.gitignore

@@ -1 +1 @@
-SOURCES/openscap-1.3.11.tar.gz
+SOURCES/openscap-1.3.12.tar.gz

.openscap.metadata

@@ -1 +1 @@
-2a44242053bd95c20c05fa572d203705e46a107b SOURCES/openscap-1.3.11.tar.gz
+0de19fd72129fd9d0e2a541918e199c321b08a34 SOURCES/openscap-1.3.12.tar.gz

SOURCES/2218.patch

@@ -0,0 +1,30 @@
+From a65dff2815eb10c3e420c61c81f1793a683630dc Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Sat, 19 Oct 2024 18:58:30 +0800
+Subject: [PATCH] Make a copy before spliting.
+
+---
+ src/OVAL/probes/probe/worker.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
+index d667127d63..e0a07c31ec 100644
+--- a/src/OVAL/probes/probe/worker.c
++++ b/src/OVAL/probes/probe/worker.c
+@@ -985,7 +985,7 @@ static SEXP_t *probe_set_eval(probe_t *probe, SEXP_t *set, size_t depth)
+ 
+ static void _add_blocked_paths(struct oscap_list *bpaths)
+ {
+-	char *envar = getenv("OSCAP_PROBE_IGNORE_PATHS");
++	char *envar = oscap_strdup(getenv("OSCAP_PROBE_IGNORE_PATHS"));
+ 	if (envar == NULL) {
+ 		return;
+ 	}
+@@ -996,6 +996,7 @@ static void _add_blocked_paths(struct oscap_list *bpaths)
+ 	for (int i = 0; paths[i]; ++i) {
+ 		oscap_list_add(bpaths, strdup(paths[i]));
+ 	}
++	free(envar);
+ 	free(paths);
+ #endif
+ }

SOURCES/2224.patch

@@ -0,0 +1,47 @@
+From d38914a4d62b2ad9d011a530bf39b4acf76e5b1b Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Tue, 15 Apr 2025 15:05:07 +0200
+Subject: [PATCH] tests: OVAL/API/skip_paths
+
+Modify the test so it could catch the regression
+with environment variable modified during execution.
+See #2168.
+---
+ tests/API/OVAL/skip_paths/test_skip_paths.sh  | 4 ++--
+ tests/API/OVAL/skip_paths/test_skip_paths.xml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.sh b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+index 4b69c9aa33..26dc5b395a 100755
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.sh
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+@@ -15,8 +15,8 @@ cp "$srcdir/test.xml" "$root/b/"
+ mkdir -p "$root/c"
+ touch "$root/c/z"
+ cp "$srcdir/test.xml" "$root/c/"
+-# oscap probes will skip directories "b" and "c"
+-export OSCAP_PROBE_IGNORE_PATHS="$root/b:$root/c"
++# oscap probes will skip directories "$root/n", "$root/b" and "$root/c"
++export OSCAP_PROBE_IGNORE_PATHS="$root/n:$root/c:$root/b"
+ $OSCAP oval eval --results $result "$srcdir/test_skip_paths.xml"
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@id="oval:x:obj:1" and @flag="complete"]'
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.xml b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+index a03196153b..57048f3ef7 100644
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.xml
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+@@ -90,12 +90,12 @@
+     <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:3">
+       <filepath>/tmp/oscap_test_skip_paths/a/x</filepath>
+       <pattern>^.*$</pattern>
+-      <instance datatype="int" operation="greater than or equal">1</instance>
++      <instance datatype="int">1</instance>
+     </textfilecontent54_object>
+     <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:4">
+       <filepath>/tmp/oscap_test_skip_paths/b/y</filepath>
+       <pattern>^.*$</pattern>
+-      <instance datatype="int" operation="greater than or equal">1</instance>
++      <instance datatype="int">1</instance>
+     </textfilecontent54_object>
+     <filehash58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:x:obj:5">
+       <filepath>/tmp/oscap_test_skip_paths/a/x</filepath>

SOURCES/2233.patch

@@ -0,0 +1,97 @@
+From 94934207b34978f92ab2f7b7cc0e8a73508c8266 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Thu, 17 Apr 2025 14:02:55 +0200
+Subject: [PATCH] Inherit opscap environment when executing Bash remediations
+ with --remediate
+
+Make the Bash remediation environment consistent with other
+types of remediation.
+---
+ src/XCCDF_POLICY/xccdf_policy_remediate.c     |  8 ++-----
+ tests/API/XCCDF/unittests/CMakeLists.txt      |  1 +
+ .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++
+ .../test_remediation_environment.xccdf.xml    | 16 ++++++++++++++
+ 4 files changed, 40 insertions(+), 6 deletions(-)
+ create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh
+ create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index d99f6d49de..842ef2df9d 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -464,12 +464,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
+ 				NULL
+ 			};
+ 
+-			char *const envp[2] = {
+-				"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
+-				NULL
+-			};
+-
+-			execve(interpret, argvp, envp);
++			// We are inheriting openscap environment
++			execve(interpret, argvp, environ);
+ 			/* Wow, execve returned. In this special case, we failed to execute the fix
+ 			 * and we return 0 from function. At least the following error message will
+ 			 * indicate the problem in xccdf:message. */
+diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
+index 164b795e0e..ef835e3506 100644
+--- a/tests/API/XCCDF/unittests/CMakeLists.txt
++++ b/tests/API/XCCDF/unittests/CMakeLists.txt
+@@ -92,6 +92,7 @@ add_oscap_test("test_remediation_cdata.sh")
+ add_oscap_test("test_remediation_subs_unresolved.sh")
+ add_oscap_test("test_remediation_fix_without_system.sh")
+ add_oscap_test("test_remediation_invalid_characters.sh")
++add_oscap_test("test_remediation_environment.sh")
+ add_oscap_test("test_remediate_simple.sh")
+ add_oscap_test("test_remediate_perl.sh")
+ add_oscap_test("test_report_check_with_empty_selector.sh")
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+new file mode 100755
+index 0000000000..1f5fd0afbf
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+@@ -0,0 +1,21 @@
++#!/usr/bin/env bash
++. $builddir/tests/test_common.sh
++
++set -e
++set -o pipefail
++
++name=$(basename $0 .sh)
++result=$(mktemp -t ${name}.out.XXXXXX)
++
++rm -f remediation.env
++
++CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
++export CANARY_EXPORTED
++CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
++
++grep -q "${PATH}" remediation.env || die "PATH not found"
++grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
++grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
++
++rm -f remediation.env
++rm $result
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+new file mode 100644
+index 0000000000..0875b6c241
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+@@ -0,0 +1,16 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
++  <status>accepted</status>
++  <version>1.0</version>
++  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
++    <title>Write some environment variables</title>
++    <fix system="urn:xccdf:fix:script:sh">
++        echo "PATH=${PATH}" > remediation.env
++        echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env
++        echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env
++    </fix>
++    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
++      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
++    </check>
++  </Rule>
++</Benchmark>

SPECS/openscap.spec

@@ -1,15 +1,15 @@
 Name:           openscap
-Version:        1.3.11
+Version:        1.3.12
-Release:        1%{?dist}
+Release:        2%{?dist}
-Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
+Group:          System Environment/Libraries
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-BuildRequires:  make
+Patch0:         2218.patch
+Patch1:         2224.patch
+Patch2:         2233.patch
 BuildRequires:  cmake >= 2.6
-BuildRequires:  gcc
-BuildRequires:  gcc-c++
 BuildRequires:  swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:  rpm-devel
 BuildRequires:  libgcrypt-devel
@@ -21,6 +21,7 @@ BuildRequires:  libblkid-devel
 BuildRequires:  bzip2-devel
 BuildRequires:  asciidoc
 BuildRequires:  openldap-devel
+BuildRequires:  GConf2-devel
 BuildRequires:  glib2-devel
 BuildRequires:  dbus-devel
 BuildRequires:  libyaml-devel
@@ -33,6 +34,7 @@ Requires:       bash
 Requires:       bzip2-libs
 Requires:       dbus
 Requires:       libyaml
+Requires:       GConf2
 Requires:       glib2
 Requires:       libacl
 Requires:       libblkid
@@ -40,9 +42,15 @@ Requires:       libcap
 Requires:       libselinux
 Requires:       openldap
 Requires:       popt
-# We have procps-ng, which provides procps
+# RHEL8 has procps-ng, which provides procps
 Requires:       procps
 Requires:       xmlsec1 xmlsec1-openssl
+Requires(post):   /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Obsoletes:      python2-openscap
+Obsoletes:      openscap-content-sectool
+Obsoletes:      openscap-extra-probes
+Obsoletes:      openscap-extra-probes-sql
 
 %description
 OpenSCAP is a set of open source libraries providing an easier path
@@ -52,7 +60,8 @@ for the expression of Computer Network Defense related information.
 
 %package        devel
 Summary:        Development files for %{name}
-Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Development/Libraries
+Requires:       %{name}%{?_isa} = %{version}-%{release}
 Requires:       libxml2-devel
 Requires:       pkgconfig
 BuildRequires:  doxygen
@@ -63,7 +72,8 @@ developing applications that use %{name}.
 
 %package        python3
 Summary:        Python 3 bindings for %{name}
-Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Development/Libraries
+Requires:       %{name}%{?_isa} = %{version}-%{release}
 BuildRequires:  python3-devel
 
 %description    python3
@@ -72,9 +82,12 @@ libraries can be used by python3.
 
 %package        scanner
 Summary:        OpenSCAP Scanner Tool (oscap)
-Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Applications/System
+Requires:       %{name}%{?_isa} = %{version}-%{release}
 Requires:       libcurl >= 7.12.0
 BuildRequires:  libcurl-devel >= 7.12.0
+Obsoletes:      openscap-selinux
+Obsoletes:      openscap-selinux-compat
 
 %description    scanner
 The %{name}-scanner package contains oscap command-line tool. The oscap
@@ -83,9 +96,10 @@ compliance checking using SCAP content.
 
 %package        utils
 Summary:        OpenSCAP Utilities
-Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Applications/System
+Requires:       %{name}%{?_isa} = %{version}-%{release}
 Requires:       rpmdevtools rpm-build
-Requires:       %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}-scanner%{?_isa} = %{version}-%{release}
 Requires:       bash
 
 %description    utils
@@ -95,7 +109,8 @@ tool which is now separated to %{name}-scanner sub-package.
 
 %package        engine-sce
 Summary:        Script Check Engine plug-in for OpenSCAP
-Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Applications/System
+Requires:       %{name}%{?_isa} = %{version}-%{release}
 
 %description    engine-sce
 The Script Check Engine is non-standard extension to SCAP protocol. This
@@ -104,8 +119,9 @@ commands using a scripting language (Bash, Perl, Python, Ruby, ...).
 
 %package        engine-sce-devel
 Summary:        Development files for %{name}-engine-sce
-Requires:       %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
+Group:          Development/Libraries
-Requires:       %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}-devel%{?_isa} = %{version}-%{release}
+Requires:       %{name}-engine-sce%{?_isa} = %{version}-%{release}
 Requires:       pkgconfig
 
 %description    engine-sce-devel
@@ -114,21 +130,21 @@ for developing applications that use %{name}-engine-sce.
 
 %prep
 %autosetup -p1
+mkdir build
 
 %build
-# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon
+cd build
-# as gconf is no longer part of the installation medium
+%cmake -DENABLE_PERL=OFF \
-%cmake \
         -DENABLE_DOCS=ON \
-    -DENABLE_PERL=OFF \
         -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+        -DENABLE_OSCAP_UTIL_IM=OFF \
+        -DENABLE_OSCAP_UTIL_CHROOT=ON \
+        -DENABLE_OSCAP_UTIL_PODMAN=ON \
+        -DENABLE_OSCAP_UTIL_VM=ON \
         -DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \
         -DOPENSCAP_PROBE_LINUX_DPKGINFO=OFF \
-    -DOPENSCAP_PROBE_UNIX_GCONF=OFF \
+        ..
-    -DOPENSCAP_ENABLE_SHA1=OFF \
+make %{?_smp_mflags}
-    -DOPENSCAP_ENABLE_MD5=OFF \
-    -DGCONF_LIBRARY=
-%cmake_build
 make docs
 
 %check
@@ -137,14 +153,20 @@ ctest -V %{?_smp_mflags}
 %endif
 
 %install
-%cmake_install
+cd build
+%make_install
 
 find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 # fix python shebangs
 pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 
-%ldconfig_scriptlets
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
 
 %files
 %doc AUTHORS NEWS README.md
@@ -192,217 +214,256 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/scap-as-rpm
 %{_mandir}/man8/autotailor.8.gz
 %{_bindir}/autotailor
-%{_mandir}/man8/oscap-im.8.gz
-%{_bindir}/oscap-im
 
 %files engine-sce
 %{_libdir}/libopenscap_sce.so.*
 %{_bindir}/oscap-run-sce-script
 
 %changelog
-* Mon Feb 10 2025 Jan Černý <jcerny@redhat.com> - 1:1.3.11-1
+* Mon May 05 2025 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.12-2
-- Upgrade to the latest upstream release (RHEL-76355)
+- Initialize tmt (RHEL-43240)
-- Introduce "oscap-im", a tool for building hardened bootable container images
-- Fix RPM probes in bootable container images build environment (RHEL-55251)
 
-* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 1:1.3.10-3
+* Fri Apr 25 2025 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.12-1
-- Switch gating to tmt plan (RHEL-43241)
+- Upgrade to the latest upstream release (RHEL-88842)
+- Fix error when tailoring DISA content (RHEL-34104)
+- Fix OSCAP_PROBE_IGNORE_PATHS handling (RHEL-67297)
 
-* Mon Apr 08 2024 Jan Černý <jcerny@redhat.com> - 1:1.3.10-2
+* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 1.3.10-3
+- Switch gating to tmt plan (RHEL-43240)
+
+* Mon Apr 08 2024 Jan Černý <jcerny@redhat.com> - 1.3.10-2
 - Explicitely disable dpkginfo probe
 
-* Tue Apr 02 2024 Jan Černý <jcerny@redhat.com> - 1:1.3.10-1
+* Tue Apr 02 2024 Jan Černý <jcerny@redhat.com> - 1.3.10-1
-- Rebase to the latest upstream version (RHEL-29172)
+- Rebase to the latest upstream version (RHEL-31221)
-- Fix OVAL results file name (RHEL-7050)
+- Add ability to define a limit of collected items (RHEL-11925)
-- Add ability to define a limit of collected items (RHEL-4141)
+- Add option --references that can select rules based on their reference (RHEL-1479)
-- Add ability to refine rules in autotailor (RHEL-1477)
-- Improve the formatting of Blueprint remediations (RHEL-1476)
 
 * Fri Jul 14 2023 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.8-1
-- Upgrade to the latest upstream release (rhbz#2217442)
+- Upgrade to the latest upstream release (rhbz#2217441)
-- Fix systemd* probes unit enumeration (rhbz#2219532)
+- Add offline support for sysctl probe (rhbz#2185791)
+- Fix systemd* probes unit enumeration (rhbz#2219533)
 
-* Fri Jan 27 2023 Jan Černý <jcerny@redhat.com> - 1:1.3.7-1
+* Fri Jan 27 2023 Jan Černý <jcerny@redhat.com> - 1.3.7-1
-- Upgrade to the latest upstream release (rhbz#2159286)
+- Upgrade to the latest upstream release (rhbz#2159290)
-- Fix error when processing OVAL filters (rhbz#2126883)
+- Fix error when processing OVAL filters (rhbz#2126882)
-- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2138884)
+- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2139060)
 
-* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-4
+* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-4
-- Fix potential invalid scan results in OpenSCAP (rhbz#2109485)
+- Fix potential invalid scan results in OpenSCAP (rhbz#2111040)
-- Remove oscap-remediate service (rhbz#2111358)
+- Remove oscap-remediate service (rhbz#2111360)
 
-* Mon Feb 07 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-3
+* Wed Feb 02 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-3
-- Prevent file permission errors (rhbz#2048571)
+- Prevent fails of test_ds_misc.sh
 
 * Mon Jan 31 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-2
 - Fix coverity issues
 - Prevent fails of test_ds_misc.sh
 
-* Thu Jan 20 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-1
+* Thu Jan 20 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-1
-- Upgrade to the latest upstream release (rhbz#2041782)
+- Upgrade to the latest upstream release (rhbz#2041781)
-- Select and exclude groups of rules on the command line (rhbz#2020580, rhbz#2020581)
+- Select and exclude groups of rules on the command line
 - The boot-time remediation service for systemd's Offline Update mode
 
-* Fri Nov 19 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-13
+* Fri Nov 19 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-10
 - Print warning for local files
 
-* Tue Nov 09 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-12
+* Wed Nov 10 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-9
-- Allow using local files instead of remote resources (rhbz#2015518)
+- Lower memory limits and improve their checking (rhbz#2021851)
-- Add an alternative source of hostname (rhbz#2021509)
+- Remove timestamp from the user manual (rhbz#2022364)
-- Lower memory limits and improve their checking (rhbz#2022362)
 
-* Thu Nov 04 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-11
+* Tue Nov 09 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-8
-- Initialize crypto API only once (rhbz#2020044)
+- Allow local DS components (rhbz#1970529)
-- Add support for Blueprint remediations (rhbz#2020052)
+- Fix hostname detection in offline scan of UBI 9 images (rhbz#1893888)
+- Add an alternative source of hostname (rhbz#1977668)
+- Fix oscap-chroot errors in process58_probe caused by empty /proc (rhbz#2008922)
 
-* Mon Nov 01 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-10
+* Thu Nov 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-7
-- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
+- Introduce support for Image Builder's Blueprint remediation type (rhbz#2020050)
 
-* Mon Nov 01 2021 Matej Tyc <matyc@redhat.com> - 1:1.3.5-9
+* Wed Jul 28 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-6
-- Fix bad handling of HTTP error code (rhbz#2002733)
+- Initialize crypto API only once (rhbz#1959570)
 
-* Fri Aug 27 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-8
+* Wed Jul 14 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-5
-- Revert Epoch removal
+- Add 'null' values handling to the yamlfilecontent probe (RHBZ#1981691)
 
-* Tue Aug 24 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-7
+* Tue Jun 01 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-4
-- Update package spec file
+- Replace getlogin by cuserid
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.3.5-6
+* Mon May 10 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-3
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Waive known issue with hugepages in upstream testsuite (RHBZ#1912000)
-  Related: rhbz#1991688
+- Fix issues reported by the coverity scan
+- Introduce OSBuild 'blueprint' fix type
 
-* Thu Jul 22 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-5
+* Tue May 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-2
-- Remove support for SHA-1 and MD5 (rhbz#1936619)
+- Fix changelog (add missing 1.3.3-6 entry)
-- Fix coverity findings (rhbz#1938830)
 
-* Tue Jun 29 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-4
+* Thu Apr 29 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-1
-- Fix failing test tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh
+- Upgrade to the latest upstream release (RHBZ#1953092)
-- Add 'null' yamlfilecontent values handling
+- Fix segfault when using --stig-viewer option and latest XML file from DoD (RHBZ#1912000)
+- Improve doc about --stig-viewer (RHBZ#1918759)
+- Backport an upstream patch adding CentOS CPE (RHBZ#1907935)
 
-* Mon Jun 28 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-3
+* Wed Nov 25 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-5
-- Do not set RPATH on built binaries
+- Add check for non-local GPFS file system into Test Suite (RHBZ#1840578)
-- Fix UBI9 scan (rhbz#1953610)
-- Fix failing rpminspect xml test
 
-* Thu May 20 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-2
+* Fri Nov 13 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-4
-- Remove containers subpackage
+- Use MALLOC_CHECK_=3 while executing Test Suite (RHBZ#1891770)
 
-* Fri Apr 23 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-1
+* Tue Nov 10 2020 Jan Černý <jcerny@redhat.com> - 1.3.4-3
-- Update to the latest upstream release
+- Fix memory allocation (RHBZ#1891770)
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.3.4-4
+* Thu Oct 29 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.3-6
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Enable profile composition with a specific platform (RHBZ#1896676)
+- Enable YAML probe to work with sets of values (RHBZ#1895715)
 
-* Wed Dec 09 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.4-3
+* Mon Oct 26 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-2
-- Remove dependency on GConf2
+- Fix problems uncovered by the Coverity Scan (RHBZ#1887794)
-- Update cmake command
 
-* Tue Nov 03 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-2
+* Wed Oct 14 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-1
-- Fix problems uncovered by the Coverity Scan
+- Upgrade to the latest upstream release (RHBZ#1887794)
-- Fix field names handling in yamlfilecontent probe
+- Treat GPFS as a remote file system (RHBZ#1840578, RHBZ#1840579)
+- Fixed the most problematic memory issues that were causing OOM situations
+  for systems with large amount of files (RHBZ#1824152)
+- Proper handling of OVALs with circular dependencies between definitions (RHBZ#1812476)
 
-* Wed Oct 07 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.4-1
+* Wed Aug 19 2020 Jan Černý <jcerny@redhat.com> - 1.3.3-5
-- Upgrade to the latest upstream release
+- Detect remote file systems correctly (RHBZ#1870087)
 
-* Thu Aug 27 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.3-6
+* Mon Aug 03 2020 Jan Černý <jcerny@redhat.com> - 1.3.3-4
-- Disabled the gconf probe, and removed the gconf dependency.
+- Fix memory leaks in rpmverifyfile probe (RHBZ#1861301)
-  gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon
-  as gconf is no longer part of the installation medium for Fedora 32
 
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.3-5
+* Tue Jul 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- Added support for fetching remote content with compression (RHBZ#1855708)
 
-* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1:1.3.3-4
+* Thu Jun 25 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-2
-- Update spec file to use new cmake macros
+- Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)
-- https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
 
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.3-3
+* Mon May 04 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-1
-- Rebuilt for Python 3.9
+- Upgrade to the latest upstream release (rhbz#1829761)
+- Added a Python script that can be used for CLI tailoring (autotailor)
+- Added timezone to XCCDF TestResult start/end time
+- Added yamlfilecontent independent probe (proposal/draft implementation)
+- Added ability to generate `machineconfig` fix
+- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF
+- Fixed filepath pattern matching in offline mode in textfilecontent58 probe
+- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
+- Fixed #1512: Severity refinement lost in generated guide
+- Fixed #1453: Pointer lost in Swig API
+- The data system_info probe return for offline and online modes is consistent and actual
+- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities
+  from system_info probe
 
-* Mon May 04 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.3-2
+* Fri Mar 27 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-9
-- Add libyaml-devel as a dependency to enable yamlfilecontent probe
+- Generate HTML guides from tailored profiles (RHBZ#1743835)
 
-* Thu Apr 30 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.3-1
+* Wed Mar 18 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-8
-- Upgrade to the latest upstream release
+- Fix tests for rpmverifyfileprobe (RHBZ#1814726)
 
-* Thu Apr 09 2020 Matěj Týč <matyc@redhat.com> - 1:1.3.2-5
+* Thu Mar 12 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-7
-- Made the spec file requirements section copy-paste of the RHEL8 section.
+- Fix segmentation fault in systemdunitdependency_probe (RHBZ#1793050)
-- Cleaned the spec file up from ancient obsoletes.
+- Fix crash in textfilecontent probe (RHBZ#1686467)
+- Do not drop empty lines from Ansible remediations (RHBZ#1795563)
+- Fix oscap-ssh --sudo (RHBZ#1803116)
+- Remove useless warnings (RHBZ#1764139)
 
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.2-4
+* Thu Jan 23 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+- Fix FindACL.cmake
 
-* Mon Jan 27 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.2-3
+* Tue Jan 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.2-5
-- Fix duplicate global variables (RHBZ#1793914)
+- Added more exhaustive package dependencies.
+- Added the covscan/UX patch.
 
-* Wed Jan 15 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.2-2
+* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-4
-- Do not use C++ keyword operator as a function parameter name
+- Added patch: utils/oscap-podman: Detect ambiguous scan target
 
-* Tue Jan 14 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.2-1
+* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-3
-- Upgrade to the latest upstream release
+- Refined requirements
 
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-4
+* Sun Jan 19 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-2
-- Rebuilt for Python 3.8.0rc1 (#1748018)
+- Added patch: Fix case where CMake couldn't find libacl or xattr.h
 
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-3
+* Wed Jan 15 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-1
-- Rebuilt for Python 3.8
+- Upgrade to the latest upstream release (rhbz#1778296)
+- Offline mode support for environmentvariable58 probe (rhbz#1493614)
+- The oscap-docker wrapper is available without Atomic
+- Improved support of multi-check rules (report, remediations, console output) (rhbz#1771438)
+- Improved HTML report look and feel, including printed version (rhbz#1640839)
+- Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
+- Probe rpmverifyfile uses and returns canonical paths (rhbz#1776308)
+- Improved a11y of HTML reports and guides (rhbz#1767382)
+- Fixes and improvements for SWIG Python bindings (rhbz#1753603)
+- #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
+- Fixed URL link mechanism for Red Hat Errata
+- New STIG Viewer URI: public.cyber.mil
+- Probe selinuxsecuritycontext would not check if SELinux is enabled
+- Scanner would provide information about unsupported OVAL objects
+- Added more tests for offline mode (probes, remediation) (rhbz#1618489)
+- #528 fixed: Eval SCE script when /tmp is in mode noexec
+- #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage (rhbz#1636431) 
 
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.1-2
+* Wed Dec 18 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+- put back openscap-chroot, openscap-podman and openscap-vm files
 
-* Thu Jun 13 2019 Jan Černý <jcerny@redhat.com> - 1:1.3.1-1
+* Fri Nov 01 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-2
+- Fixed XSLT template making rule details in reports accessible for screenreader users (#1767382)
+
+* Fri Jun 14 2019 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.1-1
+- Bumped the package release number
+
+* Thu Jun 13 2019 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.1-0
+- Upgrade to the latest upstream release (rhbz#1718826)
+- Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation) (rhbz#1709429)
+- Tailoring files are included in ARF result files
+- Remote filesystems mounted using `autofs` direct maps are not recognized as local filesystems (rhbz#1655943)
+- Offline scan utilizing rpmverifyfile probe fails in fchdir and aborts (rhbz#1636431)
+
+* Wed Jan 16 2019 Gabriel Becker <ggasparb@redhat.com> - 1.3.0-7
+- Removed oscap-vm binary and manpage files from build as they will not be supported by RHEL-8.0.0.
+- Explicitly specify which files should be in openscap-utils subpackage.
+
+* Mon Jan 14 2019 Gabriel Becker <ggasparb@redhat.com> - 1.3.0-6
+- Removed containers package as RHEL-8.0.0 will not support it.
+- Removed oscap-chroot binary and manpage from utils package as RHEL-8.0.0 will not support it.
+
+* Mon Oct 15 2018 Jan Černý <jcerny@redhat.com> - 1.3.0-5
+- Fixed unresolved symbols in SCE library
+
+* Fri Oct 12 2018 Matěj Týč <matyc@redhat.com> - 1.3.0-4
+- Fixed a sudo regression in oscap-ssh.
+- Updated test to work with newer versions of procps.
+- Updated the man page.
+
+* Tue Oct 09 2018 Matěj Týč <matyc@redhat.com> - 1.3.0-3
+- Fixed memory error in SWIG (RHBZ#1607014)
+
+* Tue Oct 09 2018 Jan Černý <jcerny@redhat.com> - 1.3.0-2
+- Drop openscap-perl subpackage (RHBZ#1624396)
+
+* Mon Oct 08 2018 Jan Černý <jcerny@redhat.com> - 1.3.0-1
+- upgrade to the latest upstream release
+- list subpackages removed in 1.3.0_alpha1-1 as obsoleted
+
+* Fri Aug 10 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha2-1
 - upgrade to the latest upstream release
 
-* Mon Jun 10 22:13:21 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:1.3.0-7
+* Thu Aug 09 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha1-3
-- Rebuild for RPM 4.15
+- Add RHEL8 CPE (until RHEL8 public beta downstream patch only)
 
-* Mon Jun 10 15:42:04 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:1.3.0-6
+* Fri Jul 27 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha1-2
-- Rebuild for RPM 4.15
+- Use AsciiDoc instead of AsciiDoctor (RHBZ#1607541)
 
-* Sat Jun 01 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.3.0-5
+* Fri Jul 20 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha1-1
-- Perl 5.30 rebuild
-
-* Mon May 20 2019 Jan Černý <jcerny@redhat.com> - 1.3.0-4
-- Upgrade the Epoch to align with F30
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Oct 19 2018 Matěj Týč <matyc@redhat.com> - 1.3.0-2
-- Removed the openscap-perl package to be on par with RHEL.
-
-* Tue Oct 09 2018 Jan Černý <jcerny@redhat.com> - 1.3.0-1
-- upgrade to the latest upstream release
-
-* Mon Sep 10 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha2-2
-- List subpackages removed in 1.3.0_alpha1-1 as obsoleted (RHBZ#1626801)
-
-* Mon Aug 13 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha2-1
-- upgrade to the latest upstream release
-
-* Wed Jul 25 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha1-2
-- removed python2-openscap subpackage
-
-* Wed Jul 18 2018 Jan Černý <jcerny@redhat.com> - 1.3.0_alpha1-1
 - upgrade to the latest upstream release
 - change specfile to use CMake
 - dropped commands in the spec file that are no longer relevant
 - dropped subpackages in the spec file that are no longer relevant
 
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.17-5
+* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 1.2.16-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+- Use pathfix.py instead of a downstream patch to fix shebang
 
-* Tue Jul 03 2018 Petr Pisar <ppisar@redhat.com> - 1.2.17-4
+* Thu May 17 2018 Jan Černý <jcerny@redhat.com> - 1.2.16-4
-- Perl 5.28 rebuild
+- Remove Python 2 dependencies
-
-* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1.2.17-3
-- Perl 5.28 rebuild
-
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.2.17-2
-- Rebuilt for Python 3.7
-
-* Tue May 29 2018 Jan Černý <jcerny@redhat.com> - 1.2.17-1
-- upgrade to the latest upstream release
 
 * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.16-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@@ -786,4 +847,3 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 
 * Thu Jan 15 2009 Tomas Heinrich <theinric@redhat.com> 0.1.1-1
 - Initial rpm
-