So, after I stopped beating my head against the code and switched directions, I found the commit commentary for enable_derivatives.py in the upstream scap-security-guide package. Looking at that and the patches that were made between 0.1.40 and 0.1.43 to that file and the dependent library build_derivatives.py, it became clear that there was effort made to remove profiles and other content "that CentOS and derivatives don't need or shouldn't do..." That may make for some discussion about non-CentOS needs or desires in the upstream, unfortunately...

Given the upstream commits, I came up with the following patch (also attached) which seems to effectively disable the filtering and restore the previous profiles to our lists. I don't think the remaining additions from the commits are doing anything to impair the functionality of what remains of the ds and oval files, but I don't have a good regression test to run. My test runs with remediation that I did today seem to indicate that things fundamentally work. YMMV...

------------------- Cut Here -----------------------
diff -Naur scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py
--- scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py	2019-02-18 08:15:54.000000000 -0500
+++ scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py	2019-09-16 17:01:53.777616290 -0400
@@ -95,7 +95,6 @@
         raise RuntimeError("No Benchmark found!")
 
     for namespace, benchmark in benchmarks:
-        ssg.build_derivatives.profile_handling(benchmark, namespace)
         if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
             raise RuntimeError(
                 "Could not add derivative OS CPEs to Benchmark '%s'."
diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py scap-security-guide-0.1.43-new/ssg/build_derivatives.py
--- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py	2019-02-18 08:15:54.000000000 -0500
+++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py	2019-09-16 17:02:22.770616290 -0400
@@ -97,8 +97,6 @@
                     rule.remove(ref)
 
         for fix in rule.findall(".//{%s}fix" % (namespace)):
-            if "fips" in fix.get("id"):
-                rule.remove(fix)
             sub_elems = fix.findall(".//{%s}sub" % (namespace))
             for sub_elem in sub_elems:
                 sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", sub_elem.tail)
------------------- Cut Here -----------------------


On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote:

    I'm in a similar boat.  I fear I've not spent much time looking at the 
    SCAP stuff since 7.2....
    
    Pat
    
    On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:
    > Ok. I had a feeling that was the case.
    >
    > Anything in particular you'd like me to dig deeper into? Some bits of the enable_derivatives.py seem to be where I'd suspect breakage, but I haven't figured a way to tap into them easily...
    >