Upgrade to the latest upstream release

Resolves: RHEL-88413

2218.patch

@@ -0,0 +1,30 @@
+From a65dff2815eb10c3e420c61c81f1793a683630dc Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Sat, 19 Oct 2024 18:58:30 +0800
+Subject: [PATCH] Make a copy before spliting.
+
+---
+ src/OVAL/probes/probe/worker.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
+index d667127d63..e0a07c31ec 100644
+--- a/src/OVAL/probes/probe/worker.c
++++ b/src/OVAL/probes/probe/worker.c
+@@ -985,7 +985,7 @@ static SEXP_t *probe_set_eval(probe_t *probe, SEXP_t *set, size_t depth)
+ 
+ static void _add_blocked_paths(struct oscap_list *bpaths)
+ {
+-	char *envar = getenv("OSCAP_PROBE_IGNORE_PATHS");
++	char *envar = oscap_strdup(getenv("OSCAP_PROBE_IGNORE_PATHS"));
+ 	if (envar == NULL) {
+ 		return;
+ 	}
+@@ -996,6 +996,7 @@ static void _add_blocked_paths(struct oscap_list *bpaths)
+ 	for (int i = 0; paths[i]; ++i) {
+ 		oscap_list_add(bpaths, strdup(paths[i]));
+ 	}
++	free(envar);
+ 	free(paths);
+ #endif
+ }

2224.patch

@@ -0,0 +1,47 @@
+From d38914a4d62b2ad9d011a530bf39b4acf76e5b1b Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Tue, 15 Apr 2025 15:05:07 +0200
+Subject: [PATCH] tests: OVAL/API/skip_paths
+
+Modify the test so it could catch the regression
+with environment variable modified during execution.
+See #2168.
+---
+ tests/API/OVAL/skip_paths/test_skip_paths.sh  | 4 ++--
+ tests/API/OVAL/skip_paths/test_skip_paths.xml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.sh b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+index 4b69c9aa33..26dc5b395a 100755
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.sh
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+@@ -15,8 +15,8 @@ cp "$srcdir/test.xml" "$root/b/"
+ mkdir -p "$root/c"
+ touch "$root/c/z"
+ cp "$srcdir/test.xml" "$root/c/"
+-# oscap probes will skip directories "b" and "c"
+-export OSCAP_PROBE_IGNORE_PATHS="$root/b:$root/c"
++# oscap probes will skip directories "$root/n", "$root/b" and "$root/c"
++export OSCAP_PROBE_IGNORE_PATHS="$root/n:$root/c:$root/b"
+ $OSCAP oval eval --results $result "$srcdir/test_skip_paths.xml"
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@id="oval:x:obj:1" and @flag="complete"]'
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.xml b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+index a03196153b..57048f3ef7 100644
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.xml
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+@@ -90,12 +90,12 @@
+     <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:3">
+       <filepath>/tmp/oscap_test_skip_paths/a/x</filepath>
+       <pattern>^.*$</pattern>
+-      <instance datatype="int" operation="greater than or equal">1</instance>
++      <instance datatype="int">1</instance>
+     </textfilecontent54_object>
+     <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:4">
+       <filepath>/tmp/oscap_test_skip_paths/b/y</filepath>
+       <pattern>^.*$</pattern>
+-      <instance datatype="int" operation="greater than or equal">1</instance>
++      <instance datatype="int">1</instance>
+     </textfilecontent54_object>
+     <filehash58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:5">
+       <filepath>/tmp/oscap_test_skip_paths/a/x</filepath>

2233.patch

@@ -0,0 +1,97 @@
+From 94934207b34978f92ab2f7b7cc0e8a73508c8266 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Thu, 17 Apr 2025 14:02:55 +0200
+Subject: [PATCH] Inherit opscap environment when executing Bash remediations
+ with --remediate
+
+Make the Bash remediation environment consistent with other
+types of remediation.
+---
+ src/XCCDF_POLICY/xccdf_policy_remediate.c     |  8 ++-----
+ tests/API/XCCDF/unittests/CMakeLists.txt      |  1 +
+ .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++
+ .../test_remediation_environment.xccdf.xml    | 16 ++++++++++++++
+ 4 files changed, 40 insertions(+), 6 deletions(-)
+ create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh
+ create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index d99f6d49de..842ef2df9d 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -464,12 +464,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
+ 				NULL
+ 			};
+ 
+-			char *const envp[2] = {
+-				"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
+-				NULL
+-			};
+-
+-			execve(interpret, argvp, envp);
++			// We are inheriting openscap environment
++			execve(interpret, argvp, environ);
+ 			/* Wow, execve returned. In this special case, we failed to execute the fix
+ 			 * and we return 0 from function. At least the following error message will
+ 			 * indicate the problem in xccdf:message. */
+diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
+index 164b795e0e..ef835e3506 100644
+--- a/tests/API/XCCDF/unittests/CMakeLists.txt
++++ b/tests/API/XCCDF/unittests/CMakeLists.txt
+@@ -92,6 +92,7 @@ add_oscap_test("test_remediation_cdata.sh")
+ add_oscap_test("test_remediation_subs_unresolved.sh")
+ add_oscap_test("test_remediation_fix_without_system.sh")
+ add_oscap_test("test_remediation_invalid_characters.sh")
++add_oscap_test("test_remediation_environment.sh")
+ add_oscap_test("test_remediate_simple.sh")
+ add_oscap_test("test_remediate_perl.sh")
+ add_oscap_test("test_report_check_with_empty_selector.sh")
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+new file mode 100755
+index 0000000000..1f5fd0afbf
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+@@ -0,0 +1,21 @@
++#!/usr/bin/env bash
++. $builddir/tests/test_common.sh
++
++set -e
++set -o pipefail
++
++name=$(basename $0 .sh)
++result=$(mktemp -t ${name}.out.XXXXXX)
++
++rm -f remediation.env
++
++CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
++export CANARY_EXPORTED
++CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
++
++grep -q "${PATH}" remediation.env || die "PATH not found"
++grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
++grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
++
++rm -f remediation.env
++rm $result
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+new file mode 100644
+index 0000000000..0875b6c241
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+@@ -0,0 +1,16 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
++  <status>accepted</status>
++  <version>1.0</version>
++  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
++    <title>Write some environment variables</title>
++    <fix system="urn:xccdf:fix:script:sh">
++        echo "PATH=${PATH}" > remediation.env
++        echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env
++        echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env
++    </fix>
++    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
++      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
++    </check>
++  </Rule>
++</Benchmark>

openscap.spec

@@ -1,11 +1,14 @@
 Name:           openscap
-Version:        1.3.11
+Version:        1.3.12
 Release:        1%{?dist}
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         2218.patch
+Patch1:         2224.patch
+Patch2:         2233.patch
 BuildRequires:  make
 BuildRequires:  cmake >= 2.6
 BuildRequires:  gcc
@@ -200,6 +203,10 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Fri Apr 25 2025 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.12-1
+- Upgrade to the latest upstream release (RHEL-88413)
+- Fix OSCAP_PROBE_IGNORE_PATHS handling
+
 * Mon Feb 10 2025 Jan Černý <jcerny@redhat.com> - 1:1.3.11-1
 - Upgrade to the latest upstream release (RHEL-76355)
 - Introduce "oscap-im", a tool for building hardened bootable container images

sources

@@ -1 +1 @@
-SHA512 (openscap-1.3.11.tar.gz) = 41e11e3ac1861f678d52b179a183e6c7c60419a13b2d95126663652782f20575baf3801e0217a9aad3dc5d630dc40ca4b6be5d17da15cf985ccca89496b84eeb
+SHA512 (openscap-1.3.12.tar.gz) = a37f39012bdca0dee35ce07d8b50e8b95924a49267bf3793ee84de01431e4e27841d267cd5eee45b0782e7f549e656248e57fd31c0e022ab544f2a03246b9aec