greenbone · mbrinkhoff · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
@@ -74,7 +74,7 @@ def test_invalid_oid(self):
 
         self.assertIsInstance(results[0], LinterError)
         self.assertEqual(
-            ("script_oid() is using an invalid " "OID '1.3.6.1.4.1.25623.2.0.100376'"),
+            ("script_oid() is using an invalid OID '1.3.6.1.4.1.25623.2.0.100376'"),
             results[0].message,
         )
 
@@ -803,3 +803,95 @@ def test_oid_microsoft_not_ok(self):
             ),
             results[0].message,
         )
+
+    def test_oid_compliance_cis_os_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.0.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
+
+    def test_oid_compliance_cis_server_software_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.1.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
+
+    def test_oid_compliance_cis_desktop_software_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.2.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
+
+    def test_oid_compliance_cis_network_devices_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.3.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
+
+    def test_oid_compliance_non_cis_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.4.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
+
+    def test_oid_compliance_unknown_product_not_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.5.123456");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertIsInstance(results[0], LinterError)
+        self.assertEqual(
+            "script_oid() is using an invalid OID '1.3.6.1.4.1.25623.1.4.5.123456' "
+            "(Compliance pattern: 1.3.6.1.4.1.25623.1.4.[0-4]",
+            results[0].message,
+        )
+
+    def test_oid_compliance_too_short_not_ok(self):
+        path = Path("some/file.nasl")
+        content = '  script_oid("1.3.6.1.4.1.25623.1.4.0");\n  script_family("Policy");\n'
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertIsInstance(results[0], LinterError)
+        self.assertEqual(
+            "script_oid() is using an invalid OID '1.3.6.1.4.1.25623.1.4.0' "
+            "(Compliance pattern: 1.3.6.1.4.1.25623.1.4.[0-4]",
+            results[0].message,
+        )
+
+    def test_oid_compliance_long_ok(self):
+        path = Path("some/file.nasl")
+        content = (
+            '  script_oid("1.3.6.1.4.1.25623.1.4.0.123456.7890");\n  script_family("Policy");\n'
+        )
+        fake_context = self.create_file_plugin_context(nasl_file=path, file_content=content)
+        plugin = CheckValidOID(fake_context)
+
+        results = list(plugin.run())
+
+        self.assertEqual(len(results), 0)
@@ -109,7 +109,7 @@ def check_content(
             if vendor_number == "1":
                 if family != f"Debian {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Debian " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Debian '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -118,7 +118,7 @@ def check_content(
             elif vendor_number == "2":
                 if family != f"Huawei EulerOS {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} EulerOS " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} EulerOS '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -142,7 +142,7 @@ def check_content(
             elif vendor_number == "4":
                 if family != f"SuSE {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} SUSE SLES " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} SUSE SLES '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -166,7 +166,7 @@ def check_content(
             elif vendor_number == "5":
                 if family != f"Amazon Linux {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Amazon Linux " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Amazon Linux '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -189,7 +189,7 @@ def check_content(
             elif vendor_number == "6":
                 if family != f"Gentoo {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Gentoo " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Gentoo '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -198,7 +198,7 @@ def check_content(
             elif vendor_number == "7":
                 if family != "FreeBSD Local Security Checks":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} FreeBSD " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} FreeBSD '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -207,7 +207,7 @@ def check_content(
             elif vendor_number == "8":
                 if family != f"Oracle Linux {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Oracle Linux " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Oracle Linux '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -216,7 +216,7 @@ def check_content(
             elif vendor_number == "9":
                 if family != f"Fedora {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Fedora " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Fedora '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -225,7 +225,7 @@ def check_content(
             elif vendor_number == "10":
                 if family != f"Mageia Linux {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Mageia Linux " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Mageia Linux '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -248,7 +248,7 @@ def check_content(
             elif vendor_number == "11":
                 if family != f"Red Hat {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Red Hat " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Red Hat '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -257,17 +257,15 @@ def check_content(
             elif vendor_number == "12":
                 if family != f"Ubuntu {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Ubuntu " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Ubuntu '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
                     return
 
             elif vendor_number == "13":
                 if family != f"Slackware {family_template}":
-                    yield LinterError(
-                        f"script_oid() {is_using_reserved} Slackware " f"'{str(oid)}'"
-                    )
+                    yield LinterError(f"script_oid() {is_using_reserved} Slackware '{str(oid)}'")
                     return
 
                 slackware_sa_match = re.search(
@@ -285,7 +283,7 @@ def check_content(
             elif vendor_number == "14":
                 if family != f"Rocky Linux {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} Rocky Linux " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} Rocky Linux '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -294,15 +292,15 @@ def check_content(
             elif vendor_number == "15":
                 if family != f"AlmaLinux {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} AlmaLinux " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} AlmaLinux '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
                     return
             elif vendor_number == "18":
                 if family != f"openSUSE {family_template}":
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} openSUSE " f"'{str(oid)}'",
+                        f"script_oid() {is_using_reserved} openSUSE '{str(oid)}'",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -337,7 +335,7 @@ def check_content(
             if "1.3.6.1.4.1.25623.1.2.1." in oid:
                 if not name.startswith(f"Mozilla Firefox {security_template}"):
                     yield LinterError(
-                        f"script_oid() {is_using_reserved} 'Firefox' (" f"{str(oid)})",
+                        f"script_oid() {is_using_reserved} 'Firefox' ({str(oid)})",
                         file=nasl_file,
                         plugin=self.name,
                     )
@@ -363,7 +361,7 @@ def check_content(
         if "1.3.6.1.4.1.25623.1.3." in oid:
             if family_match.group("value") != f"Windows {family_template}":
                 yield LinterError(
-                    f"script_oid() {is_using_reserved} 'Windows' (" f"{str(oid)})",
+                    f"script_oid() {is_using_reserved} 'Windows' ({str(oid)})",
                     file=nasl_file,
                     plugin=self.name,
                 )
@@ -384,6 +382,30 @@ def check_content(
                 return
             return
 
+        # Fixed OID-scheme for Compliance OIDs
+        if "1.3.6.1.4.1.25623.1.4." in oid:
+            if family_match.group("value") != "Policy":
+                yield LinterError(
+                    f"script_oid() {is_using_reserved} 'Policy & Compliance' ({str(oid)})",
+                    file=nasl_file,
+                    plugin=self.name,
+                )
+                return
+
+            compliance_oid_match = re.search(
+                r"^1\.3\.6\.1\.4\.1\.25623\.1\.4\.[0-4](\.\d+)+",
+                oid,
+            )
+            if not compliance_oid_match:
+                yield LinterError(
+                    f"script_oid() {invalid_oid} '{str(oid)}' "
+                    "(Compliance pattern: 1.3.6.1.4.1.25623.1.4.[0-4]",
+                    file=nasl_file,
+                    plugin=self.name,
+                )
+                return
+            return
+
         oid_digit_match = re.search(r"^1\.3\.6\.1\.4\.1\.25623\.1\.0\.([0-9]+)", oid)
         if oid_digit_match is None or oid_digit_match.group(1) is None:
             yield LinterError(
@@ -435,7 +457,7 @@ def check_content(
             return
 
         yield LinterError(
-            f"script_oid() {invalid_oid} " f"'{str(oid)}' (unassigned OID range)",
+            f"script_oid() {invalid_oid} '{str(oid)}' (unassigned OID range)",
             file=nasl_file,
             plugin=self.name,
         )