Fix test fails

- Do not set RPATH on built binaries
- Fix UBI9 scan (rhbz#1953610)
- Fix failing rpminspect xml test

Resolves: RHBZ#1952789

openscap-1.3.6-rpath-pr-1765.patch

@@ -0,0 +1,42 @@
+From 5f8879927fa34827f1b367eac311845e6ebec9a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 10 Jun 2021 13:41:25 +0200
+Subject: [PATCH] Do not set Rpath
+
+See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967200
+---
+ CMakeLists.txt | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c70ba29bf..cc7b5e005 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -482,25 +482,7 @@ else()
+ endif()
+ set(OSCAP_TEMP_DIR "/tmp" CACHE STRING "use different temporary directory to execute sce scripts (default=/tmp)")
+ 
+-# ---------- RPATHS for linking
+ 
+-# see https://cmake.org/Wiki/CMake_RPATH_handling
+-
+-# use, i.e. don't skip the full RPATH for the build tree
+-set(CMAKE_SKIP_BUILD_RPATH FALSE)
+-
+-# when building, don't use the install RPATH already
+-# (but later on when installing)
+-set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE)
+-
+-set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
+-
+-# add the automatically determined parts of the RPATH
+-# which point to directories outside the build tree to the install RPATH
+-set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+-
+-# Turn on RPATH for OSX for policy warning
+-set(CMAKE_MACOSX_RPATH ON)
+ # ---------- CONFIGURATION
+ 
+ configure_file("config.h.in" "config.h")

openscap-1.3.6-rpminspect-xml-pr-1773.patch

@@ -0,0 +1,81 @@
+From e515fc9694efb8703f6c55782094e0273c0dec9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 25 Jun 2021 13:59:59 +0200
+Subject: [PATCH] Workaround rpminspect problem
+
+rpminspect produces this problem:
+
+xml-files:
+----------
+1) File /usr/share/openscap/xsl/oval-results-report.xsl is a malformed XML file on x86_64
+Result: VERIFY
+Waiver Authorization: Anyone
+
+Details:
+No declaration for element stylesheet
+
+Suggested Remedy: Correct the reported errors in the XML document
+
+I assume that it's caused by mixing the DTD and schema - it probably
+expects that the DTD will contain a declaration of the root element
+as well. The workaround simply expands both entities by substituting
+them by their contents.
+---
+ xsl/oval-results-report.xsl | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/xsl/oval-results-report.xsl b/xsl/oval-results-report.xsl
+index fe50717795..744540c8f8 100644
+--- a/xsl/oval-results-report.xsl
++++ b/xsl/oval-results-report.xsl
+@@ -1,10 +1,4 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+-<!DOCTYPE xsl:stylesheet [
+-<!-- check symbol -->
+-<!ENTITY resultgood "&#x2713;">
+-<!-- x symbol -->
+-<!ENTITY resultbad "&#x2715;">
+-]>
+ <!--
+ 
+ ****************************************************************************************
+@@ -129,7 +123,7 @@
+ 						<tr class="LightRow">
+ 							<td class="resultbadA ColorBox"/>
+ 							<td class="resultbadB ColorBox"/>
+-							<td class="Text" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td>
++							<td class="Text" title="Non-Compliant/Vulnerable/Unpatched">&#x2715;</td>
+ 						</tr>
+ 					</table>
+ 				</td>
+@@ -138,7 +132,7 @@
+ 						<tr class="LightRow">
+ 							<td class="resultgoodA ColorBox"/>
+ 							<td class="resultgoodB ColorBox"/>
+-							<td class="Text" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td>
++							<td class="Text" title="Compliant/Non-Vulnerable/Patched">&#x2713;</td>
+ 						</tr>
+ 					</table>
+ 				</td>
+@@ -227,8 +221,8 @@
+ 					<table border="1">
+ 						<tr class="Title">
+ 							<td class="TitleLabel" align="center">Systems Analyzed</td>
+-							<td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td>
+-							<td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td>
++							<td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">&#x2715;</td>
++							<td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">&#x2713;</td>
+ 							<td class="TitleLabel" align="center">Errors</td>
+ 							<td class="TitleLabel" align="center">Unknown</td>
+ 							<td class="TitleLabel" align="center" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">Other</td>
+@@ -497,8 +491,8 @@
+     <xsl:template name="GeneratorResTotals">
+         <xsl:param name="resultsElm"/>
+         <tr class="DarkRow Center">
+-        	<td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#&resultbad;</td>
+-        	<td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#&resultgood;</td>
++        	<td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#&#x2715;</td>
++        	<td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#&#x2713;</td>
+         	<td class="SmallLabel" style="width: 20%;" title="Error">#Error</td>
+         	<td class="SmallLabel" style="width: 20%;" title="Unknown">#Unknown</td>
+         	<td class="SmallLabel" style="width: 20%;" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">#Other</td>

openscap-1.3.6-ubi9-pr-1772.patch

@@ -0,0 +1,38 @@
+From 80543bc666d648d0251e4c7b675489b8011a548a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 25 Jun 2021 10:19:43 +0200
+Subject: [PATCH] Fix UBI 9 scan
+
+In offline mode when scanning a cointainer based on UBI 9 the
+system_info probe failed because the function `_offline_get_hname` which
+reads from `/etc/hostname` returns an empty string which causes
+`__sysinfo_saneval(hname)` check to return zero which in turn causes the
+probe returns an error. We can prevent this situation by replacing the
+empty string by `"Unknown"`, which we already do when the `hname` is
+`NULL`.
+
+Addressing:
+
+W: oscap: Can't receive message: 125, Operation canceled.
+E: oscap: Recv: retry limit (0) reached.
+OpenSCAP Error: Probe at sd=32 (system_info) reported an error: Invalid type, value or format [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:383]
+Unable to receive a message from probe [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:572]
+
+Resolves: rhbz#1953610
+---
+ src/OVAL/probes/independent/system_info_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/system_info_probe.c b/src/OVAL/probes/independent/system_info_probe.c
+index 9bdd73556d..8251e655ed 100644
+--- a/src/OVAL/probes/independent/system_info_probe.c
++++ b/src/OVAL/probes/independent/system_info_probe.c
+@@ -732,7 +732,7 @@ int system_info_probe_main(probe_ctx *ctx, void *arg)
+ 	if (!architecture)
+ 		architecture = strdup(unknown);
+ 
+-	if (!hname)
++	if (!hname || *hname == '\0')
+ 		hname = strdup(unknown);
+ 
+ 	if (__sysinfo_saneval(os_name) < 1 ||

openscap.spec

@@ -1,13 +1,16 @@
 Name:           openscap
 Version:        1.3.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch1: openscap-1.3.6-waive-hugetables-pr-1745.patch
-Patch2: openscap-1.3.6-replace-getlogin-pr-1753.patch
+Patch1:         openscap-1.3.6-waive-hugetables-pr-1745.patch
+Patch2:         openscap-1.3.6-replace-getlogin-pr-1753.patch
+Patch3:         openscap-1.3.6-rpath-pr-1765.patch
+Patch4:         openscap-1.3.6-ubi9-pr-1772.patch
+Patch5:         openscap-1.3.6-rpminspect-xml-pr-1773.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@@ -193,6 +196,11 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Mon Jun 28 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-3
+- Do not set RPATH on built binaries
+- Fix UBI9 scan (rhbz#1953610)
+- Fix failing rpminspect xml test
+
 * Thu May 20 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-2
 - Remove containers subpackage