From 39f57de7481689fd45c0d5bb7fcb94f5f533f772 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 9 Dec 2025 12:30:01 -0600
Subject: [PATCH] Rebase to the latest upstream version
Resolves: RHEL-133977
Resolves: RHEL-74343
---
 2218.patch | 30 ----------------
 2224.patch | 47 -------------------------
 2233.patch | 97 ---------------------------------------------------
 2284.patch | 45 ++++++++++++++++++++++++
 openscap.spec | 12 ++++---
 sources | 2 +-
 6 files changed, 53 insertions(+), 180 deletions(-)
 delete mode 100644 2218.patch
 delete mode 100644 2224.patch
 delete mode 100644 2233.patch
 create mode 100644 2284.patch
diff --git a/2218.patch b/2218.patch
deleted file mode 100644
index 4bdd101..0000000
--- a/2218.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From a65dff2815eb10c3e420c61c81f1793a683630dc Mon Sep 17 00:00:00 2001
-From: Flos Lonicerae
-Date: Sat, 19 Oct 2024 18:58:30 +0800
-Subject: [PATCH] Make a copy before spliting.
-
----
- src/OVAL/probes/probe/worker.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
-index d667127d63..e0a07c31ec 100644
---- a/src/OVAL/probes/probe/worker.c
-+++ b/src/OVAL/probes/probe/worker.c
-@@ -985,7 +985,7 @@ static SEXP_t *probe_set_eval(probe_t *probe, SEXP_t *set, size_t depth)
-
- static void _add_blocked_paths(struct oscap_list *bpaths)
- {
-- char *envar = getenv("OSCAP_PROBE_IGNORE_PATHS");
-+ char *envar = oscap_strdup(getenv("OSCAP_PROBE_IGNORE_PATHS"));
- if (envar == NULL) {
- return;
- }
-@@ -996,6 +996,7 @@ static void _add_blocked_paths(struct oscap_list *bpaths)
- for (int i = 0; paths[i]; ++i) {
- oscap_list_add(bpaths, strdup(paths[i]));
- }
-+ free(envar);
- free(paths);
- #endif
- }
diff --git a/2224.patch b/2224.patch
deleted file mode 100644
index f44a4fe..0000000
--- a/2224.patch
+++ /dev/null
@@ -1,47 +0,0 @@ -From d38914a4d62b2ad9d011a530bf39b4acf76e5b1b Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Tue, 15 Apr 2025 15:05:07 +0200 -Subject: [PATCH] tests: OVAL/API/skip_paths - -Modify the test so it could catch the regression -with environment variable modified during execution. -See #2168. ---- - tests/API/OVAL/skip_paths/test_skip_paths.sh | 4 ++-- - tests/API/OVAL/skip_paths/test_skip_paths.xml | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.sh b/tests/API/OVAL/skip_paths/test_skip_paths.sh -index 4b69c9aa33..26dc5b395a 100755 ---- a/tests/API/OVAL/skip_paths/test_skip_paths.sh -+++ b/tests/API/OVAL/skip_paths/test_skip_paths.sh -@@ -15,8 +15,8 @@ cp "$srcdir/test.xml" "$root/b/" - mkdir -p "$root/c" - touch "$root/c/z" - cp "$srcdir/test.xml" "$root/c/" --# oscap probes will skip directories "b" and "c" --export OSCAP_PROBE_IGNORE_PATHS="$root/b:$root/c" -+# oscap probes will skip directories "$root/n", "$root/b" and "$root/c" -+export OSCAP_PROBE_IGNORE_PATHS="$root/n:$root/c:$root/b" - $OSCAP oval eval --results $result "$srcdir/test_skip_paths.xml" - assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]' - assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@id="oval:x:obj:1" and @flag="complete"]' -diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.xml b/tests/API/OVAL/skip_paths/test_skip_paths.xml -index a03196153b..57048f3ef7 100644 ---- a/tests/API/OVAL/skip_paths/test_skip_paths.xml -+++ b/tests/API/OVAL/skip_paths/test_skip_paths.xml -@@ -90,12 +90,12 @@ - - /tmp/oscap_test_skip_paths/a/x - ^.*$ -- 1 -+ 1 - - - /tmp/oscap_test_skip_paths/b/y - ^.*$ -- 1 -+ 1 - - - /tmp/oscap_test_skip_paths/a/x diff --git a/2233.patch b/2233.patch deleted file mode 100644 index bf6c4de..0000000 --- a/2233.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 94934207b34978f92ab2f7b7cc0e8a73508c8266 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Thu, 17 Apr 2025 14:02:55 +0200 -Subject: [PATCH] Inherit opscap environment when executing Bash remediations - with --remediate - -Make the Bash remediation environment consistent with other -types of remediation. ---- - src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 ++----- - tests/API/XCCDF/unittests/CMakeLists.txt | 1 + - .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++ - .../test_remediation_environment.xccdf.xml | 16 ++++++++++++++ - 4 files changed, 40 insertions(+), 6 deletions(-) - create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh - create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml - -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index d99f6d49de..842ef2df9d 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -464,12 +464,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_ - NULL - }; - -- char *const envp[2] = { -- "PATH=/bin:/sbin:/usr/bin:/usr/sbin", -- NULL -- }; -- -- execve(interpret, argvp, envp); -+ // We are inheriting openscap environment -+ execve(interpret, argvp, environ); - /* Wow, execve returned. In this special case, we failed to execute the fix - * and we return 0 from function. At least the following error message will - * indicate the problem in xccdf:message. 
*/ -diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt -index 164b795e0e..ef835e3506 100644 ---- a/tests/API/XCCDF/unittests/CMakeLists.txt -+++ b/tests/API/XCCDF/unittests/CMakeLists.txt -@@ -92,6 +92,7 @@ add_oscap_test("test_remediation_cdata.sh") - add_oscap_test("test_remediation_subs_unresolved.sh") - add_oscap_test("test_remediation_fix_without_system.sh") - add_oscap_test("test_remediation_invalid_characters.sh") -+add_oscap_test("test_remediation_environment.sh") - add_oscap_test("test_remediate_simple.sh") - add_oscap_test("test_remediate_perl.sh") - add_oscap_test("test_report_check_with_empty_selector.sh") -diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh -new file mode 100755 -index 0000000000..1f5fd0afbf ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh -@@ -0,0 +1,21 @@ -+#!/usr/bin/env bash -+. $builddir/tests/test_common.sh -+ -+set -e -+set -o pipefail -+ -+name=$(basename $0 .sh) -+result=$(mktemp -t ${name}.out.XXXXXX) -+ -+rm -f remediation.env -+ -+CANARY_EXPORTED="CANARY_EXPORTED_VALUE" -+export CANARY_EXPORTED -+CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true -+ -+grep -q "${PATH}" remediation.env || die "PATH not found" -+grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found" -+grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found" -+ -+rm -f remediation.env -+rm $result -diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml -new file mode 100644 -index 0000000000..0875b6c241 ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml -@@ -0,0 +1,16 @@ -+ -+ -+ accepted -+ 1.0 -+ -+ Write some environment variables -+ -+ echo "PATH=${PATH}" > 
remediation.env -+ echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env -+ echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env -+ -+ -+ -+ -+ -+ diff --git a/2284.patch b/2284.patch new file mode 100644 index 0000000..e62ef6f --- /dev/null +++ b/2284.patch @@ -0,0 +1,45 @@ +From 3a9fbd448ac18e50dfdf5a60af043cda7cdd63d0 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Fri, 5 Dec 2025 09:12:43 -0600 +Subject: [PATCH] Always check the current lists before inserting on blueprints + +Fixes OpenSCAP#2282 +--- + src/XCCDF_POLICY/xccdf_policy_remediate.c | 2 +- + .../unittests/test_remediation_blueprint.xccdf.xml | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c +index 842ef2df9d..c7c02f0135 100644 +--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c ++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c +@@ -724,7 +724,7 @@ static inline int _parse_blueprint_fix(const char *fix_text, struct blueprint_cu + memcpy(val, &fix_text[ovector[2]], ovector[3] - ovector[2]); + val[ovector[3] - ovector[2]] = '\0'; + +- if (!oscap_list_contains(customizations->kernel_append, val, (oscap_cmp_func) oscap_streq)) { ++ if (!oscap_list_contains(tab[i].list, val, (oscap_cmp_func) oscap_streq)) { + oscap_list_prepend(tab[i].list, val); + } else { + free(val); +diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml +index 2fc909795b..de3b8468a8 100644 +--- a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml ++++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml +@@ -104,6 +104,16 @@ enabled = ["sshd"] + + [customizations.services] + masked = ["evil"] ++ ++ ++ ++ ++ ++ ++ Enable sshd ++ ++[customizations.services] ++enabled = ["sshd"] + + + diff --git a/openscap.spec b/openscap.spec index 1533abc..cb36c15 100644 --- a/openscap.spec +++ b/openscap.spec 
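Review bot: The fixture added to test_remediation_blueprint.xccdf.xml in 2284.patch only repeats `enabled = ["sshd"]`, so it covers a duplicate within one list but not the other failure the old check allowed: a value already present in `customizations->kernel_append` was freed instead of being added to `tab[i].list`, which silently drops a remediation entry. A second fixture in which the same string is expected in two different customization lists would pin that case. The changed line also keeps the cast `(oscap_cmp_func) oscap_streq`; neither signature is visible here, and if they differ, calling through the cast is undefined behaviour, so a small wrapper with the exact `oscap_cmp_func` signature would be safer. `_parse_blueprint_fix` starts and ends outside the hunk, including the allocation of `val`.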
@@ -1,14 +1,12 @@
 Name: openscap
-Version: 1.3.12
-Release: 2%{?dist}
+Version: 1.3.13
+Release: 1%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch0: 2218.patch
-Patch1: 2224.patch
-Patch2: 2233.patch
+Patch0: 2284.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires: rpm-devel
@@ -220,6 +218,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Mon Dec 08 2025 Matthew Burket - 1.3.13-1
+- Rebase to the latest upstream version (RHEL-133977)
+- Add note that oscap xccdf eval --local-file only works with SCAP 1.3 data streams (RHEL-74343)
+
 * Mon May 05 2025 Evgenii Kolesnikov - 1:1.3.12-2
 - Initialize tmt (RHEL-43240)
diff --git a/sources b/sources
index 13e7113..b19a833 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openscap-1.3.12.tar.gz) = a37f39012bdca0dee35ce07d8b50e8b95924a49267bf3793ee84de01431e4e27841d267cd5eee45b0782e7f549e656248e57fd31c0e022ab544f2a03246b9aec
+SHA512 (openscap-1.3.13.tar.gz) = 51c89c978437cda27a206bb83cc04f513556cf4adc7335e2f93e32e369e1a1d6a987f4fce8e9af6fc92e0c515402732a24f6c8922ea456f8fcb69dbab6d3ef01
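Review bot: `Patch0: 2284.patch` in the first openscap.spec hunk has no comment saying where the patch comes from or when it can be dropped, and the new %changelog entry in the second hunk does not mention it either. The patch file's own header identifies it as upstream commit 3a9fbd448ac18e50dfdf5a60af043cda7cdd63d0 fixing OpenSCAP#2282, so a line such as `# Upstream fix for OpenSCAP#2282 (commit 3a9fbd448ac1); drop on the next rebase` above it, plus a changelog bullet, would keep the provenance auditable. Dropping 2218, 2224 and 2233 presumably relies on 1.3.13 already containing them; the commit message does not say so, and 2233 changes which environment Bash remediations run with, so that is worth confirming against the new tarball. The new changelog entry is versioned `1.3.13-1` while the previous one reads `1:1.3.12-2`; if the package still carries that epoch, the entry should read `1:1.3.13-1`.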