Merge branch 'c9' into a9

2023-02-28 12:01:58 +03:00 · 2023-02-28 12:01:58 +03:00 · 26b2098e5f
commit 26b2098e5f
parent a193ac1101 9fd9bd51b1
7 changed files with 567 additions and 53 deletions
--- a/SOURCES/openscap-1.3.5-almalinux.patch
+++ b/SOURCES/openscap-1.3.5-almalinux.patch
@ -1,7 +1,7 @@
-diff -aruN openscap-1.3.6/cpe/openscap-cpe-oval.xml openscap-1.3.6.alma/cpe/openscap-cpe-oval.xml
--- openscap-1.3.6/cpe/openscap-cpe-oval.xml	2021-04-12 08:34:00.000000000 +0300
-+++ openscap-1.3.6.alma/cpe/openscap-cpe-oval.xml	2022-05-19 12:24:07.000000000 +0300
-@@ -133,6 +133,32 @@
+diff -Naur openscap-1.3.3.orig/cpe/openscap-cpe-oval.xml openscap-1.3.3.alma/cpe/openscap-cpe-oval.xml
+--- openscap-1.3.3.orig/cpe/openscap-cpe-oval.xml	2020-04-30 11:50:09.000000000 +0300
+++ openscap-1.3.3.alma/cpe/openscap-cpe-oval.xml	2021-03-22 13:12:12.069413537 +0300
+@@ -133,6 +133,19 @@
                         <criterion comment="Oracle Linux 8 is installed" test_ref="oval:org.open-scap.cpe.ol:tst:8"/>
                   </criteria>
             </definition>
@ -17,24 +17,11 @@ diff -aruN openscap-1.3.6/cpe/openscap-cpe-oval.xml openscap-1.3.6.alma/cpe/open
 +                  <criteria>
 +                        <criterion comment="AlmaLinux 8 is installed" test_ref="oval:org.open-scap.cpe.almalinux:tst:8"/>
 +                  </criteria>
-+            </definition>
-+            <definition class="inventory" id="oval:org.open-scap.cpe.almalinux:def:9" version="1">
-+                  <metadata>
-+                        <title>AlmaLinux 9</title>
-+                        <affected family="unix">
-+                              <platform>AlmaLinux 9</platform>
-+                        </affected>
-+                        <reference ref_id="cpe:/o:almalinux:almalinux:9" source="CPE"/>
-+                        <description>The operating system installed on the system is AlmaLinux 9</description>
-+                  </metadata>
-+                  <criteria>
-+                        <criterion comment="AlmaLinux 9 is installed" test_ref="oval:org.open-scap.cpe.almalinux:tst:9"/>
-+                  </criteria>
 +            </definition>
             <definition class="inventory" id="oval:org.open-scap.cpe.rhel:def:1005" version="1">
                   <metadata>
                         <title>Community Enterprise Operating System 5</title>
-@@ -868,6 +894,16 @@
+@@ -828,6 +841,11 @@
                   <object object_ref="oval:org.open-scap.cpe.oraclelinux-release:obj:1"/>
                   <state state_ref="oval:org.open-scap.cpe.ol:ste:8"/>
             </rpminfo_test>
@ -42,16 +29,11 @@ diff -aruN openscap-1.3.6/cpe/openscap-cpe-oval.xml openscap-1.3.6.alma/cpe/open
 +                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <object object_ref="oval:org.open-scap.cpe.almalinux-release:obj:1"/>
 +                  <state state_ref="oval:org.open-scap.cpe.almalinux:ste:8"/>
-+            </rpminfo_test>
-+            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.almalinux:tst:9" version="1" check="at least one" comment="almalinux-release is version 9"
-+                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
-+                  <object object_ref="oval:org.open-scap.cpe.almalinux-release:obj:1"/>
-+                  <state state_ref="oval:org.open-scap.cpe.almalinux:ste:9"/>
 +            </rpminfo_test>
             <rpmverifyfile_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:1005" version="1" check="at least one" comment="centos-release is version 5"
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/>
-@@ -1223,6 +1259,9 @@
+@@ -1165,6 +1183,9 @@
             <rpminfo_object id="oval:org.open-scap.cpe.oraclelinux-release:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <name>oraclelinux-release</name>
             </rpminfo_object>
@ -61,35 +43,27 @@ diff -aruN openscap-1.3.6/cpe/openscap-cpe-oval.xml openscap-1.3.6.alma/cpe/open
             <registry_object id="oval:org.open-scap.cpe.windows:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" >
                   <hive>HKEY_LOCAL_MACHINE</hive>
                   <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
-@@ -1307,6 +1346,14 @@
+@@ -1233,6 +1254,10 @@
                   <name operation="pattern match">^oraclelinux-release</name>
                   <version operation="pattern match">^8</version>
             </rpminfo_state>
 +            <rpminfo_state id="oval:org.open-scap.cpe.almalinux:ste:8" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <name operation="pattern match">^almalinux-release</name>
 +                  <version operation="pattern match">^8</version>
-+            </rpminfo_state>
-+            <rpminfo_state id="oval:org.open-scap.cpe.almalinux:ste:9" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
-+                  <name operation="pattern match">^almalinux-release</name>
-+                  <version operation="pattern match">^9</version>
 +            </rpminfo_state>
             <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:16" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^16$</version>
             </rpminfo_state>
-diff -aruN openscap-1.3.6/cpe/openscap-cpe-dict.xml openscap-1.3.6.alma/cpe/openscap-cpe-dict.xml
--- openscap-1.3.6/cpe/openscap-cpe-dict.xml	2021-04-12 08:34:00.000000000 +0300
-+++ openscap-1.3.6.alma/cpe/openscap-cpe-dict.xml	2022-05-19 12:24:45.000000000 +0300
-@@ -37,6 +37,14 @@
+diff -Naur openscap-1.3.5/cpe/openscap-cpe-dict.xml openscap-1.3.5.alma/cpe/openscap-cpe-dict.xml
+--- openscap-1.3.5/cpe/openscap-cpe-dict.xml	2021-04-23 13:39:58.000000000 +0300
+++ openscap-1.3.5.alma/cpe/openscap-cpe-dict.xml	2021-10-10 10:02:27.000000000 +0300
+@@ -37,6 +37,10 @@
             <title xml:lang="en-us">Community Enterprise Operating System 8</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.centos:def:8</check>
       </cpe-item>
 +      <cpe-item name="cpe:/o:almalinux:almalinux:8">
 +            <title xml:lang="en-us">AlmaLinux 8</title>
 +            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.almalinux:def:8</check>
-+      </cpe-item>
-+      <cpe-item name="cpe:/o:almalinux:almalinux:9">
-+            <title xml:lang="en-us">AlmaLinux 9</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.almalinux:def:9</check>
 +      </cpe-item>
       <cpe-item name="cpe:/o:fedoraproject:fedora:32">
             <title xml:lang="en-us">Fedora 32</title>
--- a/SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
+++ b/SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
@ -0,0 +1,22 @@
+From 12f9c02a612bb1687676b74a4739126b1913b1fe Mon Sep 17 00:00:00 2001
+From: Ajay Nair <ajaynair59@gmail.com>
+Date: Mon, 9 May 2022 13:31:47 -0400
+Subject: [PATCH] Reset errno before call to strtoll
+
+---
+ src/common/memusage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/common/memusage.c b/src/common/memusage.c
+index c6755f21f1..ffa70b662b 100644
+--- a/src/common/memusage.c
+++ b/src/common/memusage.c
+@@ -71,6 +71,8 @@ static int read_common_sizet(void *szp, char *strval)
+ 		return (-1);
+ 
+ 	*end = '\0';
+
+	errno = 0;
+ 	*(size_t *)szp = strtoll(strval, NULL, 10);
+ 
+ 	if (errno == EINVAL ||
--- a/SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
+++ b/SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
@ -0,0 +1,233 @@
+From 07486e9033d8cc1fd03962994b3359cb611a9ac9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 22 Jul 2022 16:50:01 +0200
+Subject: [PATCH 1/3] Add unit test for read_common_sizet function
+
+The unit test will cover the missing set errno
+to 0 which was the root cause of:
+https://github.com/OpenSCAP/openscap/issues/1867
+
+Therefore, this test can be used during verification of:
+https://bugzilla.redhat.com/show_bug.cgi?id=2109485
+---
+ tests/API/probes/CMakeLists.txt   |  9 +++++
+ tests/API/probes/test_memusage.c  | 67 +++++++++++++++++++++++++++++++
+ tests/API/probes/test_memusage.sh |  9 +++++
+ 3 files changed, 85 insertions(+)
+ create mode 100644 tests/API/probes/test_memusage.c
+ create mode 100755 tests/API/probes/test_memusage.sh
+
+diff --git a/tests/API/probes/CMakeLists.txt b/tests/API/probes/CMakeLists.txt
+index ae3c7212a0..2ac4081ac2 100644
+--- a/tests/API/probes/CMakeLists.txt
+++ b/tests/API/probes/CMakeLists.txt
+@@ -38,3 +38,12 @@ target_include_directories(oval_fts_list PUBLIC
+ )
+ target_link_libraries(oval_fts_list openscap)
+ add_oscap_test("fts.sh")
+
+add_oscap_test_executable(test_memusage
+	"test_memusage.c"
+	"${CMAKE_SOURCE_DIR}/src/common/bfind.c"
+)
+target_include_directories(test_memusage PUBLIC
+	"${CMAKE_SOURCE_DIR}/src/common"
+)
+add_oscap_test("test_memusage.sh")
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+new file mode 100644
+index 0000000000..5dced98f03
+--- /dev/null
+++ b/tests/API/probes/test_memusage.c
+@@ -0,0 +1,67 @@
+/*
+ * Copyright 2022 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Authors:
+ *      "Jan Černý" <jcerny@redhat.com>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include "memusage.h"
+#include "memusage.c"
+#define OS_LINUX
+
+static int test_basic()
+{
+	size_t size;
+	char *strval = strdup("17 MB");
+	read_common_sizet(&size, strval);
+	free(strval);
+	return (size == 17);
+}
+
+static int test_errno()
+{
+	size_t size;
+	char *strval = strdup("17 MB");
+
+	/* Test that setting errno outside of the read_common_sizet function
+	 * doesn't influence the function and doesn't make the function fail.
+	 */
+	errno = EINVAL;
+
+	int ret = read_common_sizet(&size, strval);
+	free(strval);
+	return (ret != -1);
+}
+
+int main(int argc, char *argv[])
+{
+	if (!test_basic()) {
+		fprintf(stderr, "test_basic has failed\n");
+		return 1;
+	}
+	if (!test_errno()) {
+		fprintf(stderr, "test_errno has failed\n");
+		return 1;
+	}
+	return 0;
+}
+diff --git a/tests/API/probes/test_memusage.sh b/tests/API/probes/test_memusage.sh
+new file mode 100755
+index 0000000000..4c76bdc0ac
+--- /dev/null
+++ b/tests/API/probes/test_memusage.sh
+@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+if [ -n "${CUSTOM_OSCAP+x}" ] ; then
+    exit 255
+fi
+
+./test_memusage
+
+From 2cc649d5e9fbf337bbfca69c21313657a5b8a7cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 09:00:36 +0200
+Subject: [PATCH 2/3] Replace license by SPDX ID
+
+---
+ tests/API/probes/test_memusage.c | 22 +---------------------
+ 1 file changed, 1 insertion(+), 21 deletions(-)
+
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+index 5dced98f03..db2915f6d5 100644
+--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
+@@ -1,24 +1,4 @@
+-/*
+- * Copyright 2022 Red Hat Inc., Durham, North Carolina.
+- * All Rights Reserved.
+- *
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation; either
+- * version 2.1 of the License, or (at your option) any later version.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public
+- * License along with this library; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- *
+- * Authors:
+- *      "Jan Černý" <jcerny@redhat.com>
+- */
+// SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+
+From caadd89e61f5d70e251180055686a3b52c763c66 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 09:00:45 +0200
+Subject: [PATCH 3/3] Improve unit test for read_common_sizet
+
+Check for multiple different situations.
+---
+ tests/API/probes/test_memusage.c | 34 ++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+index db2915f6d5..b9db865d45 100644
+--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
+@@ -12,16 +12,34 @@
+ static int test_basic()
+ {
+ 	size_t size;
+-	char *strval = strdup("17 MB");
+-	read_common_sizet(&size, strval);
+	char *strval = strdup("17 kB\n");
+	int ret = read_common_sizet(&size, strval);
+ 	free(strval);
+-	return (size == 17);
+	return (size == 17 && ret == 0);
+}
+
+static int test_no_unit()
+{
+	size_t size;
+	char *strval = strdup("42");
+	int ret = read_common_sizet(&size, strval);
+	free(strval);
+	return (ret == -1);
+}
+
+static int test_invalid_number()
+{
+	size_t size;
+	char *strval = strdup("www kB\n");
+	int ret = read_common_sizet(&size, strval);
+	free(strval);
+	return (size == 0 && ret == 0);
+ }
+ 
+ static int test_errno()
+ {
+ 	size_t size;
+-	char *strval = strdup("17 MB");
+	char *strval = strdup("17 kB\n");
+ 
+ 	/* Test that setting errno outside of the read_common_sizet function
+ 	 * doesn't influence the function and doesn't make the function fail.
+@@ -39,6 +57,14 @@ int main(int argc, char *argv[])
+ 		fprintf(stderr, "test_basic has failed\n");
+ 		return 1;
+ 	}
+	if (!test_no_unit()) {
+		fprintf(stderr, "test_no_unit has failed\n");
+		return 1;
+	}
+	if (!test_invalid_number()) {
+		fprintf(stderr, "test_invalid_number has failed\n");
+		return 1;
+	}
+ 	if (!test_errno()) {
+ 		fprintf(stderr, "test_errno has failed\n");
+ 		return 1;
--- a/SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch
+++ b/SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch
@ -0,0 +1,71 @@
+From 55b09ba184c1803a5e1454c44e9e9a5c578dd741 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 17:10:17 +0200
+Subject: [PATCH] Reset errno before strtol
+
+This sets errno to 0 before strotol calls after which the errno
+is being checked.
+
+Per man 3 strtol:
+Since  strtol()  can  legitimately  return 0, LONG_MAX, or
+LONG_MIN (LLONG_MAX or LLONG_MIN for strtoll()) on both success and
+failure, the calling program should set errno to 0 before the call, and
+then determine if an error occurred by checking whether errno has a
+nonzero value after the call.
+
+This is inspired by https://github.com/OpenSCAP/openscap/pull/1861.
+---
+ src/OVAL/probes/independent/sql57_probe.c | 1 +
+ src/OVAL/probes/independent/sql_probe.c   | 1 +
+ src/OVAL/probes/oval_fts.c                | 1 +
+ src/OVAL/probes/unix/xinetd_probe.c       | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/src/OVAL/probes/independent/sql57_probe.c b/src/OVAL/probes/independent/sql57_probe.c
+index ce1466635c..2b35750ee2 100644
+--- a/src/OVAL/probes/independent/sql57_probe.c
+++ b/src/OVAL/probes/independent/sql57_probe.c
+@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
+ 			matchitem1(tok, 'c',
+ 				   "onnecttimeout", tmp);
+ 			if (tmp != NULL) {
+				errno = 0;
+ 				info->conn_timeout = strtol(tmp, NULL, 10);
+ 
+ 				if (errno == ERANGE || errno == EINVAL)
+diff --git a/src/OVAL/probes/independent/sql_probe.c b/src/OVAL/probes/independent/sql_probe.c
+index 2ede89d031..71ba3c08c3 100644
+--- a/src/OVAL/probes/independent/sql_probe.c
+++ b/src/OVAL/probes/independent/sql_probe.c
+@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
+ 			matchitem1(tok, 'c',
+ 				   "onnecttimeout", tmp);
+ 			if (tmp != NULL) {
+				errno = 0;
+ 				info->conn_timeout = strtol(tmp, NULL, 10);
+ 
+ 				if (errno == ERANGE || errno == EINVAL)
+diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
+index 1364159c90..f9d0a0c1fd 100644
+--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
+@@ -729,6 +729,7 @@ OVAL_FTS *oval_fts_open_prefixed(const char *prefix, SEXP_t *path, SEXP_t *filen
+ 	/* max_depth */
+ 	PROBE_ENT_AREF(behaviors, r0, "max_depth", return NULL;);
+ 	SEXP_string_cstr_r(r0, cstr_buff, sizeof cstr_buff - 1);
+	errno = 0;
+ 	max_depth = strtol(cstr_buff, NULL, 10);
+ 	if (errno == EINVAL || errno == ERANGE) {
+ 		dE("Invalid value of the `%s' attribute: %s", "recurse_direction", cstr_buff);
+diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
+index b3375500db..703a07f513 100644
+--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
+@@ -1280,6 +1280,7 @@ int op_assign_bool(void *var, char *val)
+ 		*((bool *)(var)) = false;
+ 	} else {
+ 		char *endptr = NULL;
+		errno = 0;
+ 		*((bool *)(var)) = (bool) strtol (val, &endptr, 2);
+ 		if (errno == EINVAL || errno == ERANGE) {
+ 			return -1;
--- a/SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
+++ b/SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
@ -0,0 +1,82 @@
+From 140d60bc751e6c0e4138ab3a2e8e9b130264f905 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 27 Jul 2022 09:40:29 +0200
+Subject: [PATCH] Add CMake option to disable oscap-remediate service
+
+This patch introduces a new CMake build option
+ENABLE_OSCAP_REMEDIATE_SERVICE which can be used to disable the
+installation of the files related to the oscap-remediate systemd
+service. Downstream packagers can use this option to disable shipping
+the oscap-remediate service in their RPM spec files.
+
+Resolves: rhbz#2111358
+Resolves: rhbz#2111360
+---
+ CMakeLists.txt       | 15 +++++++++------
+ utils/CMakeLists.txt | 20 +++++++++++---------
+ 2 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 61c57d7a3e..48e19e5203 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -327,6 +327,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this
+ cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
+ cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
+ option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
+option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" TRUE)
+ 
+ # ---------- TEST-SUITE SWITCHES
+ 
+@@ -609,12 +610,14 @@ if(NOT WIN32)
+ 		DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
+ 	)
+ 	if(WITH_SYSTEMD)
+-		# systemd service for offline (boot-time) remediation
+-		configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+-		install(FILES
+-			${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+-			DESTINATION ${SYSTEMD_UNITDIR}
+-		)
+		if(ENABLE_OSCAP_REMEDIATE_SERVICE)
+			# systemd service for offline (boot-time) remediation
+			configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+			install(FILES
+				${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+				DESTINATION ${SYSTEMD_UNITDIR}
+			)
+		endif()
+ 	endif()
+ endif()
+ 
+diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
+index 3f199eaabc..93ce1f2a9d 100644
+--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
+@@ -59,15 +59,17 @@ if(ENABLE_OSCAP_UTIL)
+ 		)
+ 
+ 		if(WITH_SYSTEMD)
+-			install(PROGRAMS "oscap-remediate"
+-				DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+-			)
+-			install(PROGRAMS "oscap-remediate-offline"
+-				DESTINATION ${CMAKE_INSTALL_BINDIR}
+-			)
+-			install(FILES "oscap-remediate-offline.8"
+-				DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+-			)
+			if (ENABLE_OSCAP_REMEDIATE_SERVICE)
+				install(PROGRAMS "oscap-remediate"
+					DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+				)
+				install(PROGRAMS "oscap-remediate-offline"
+					DESTINATION ${CMAKE_INSTALL_BINDIR}
+				)
+				install(FILES "oscap-remediate-offline.8"
+					DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+				)
+			endif()
+ 		endif()
+ 	endif()
+ endif()
--- a/SOURCES/openscap-1.3.7-PR-1891-xmlfilecontent.patch
+++ b/SOURCES/openscap-1.3.7-PR-1891-xmlfilecontent.patch
@ -0,0 +1,132 @@
+From 9c2052febe494ca5fe8e3fef7996fd2c2c736785 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 2 Nov 2022 09:04:25 +0100
+Subject: [PATCH] Don't emit items if XPath doesn't match
+
+This commit fixes the behavior of the xmlfilecontent probe in situation
+when the XPath query in xmlfilecontent_object doesn't match any node in
+the given XML file and the query returns an empty node set. Currently,
+in this situation, we emit an item in which we add an empty value_of
+element. However, this value_of element has its datatype attribute set
+to an empty string, which is invalid according to the OVAL schema. When
+we try to make the OVAL results valid, we face the problem that it isn't
+clear what should be the value of the datatype attribute for empty
+elements. But as we can realize the XPath doesn't match anything means
+that the requested object doesn't exist on the system, so a better
+behavior would be to not produce a xmlfilecontent54_item.  That is
+consistent with eg. situation when a regular expression matched nothing
+in textfilecontent54_object.  This commit therefore stops the item
+generation in this situation.
+
+This commit also extends the existing test to cover the situation
+of XPath queries for nonexistent element and nonexistent attribute.
+
+Fixes: #1890, rhbz#2138884, rhbz#2139060
+---
+ .../probes/independent/xmlfilecontent_probe.c |  5 +--
+ .../test_xmlfilecontent_probe.sh              |  6 +++
+ .../test_xmlfilecontent_probe.xml             | 38 +++++++++++++++++++
+ 3 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/src/OVAL/probes/independent/xmlfilecontent_probe.c b/src/OVAL/probes/independent/xmlfilecontent_probe.c
+index 6c70b359ba..5d56afa0d4 100644
+--- a/src/OVAL/probes/independent/xmlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/xmlfilecontent_probe.c
+@@ -296,10 +296,9 @@ static int process_file(const char *prefix, const char *path, const char *filena
+ 
+ 		node_cnt = nodes->nodeNr;
+ 		dD("node_cnt: %d.", node_cnt);
+-		if (node_cnt == 0) {
+-			probe_item_setstatus(item, SYSCHAR_STATUS_DOES_NOT_EXIST);
+-			probe_item_ent_add(item, "value_of", NULL, NULL);
+-			probe_itement_setstatus(item, "value_of", 1, SYSCHAR_STATUS_DOES_NOT_EXIST);
+		if (node_cnt <= 0) {
+			ret = -5;
+			goto cleanup;
+ 		} else {
+ 			node_tab = nodes->nodeTab;
+ 			for (i = 0; i < node_cnt; ++i) {
+diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+index e3c56a8606..68138dad75 100755
+--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+@@ -6,9 +6,15 @@ set -e -o pipefail
+ cp $srcdir/example.xml /tmp/
+ result=$(mktemp)
+ $OSCAP oval eval --results $result $srcdir/test_xmlfilecontent_probe.xml
+# Even if OSCAP_FULL_VALIDATION is set, an invalid OVAL result doesn't cause
+# the "oscap oval eval" to return a non-zero value, so let's run validation
+# as a separate command
+$OSCAP oval validate "$result"
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:2" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:3" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:4" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:5" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:6" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:7" and @result="true"]'
+ rm -f $result
+\ No newline at end of file
+diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+index 3350df0c49..0a9708d4b6 100644
+--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+@@ -66,6 +66,30 @@
+         <criterion test_ref="oval:x:tst:5" comment="test"/>
+       </criteria>
+     </definition>
+    <definition class="compliance" version="1" id="oval:x:def:6">
+      <metadata>
+        <title>A simple test OVAL for xmlfilecontent test - check nonexisting attribute</title>
+        <description>x</description>
+        <affected family="unix">
+          <platform>x</platform>
+        </affected>
+      </metadata>
+      <criteria>
+        <criterion test_ref="oval:x:tst:6" comment="test"/>
+      </criteria>
+    </definition>
+    <definition class="compliance" version="1" id="oval:x:def:7">
+      <metadata>
+        <title>A simple test OVAL for xmlfilecontent test - check nonexisting element</title>
+        <description>x</description>
+        <affected family="unix">
+          <platform>x</platform>
+        </affected>
+      </metadata>
+      <criteria>
+        <criterion test_ref="oval:x:tst:7" comment="test"/>
+      </criteria>
+    </definition>
+   </definitions>
+ 
+   <tests>
+@@ -89,6 +113,12 @@
+       <ind:object object_ref="oval:x:obj:5"/>
+       <ind:state state_ref="oval:x:ste:5"/>
+     </ind:xmlfilecontent_test>
+    <ind:xmlfilecontent_test id="oval:x:tst:6" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+      <ind:object object_ref="oval:x:obj:6"/>
+    </ind:xmlfilecontent_test>
+    <ind:xmlfilecontent_test id="oval:x:tst:7" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+      <ind:object object_ref="oval:x:obj:7"/>
+    </ind:xmlfilecontent_test>
+   </tests>
+ 
+   <objects>
+@@ -112,6 +142,14 @@
+         <ind:filepath>/tmp/example.xml</ind:filepath>
+         <ind:xpath>//*[@regid="mycoyote.com"]/@name</ind:xpath>
+     </ind:xmlfilecontent_object>
+    <ind:xmlfilecontent_object id="oval:x:obj:6" version="1" comment="xpath query">
+        <ind:filepath>/tmp/example.xml</ind:filepath>
+        <ind:xpath>/SoftwareIdentity/@thisattributedoesnotexist</ind:xpath>
+    </ind:xmlfilecontent_object>
+    <ind:xmlfilecontent_object id="oval:x:obj:7" version="1" comment="xpath query">
+        <ind:filepath>/tmp/example.xml</ind:filepath>
+        <ind:xpath>/SoftwareIdentity/thiselementdoesnotexist</ind:xpath>
+    </ind:xmlfilecontent_object>
+   </objects>
+ 
+   <states>
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@ -1,6 +1,6 @@
 Name:           openscap
 Version:        1.3.6
-Release:        3%{?dist}.alma.1
+Release:        5%{?dist}.alma
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
@ -10,6 +10,12 @@ Patch1:         openscap-1.3.7-PR-1841-coverity.patch
 Patch2:         openscap-1.3.7-PR-1843-fix-test-ds-misc.patch
 Patch3:         openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch
 Patch4:         openscap-1.3.7-PR-1846-file-permissions.patch
+Patch5:         openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
+Patch6:         openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
+Patch7:         openscap-1.3.7-PR-1875-reset-errno-strtol.patch
+Patch8:         openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
+Patch9:         openscap-1.3.7-PR-1891-xmlfilecontent.patch
+
 # Add AlmaLinux definitions
 Patch100:       openscap-1.3.5-almalinux.patch

@ -129,6 +135,7 @@ for developing applications that use %{name}-engine-sce.
    -DENABLE_DOCS=ON \
    -DENABLE_PERL=OFF \
    -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+    -DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \
    -DOPENSCAP_PROBE_UNIX_GCONF=OFF \
    -DOPENSCAP_ENABLE_SHA1=OFF \
    -DOPENSCAP_ENABLE_MD5=OFF \
@ -151,12 +158,6 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm

 %ldconfig_scriptlets

-# enable oscap-remediate.service here for now
-# https://github.com/hughsie/PackageKit/issues/401
-# https://bugzilla.redhat.com/show_bug.cgi?id=1833176
-mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/
-ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service
-
 %files
 %doc AUTHORS NEWS README.md
 %license COPYING
@ -189,12 +190,7 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w
 %{_bindir}/oscap
 %{_mandir}/man8/oscap-chroot.8.gz
 %{_bindir}/oscap-chroot
-%{_mandir}/man8/oscap-remediate-offline.8.gz
-%{_bindir}/oscap-remediate-offline
 %{_sysconfdir}/bash_completion.d
-%{_libexecdir}/oscap-remediate
-%{_unitdir}/oscap-remediate.service
-%{_unitdir}/system-update.target.wants/

 %files utils
 %doc docs/oscap-scan.cron
@ -214,12 +210,16 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w
 %{_bindir}/oscap-run-sce-script

 %changelog
-* Thu May 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.3.6-3.alma.1
- Update AlmaLinux patch for AlmaLinux 9
-
-* Fri Apr 08 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.3.6-3.alma
+* Tue Feb 28 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.3.6-5.alma
 - Add AlmaLinux definitions

+* Mon Jan 30 2023 Jan Černý <jcerny@redhat.com> - 1:1.3.6-5
+- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2165580)
+
+* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-4
+- Fix potential invalid scan results in OpenSCAP (rhbz#2109485)
+- Remove oscap-remediate service (rhbz#2111358)
+
 * Mon Feb 07 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-3
 - Prevent file permission errors (rhbz#2048571)