import openscap-1.3.5-4.el8

SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch

@@ -0,0 +1,43 @@
+From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 26 Apr 2021 13:13:26 +0200
+Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le
+
+The known issue has been reported in
+https://bugzilla.redhat.com/show_bug.cgi?id=1642995
+
+This modification is currently applied as a patch applied during setup
+phase of Sanity/smoke-test in Fedora CI gating.
+https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test
+The patched file got changed recetly so the patch doesn't apply anymore
+which causes the Rawhide gating to fail.
+We have decided to propose the change to upstream to avoid the need
+for modifying the patch in the tests and to prevent similar problems
+in the future.
+---
+ tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
+index 2280ff7ae..c79d7ed18 100755
+--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
+@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then
+ 	sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
+ fi
+ 
++if ! grep -q "hugepages" "$ourNames"; then
++	sed -i "/^.*hugepages.*$/d" "$sysctlNames"
++fi
++
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
++sed -i "/^.*hugepages.*$/d" "$stderr"
+ 
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"

SOURCES/openscap-1.3.6-PR-1748-covscan.patch

@@ -0,0 +1,52 @@
+From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Tue, 4 May 2021 08:41:06 +0200
+Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
+ schematron
+
+Error: FORWARD_NULL (CWE-476): [#def1]
+/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
+/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
+#  416|   cleanup:
+#  417|-> 	fclose(yaml_file);
+#  418|   	yaml_parser_delete(&parser);
+
+Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
+/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
+/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
+/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
+#  550|   	if (component_refs == NULL || component_refs->nodesetval == NULL) {
+#  551|-> 		return res;
+#  552|   	}
+---
+ src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
+ src/source/schematron.c                             | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+index ed5ce0d68..62a8f4ff2 100644
+--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
++++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
+ 	}
+ 
+ cleanup:
+-	fclose(yaml_file);
++	if (yaml_file != NULL)
++		fclose(yaml_file);
+ 	yaml_parser_delete(&parser);
+ 	free(filepath_with_prefix);
+ 	free(filepath);
+diff --git a/src/source/schematron.c b/src/source/schematron.c
+index 6cb22658b..c32d5aed6 100644
+--- a/src/source/schematron.c
++++ b/src/source/schematron.c
+@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
+ 	/* every $m in ds:checklists/ds:component-ref satisfies ... */
+ 	xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
+ 	if (component_refs == NULL || component_refs->nodesetval == NULL) {
++		if (component_refs != NULL)
++			xmlXPathFreeObject(component_refs);
+ 		return res;
+ 	}
+ 	for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {

SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch

@@ -0,0 +1,64 @@
+From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Thu, 6 May 2021 08:14:12 +0200
+Subject: [PATCH] Introduce OSBuild Blueprint fix type
+
+---
+ utils/oscap-xccdf.c | 7 +++++--
+ utils/oscap.8       | 2 +-
+ xsl/xccdf-share.xsl | 1 +
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
+index 95c1c7658d..801e54fa35 100644
+--- a/utils/oscap-xccdf.c
++++ b/utils/oscap-xccdf.c
+@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = {
+     .usage = "[options] xccdf-file.xml",
+     .help = GEN_OPTS
+         "\nFix Options:\n"
+-		"   --fix-type <type>             - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n"
++		"   --fix-type <type>             - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
++		"                                   blueprint (default: bash).\n"
+ 		"   --output <file>               - Write the script into file.\n"
+ 		"   --result-id <id>              - Fixes will be generated for failed rule-results of the specified TestResult.\n"
+ 		"   --template <id|filename>      - Fix template. (default: bash)\n"
+@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action)
+ 			template = "urn:xccdf:fix:script:ignition";
+ 		} else if (strcmp(action->fix_type, "kubernetes") == 0) {
+ 			template = "urn:xccdf:fix:script:kubernetes";
++		} else if (strcmp(action->fix_type, "blueprint") == 0) {
++			template = "urn:redhat:osbuild:blueprint";
+ 		} else {
+ 			fprintf(stderr,
+ 					"Unknown fix type '%s'.\n"
+-					"Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n"
++					"Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n"
+ 					"Or provide a custom template using '--template' instead.\n",
+ 					action->fix_type);
+ 			return OSCAP_ERROR;
+diff --git a/utils/oscap.8 b/utils/oscap.8
+index 240b829d7b..6cae0ffe8a 100644
+--- a/utils/oscap.8
++++ b/utils/oscap.8
+@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the
+ Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.
+ .TP
+ \fB\-\-fix-type TYPE\fR
+-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
++Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
+ .TP
+ \fB\-\-output FILE\fR
+ Write the report to this file instead of standard output.
+diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
+index 9f8e587676..d7a9f3b7e2 100644
+--- a/xsl/xccdf-share.xsl
++++ b/xsl/xccdf-share.xsl
+@@ -295,6 +295,7 @@ Authors:
+             <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:puppet'">Puppet snippet</xsl:when>
+             <xsl:when test="$fix/@system = 'urn:redhat:anaconda:pre'">Anaconda snippet</xsl:when>
+             <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:kubernetes'">Kubernetes snippet</xsl:when>
++            <xsl:when test="$fix/@system = 'urn:redhat:osbuild:blueprint'">OSBuild Blueprint snippet</xsl:when>
+             <xsl:otherwise>script</xsl:otherwise>
+         </xsl:choose>
+     </xsl:variable>

SOURCES/openscap-1.3.6-PR-1753-getlogin.patch

@@ -0,0 +1,36 @@
+From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 11 May 2021 13:20:18 +0200
+Subject: [PATCH] Replace getlogin by cuserid
+
+The getlogin() is used here to fill in the xccdf:identity element which
+shall contain information about the system identity or user employed
+during application of the benchmark. But, the getlogin() can return NULL
+when there is no controlling terminal. This happened when testing oscap
+on a test system with no pty.  As an alternative, the system provides
+also cuserid() function which gets the effective user ID of the process.
+However, these 2 values differ when the program is executed under sudo.
+From the user experience point of view, it would be better to have
+displayed there the user logged in on the controlling terminal. As a
+compromise, we will first attempt to obtain the name using getlogin()
+and if that fails we will run cuserid().
+---
+ src/XCCDF/result.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
+index cd03e6bd8f..cbe016c44a 100644
+--- a/src/XCCDF/result.c
++++ b/src/XCCDF/result.c
+@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result)
+ 	xccdf_identity_set_authenticated(id, 0);
+ 	xccdf_identity_set_privileged(id, 0);
+ #ifdef OSCAP_UNIX
+-	xccdf_identity_set_name(id, getlogin());
++	char *name = getlogin();
++	if (name == NULL)
++		name = cuserid(NULL);
++	xccdf_identity_set_name(id, name);
+ #elif defined(OS_WINDOWS)
+ 	GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */
+ 	xccdf_identity_set_name(id, w32_username);

SPECS/openscap.spec

@@ -1,11 +1,15 @@
 Name:           openscap
 Version:        1.3.5
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 Group:          System Environment/Libraries
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch1:         openscap-1.3.6-PR-1745-waive-hugepages.patch
+Patch2:         openscap-1.3.6-PR-1748-covscan.patch
+Patch3:         openscap-1.3.6-PR-1749-blueprint-fix.patch
+Patch4:         openscap-1.3.6-PR-1753-getlogin.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:  rpm-devel
@@ -214,6 +218,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Tue Jun 01 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-4
+- Replace getlogin by cuserid
+
+* Mon May 10 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-3
+- Waive known issue with hugepages in upstream testsuite (RHBZ#1912000)
+- Fix issues reported by the coverity scan
+- Introduce OSBuild 'blueprint' fix type
+
 * Tue May 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-2
 - Fix changelog (add missing 1.3.3-6 entry)