component");
+		if (first_extended_component == NULL) {
+			// no extended component yet, add to the end
+			xmlAddChild(sds_res_node, tailoring_component);
+		} else {
+			xmlAddPrevSibling(first_extended_component, tailoring_component);
+		}
 
 		xmlNodePtr checklists_element = NULL;
 		xmlNodePtr datastream_element = node_get_child_element(sds_res_node, "data-stream");

tests/API/XCCDF/tailoring/all.sh

@@ -169,6 +169,38 @@ function test_api_xccdf_tailoring_profile_generate_guide {
     rm -f $guide
 }
 
+function test_api_xccdf_tailoring_with_extended_component_ordering {
+    # Regression test for the fix ensuring tailoring extended-component is inserted
+    # before existing extended-components (e.g. SCE scripts) to maintain schema ordering
+    # See https://github.com/OpenSCAP/openscap/issues/2260 for more details
+
+    local INPUT=$srcdir/$1
+    local TAILORING=$srcdir/$2
+
+    result=`mktemp`
+    stderr=`mktemp`
+
+    # Generate ARF with tailoring
+    $OSCAP xccdf eval --tailoring-file $TAILORING --profile "xccdf_com.example.www_profile_customized" --results-arf $result $INPUT 2>$stderr || [ "$?" == "2" ]
+
+    # Validate the ARF against schema - this would fail if ordering is wrong
+    $OSCAP ds rds-validate $result 2>$stderr
+
+    # Verify that tailoring extended-component exists
+    assert_exists 1 '/arf:asset-report-collection/arf:report-requests/arf:report-request/arf:content/ds:data-stream-collection/ds:component/xccdf:Tailoring'
+
+    # Additional check: If we have multiple extended-components, verify tailoring comes before others
+    # This uses xmllint to check the position - tailoring should come before any other extended-component
+    extended_comp_count=$($XPATH $result 'count(//ds:extended-component)')
+    if [ "$extended_comp_count" -gt "1" ]; then
+        # Get the first extended-component and verify it contains Tailoring
+        first_ext_comp_has_tailoring=$($XPATH $result 'count(//ds:extended-component[1]/xccdf:Tailoring)')
+        [ "$first_ext_comp_has_tailoring" == "1" ] || return 1
+    fi
+
+    rm -f "$result" "$stderr"
+}
+
 # Testing.
 
 test_init "test_api_xccdf_tailoring.log"
@@ -191,6 +223,6 @@ test_run "test_api_xccdf_tailoring_simple_include_in_arf_xlink_namespace" test_a
 test_run "test_api_xccdf_tailoring_profile_include_in_arf" test_api_xccdf_tailoring_profile_include_in_arf baseline.xccdf.xml baseline.tailoring.xml
 test_run "test_api_xccdf_tailoring_profile_generate_fix" test_api_xccdf_tailoring_profile_generate_fix baseline.xccdf.xml baseline.tailoring.xml
 test_run "test_api_xccdf_tailoring_profile_generate_guide" test_api_xccdf_tailoring_profile_generate_guide baseline.xccdf.xml baseline.tailoring.xml
-
+test_run "test_api_xccdf_tailoring_with_extended_component_ordering" test_api_xccdf_tailoring_with_extended_component_ordering baseline.xccdf.xml baseline.tailoring.xml
 
 test_exit