From 7886738481ab3a8f9e0465a504eefc571cc108bb Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jun 09 2020 19:59:48 +0000
Subject: import openscap-1.3.3-1.el8


---

diff --git a/.gitignore b/.gitignore
index fc9c1e0..b759384 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.3.2.tar.gz
+SOURCES/openscap-1.3.3.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index 2413801..36498f3 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-5fe71454faff8cdcbd0e13e7c7343daf04069ca9 SOURCES/openscap-1.3.2.tar.gz
+6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz
diff --git a/SOURCES/01-add-test-fix-type-anaconda.patch b/SOURCES/01-add-test-fix-type-anaconda.patch
deleted file mode 100644
index a1c2b73..0000000
--- a/SOURCES/01-add-test-fix-type-anaconda.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 712000a675103393045fde191856ce1dd306f1ca Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Mon, 13 Jan 2020 17:28:09 +0100
-Subject: [PATCH] Add a test to check --fix-type Anaconda
-
-There should be 2 equal ways of generating Anaconda remediations:
-"oscap xccdf generate fix --fix-type anaconda" and
-"oscap xccdf generate fix --template urn:redhat:anaconda:pre"
-Both commands should give the same output.
-This tests a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1736850
-introduced by b1448ec95a957a76eb8be6d439531c532d97ff3c
----
- .../API/XCCDF/unittests/test_report_anaconda_fixes.sh  | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
-index d4e86e657..650f3d75b 100755
---- a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
-+++ b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
-@@ -23,6 +23,16 @@ grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
- [ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
- :> $result
- 
-+# use --fix-type instead of URN template to generate the same fix
-+$OSCAP xccdf generate fix --fix-type anaconda \
-+	--output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr
-+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
-+grep "$line1" $result
-+grep "$line2" $result
-+grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
-+[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
-+:> $result
-+
- $OSCAP xccdf generate fix --template urn:redhat:anaconda:pre \
- 	--profile xccdf_moc.elpmaxe.www_profile_1 \
- 	--output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr
diff --git a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch b/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch
deleted file mode 100644
index e6dbdca..0000000
--- a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0ba7c9423f64a88ceef50318f1a382059484f737 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 15 Jan 2020 13:54:45 +0100
-Subject: [PATCH] Do not use C++ keyword operator as a function parameter name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes SCAP Workbench build.
-
-Addressing:
-[ 37%] Building CXX object CMakeFiles/scap-workbench.dir/scap-workbench_autogen/mocs_compilation.cpp.o
-In file included from /usr/local/include/openscap/xccdf_policy.h:39,
-                 from /home/jcerny/work/git/scap-workbench/include/TailoringDockWidgets.h:31,
-                 from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/6YEA5652QU/moc_TailoringDockWidgets.cpp:10,
-                 from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/mocs_compilation.cpp:18:
-/usr/local/include/openscap/oval_definitions.h:1676:117: error: declaration of ‘operator,’ as parameter
- 1676 | restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
-      |                                                                             ^
-
-Fixes: #1462
----
- src/OVAL/public/oval_definitions.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/OVAL/public/oval_definitions.h b/src/OVAL/public/oval_definitions.h
-index ea9d3aaf8..b5fe77154 100644
---- a/src/OVAL/public/oval_definitions.h
-+++ b/src/OVAL/public/oval_definitions.h
-@@ -1669,7 +1669,7 @@ OSCAP_API void oval_variable_possible_value_iterator_free(struct oval_variable_p
-  * @param hint A short description of what the value means or represents.
-  * @memberof oval_variable_possible_restriction
-  */
--OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
-+OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t, const char *);
- 
- 
- /**
diff --git a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch b/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
deleted file mode 100644
index 6ea2560..0000000
--- a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 3fbf36004eec55b9a88916559029332d7f356bae Mon Sep 17 00:00:00 2001
-From: Gabe <redhatrises@gmail.com>
-Date: Wed, 15 Jan 2020 15:02:32 -0700
-Subject: [PATCH] Fix case where CMake couldn't find libacl or xattr.h
-
----
- CMakeLists.txt      | 2 +-
- cmake/FindACL.cmake | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 720d8d8eb..fe20992a5 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -238,7 +238,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT "Independent xm
- # UNIX PROBES
- cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF)
- cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF)
--cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; (HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H)" OFF)
-+cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H" OFF)
- cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF)
- cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF)
- cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF)
-diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
-index 1753b0dd3..2d4a3027c 100644
---- a/cmake/FindACL.cmake
-+++ b/cmake/FindACL.cmake
-@@ -8,17 +8,17 @@
- include(LibFindMacros)
- 
- # Use pkg-config to get hints about paths
--libfind_pkg_check_modules(ACL_PKGCONF acl)
-+libfind_pkg_check_modules(ACL_PKGCONF libacl)
- 
- # Include dir
- find_path(ACL_INCLUDE_DIR
--	NAMES acl/libacl.h
-+	NAMES "acl/libacl.h sys/libacl.h"
- 	PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
- )
- 
- # Finally the library itself
- find_library(ACL_LIBRARY
--	NAMES acl
-+	NAMES libacl
- 	PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
- )
- 
diff --git a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch b/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch
deleted file mode 100644
index ed3b9ff..0000000
--- a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001
-From: Matus Marhefka <mmarhefk@redhat.com>
-Date: Thu, 16 Jan 2020 15:39:37 +0100
-Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target
-
-In case that a container image and a running container have the same
-name, `oscap-podman` scans container image and a running container is
-skipped. This might be unexpected and might cause a confusion for user.
-Therefore, this commit adds a code which detects such situation and
-rather informs user about ambiguous scan target and terminates.
-In such cases the unique container image/container ID should be used
-for specifying the target of the scan.
----
- utils/oscap-podman | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/utils/oscap-podman b/utils/oscap-podman
-index 272afd988..32ec0cfcb 100755
---- a/utils/oscap-podman
-+++ b/utils/oscap-podman
-@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then
-     die
- fi
- 
-+IMAGE_NAME=$(podman image exists "$1" \
-+    && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1")
-+CONTAINER_NAME=$(podman container exists "$1" \
-+    && podman container inspect --format "{{.Id}} {{.Name}}" "$1")
-+
-+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
-+    echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
-+    echo "Please rather use an unique ID to specify the target of the scan." >&2
-+    die
-+fi
-+
- # Check if the target of scan is image or container.
- CLEANUP=0
--if podman images | grep -q $1; then
-+if [ -n "$IMAGE_NAME" ]; then
-     ID=$(podman create $1) || die
--    IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1)
--    TARGET="podman-image://$IMG_NAME"
-+    TARGET="podman-image://$IMAGE_NAME"
-     CLEANUP=1
--else
-+elif [ -n "$CONTAINER_NAME" ]; then
-     # If the target was not found in images we suppose it is a container.
-     ID=$1
--    TARGET="podman-container://$1"
-+    TARGET="podman-container://$CONTAINER_NAME"
-+else
-+    echo "Target of the scan not found: '$1'." >&2
-+    die
- fi
- 
- # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code
diff --git a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch
deleted file mode 100644
index 064bbdb..0000000
--- a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f2d9ec9883a344daa67a80ad54e6652185346395 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
-Date: Fri, 14 Feb 2020 14:57:33 +0100
-Subject: [PATCH] Fixed oscap-ssh failing to retrieve the result files when
- executing with --sudo
-
-Depending on the umask configuration of the target system, "sudo oscap"
-may create the result files in temporary directory with 600 permissions,
-which makes retrieving the log (as the regular user that ssh'ed to the
-system) impossible:
-
-~~~
-$ oscap-ssh --sudo user@system 22 xccdf eval ...
-[...]
-oscap exit code: 0
-Copying back requested files...
-scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied
-Failed to copy the HTML report back to local machine!
-~~~
-
-Scenario to reproduce the failure: set a default umask in /etc/sudoers:
-
-~~~
-Defaults	umask = 0077
-~~~
-
-The fix consists in changing the result files' ownership from "root" to
-user's back, all while in the single sudo (using two sudo commands
-wouldn't be nice since the user may get the password prompt twice,
-depending on the sudo's configuration).
----
- utils/oscap-ssh | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/utils/oscap-ssh b/utils/oscap-ssh
-index 658cc2ee4..bd2e209c4 100755
---- a/utils/oscap-ssh
-+++ b/utils/oscap-ssh
-@@ -280,7 +280,12 @@ echo "Starting the evaluation..."
- # changing directory because of --oval-results support. oval results files are
- # dumped into PWD, and we can't be sure by the file names - we need controlled
- # environment
--ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
-+if [ -z "$OSCAP_SUDO" ]; then
-+    ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
-+else
-+    OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc"
-+    ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION"
-+fi
- OSCAP_EXIT_CODE=$?
- echo "oscap exit code: $OSCAP_EXIT_CODE"
- 
diff --git a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch b/SOURCES/openscap-1.3.2-covscan_ux_fix.patch
deleted file mode 100644
index 637aaf6..0000000
--- a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch
+++ /dev/null
@@ -1,389 +0,0 @@
-From 47a2662bccb8e6f2f192acf46c26d862fe3bbcfb Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Fri, 17 Jan 2020 10:24:07 +0100
-Subject: [PATCH 1/2] Covscan fixes
-
-Error: FORWARD_NULL (CWE-476): [#def17]
-xccdf_policy_remediate.c:383: var_compare_op: Comparing "rr" to null implies that "rr" might be null.
-xccdf_policy_remediate.c:384: var_deref_model: Passing null pointer "rr" to "_rule_add_info_message", which dereferences it.
-
-Error: FORWARD_NULL (CWE-476): [#def18]
-test_fsdev_is_local_fs.c:35: assign_zero: Assigning: "ment.mnt_fsname" = "NULL".
-test_fsdev_is_local_fs.c:37: var_deref_model: Passing "&ment" to "is_local_fs", which dereferences null "ment.mnt_fsname".
----
- src/OVAL/probes/fsdev.c                   |  4 ++++
- src/XCCDF_POLICY/xccdf_policy_remediate.c | 12 ++++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
-index bd8e52fbf..a6b36f5e0 100644
---- a/src/OVAL/probes/fsdev.c
-+++ b/src/OVAL/probes/fsdev.c
-@@ -97,6 +97,10 @@ static int is_local_fs(struct mntent *ment)
- 		return 0;
- 	}
- 
-+	if (ment->mnt_fsname == NULL) {
-+		return 0;
-+	}
-+
- 	s = ment->mnt_fsname;
- 	/* If the fsname begins with "//", it is probably CIFS. */
- 	if (s[0] == '/' && s[1] == '/')
-diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-index 389a7d1bd..f59737727 100644
---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
-+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-@@ -380,7 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result)
- #if defined(unix) || defined(__unix__) || defined(__unix)
- static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
- {
--	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
-+	if (rr == NULL) {
-+		return 1;
-+	}
-+
-+	if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
- 		_rule_add_info_message(rr, "No fix available.");
- 		return 1;
- 	}
-@@ -481,7 +485,11 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
- #else
- static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
- {
--	if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
-+	if (rr == NULL) {
-+		return 1;
-+	}
-+
-+	if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
- 		_rule_add_info_message(rr, "No fix available.");
- 		return 1;
- 	} else {
-
-From 7bccc09eabd30e0581cf0fdf4f20fa481db12e91 Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Fri, 17 Jan 2020 11:04:13 +0100
-Subject: [PATCH 2/2] Covscan fixes (SHELLCHECK), small refactoring in Shell
- wrappers
-
-Error: SHELLCHECK_WARNING:
-warning: die references arguments, but none are ever passed. [SC2120]
-
-Error: SHELLCHECK_WARNING:
-warning: Use 'cd ... || exit' or 'cd ... || return' in case cd fails. [SC2164]
-
-Error: SHELLCHECK_WARNING:
-warning: Declare and assign separately to avoid masking return values. [SC2155]
----
- utils/oscap-chroot | 20 ++++++++++++--------
- utils/oscap-podman | 42 +++++++++++++++++++++---------------------
- utils/oscap-ssh    | 39 ++++++++++++++++++++++-----------------
- utils/oscap-vm     | 19 +++++++++++--------
- 4 files changed, 66 insertions(+), 54 deletions(-)
-
-diff --git a/utils/oscap-chroot b/utils/oscap-chroot
-index 6518d7a2c..318f55a91 100755
---- a/utils/oscap-chroot
-+++ b/utils/oscap-chroot
-@@ -25,6 +25,13 @@ function die()
-     exit 1
- }
- 
-+function invalid()
-+{
-+    echo -e "$*\n" >&2
-+    usage
-+    exit 1
-+}
-+
- function usage()
- {
-     echo "oscap-chroot -- Tool for offline SCAP evaluation of filesystems mounted in arbitrary paths."
-@@ -74,26 +81,23 @@ function usage()
- }
- 
- if [ $# -lt 1 ]; then
--    echo "No arguments provided."
--    usage
--    die
-+    invalid "No arguments provided."
- elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
-     usage
--    die
-+    exit 0
- elif [ "$#" -gt 1 ]; then
-     true
- else
--    echo "Invalid arguments provided."
--    usage
--    die
-+    invalid "Invalid arguments provided."
- fi
- 
- # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
- export OSCAP_PROBE_ROOT
--OSCAP_PROBE_ROOT="$(cd "$1"; pwd)"
-+OSCAP_PROBE_ROOT="$(cd "$1" && pwd)" || die "Invalid CHROOT_PATH argument."
- export OSCAP_EVALUATION_TARGET="chroot://$OSCAP_PROBE_ROOT"
- shift 1
- 
- oscap "$@"
- EXIT_CODE=$?
-+
- exit $EXIT_CODE
-diff --git a/utils/oscap-podman b/utils/oscap-podman
-index 32ec0cfcb..6b9f4a3de 100755
---- a/utils/oscap-podman
-+++ b/utils/oscap-podman
-@@ -16,13 +16,19 @@
- # License along with this library; if not, write to the Free Software
- # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- 
--
- function die()
- {
-     echo "$*" >&2
-     exit 1
- }
- 
-+function invalid()
-+{
-+    echo -e "$*\n" >&2
-+    usage
-+    exit 1
-+}
-+
- function usage()
- {
-     echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers."
-@@ -39,30 +45,24 @@ function usage()
- OSCAP_BINARY=oscap
- 
- if [ $# -lt 1 ]; then
--    echo "No arguments provided."
--    usage
--    die
-+    invalid "No arguments provided."
- elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
-     usage
--    die
-+    exit 0
- elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then
-     OSCAP_BINARY=${1#"--oscap="}
-     shift
- elif [ "$#" -gt 1 ]; then
-     true
- else
--    echo "Invalid arguments provided."
--    usage
--    die
-+    invalid "Invalid arguments provided."
- fi
- 
- if [ $(id -u) -ne 0 ]; then
--    echo "This script cannot run in rootless mode." >&2
--    die
-+    die "This script cannot run in rootless mode."
- fi
- if grep -q "\-\-remediate" <<< "$@"; then
--    echo "This script does not support '--remediate' option." >&2
--    die
-+    die "This script does not support '--remediate' option."
- fi
- 
- IMAGE_NAME=$(podman image exists "$1" \
-@@ -72,14 +72,13 @@ CONTAINER_NAME=$(podman container exists "$1" \
- 
- if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
-     echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
--    echo "Please rather use an unique ID to specify the target of the scan." >&2
--    die
-+    die  "Please rather use an unique ID to specify the target of the scan."
- fi
- 
- # Check if the target of scan is image or container.
- CLEANUP=0
- if [ -n "$IMAGE_NAME" ]; then
--    ID=$(podman create $1) || die
-+    ID=$(podman create $1) || die "Unable to create a container."
-     TARGET="podman-image://$IMAGE_NAME"
-     CLEANUP=1
- elif [ -n "$CONTAINER_NAME" ]; then
-@@ -87,14 +86,13 @@ elif [ -n "$CONTAINER_NAME" ]; then
-     ID=$1
-     TARGET="podman-container://$CONTAINER_NAME"
- else
--    echo "Target of the scan not found: '$1'." >&2
--    die
-+    die "Target of the scan not found: '$1'."
- fi
- 
- # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code
- podman init $ID &> /dev/null || true
- 
--DIR=$(podman mount $ID) || die
-+DIR=$(podman mount $ID) || die "Failed to mount."
- 
- if [ ! -f "$DIR/run/.containerenv" ]; then
-     # ubi8-init image does not create .containerenv when running podman init, but we need to make sure that the file is there
-@@ -105,14 +103,16 @@ for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do
-     eval "export OSCAP_OFFLINE_$VAR"
- done
- 
--export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)"
-+export OSCAP_PROBE_ROOT
-+OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)."
- export OSCAP_EVALUATION_TARGET="$TARGET"
- shift 1
- 
- $OSCAP_BINARY "$@"
- EXIT_CODE=$?
--podman umount $ID > /dev/null || die
-+
-+podman umount $ID > /dev/null || die "Failed to unmount."
- if [ $CLEANUP -eq 1 ]; then
--    podman rm $ID > /dev/null || die
-+    podman rm $ID > /dev/null || die "Failed to clean up."
- fi
- exit $EXIT_CODE
-diff --git a/utils/oscap-ssh b/utils/oscap-ssh
-index 08c8bcd2b..cd3600180 100755
---- a/utils/oscap-ssh
-+++ b/utils/oscap-ssh
-@@ -22,9 +22,12 @@ function die()
-     exit 1
- }
- 
--hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
--hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
--hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
-+function invalid()
-+{
-+    echo -e "$*\n" >&2
-+    usage
-+    exit 1
-+}
- 
- function usage()
- {
-@@ -87,10 +90,6 @@ function usage()
-     echo "See \`man oscap\` to learn more about semantics of these options."
- }
- 
--OSCAP_SUDO=""
--# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
--SSH_TTY_ALLOCATION_OPTION=""
--
- # $1, $2, ... SSH options (pass them as separate arguments)
- function ssh_execute_with_options {
-     ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST"
-@@ -118,22 +117,20 @@ function scp_retreive_from_temp_dir {
- # Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell.
- #  For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)".
- function command_array_to_string {
--	eval "printf '\"%s\" ' \"\${$1[@]}\""
-+    eval "printf '\"%s\" ' \"\${$1[@]}\""
- }
- 
- function first_argument_is_sudo {
--	[ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
--	return $?
-+    [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
-+    return $?
- }
- 
- function sanity_check_arguments {
-     if [ $# -lt 1 ]; then
--        echo "No arguments provided."
--        usage
--        die
-+        invalid "No arguments provided."
-     elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
-         usage
--        die
-+        exit 0
-     elif first_argument_is_sudo "$@"; then
-         OSCAP_SUDO="sudo"
-         # force pseudo-tty allocation so that users can type their password if necessary
-@@ -141,9 +138,7 @@ function sanity_check_arguments {
-         shift
-     fi
-     if [ $# -lt 2 ]; then
--        echo "Missing ssh host and ssh port."
--        usage
--        die
-+        invalid "Missing ssh host and ssh port."
-     fi
- }
- 
-@@ -165,6 +160,16 @@ function check_oscap_arguments {
-     fi
- }
- 
-+
-+hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
-+hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
-+hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
-+
-+
-+OSCAP_SUDO=""
-+# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
-+SSH_TTY_ALLOCATION_OPTION=""
-+
- sanity_check_arguments "$@"
- first_argument_is_sudo "$@" && shift
- 
-diff --git a/utils/oscap-vm b/utils/oscap-vm
-index 02f8c6396..6557eb3a7 100755
---- a/utils/oscap-vm
-+++ b/utils/oscap-vm
-@@ -22,6 +22,13 @@ function die()
-     exit 1
- }
- 
-+function invalid()
-+{
-+    echo -e "$*\n" >&2
-+    usage
-+    exit 1
-+}
-+
- function usage()
- {
-     echo "oscap-vm -- Tool for offline SCAP evaluation of virtual machines."
-@@ -76,12 +83,10 @@ function usage()
- OSCAP_BINARY=oscap
- 
- if [ $# -lt 1 ]; then
--    echo "No arguments provided."
--    usage
--    die
-+    invalid "No arguments provided."
- elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
-     usage
--    die
-+    exit 0
- elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then
-     OSCAP_BINARY=${1#"--oscap="}
-     shift
-@@ -90,9 +95,7 @@ elif [ "$1" == "image" ] && [ $# -gt 2 ]; then
- elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then
-     true
- else
--    echo "Invalid arguments provided."
--    usage
--    die
-+    invalid "Invalid arguments provided."
- fi
- 
- hash guestmount 2> /dev/null || die "Cannot find guestmount, please install libguestfs utilities."
-@@ -128,7 +131,7 @@ fi
- 
- # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
- export OSCAP_PROBE_ROOT
--OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)"
-+OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (MOUNTPOINT)."
- export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2"
- shift 2
- 
diff --git a/SOURCES/openscap-1.3.3-ansible-newlines.patch b/SOURCES/openscap-1.3.3-ansible-newlines.patch
deleted file mode 100644
index 7e6b509..0000000
--- a/SOURCES/openscap-1.3.3-ansible-newlines.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-index f59737727..19bb59f2e 100644
---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
-+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-@@ -139,11 +139,10 @@ static int _write_remediation_to_fd_and_free(int output_fd, const char* template
- 					free(text);
- 					return 1;
- 				}
--
--				if (_write_text_to_fd(output_fd, "\n") != 0) {
--					free(text);
--					return 1;
--				}
-+			}
-+			if (_write_text_to_fd(output_fd, "\n") != 0) {
-+				free(text);
-+				return 1;
- 			}
- 
- 			if (next_delim != NULL) {
-diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
-index 2a56d3cdc..05ddea219 100644
---- a/tests/API/XCCDF/unittests/CMakeLists.txt
-+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
-@@ -18,6 +18,7 @@ if(PYTHONINTERP_FOUND)
- 	add_oscap_test("all_python.sh")
- endif()
- 
-+add_oscap_test("test_ansible_yaml_block_scalar.sh")
- add_oscap_test("test_xccdf_shall_pass1.sh")
- add_oscap_test("test_xccdf_shall_pass2.sh")
- add_oscap_test("test_xccdf_shall_pass3.sh")
-diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml
-new file mode 100644
-index 000000000..dd0276739
---- /dev/null
-+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml
-@@ -0,0 +1,37 @@
-+---
-+
-+
-+- hosts: all
-+  vars:
-+  tasks:
-+    - name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected
-+      copy:
-+        dest: /etc/audit/rules.d/10-base-config.rules
-+        content: |+
-+          ## First rule - delete all
-+          -D
-+
-+          ## Increase the buffers to survive stress events.
-+          ## Make this bigger for busy systems
-+          -b 8192
-+
-+          ## This determine how long to wait in burst of events
-+          --backlog_wait_time 60000
-+
-+          ## Set failure mode to syslog
-+          -f 1
-+
-+
-+        force: true
-+      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
-+      tags:
-+        - audit_basic_configuration
-+        - medium_severity
-+        - restrict_strategy
-+        - low_complexity
-+        - low_disruption
-+        - no_reboot_needed
-+        - CCE-82462-3
-+        - NIST-800-53-AU-2(a)
-+
-+
-diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh
-new file mode 100755
-index 000000000..4ca5b3be5
---- /dev/null
-+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh
-@@ -0,0 +1,21 @@
-+#!/bin/bash
-+. $builddir/tests/test_common.sh
-+
-+set -e
-+set -o pipefail
-+
-+profile="xccdf_moc.elpmaxe.www_profile_standard"
-+
-+name=$(basename $0 .sh)
-+stderr=$(mktemp -t ${name}.err.XXXXXX)
-+playbook=$(mktemp -t ${name}.yml.XXXXXX)
-+playbook_without_header=$(mktemp -t ${name}.yml.XXXXXX)
-+
-+# Generate an Ansible playbook from a profile in SDS file
-+$OSCAP xccdf generate fix --profile $profile --fix-type ansible "$srcdir/$name.xccdf.xml"  >$playbook 2>$stderr
-+sed '/^#/d' $playbook > $playbook_without_header
-+diff -u $playbook_without_header $srcdir/$name.playbook.yml
-+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
-+
-+rm $playbook
-+rm $playbook_without_header
-diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml
-new file mode 100644
-index 000000000..81b2adfd4
---- /dev/null
-+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml
-@@ -0,0 +1,48 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
-+  <status>incomplete</status>
-+  <title>Security Benchmark</title>
-+  <description xml:lang="en-US">A sample benchmark</description>
-+  <version>1.0</version>
-+  <Profile id="xccdf_moc.elpmaxe.www_profile_standard">
-+    <title xml:lang="en-US">Standard System Security Profile</title>
-+    <description xml:lang="en-US">This profile contains rules to ensure standard security baseline of your system.</description>
-+    <select idref="xccdf_moc.elpmaxe.www_rule_1" selected="true"/>
-+  </Profile>
-+  <Rule selected="false" id="xccdf_moc.elpmaxe.www_rule_1">
-+    <title>Passing rule</title>
-+    <fix id="ansible_fix_for_passing_rule" system="urn:xccdf:fix:script:ansible">- name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected
-+  copy:
-+    dest: /etc/audit/rules.d/10-base-config.rules
-+    content: |+
-+      ## First rule - delete all
-+      -D
-+
-+      ## Increase the buffers to survive stress events.
-+      ## Make this bigger for busy systems
-+      -b 8192
-+
-+      ## This determine how long to wait in burst of events
-+      --backlog_wait_time 60000
-+
-+      ## Set failure mode to syslog
-+      -f 1
-+
-+
-+    force: true
-+  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
-+  tags:
-+    - audit_basic_configuration
-+    - medium_severity
-+    - restrict_strategy
-+    - low_complexity
-+    - low_disruption
-+    - no_reboot_needed
-+    - CCE-82462-3
-+    - NIST-800-53-AU-2(a)
-+</fix>
-+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-+        <check-content-ref href="oval/pass/oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
-+    </check>
-+  </Rule>
-+</Benchmark>
diff --git a/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch b/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch
deleted file mode 100644
index e5c00b3..0000000
--- a/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4982aa3da7ae00cd3656db7f47ac3706e85ab7d4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 23 Jan 2020 16:24:37 +0100
-Subject: [PATCH] Fix FindACL.cmake
-
-find_path parameter `NAMES` values should be separated. According to
-https://cmake.org/cmake/help/latest/command/find_path.html it should be:
-`NAMES name1 [name2 ...]`
-
-find_library parameter `NAMES` either should not contain `lib` or should
-contain both `lib` and `.so.` The documentation at
-https://cmake.org/cmake/help/latest/command/find_library.html says: Each
-library name given to the `NAMES` option is first considered as a
-library file name and then considered with platform-specific prefixes
-(e.g. `lib`) and suffixes (e.g. `.so`).
-
-This bug caused that even if cmake reported that libacl was found, the
-library wasn't linked to the built `libopenscap.so`. Also,
-`HAVE_ACL_EXTENDED_FILE`, `HAVE_ACL_LIBACL_H` and `HAVE_SYS_ACL_H` were
-undefined in `config.h`, which caused some guarded pieces of code to not
-compile, which means features missing.
----
- cmake/FindACL.cmake | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
-index 2d4a3027c..a41f2c13a 100644
---- a/cmake/FindACL.cmake
-+++ b/cmake/FindACL.cmake
-@@ -12,13 +12,13 @@ libfind_pkg_check_modules(ACL_PKGCONF libacl)
- 
- # Include dir
- find_path(ACL_INCLUDE_DIR
--	NAMES "acl/libacl.h sys/libacl.h"
-+	NAMES "acl/libacl.h" "sys/libacl.h"
- 	PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
- )
- 
- # Finally the library itself
- find_library(ACL_LIBRARY
--	NAMES libacl
-+	NAMES acl
- 	PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
- )
- 
diff --git a/SOURCES/openscap-1.3.3-generate-guide-tailoring.patch b/SOURCES/openscap-1.3.3-generate-guide-tailoring.patch
deleted file mode 100644
index 6c234cd..0000000
--- a/SOURCES/openscap-1.3.3-generate-guide-tailoring.patch
+++ /dev/null
@@ -1,249 +0,0 @@
-diff --git a/src/XCCDF/benchmark.c b/src/XCCDF/benchmark.c
-index f561736d4..d6560b7c9 100644
---- a/src/XCCDF/benchmark.c
-+++ b/src/XCCDF/benchmark.c
-@@ -866,6 +866,19 @@ xccdf_benchmark_find_target_htable(const struct xccdf_benchmark *benchmark, xccd
- 	return XITEM(benchmark)->sub.benchmark.items_dict;
- }
- 
-+int xccdf_benchmark_include_tailored_profiles(struct xccdf_benchmark *benchmark)
-+{
-+	struct oscap_list *profiles = XITEM(benchmark)->sub.benchmark.profiles;
-+	struct oscap_htable_iterator *it = oscap_htable_iterator_new(XITEM(benchmark)->sub.benchmark.profiles_dict);
-+	while(oscap_htable_iterator_has_more(it)) {
-+		struct xccdf_profile *profile = oscap_htable_iterator_next_value(it);
-+		if (xccdf_profile_get_tailoring(profile)) {
-+			oscap_list_add(profiles, xccdf_profile_clone(profile));
-+		}
-+	}
-+	oscap_htable_iterator_free(it);
-+	return 0;
-+}
- 
- struct xccdf_plain_text *xccdf_plain_text_new(void)
- {
-diff --git a/src/XCCDF/item.h b/src/XCCDF/item.h
-index 35204744f..da76f854d 100644
---- a/src/XCCDF/item.h
-+++ b/src/XCCDF/item.h
-@@ -437,6 +437,7 @@ void xccdf_item_dump(struct xccdf_item *item, int depth);
- struct xccdf_item* xccdf_item_get_benchmark_internal(struct xccdf_item* item);
- bool xccdf_benchmark_parse(struct xccdf_item *benchmark, xmlTextReaderPtr reader);
- void xccdf_benchmark_dump(struct xccdf_benchmark *benchmark);
-+int xccdf_benchmark_include_tailored_profiles(struct xccdf_benchmark *benchmark);
- struct oscap_htable_iterator *xccdf_benchmark_get_cluster_items(struct xccdf_benchmark *benchmark, const char *cluster_id);
- bool xccdf_benchmark_register_item(struct xccdf_benchmark *benchmark, struct xccdf_item *item);
- bool xccdf_benchmark_unregister_item(struct xccdf_item *item);
-diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h
-index ac96e2036..026432693 100644
---- a/src/XCCDF/public/xccdf_session.h
-+++ b/src/XCCDF/public/xccdf_session.h
-@@ -558,6 +558,14 @@ OSCAP_API int xccdf_session_build_policy_from_testresult(struct xccdf_session *s
-  */
- OSCAP_API int xccdf_session_add_report_from_source(struct xccdf_session *session, struct oscap_source *report_source);
- 
-+/**
-+ * Generate HTML guide form a loaded XCCDF session
-+ * @param session XCCDF Session
-+ * @param outfile path to the output file
-+ * @returns zero on success
-+ */
-+OSCAP_API int xccdf_session_generate_guide(struct xccdf_session *session, const char *outfile);
-+
- /// @}
- /// @}
- #endif
-diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
-index 1005a030a..d38905f77 100644
---- a/src/XCCDF/xccdf_session.c
-+++ b/src/XCCDF/xccdf_session.c
-@@ -1746,3 +1746,44 @@ int xccdf_session_add_report_from_source(struct xccdf_session *session, struct o
- 	session->xccdf.result = result;
- 	return 0;
- }
-+
-+int xccdf_session_generate_guide(struct xccdf_session *session, const char *outfile)
-+{
-+	struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
-+	if (policy == NULL) {
-+		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not get XCCDF policy.");
-+		return 1;
-+	}
-+	struct xccdf_policy_model *model = xccdf_policy_get_model(policy);
-+	if (model == NULL) {
-+		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not get XCCDF policy model.");
-+		return 1;
-+	}
-+	struct xccdf_benchmark *benchmark = xccdf_policy_model_get_benchmark(model);
-+	if (benchmark == NULL) {
-+		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not get XCCDF benchmark.");
-+		return 1;
-+	}
-+	xccdf_benchmark_include_tailored_profiles(benchmark);
-+	const char *params[] = {
-+		"oscap-version",     oscap_get_version(),
-+		"benchmark_id",      xccdf_benchmark_get_id(benchmark),
-+		"profile_id",        xccdf_session_get_profile_id(session),
-+		NULL
-+	};
-+	struct oscap_source *benchmark_source = xccdf_benchmark_export_source(benchmark, NULL);
-+	if (benchmark_source == NULL) {
-+		oscap_seterr(OSCAP_EFAMILY_OSCAP,
-+			"Failed to export source from XCCDF benchmark %s.",
-+			xccdf_benchmark_get_id(benchmark));
-+		return 1;
-+	}
-+	int ret = oscap_source_apply_xslt_path(benchmark_source,
-+		"xccdf-guide.xsl", outfile, params, oscap_path_to_xslt());
-+	oscap_source_free(benchmark_source);
-+	if (ret < 0) {
-+		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not apply XSLT.");
-+		return 1;
-+	}
-+	return 0;
-+}
-\ No newline at end of file
-diff --git a/tests/API/XCCDF/tailoring/all.sh b/tests/API/XCCDF/tailoring/all.sh
-index dbed97a87..fc2ccd743 100755
---- a/tests/API/XCCDF/tailoring/all.sh
-+++ b/tests/API/XCCDF/tailoring/all.sh
-@@ -134,6 +134,21 @@ function test_api_xccdf_tailoring_profile_generate_fix {
-     rm -f $tailoring_result $fix_result
- }
- 
-+function test_api_xccdf_tailoring_profile_generate_guide {
-+    local INPUT=$srcdir/$1
-+    local TAILORING=$srcdir/$2
-+
-+    guide=`mktemp`
-+    # tailoring profile only with "always fail" rule and generate HTML guide
-+    $OSCAP xccdf generate guide --tailoring-file $TAILORING --profile "xccdf_com.example.www_profile_customized" --output $guide $INPUT
-+
-+    grep -q "Baseline Testing Profile 1 \[CUSTOMIZED\]" $guide
-+    # profile 'customized' selects first rule and deselects the second
-+    grep -q "xccdf_com.example.www_rule_first" $guide
-+    grep -v "xccdf_com.example.www_rule_second" $guide
-+    rm -f $guide
-+}
-+
- # Testing.
- 
- test_init "test_api_xccdf_tailoring.log"
-@@ -154,6 +169,7 @@ test_run "test_api_xccdf_tailoring_autonegotiation" test_api_xccdf_tailoring_aut
- test_run "test_api_xccdf_tailoring_simple_include_in_arf" test_api_xccdf_tailoring_simple_include_in_arf simple-xccdf.xml simple-tailoring.xml
- test_run "test_api_xccdf_tailoring_profile_include_in_arf" test_api_xccdf_tailoring_profile_include_in_arf baseline.xccdf.xml baseline.tailoring.xml
- test_run "test_api_xccdf_tailoring_profile_generate_fix" test_api_xccdf_tailoring_profile_generate_fix baseline.xccdf.xml baseline.tailoring.xml
-+test_run "test_api_xccdf_tailoring_profile_generate_guide" test_api_xccdf_tailoring_profile_generate_guide baseline.xccdf.xml baseline.tailoring.xml
- 
- 
- test_exit
-diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
-index 472a2cc6f..87a0c7ad1 100644
---- a/utils/oscap-xccdf.c
-+++ b/utils/oscap-xccdf.c
-@@ -77,6 +77,7 @@ static bool getopt_xccdf(int argc, char **argv, struct oscap_action *action);
- static bool getopt_generate(int argc, char **argv, struct oscap_action *action);
- static int app_xccdf_xslt(const struct oscap_action *action);
- static int app_generate_fix(const struct oscap_action *action);
-+static int app_generate_guide(const struct oscap_action *action);
- 
- #define XCCDF_SUBMODULES_NUM		7
- #define XCCDF_GEN_SUBMODULES_NUM	5 /* See actual arrays
-@@ -244,12 +245,18 @@ static struct oscap_module XCCDF_GEN_GUIDE = {
-     .help = GEN_OPTS
- 		"\nGuide Options:\n"
- 		"   --output <file>               - Write the document into file.\n"
--		"   --hide-profile-info           - Do not output additional information about selected profile.\n"
-+		"   --hide-profile-info           - This option has no effect.\n"
- 		"   --benchmark-id <id>           - ID of XCCDF Benchmark in some component in the datastream that should be used.\n"
-+		"                                   (only applicable for source datastreams)\n"
-+		"   --xccdf-id <id>               - ID of component-ref with XCCDF in the datastream that should be evaluated.\n"
-+		"                                   (only applicable for source datastreams)\n"
-+		"   --tailoring-file <file>       - Use given XCCDF Tailoring file.\n"
-+		"                                   (only applicable for source datastreams)\n"
-+		"   --tailoring-id <component-id> - Use given DS component as XCCDF Tailoring file.\n"
- 		"                                   (only applicable for source datastreams)\n",
-     .opt_parser = getopt_xccdf,
--    .user = "xccdf-guide.xsl",
--    .func = app_xccdf_xslt
-+    .user = NULL,
-+    .func = app_generate_guide
- };
- 
- static struct oscap_module XCCDF_GEN_FIX = {
-@@ -973,6 +980,50 @@ int app_generate_fix(const struct oscap_action *action)
- 	return ret;
- }
- 
-+int app_generate_guide(const struct oscap_action *action)
-+{
-+	int ret = OSCAP_ERROR;
-+
-+	struct oscap_source *source = oscap_source_new_from_file(action->f_xccdf);
-+	struct xccdf_session *session = xccdf_session_new_from_source(source);
-+	if (session == NULL) {
-+		goto cleanup;
-+	}
-+
-+	xccdf_session_set_validation(session, action->validate, getenv("OSCAP_FULL_VALIDATION") != NULL);
-+	xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+	xccdf_session_set_user_tailoring_file(session, action->tailoring_file);
-+	xccdf_session_set_user_tailoring_cid(session, action->tailoring_id);
-+	if (xccdf_session_is_sds(session)) {
-+		xccdf_session_set_component_id(session, action->f_xccdf_id);
-+		xccdf_session_set_benchmark_id(session, action->f_benchmark_id);
-+	}
-+	xccdf_session_set_loading_flags(session, XCCDF_SESSION_LOAD_XCCDF);
-+
-+	if (xccdf_session_load(session) != 0) {
-+		goto cleanup;
-+	}
-+
-+	if (!xccdf_session_set_profile_id(session, action->profile)) {
-+		if (action->profile != NULL) {
-+			if (xccdf_set_profile_or_report_bad_id(session, action->profile, action->f_xccdf) == OSCAP_ERROR)
-+				goto cleanup;
-+		} else {
-+			fprintf(stderr, "No Policy was found for default profile.\n");
-+			goto cleanup;
-+		}
-+	}
-+
-+	if (xccdf_session_generate_guide(session, action->f_results) == 0) {
-+		ret = OSCAP_OK;
-+	}
-+
-+cleanup:
-+	xccdf_session_free(session);
-+	oscap_print_error();
-+	return ret;
-+}
-+
- int app_xccdf_xslt(const struct oscap_action *action)
- {
- 	const char *oval_template = action->oval_template;
-diff --git a/utils/oscap.8 b/utils/oscap.8
-index 1b05f8c9e..3a50d1df5 100644
---- a/utils/oscap.8
-+++ b/utils/oscap.8
-@@ -331,10 +331,19 @@ Generate a HTML document containing a security guide from an XCCDF Benchmark. Un
- Write the guide to this file instead of standard output.
- .TP
- \fB\-\-hide-profile-info\fR
--Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
-+This option has no effect and is kept only for backward compatibility purposes.
- .TP
- \fB\-\-benchmark-id ID\fR
- Selects a component ref from any datastream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly.
-+.TP
-+\fB\-\-xccdf-id ID\fR
-+Takes component ref with given ID from checklists. This allows to select a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream. If none is given, the first component from the checklists element is used.
-+.TP
-+\fB\-\-tailoring-file TAILORING_FILE\fR
-+Use given file for XCCDF tailoring. Select profile from tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.
-+.TP
-+\fB\-\-tailoring-id COMPONENT_REF_ID\fR
-+Use tailoring component in input source datastream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of component-ref/@id attribute in input source datastream). Select profile from tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.
- .RE
- .TP
- .B \fBreport\fR  [\fIoptions\fR] xccdf-file
diff --git a/SOURCES/openscap-1.3.3-remove-useless-warnings-tests.patch b/SOURCES/openscap-1.3.3-remove-useless-warnings-tests.patch
deleted file mode 100644
index 97a9420..0000000
--- a/SOURCES/openscap-1.3.3-remove-useless-warnings-tests.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b2b00e2316439d6517c8b763f542db637ebcf0b0 Mon Sep 17 00:00:00 2001
-From: Matus Marhefka <mmarhefk@redhat.com>
-Date: Tue, 3 Mar 2020 14:12:39 +0100
-Subject: [PATCH] tests/probes/environmentvariable58: add test to cover
- 7c78b84dd
-
----
- .../test_probes_environmentvariable58.sh               | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/tests/probes/environmentvariable58/test_probes_environmentvariable58.sh b/tests/probes/environmentvariable58/test_probes_environmentvariable58.sh
-index 786ea528a..7679c3495 100755
---- a/tests/probes/environmentvariable58/test_probes_environmentvariable58.sh
-+++ b/tests/probes/environmentvariable58/test_probes_environmentvariable58.sh
-@@ -24,13 +24,16 @@ function test_probes_environmentvariable58 {
-     local ret_val=0;
-     local DF="$1.xml"
-     local RF="$1.results.xml"
-+    echo "result file: $RF"
-+    local stderr=$(mktemp $1.err.XXXXXX)
-+    echo "stderr file: $stderr"
- 
-     [ -f $RF ] && rm -f $RF
- 
-     bash ${srcdir}/$1.xml.sh > $DF
-     LINES=$?
- 
--    $OSCAP oval eval --results $RF $DF
-+    $OSCAP oval eval --results $RF $DF 2> $stderr
- 
-     if [ -f $RF ]; then
- 	verify_results "def" $DF $RF 1 && verify_results "tst" $DF $RF $LINES
-@@ -39,6 +42,11 @@ function test_probes_environmentvariable58 {
- 	ret_val=1
-     fi
- 
-+    # Test fails if there are any warnings or "Entity has no value" on stderr.
-+    echo "Verify that there are no warnings on stderr"
-+    grep -Ei "(W:|Entity has no value)" $stderr && ret_val=1
-+
-+    rm $stderr
-     return $ret_val
- }
- 
diff --git a/SOURCES/openscap-1.3.3-remove-useless-warnings.patch b/SOURCES/openscap-1.3.3-remove-useless-warnings.patch
deleted file mode 100644
index a9fedfe..0000000
--- a/SOURCES/openscap-1.3.3-remove-useless-warnings.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/OVAL/probes/public/probe-api.h b/src/OVAL/probes/public/probe-api.h
-index 24cf756cb..c1178956f 100644
---- a/src/OVAL/probes/public/probe-api.h
-+++ b/src/OVAL/probes/public/probe-api.h
-@@ -488,11 +488,9 @@ OSCAP_API SEXP_t *probe_item_create(oval_subtype_t item_subtype, probe_elmatr_t
- 		SEXP_t *___r;					\
- 								\
- 		if ((___r = probe_ent_getval(ent)) == NULL) {	\
--			dW("Entity has no value!");		\
- 			invalid_exp				\
- 		} else {					\
- 			if (!SEXP_stringp(___r)) {		\
--				dE("Invalid type");		\
- 				SEXP_free(___r);		\
- 				invalid_exp			\
- 			}					\
-@@ -511,11 +509,9 @@ OSCAP_API SEXP_t *probe_item_create(oval_subtype_t item_subtype, probe_elmatr_t
- 		SEXP_t *___r;					\
- 								\
- 		if ((___r = probe_ent_getval(ent)) == NULL) {	\
--			dW("Entity has no value!");		\
- 			nil_exp;				\
- 		} else {					\
- 			if (!SEXP_numberp(___r)) {		\
--				dE("Invalid type");		\
- 				SEXP_free(___r);		\
- 				invalid_exp;			\
- 			} else {				\
diff --git a/SOURCES/openscap-1.3.3-rpmverifyfile-tests.patch b/SOURCES/openscap-1.3.3-rpmverifyfile-tests.patch
deleted file mode 100644
index b08183b..0000000
--- a/SOURCES/openscap-1.3.3-rpmverifyfile-tests.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff --git a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.sh
-index cefde6b75..e913a56c4 100755
---- a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.sh
-+++ b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.sh
-@@ -41,7 +41,7 @@ function test_probes_rpmverifyfile {
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
--    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
-+    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/usr/bin/true"]'
-     sc='oval_results/results/system/oval_system_characteristics/'
-     sd=$sc'system_data/'
-     assert_exists 1 $sc'collected_objects/object'
-diff --git a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.xml
-index ecdecc75c..e3faa2631 100644
---- a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.xml
-+++ b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile.xml
-@@ -30,7 +30,7 @@
-         <lin-def:version operation="pattern match"/>
-         <lin-def:release operation="pattern match"/>
-         <lin-def:arch operation="pattern match"/>
--        <lin-def:filepath>/etc/os-release</lin-def:filepath>
-+        <lin-def:filepath>/usr/bin/true</lin-def:filepath>
-     </lin-def:rpmverifyfile_object>
-   </objects>
- 
-diff --git a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-index 3cb63eebe..da74e4671 100755
---- a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-+++ b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-@@ -40,7 +40,7 @@ function test_probes_rpmverifyfile {
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
-     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
--    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
-+    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/usr/bin/true"]'
-     sc='oval_results/results/system/oval_system_characteristics/'
-     sd=$sc'system_data/'
-     assert_exists 1 $sc'collected_objects/object'
-diff --git a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-index 73f9e76a3..420485146 100644
---- a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-+++ b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-@@ -30,7 +30,7 @@
-         <lin-def:version operation="pattern match"/>
-         <lin-def:release operation="pattern match"/>
-         <lin-def:arch operation="pattern match"/>
--        <lin-def:filepath>/etc/os-release</lin-def:filepath>
-+        <lin-def:filepath>/usr/bin/true</lin-def:filepath>
-     </lin-def:rpmverifyfile_object>
-   </objects>
- 
diff --git a/SOURCES/openscap-1.3.3-systemdunit-segfault.patch b/SOURCES/openscap-1.3.3-systemdunit-segfault.patch
deleted file mode 100644
index 4cd36b2..0000000
--- a/SOURCES/openscap-1.3.3-systemdunit-segfault.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-diff --git a/src/OVAL/probes/unix/linux/systemdunitdependency_probe.c b/src/OVAL/probes/unix/linux/systemdunitdependency_probe.c
-index 2f194ce07..e2cbdb7d2 100644
---- a/src/OVAL/probes/unix/linux/systemdunitdependency_probe.c
-+++ b/src/OVAL/probes/unix/linux/systemdunitdependency_probe.c
-@@ -37,6 +37,8 @@
- #include <string.h>
- #include "systemdunitdependency_probe.h"
- 
-+static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units);
-+
- static char *get_property_by_unit_path(DBusConnection *conn, const char *unit_path, const char *property)
- {
- 	DBusMessage *msg = NULL;
-@@ -135,7 +137,38 @@ static bool is_unit_name_a_target(const char *unit)
- 	return strncmp(unit + len - suffix_len, suffix, suffix_len) == 0;
- }
- 
--static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, int(*callback)(const char *, void *), void *cbarg, bool include_requires, bool include_wants)
-+static int add_unit_dependency(const char *dependency, SEXP_t *item, struct oscap_htable *visited_units)
-+{
-+	if (oscap_htable_get(visited_units, dependency) != NULL) {
-+		return 1;
-+	}
-+	oscap_htable_add(visited_units, dependency, (void *) true);
-+	SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
-+	probe_item_ent_add(item, "dependency", NULL, se_dependency);
-+	SEXP_free(se_dependency);
-+	return 0;
-+}
-+
-+static void process_unit_property(const char *property, DBusConnection *conn, const char *path, SEXP_t *item, struct oscap_htable *visited_units)
-+{
-+	char *values_s = get_property_by_unit_path(conn, path, property);
-+	if (values_s) {
-+		char **values = oscap_split(values_s, ", ");
-+		for (int i = 0; values[i] != NULL; ++i) {
-+			if (oscap_strcmp(values[i], "") == 0) {
-+				continue;
-+			}
-+
-+			if (add_unit_dependency(values[i], item, visited_units) == 0) {
-+				get_all_dependencies_by_unit(conn, values[i], item, visited_units);
-+			}
-+		}
-+		free(values);
-+	}
-+	free(values_s);
-+}
-+
-+static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units)
- {
- 	if (!unit || strcmp(unit, "(null)") == 0)
- 		return;
-@@ -146,66 +179,12 @@ static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit,
- 
- 	char *path = get_path_by_unit(conn, unit);
- 
--	if (include_requires) {
--		char *requires_s = get_property_by_unit_path(conn, path, "Requires");
--		if (requires_s) {
--			char **requires = oscap_split(requires_s, ", ");
--			for (int i = 0; requires[i] != NULL; ++i) {
--				if (oscap_strcmp(requires[i], "") == 0)
--					continue;
--
--				if (callback(requires[i], cbarg) == 0) {
--					get_all_dependencies_by_unit(conn, requires[i],
--									callback, cbarg,
--									include_requires, include_wants);
--				} else {
--					free(requires);
--					free(requires_s);
--					free(path);
--					return;
--				}
--			}
--			free(requires);
--		}
--		free(requires_s);
--	}
--
--	if (include_wants) {
--		char *wants_s = get_property_by_unit_path(conn, path, "Wants");
--		if (wants_s)
--		{
--			char **wants = oscap_split(wants_s, ", ");
--			for (int i = 0; wants[i] != NULL; ++i) {
--				if (oscap_strcmp(wants[i], "") == 0)
--					continue;
--
--				if (callback(wants[i], cbarg) == 0) {
--					get_all_dependencies_by_unit(conn, wants[i],
--									callback, cbarg,
--									include_requires, include_wants);
--				} else {
--					free(wants);
--					free(wants_s);
--					free(path);
--					return;
--				}
--			}
--			free(wants);
--		}
--		free(wants_s);
--	}
-+	process_unit_property("Requires", conn, path, item, visited_units);
-+	process_unit_property("Wants", conn, path, item, visited_units);
- 
- 	free(path);
- }
- 
--static int dependency_callback(const char *dependency, void *cbarg)
--{
--	SEXP_t *item = (SEXP_t *)cbarg;
--	SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
--	probe_item_ent_add(item, "dependency", NULL, se_dependency);
--	return 0;
--}
--
- static int unit_callback(const char *unit, void *cbarg)
- {
- 	struct unit_callback_vars *vars = (struct unit_callback_vars *)cbarg;
-@@ -221,8 +200,9 @@ static int unit_callback(const char *unit, void *cbarg)
- 					 "unit", OVAL_DATATYPE_SEXP, se_unit,
- 					 NULL);
- 
--	get_all_dependencies_by_unit(vars->dbus_conn, unit,
--				     dependency_callback, item, true, true);
-+	struct oscap_htable *visited_units = oscap_htable_new();
-+	get_all_dependencies_by_unit(vars->dbus_conn, unit, item, visited_units);
-+	oscap_htable_free(visited_units, NULL);
- 
- 	probe_item_collect(vars->ctx, item);
- 	SEXP_free(se_unit);
diff --git a/SOURCES/openscap-1.3.3-textfilecontent-crash.patch b/SOURCES/openscap-1.3.3-textfilecontent-crash.patch
deleted file mode 100644
index 4ee29c6..0000000
--- a/SOURCES/openscap-1.3.3-textfilecontent-crash.patch
+++ /dev/null
@@ -1,522 +0,0 @@
-diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
-index 08273e24d..823a1504e 100644
---- a/docs/developer/developer.adoc
-+++ b/docs/developer/developer.adoc
-@@ -317,6 +317,8 @@ behaviour.
- 
- * *OSCAP_FULL_VALIDATION=1* - validate all exported documents (slower)
- * *SEXP_VALIDATE_DISABLE=1* - do not validate SEXP expressions (faster)
-+* *OSCAP_PCRE_EXEC_RECURSION_LIMIT* - override default recursion limit
-+  for match in pcre_exec call in textfilecontent(54) probes.
- 
- 
- 
-diff --git a/src/OVAL/probes/independent/textfilecontent54_probe.c b/src/OVAL/probes/independent/textfilecontent54_probe.c
-index 1c449833f..3053f5d95 100644
---- a/src/OVAL/probes/independent/textfilecontent54_probe.c
-+++ b/src/OVAL/probes/independent/textfilecontent54_probe.c
-@@ -52,68 +52,11 @@
- #include <probe/option.h>
- #include <oval_fts.h>
- #include "common/debug_priv.h"
-+#include "common/util.h"
- #include "textfilecontent54_probe.h"
- 
- #define FILE_SEPARATOR '/'
- 
--static int get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings) {
--	int i, ret, rc;
--	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
--	char **substrs;
--
--	// todo: max match count check
--
--	for (i = 0; i < ovector_len; ++i)
--		ovector[i] = -1;
--
--#if defined(OS_SOLARIS)
--	rc = pcre_exec(re, NULL, str, strlen(str), *ofs, PCRE_NO_UTF8_CHECK, ovector, ovector_len);
--#else
--	rc = pcre_exec(re, NULL, str, strlen(str), *ofs, 0, ovector, ovector_len);
--#endif
--
--	if (rc < -1) {
--		dE("Function pcre_exec() failed to match a regular expression with return code %d on string '%s'.", rc, str);
--		return rc;
--	} else if (rc == -1) {
--		/* no match */
--		return 0;
--	}
--
--	*ofs = (*ofs == ovector[1]) ? ovector[1] + 1 : ovector[1];
--
--	if (!want_substrs) {
--		/* just report successful match */
--		return 1;
--	}
--
--	ret = 0;
--	if (rc == 0) {
--		/* vector too small */
--		// todo: report partial results
--		rc = ovector_len / 3;
--	}
--
--	substrs = malloc(rc * sizeof (char *));
--	for (i = 0; i < rc; ++i) {
--		int len;
--		char *buf;
--
--		if (ovector[2 * i] == -1)
--			continue;
--		len = ovector[2 * i + 1] - ovector[2 * i];
--		buf = malloc(len + 1);
--		memcpy(buf, str + ovector[2 * i], len);
--		buf[len] = '\0';
--		substrs[ret] = buf;
--		++ret;
--	}
--
--	*substrings = substrs;
--
--	return ret;
--}
--
- static SEXP_t *create_item(const char *path, const char *filename, char *pattern,
- 			   int instance, char **substrs, int substr_cnt, oval_schema_version_t over)
- {
-@@ -260,7 +203,7 @@ static int process_file(const char *prefix, const char *path, const char *file,
- 			want_instance = 0;
- 
- 		SEXP_free(next_inst);
--		substr_cnt = get_substrings(buf, &ofs, pfd->compiled_regex, want_instance, &substrs);
-+		substr_cnt = oscap_get_substrings(buf, &ofs, pfd->compiled_regex, want_instance, &substrs);
- 
- 		if (substr_cnt < 0) {
- 			SEXP_t *msg;
-diff --git a/src/OVAL/probes/independent/textfilecontent_probe.c b/src/OVAL/probes/independent/textfilecontent_probe.c
-index 9abf8fcc3..988a6471d 100644
---- a/src/OVAL/probes/independent/textfilecontent_probe.c
-+++ b/src/OVAL/probes/independent/textfilecontent_probe.c
-@@ -71,63 +71,11 @@
- #include <probe/option.h>
- #include <oval_fts.h>
- #include "common/debug_priv.h"
-+#include "common/util.h"
- #include "textfilecontent_probe.h"
- 
- #define FILE_SEPARATOR '/'
- 
--static int get_substrings(char *str, pcre *re, int want_substrs, char ***substrings) {
--	int i, ret, rc;
--	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
--
--	// todo: max match count check
--
--	for (i = 0; i < ovector_len; ++i)
--		ovector[i] = -1;
--
--	rc = pcre_exec(re, NULL, str, strlen(str), 0, 0,
--		       ovector, ovector_len);
--
--	if (rc < -1) {
--		return -1;
--	} else if (rc == -1) {
--		/* no match */
--		return 0;
--	} else if(!want_substrs) {
--		/* just report successful match */
--		return 1;
--	}
--
--	char **substrs;
--
--	ret = 0;
--	if (rc == 0) {
--		/* vector too small */
--		rc = ovector_len / 3;
--	}
--
--	substrs = malloc(rc * sizeof (char *));
--	for (i = 0; i < rc; ++i) {
--		int len;
--		char *buf;
--
--		if (ovector[2 * i] == -1)
--			continue;
--		len = ovector[2 * i + 1] - ovector[2 * i];
--		buf = malloc(len + 1);
--		memcpy(buf, str + ovector[2 * i], len);
--		buf[len] = '\0';
--		substrs[ret] = buf;
--		++ret;
--	}
--	/*
--	  if (ret < rc)
--	  substrs = realloc(substrs, ret * sizeof (char *));
--	*/
--	*substrings = substrs;
--
--	return ret;
--}
--
- static SEXP_t *create_item(const char *path, const char *filename, char *pattern,
- 			   int instance, char **substrs, int substr_cnt, oval_schema_version_t over)
- {
-@@ -244,9 +192,10 @@ static int process_file(const char *prefix, const char *path, const char *filena
- 
- 	int cur_inst = 0;
- 	char line[4096];
-+	int ofs = 0;
- 
- 	while (fgets(line, sizeof(line), fp) != NULL) {
--		substr_cnt = get_substrings(line, re, 1, &substrs);
-+		substr_cnt = oscap_get_substrings(line, &ofs, re, 1, &substrs);
- 		if (substr_cnt > 0) {
- 			int k;
- 			SEXP_t *item;
-diff --git a/src/common/util.c b/src/common/util.c
-index 146b7bc39..8f130c50e 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -30,11 +30,13 @@
- #include <limits.h>
- #include <stdarg.h>
- #include <math.h>
-+#include <pcre.h>
- 
- #include "util.h"
- #include "_error.h"
- #include "oscap.h"
- #include "oscap_helpers.h"
-+#include "debug_priv.h"
- 
- #ifdef OS_WINDOWS
- #include <stdlib.h>
-@@ -45,6 +47,7 @@
- #endif
- 
- #define PATH_SEPARATOR '/'
-+#define OSCAP_PCRE_EXEC_RECURSION_LIMIT_DEFAULT 5000
- 
- int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
- {
-@@ -353,6 +356,76 @@ char *oscap_path_join(const char *path1, const char *path2)
- 	return joined_path;
- }
- 
-+int oscap_get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings) {
-+	int i, ret, rc;
-+	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
-+	char **substrs;
-+
-+	// todo: max match count check
-+
-+	for (i = 0; i < ovector_len; ++i) {
-+		ovector[i] = -1;
-+	}
-+
-+	struct pcre_extra extra;
-+	extra.match_limit_recursion = OSCAP_PCRE_EXEC_RECURSION_LIMIT_DEFAULT;
-+	char *limit_str = getenv("OSCAP_PCRE_EXEC_RECURSION_LIMIT");
-+	if (limit_str != NULL) {
-+		unsigned long limit;
-+		if (sscanf(limit_str, "%lu", &limit) == 1) {
-+			extra.match_limit_recursion = limit;
-+		}
-+	}
-+	extra.flags = PCRE_EXTRA_MATCH_LIMIT_RECURSION;
-+#if defined(OS_SOLARIS)
-+	rc = pcre_exec(re, &extra, str, strlen(str), *ofs, PCRE_NO_UTF8_CHECK, ovector, ovector_len);
-+#else
-+	rc = pcre_exec(re, &extra, str, strlen(str), *ofs, 0, ovector, ovector_len);
-+#endif
-+
-+	if (rc < -1) {
-+		dE("Function pcre_exec() failed to match a regular expression with return code %d on string '%s'.", rc, str);
-+		return rc;
-+	} else if (rc == -1) {
-+		/* no match */
-+		return 0;
-+	}
-+
-+	*ofs = (*ofs == ovector[1]) ? ovector[1] + 1 : ovector[1];
-+
-+	if (!want_substrs) {
-+		/* just report successful match */
-+		return 1;
-+	}
-+
-+	ret = 0;
-+	if (rc == 0) {
-+		/* vector too small */
-+		// todo: report partial results
-+		rc = ovector_len / 3;
-+	}
-+
-+	substrs = malloc(rc * sizeof (char *));
-+	for (i = 0; i < rc; ++i) {
-+		int len;
-+		char *buf;
-+
-+		if (ovector[2 * i] == -1) {
-+			continue;
-+		}
-+		len = ovector[2 * i + 1] - ovector[2 * i];
-+		buf = malloc(len + 1);
-+		memcpy(buf, str + ovector[2 * i], len);
-+		buf[len] = '\0';
-+		substrs[ret] = buf;
-+		++ret;
-+	}
-+
-+	*substrings = substrs;
-+
-+	return ret;
-+}
-+
- #ifdef OS_WINDOWS
- char *oscap_windows_wstr_to_str(const wchar_t *wstr)
- {
-diff --git a/src/common/util.h b/src/common/util.h
-index 50a1c746f..2592f3962 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -31,6 +31,7 @@
- #include "public/oscap.h"
- #include <stdarg.h>
- #include <string.h>
-+#include <pcre.h>
- #include "oscap_export.h"
- 
- #ifndef __attribute__nonnull__
-@@ -467,6 +468,19 @@ int oscap_strncasecmp(const char *s1, const char *s2, size_t n);
-  */
- char *oscap_strerror_r(int errnum, char *buf, size_t buflen);
- 
-+/**
-+ * Match a regular expression and return substrings.
-+ * Caller is responsible for freeing the returned array.
-+ * @param str subject string
-+ * @param ofs starting offset in str
-+ * @param re compiled regular expression
-+ * @param want_substrs if non-zero, substrings will be returned
-+ * @param substrings contains returned substrings
-+ * @return count of matched substrings, 0 if no match
-+ * negative value on failure
-+ */
-+int oscap_get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings);
-+
- #ifdef OS_WINDOWS
- /**
-  * Convert wide character string to a C string (UTF-16 to UTF-8)
-diff --git a/tests/probes/textfilecontent54/30-ospp-v42.rules b/tests/probes/textfilecontent54/30-ospp-v42.rules
-new file mode 100644
-index 000000000..7ad0c254d
---- /dev/null
-+++ b/tests/probes/textfilecontent54/30-ospp-v42.rules
-@@ -0,0 +1,113 @@
-+## The purpose of these rules is to meet the requirements for Operating
-+## System Protection Profile (OSPP)v4.2. These rules depends on having
-+## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
-+
-+## Unsuccessful file creation (open with O_CREAT)
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+
-+## Unsuccessful file modifications (open for write or truncate)
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+
-+## Unsuccessful file access (any other opens) This has to go last.
-+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+
-+## Unsuccessful file delete
-+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-+
-+## Unsuccessful permission change
-+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+## Unsuccessful ownership change
-+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+## User add delete modify. This is covered by pam. However, someone could
-+## open a file and directly create or modify a user, so we'll watch passwd and
-+## shadow for writes
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+
-+## User enable and disable. This is entirely handled by pam.
-+
-+## Group add delete modify. This is covered by pam. However, someone could
-+## open a file and directly create or modify a user, so we'll watch group and
-+## gshadow for writes
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+
-+## Use of special rights for config changes. This would be use of setuid
-+## programs that relate to user accts. This is not all setuid apps because
-+## requirements are only for ones that affect system configuration.
-+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-+
-+## Privilege escalation via su or sudo. This is entirely handled by pam.
-+
-+## Audit log access
-+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-+
-+## Software updates. This is entirely handled by rpm.
-+
-+## System start and shutdown. This is entirely handled by systemd
-+
-+## Kernel Module loading. This is handled in 43-module-load.rules
-+
-+## Application invocation. The requirements list an optional requirement
-+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
-+## state results from that policy. This would be handled entirely by
-+## that daemon.
-+
-diff --git a/tests/probes/textfilecontent54/CMakeLists.txt b/tests/probes/textfilecontent54/CMakeLists.txt
-index 87c6e215d..48bbde0e6 100644
---- a/tests/probes/textfilecontent54/CMakeLists.txt
-+++ b/tests/probes/textfilecontent54/CMakeLists.txt
-@@ -1,4 +1,5 @@
- if(ENABLE_PROBES_INDEPENDENT)
- 	add_oscap_test("all.sh")
- 	add_oscap_test("test_filecontent_non_utf.sh")
-+	add_oscap_test("test_recursion_limit.sh")
- endif()
-diff --git a/tests/probes/textfilecontent54/test_recursion_limit.oval.xml b/tests/probes/textfilecontent54/test_recursion_limit.oval.xml
-new file mode 100644
-index 000000000..6f6a5ba14
---- /dev/null
-+++ b/tests/probes/textfilecontent54/test_recursion_limit.oval.xml
-@@ -0,0 +1,38 @@
-+<?xml version="1.0"?>
-+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
-+  <generator>
-+    <oval:schema_version>5.11.1</oval:schema_version>
-+    <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
-+  </generator>
-+
-+  <definitions>
-+    <definition class="compliance" version="1" id="oval:x:def:1">
-+      <metadata>
-+        <title>The regular expression and the provided file should exceed recursion limits within pcre_exec used in the probe and cause a segfault.</title>
-+        <description>x</description>
-+        <affected family="unix">
-+          <platform>x</platform>
-+        </affected>
-+      </metadata>
-+      <criteria>
-+        <criterion test_ref="oval:x:tst:1" comment="always pass"/>
-+      </criteria>
-+    </definition>
-+  </definitions>
-+
-+  <tests>
-+    <ind:textfilecontent54_test id="oval:x:tst:1" version="1" comment="Match 3 audit rules"  check="all">
-+      <ind:object object_ref="oval:x:obj:1"/>
-+    </ind:textfilecontent54_test>
-+  </tests>
-+
-+  <objects>
-+    <ind:textfilecontent54_object id="oval:x:obj:1" version="1" comment="Object representing file">
-+      <ind:path>/tmp</ind:path>
-+      <ind:filename>30-ospp-v42.rules</ind:filename>
-+      <ind:pattern operation="pattern match">-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create(?:[^.]|\.\s)*-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification(?:[^.]|\.\s)*-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access</ind:pattern>
-+      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+    </ind:textfilecontent54_object>
-+  </objects>
-+
-+</oval_definitions>
-diff --git a/tests/probes/textfilecontent54/test_recursion_limit.sh b/tests/probes/textfilecontent54/test_recursion_limit.sh
-new file mode 100755
-index 000000000..2619dafdd
---- /dev/null
-+++ b/tests/probes/textfilecontent54/test_recursion_limit.sh
-@@ -0,0 +1,31 @@
-+#!/usr/bin/env bash
-+
-+set -e -o pipefail
-+
-+. $builddir/tests/test_common.sh
-+
-+probecheck "textfilecontent54" || exit 255
-+
-+cp $srcdir/30-ospp-v42.rules /tmp
-+
-+name=$(basename $0 .sh)
-+input=$srcdir/$name.oval.xml
-+result=$(mktemp)
-+stdout=$(mktemp)
-+stderr=$(mktemp)
-+
-+$OSCAP oval eval --results $result $input > $stdout 2> $stderr
-+
-+grep -q "Function pcre_exec() failed to match a regular expression with return code -21" $stderr
-+
-+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="error"]'
-+
-+co='/oval_results/results/system/oval_system_characteristics/collected_objects'
-+assert_exists 1 $co'/object[@flag="error"]'
-+assert_exists 1 $co'/object/message[@level="error"]'
-+assert_exists 1 $co'/object/message[text()="Regular expression pattern match failed in file /tmp/30-ospp-v42.rules with error -21."]'
-+
-+rm -f /tmp/30-ospp-v42.rules
-+rm -f $result
-+rm -f $stdout
-+rm -f $stderr
diff --git a/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch b/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch
new file mode 100644
index 0000000..2c1b2db
--- /dev/null
+++ b/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch
@@ -0,0 +1,59 @@
+diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c
+index 552ce6700..77233aeeb 100644
+--- a/src/OVAL/probes/independent/environmentvariable58_probe.c
++++ b/src/OVAL/probes/independent/environmentvariable58_probe.c
+@@ -96,32 +96,32 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
+ 	ssize_t buffer_used;
+ 	size_t buffer_size;
+ 
++	const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
++	if (extra_vars && *extra_vars) {
++		char *vars = strdup(extra_vars);
++		char *tok, *eq_chr, *str, *strp;
++
++		for (str = vars; ; str = NULL) {
++			tok = strtok_r(str, "\n", &strp);
++			if (tok == NULL)
++				break;
++			eq_chr = strchr(tok, '=');
++			if (eq_chr == NULL)
++				continue;
++			PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
++			collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
++		}
++
++		free(vars);
++		return 0;
++	}
++
+ 	const char *prefix = getenv("OSCAP_PROBE_ROOT");
+ 	snprintf(path, PATH_MAX, "%s/proc", prefix ? prefix : "");
+ 	d = opendir(path);
+ 	if (d == NULL) {
+-		const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
+-		if (!extra_vars) {
+-			dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
+-			return PROBE_EACCESS;
+-		} else {
+-			char *vars = strdup(extra_vars);
+-			char *tok, *eq_chr, *str, *strp;
+-
+-			for (str = vars; ; str = NULL) {
+-				tok = strtok_r(str, "\n", &strp);
+-				if (tok == NULL)
+-					break;
+-				eq_chr = strchr(tok, '=');
+-				if (eq_chr == NULL)
+-					continue;
+-				PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
+-				collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
+-			}
+-
+-			free(vars);
+-			return 0;
+-		}
++		dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
++		return PROBE_EACCESS;
+ 	}
+ 
+ 	if ((buffer = realloc(NULL, BUFFER_SIZE)) == NULL) {
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 4007e65..f397b89 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,27 +1,12 @@
 Name:           openscap
-Version:        1.3.2
-Release:        9%{?dist}
+Version:        1.3.3
+Release:        1%{?dist}
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 Group:          System Environment/Libraries
 License:        LGPLv2+
 URL:            http://www.open-scap.org/
 Source0:        https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-# PATCHES FOR 1.3.2
-Patch1:         01-add-test-fix-type-anaconda.patch
-Patch2:         02-do-not-use-keyword-operator-as-a-function-parameter.patch
-Patch3:         03-fix-cmake-test-for-libcap-xattr-h.patch
-Patch4:         04-oscap-podman-detect-ambiguous-targets.patch
-Patch5:         openscap-1.3.2-covscan_ux_fix.patch
-Patch6:         openscap-1.3.3-fix-cmake-findacl.patch
-Patch7:         openscap-1.3.3-systemdunit-segfault.patch
-Patch8:         openscap-1.3.3-textfilecontent-crash.patch
-Patch9:         openscap-1.3.3-ansible-newlines.patch
-Patch10:        openscap-1.2.18-oscap-ssh-sudo.patch
-Patch11:        openscap-1.3.3-remove-useless-warnings.patch
-Patch12:        openscap-1.3.3-remove-useless-warnings-tests.patch
-Patch13:        openscap-1.3.3-rpmverifyfile-tests.patch
-Patch14:        openscap-1.3.3-generate-guide-tailoring.patch
-# END PATCHES FOR 1.3.2
+Patch1:         openscap-1.3.4-fix-environmentvariable58-regression.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:  rpm-devel
@@ -37,6 +22,7 @@ BuildRequires:  openldap-devel
 BuildRequires:  GConf2-devel
 BuildRequires:  glib2-devel
 BuildRequires:  dbus-devel
+BuildRequires:  libyaml-devel
 %if %{?_with_check:1}%{!?_with_check:0}
 BuildRequires:  perl-XML-XPath
 BuildRequires:  bzip2
@@ -44,6 +30,7 @@ BuildRequires:  bzip2
 Requires:       bash
 Requires:       bzip2-libs
 Requires:       dbus
+Requires:       libyaml
 Requires:       GConf2
 Requires:       glib2
 Requires:       libacl
@@ -140,19 +127,6 @@ for developing applications that use %{name}-engine-sce.
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
 mkdir build
 
 %build
@@ -232,12 +206,29 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-vm
 %{_mandir}/man8/scap-as-rpm.8.gz
 %{_bindir}/scap-as-rpm
+%{_mandir}/man8/autotailor.8.gz
+%{_bindir}/autotailor
 
 %files engine-sce
 %{_libdir}/libopenscap_sce.so.*
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Mon May 04 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-1
+- Upgrade to the latest upstream release (rhbz#1829761)
+- Added a Python script that can be used for CLI tailoring (autotailor)
+- Added timezone to XCCDF TestResult start/end time
+- Added yamlfilecontent independent probe (proposal/draft implementation)
+- Added ability to generate `machineconfig` fix
+- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF
+- Fixed filepath pattern matching in offline mode in textfilecontent58 probe
+- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
+- Fixed #1512: Severity refinement lost in generated guide
+- Fixed #1453: Pointer lost in Swig API
+- The data system_info probe return for offline and online modes is consistent and actual
+- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities
+  from system_info probe
+
 * Fri Mar 27 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-9
 - Generate HTML guides from tailored profiles (RHBZ#1743835)