diff --git a/.gitignore b/.gitignore index 0223773..33a3f05 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openscap-1.3.5.tar.gz +SOURCES/openscap-1.3.6.tar.gz diff --git a/.openscap.metadata b/.openscap.metadata index 38345b6..5048b38 100644 --- a/.openscap.metadata +++ b/.openscap.metadata @@ -1 +1 @@ -77494383980082f8bc625a6e196a6760d30a5107 SOURCES/openscap-1.3.5.tar.gz +8c1b41bb7c32c22d541a6881ab8c5b8bef06890f SOURCES/openscap-1.3.6.tar.gz diff --git a/SOURCES/openscap-1.3.6-alternative-hostname-pr-1806.patch b/SOURCES/openscap-1.3.6-alternative-hostname-pr-1806.patch deleted file mode 100644 index 1d6b269..0000000 --- a/SOURCES/openscap-1.3.6-alternative-hostname-pr-1806.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From d97687c12ba6cbca1d732534ff7394bd14547d92 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 10 Sep 2021 14:53:42 +0200 -Subject: [PATCH] Add an alternative source of hostname - -If /etc/hostname can't be read, we will try to open /proc/sys/kernel/hostname instead. - -Resolves: rhbz#1977668 ---- - src/XCCDF/result.c | 5 ++++ - tests/API/XCCDF/unittests/CMakeLists.txt | 1 + - .../XCCDF/unittests/test_results_hostname.sh | 26 +++++++++++++++++++ - 3 files changed, 32 insertions(+) - create mode 100755 tests/API/XCCDF/unittests/test_results_hostname.sh - -diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c -index 91fcc6041d..c0ad4b926f 100644 ---- a/src/XCCDF/result.c -+++ b/src/XCCDF/result.c -@@ -271,6 +271,11 @@ static char *_get_etc_hostname(const char *oscap_probe_root) - - fp = oscap_fopen_with_prefix(oscap_probe_root, "/etc/hostname"); - -+ if (fp == NULL) { -+ dD("Trying to use /proc/sys/kernel/hostname instead of /etc/hostname"); -+ fp = oscap_fopen_with_prefix(oscap_probe_root, "/proc/sys/kernel/hostname"); -+ } -+ - if (fp == NULL) - goto fail; - -diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt -index 52645834c4..6549538440 100644 ---- a/tests/API/XCCDF/unittests/CMakeLists.txt -+++ b/tests/API/XCCDF/unittests/CMakeLists.txt -@@ -101,3 +101,4 @@ add_oscap_test("test_fix_arf.sh") - add_oscap_test("test_fix_resultid_by_suffix.sh") - add_oscap_test("test_generate_fix_ansible_vars.sh") - add_oscap_test("test_xccdf_requires_conflicts.sh") -+add_oscap_test("test_results_hostname.sh") -diff --git a/tests/API/XCCDF/unittests/test_results_hostname.sh b/tests/API/XCCDF/unittests/test_results_hostname.sh -new file mode 100755 -index 0000000000..c4408affbb ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_results_hostname.sh -@@ -0,0 +1,26 @@ -+#!/usr/bin/env bash -+. 
$builddir/tests/test_common.sh -+ -+set -e -+set -o pipefail -+ -+result=$(mktemp) -+tmpdir=$(mktemp -d) -+ -+export OSCAP_PROBE_ROOT="$tmpdir" -+ -+mkdir -p "$tmpdir/etc" -+echo "hostname_defined_in_etc_hostname" > "$tmpdir/etc/hostname" -+$OSCAP xccdf eval --results "$result" "$srcdir/test_single_rule.ds.xml" || ret=$? -+assert_exists 1 '/Benchmark/TestResult/target[text()="hostname_defined_in_etc_hostname"]' -+assert_exists 0 '/Benchmark/TestResult/target[text()="hostname_defined_in_proc_sys_kernel"]' -+ -+rm -rf "$tmpdir/etc/hostname" -+mkdir -p "$tmpdir/proc/sys/kernel/" -+echo "hostname_defined_in_proc_sys_kernel" > "$tmpdir/proc/sys/kernel/hostname" -+$OSCAP xccdf eval --results "$result" "$srcdir/test_single_rule.ds.xml" || ret=$? -+assert_exists 0 '/Benchmark/TestResult/target[text()="hostname_defined_in_etc_hostname"]' -+assert_exists 1 '/Benchmark/TestResult/target[text()="hostname_defined_in_proc_sys_kernel"]' -+ -+rm -f "$result" -+rm -rf "$tmpdir" diff --git a/SOURCES/openscap-1.3.6-blueprint-fix-pr-1749.patch b/SOURCES/openscap-1.3.6-blueprint-fix-pr-1749.patch deleted file mode 100644 index 0e44989..0000000 --- a/SOURCES/openscap-1.3.6-blueprint-fix-pr-1749.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov <ekolesni@redhat.com> -Date: Thu, 6 May 2021 08:14:12 +0200 -Subject: [PATCH] Introduce OSBuild Blueprint fix type - ---- - utils/oscap-xccdf.c | 7 +++++-- - utils/oscap.8 | 2 +- - xsl/xccdf-share.xsl | 1 + - 3 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c -index 95c1c7658d..801e54fa35 100644 ---- a/utils/oscap-xccdf.c -+++ b/utils/oscap-xccdf.c -@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = { - .usage = "[options] xccdf-file.xml", - .help = GEN_OPTS - "\nFix Options:\n" -- " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n" -+ " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n" -+ " blueprint (default: bash).\n" - " --output <file> - Write the script into file.\n" - " --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n" - " --template <id|filename> - Fix template. 
(default: bash)\n" -@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action) - template = "urn:xccdf:fix:script:ignition"; - } else if (strcmp(action->fix_type, "kubernetes") == 0) { - template = "urn:xccdf:fix:script:kubernetes"; -+ } else if (strcmp(action->fix_type, "blueprint") == 0) { -+ template = "urn:redhat:osbuild:blueprint"; - } else { - fprintf(stderr, - "Unknown fix type '%s'.\n" -- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n" -+ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n" - "Or provide a custom template using '--template' instead.\n", - action->fix_type); - return OSCAP_ERROR; -diff --git a/utils/oscap.8 b/utils/oscap.8 -index 240b829d7b..6cae0ffe8a 100644 ---- a/utils/oscap.8 -+++ b/utils/oscap.8 -@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the - Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes. - .TP - \fB\-\-fix-type TYPE\fR --Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN. -+Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN. - .TP - \fB\-\-output FILE\fR - Write the report to this file instead of standard output. 
-diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl -index 9f8e587676..d7a9f3b7e2 100644 ---- a/xsl/xccdf-share.xsl -+++ b/xsl/xccdf-share.xsl -@@ -295,6 +295,7 @@ Authors: - <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:puppet'">Puppet snippet</xsl:when> - <xsl:when test="$fix/@system = 'urn:redhat:anaconda:pre'">Anaconda snippet</xsl:when> - <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:kubernetes'">Kubernetes snippet</xsl:when> -+ <xsl:when test="$fix/@system = 'urn:redhat:osbuild:blueprint'">OSBuild Blueprint snippet</xsl:when> - <xsl:otherwise>script</xsl:otherwise> - </xsl:choose> - </xsl:variable> diff --git a/SOURCES/openscap-1.3.6-blueprint-toml-pr-1810.patch b/SOURCES/openscap-1.3.6-blueprint-toml-pr-1810.patch deleted file mode 100644 index ec31a3d..0000000 --- a/SOURCES/openscap-1.3.6-blueprint-toml-pr-1810.patch +++ /dev/null 
@@ -1,583 +0,0 @@ -From b0b7626dca08acd4563ae42c1c27ccc0777b5357 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov <ekolesni@redhat.com> -Date: Thu, 23 Sep 2021 00:58:29 +0200 -Subject: [PATCH] Add proper Blueprint's remediation snippets handling for - generation of the final TOML document. - -As the final Blueprint could not be created by just gluing up all -the snippets together we have to get a bit more creative. ---- - docs/manual/manual.adoc | 15 ++ - src/XCCDF_POLICY/xccdf_policy_remediate.c | 216 ++++++++++++++++-- - src/common/list.c | 19 ++ - src/common/list.h | 1 + - tests/API/XCCDF/unittests/CMakeLists.txt | 1 + - .../unittests/test_remediation_blueprint.sh | 27 +++ - .../unittests/test_remediation_blueprint.toml | 45 ++++ - .../test_remediation_blueprint.xccdf.xml | 102 +++++++++ - 8 files changed, 405 insertions(+), 21 deletions(-) - create mode 100755 tests/API/XCCDF/unittests/test_remediation_blueprint.sh - create mode 100644 tests/API/XCCDF/unittests/test_remediation_blueprint.toml - create mode 100644 tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml - -diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc -index e8664eb920..90e2cc2c63 100644 ---- a/docs/manual/manual.adoc -+++ b/docs/manual/manual.adoc -@@ -1084,6 +1084,21 @@ scanned during this command. If you want to generate remediation only for the - failed rules based on scan results, refer to <<_reviewing_remediations,Reviewing - remediations>>. - -+=== Generating Image Builder Blueprints -+ -+OpenSCAP can also create a remediation in form of Image Builder (OSBuild) Blueprint. This remeditaion -+is intendeded to be used as a bootstrap for image creation and usually it will contain only essential -+elements of the configuration, elements that would be hard or impossible to change after the image -+is created, like partitioning or set of installed packages. -+ -+It is recommended to combine this type of remediation with other types, executed on the running system. 
-+ -+For example, to generate a blueprint remediation for RHEL 8 OSPP profile, run: -+ -+---- -+$ oscap xccdf generate fix --profile ospp --fix-type blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml > blueprint.toml -+---- -+ - == Details on SCAP conformance - - === Check Engines -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index 0b3a037a5f..6033c3b54b 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -656,6 +656,78 @@ static int _write_fix_missing_warning_to_fd(const char *sys, int output_fd, stru - } - } - -+struct blueprint_entries { -+ const char *pattern; -+ struct oscap_list *list; -+ pcre *re; -+}; -+ -+static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append) -+{ -+ const char *err; -+ int errofs; -+ int ret = 0; -+ -+ struct blueprint_entries tab[] = { -+ {"\\[customizations\\.services\\]\\s+enabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_enable, NULL}, -+ {"\\[customizations\\.services\\]\\s+disabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_disable, NULL}, -+ {"\\[customizations\\.kernel\\]\\s+append[=\\s\"]+([^\"]+)[\\s\"]+", kernel_append, NULL}, -+ // We do this only to pop the 'distro' entry to the top of the generic list, -+ // effectively placing it to the root of the TOML document. 
-+ {"\\s+(distro[=\\s\"]+[^\"]+[\\s\"]+)", generic, NULL}, -+ {NULL, NULL, NULL} -+ }; -+ -+ for (int i = 0; tab[i].pattern != NULL; i++) { -+ tab[i].re = pcre_compile(tab[i].pattern, PCRE_UTF8, &err, &errofs, NULL); -+ if (tab[i].re == NULL) { -+ dE("Unable to compile /%s/ regex pattern, pcre_compile() returned error (offset: %d): '%s'.\n", tab[i].pattern, errofs, err); -+ ret = 1; -+ goto exit; -+ } -+ } -+ -+ const size_t fix_text_len = strlen(fix_text); -+ size_t start_offset = 0; -+ int ovector[6] = {0}; -+ -+ for (int i = 0; tab[i].pattern != NULL; i++) { -+ while (true) { -+ const int match = pcre_exec(tab[i].re, NULL, fix_text, fix_text_len, start_offset, -+ 0, ovector, sizeof(ovector) / sizeof(ovector[0])); -+ if (match == -1) -+ break; -+ -+ if (match != 2) { -+ dE("Expected 1 capture group matches per entry. Found %i!", match - 1); -+ ret = 1; -+ goto exit; -+ } -+ -+ char *val = malloc((ovector[3] - ovector[2] + 1) * sizeof(char)); -+ memcpy(val, &fix_text[ovector[2]], ovector[3] - ovector[2]); -+ val[ovector[3] - ovector[2]] = '\0'; -+ -+ if (!oscap_list_contains(kernel_append, val, (oscap_cmp_func) oscap_streq)) { -+ oscap_list_prepend(tab[i].list, val); -+ } else { -+ free(val); -+ } -+ -+ start_offset = ovector[1]; -+ } -+ } -+ -+ if (start_offset < fix_text_len-1) { -+ oscap_list_add(generic, strdup(fix_text + start_offset)); -+ } -+ -+exit: -+ for (int i = 0; tab[i].pattern != NULL; i++) -+ pcre_free(tab[i].re); -+ -+ return ret; -+} - - static inline int _parse_ansible_fix(const char *fix_text, struct oscap_list *variables, struct oscap_list *tasks) - { -@@ -793,6 +865,18 @@ static int _xccdf_policy_rule_generate_fix(struct xccdf_policy *policy, struct x - return ret; - } - -+static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append) -+{ -+ char 
*fix_text = NULL; -+ int ret = _xccdf_policy_rule_get_fix_text(policy, rule, template, &fix_text); -+ if (fix_text == NULL) { -+ return ret; -+ } -+ ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, kernel_append); -+ free(fix_text); -+ return ret; -+} -+ - static int _xccdf_policy_rule_generate_ansible_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *variables, struct oscap_list *tasks) - { - char *fix_text = NULL; -@@ -914,25 +998,45 @@ static char *_comment_multiline_text(char *text) - static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, int output_fd) - { - if (!(oscap_streq(sys, "") || oscap_streq(sys, "urn:xccdf:fix:script:sh") || oscap_streq(sys, "urn:xccdf:fix:commands") || -- oscap_streq(sys, "urn:xccdf:fix:script:ansible"))) -+ oscap_streq(sys, "urn:xccdf:fix:script:ansible") || oscap_streq(sys, "urn:redhat:osbuild:blueprint"))) - return 0; // no header required - -- const bool ansible_script = strcmp(sys, "urn:xccdf:fix:script:ansible") == 0; -- const char *how_to_apply = ansible_script ? -- "# $ ansible-playbook -i \"localhost,\" -c local playbook.yml\n" -- "# $ ansible-playbook -i \"192.168.1.155,\" playbook.yml\n" -- "# $ ansible-playbook -i inventory.ini playbook.yml" : -- "# $ sudo ./remediation-script.sh"; - const char *oscap_version = oscap_get_version(); -- const char *format = ansible_script ? "ansible" : "bash"; -- const char *remediation_type = ansible_script ? "Ansible Playbook" : "Bash Remediation Script"; -- const char *shebang_with_newline = ansible_script ? 
"" : "#!/usr/bin/env bash\n"; -+ char *how_to_apply = ""; -+ char *format = (char *)sys; -+ char *remediation_type = "Unknown"; -+ char *shebang_with_newline = ""; -+ -+ if (oscap_streq(sys, "urn:xccdf:fix:script:ansible")) { -+ how_to_apply = "# $ ansible-playbook -i \"localhost,\" -c local playbook.yml\n" -+ "# $ ansible-playbook -i \"192.168.1.155,\" playbook.yml\n" -+ "# $ ansible-playbook -i inventory.ini playbook.yml"; -+ format = "ansible"; -+ remediation_type = "Ansible Playbook"; -+ } -+ -+ if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) { -+ how_to_apply = "# composer-cli blueprints push blueprint.toml"; -+ format = "blueprint"; -+ remediation_type = "Blueprint"; -+ } -+ -+ if (oscap_streq(sys, "") || oscap_streq(sys, "urn:xccdf:fix:script:sh") || oscap_streq(sys, "urn:xccdf:fix:commands")) { -+ how_to_apply = "# $ sudo ./remediation-script.sh"; -+ format = "bash"; -+ remediation_type = "Bash Remediation Script"; -+ shebang_with_newline = "#!/usr/bin/env bash\n"; -+ } - - char *fix_header; - - struct xccdf_profile *profile = xccdf_policy_get_profile(policy); - const char *profile_id = xccdf_profile_get_id(profile); - -+ struct xccdf_benchmark *benchmark = xccdf_policy_get_benchmark(policy); -+ const char *benchmark_version_info = benchmark ? xccdf_benchmark_get_version(benchmark) : "Unknown"; -+ const char *benchmark_id = benchmark ? 
xccdf_benchmark_get_id(benchmark) : "Unknown"; -+ - // Title - struct oscap_text_iterator *title_iterator = xccdf_profile_get_title(profile); - char *raw_profile_title = oscap_textlist_get_preferred_plaintext(title_iterator, NULL); -@@ -942,11 +1046,6 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_ - - if (result == NULL) { - // Profile-based remediation fix -- struct xccdf_benchmark *benchmark = xccdf_policy_get_benchmark(policy); -- if (benchmark == NULL) { -- free(profile_title); -- return 1; -- } - // Description - struct oscap_text_iterator *description_iterator = xccdf_profile_get_description(profile); - char *profile_description = description_iterator != NULL ? -@@ -955,10 +1054,8 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_ - char *commented_profile_description = _comment_multiline_text(profile_description); - free(profile_description); - -- const char *benchmark_version_info = xccdf_benchmark_get_version(benchmark); -- const char *benchmark_id = xccdf_benchmark_get_id(benchmark); -- const struct xccdf_version_info *xccdf_version = xccdf_benchmark_get_schema_version(benchmark); -- const char *xccdf_version_name = xccdf_version_info_get_version(xccdf_version); -+ const struct xccdf_version_info *xccdf_version = benchmark ? xccdf_benchmark_get_schema_version(benchmark) : NULL; -+ const char *xccdf_version_name = xccdf_version ? 
xccdf_version_info_get_version(xccdf_version) : "Unknown"; - - fix_header = oscap_sprintf( - "%s" -@@ -1026,9 +1123,8 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_ - result_id, format, remediation_type, remediation_type, how_to_apply - ); - } -- free(profile_title); - -- if (ansible_script) { -+ if (oscap_streq(sys, "urn:xccdf:fix:script:ansible")) { - char *ansible_fix_header = oscap_sprintf( - "---\n" - "%s\n" -@@ -1036,9 +1132,85 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_ - fix_header); - free(fix_header); - return _write_text_to_fd_and_free(output_fd, ansible_fix_header); -+ } else if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) { -+ char *blueprint_fix_header = oscap_sprintf( -+ "%s" -+ "name = \"%s\"\n" -+ "description = \"%s\"\n" -+ "version = \"%s\"\n", -+ fix_header, profile_id, profile_title, benchmark_version_info); -+ free(fix_header); -+ return _write_text_to_fd_and_free(output_fd, blueprint_fix_header); - } else { - return _write_text_to_fd_and_free(output_fd, fix_header); - } -+ -+ free(profile_title); -+} -+ -+static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, int output_fd) -+{ -+ int ret = 0; -+ struct oscap_list *generic = oscap_list_new(); -+ struct oscap_list *services_enable = oscap_list_new(); -+ struct oscap_list *services_disable = oscap_list_new(); -+ struct oscap_list *kernel_append = oscap_list_new(); -+ struct oscap_iterator *rules_to_fix_it = oscap_iterator_new(rules_to_fix); -+ while (oscap_iterator_has_more(rules_to_fix_it)) { -+ struct xccdf_rule *rule = (struct xccdf_rule*)oscap_iterator_next(rules_to_fix_it); -+ ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, kernel_append); -+ if (ret != 0) -+ break; -+ } -+ oscap_iterator_free(rules_to_fix_it); -+ -+ struct oscap_iterator *generic_it = 
oscap_iterator_new(generic); -+ while(oscap_iterator_has_more(generic_it)) { -+ char *var_line = (char *) oscap_iterator_next(generic_it); -+ _write_text_to_fd(output_fd, var_line); -+ } -+ _write_text_to_fd(output_fd, "\n"); -+ oscap_iterator_free(generic_it); -+ oscap_list_free(generic, free); -+ -+ _write_text_to_fd(output_fd, "[customizations.kernel]\nappend = \""); -+ struct oscap_iterator *kernel_append_it = oscap_iterator_new(kernel_append); -+ while(oscap_iterator_has_more(kernel_append_it)) { -+ char *var_line = (char *) oscap_iterator_next(kernel_append_it); -+ _write_text_to_fd(output_fd, var_line); -+ if (oscap_iterator_has_more(kernel_append_it)) -+ _write_text_to_fd(output_fd, " "); -+ } -+ _write_text_to_fd(output_fd, "\"\n\n"); -+ oscap_iterator_free(kernel_append_it); -+ oscap_list_free(kernel_append, free); -+ -+ _write_text_to_fd(output_fd, "[customizations.services]\n"); -+ _write_text_to_fd(output_fd, "enabled = ["); -+ struct oscap_iterator *services_enable_it = oscap_iterator_new(services_enable); -+ while(oscap_iterator_has_more(services_enable_it)) { -+ char *var_line = (char *) oscap_iterator_next(services_enable_it); -+ _write_text_to_fd(output_fd, var_line); -+ if (oscap_iterator_has_more(services_enable_it)) -+ _write_text_to_fd(output_fd, ","); -+ } -+ _write_text_to_fd(output_fd, "]\n"); -+ oscap_iterator_free(services_enable_it); -+ oscap_list_free(services_enable, free); -+ -+ _write_text_to_fd(output_fd, "disabled = ["); -+ struct oscap_iterator *services_disable_it = oscap_iterator_new(services_disable); -+ while(oscap_iterator_has_more(services_disable_it)) { -+ char *var_line = (char *) oscap_iterator_next(services_disable_it); -+ _write_text_to_fd(output_fd, var_line); -+ if (oscap_iterator_has_more(services_disable_it)) -+ _write_text_to_fd(output_fd, ","); -+ } -+ _write_text_to_fd(output_fd, "]\n\n"); -+ oscap_iterator_free(services_disable_it); -+ oscap_list_free(services_disable, free); -+ -+ return ret; - } - - static int 
_xccdf_policy_generate_fix_ansible(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, int output_fd) -@@ -1145,6 +1317,8 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result * - // in Ansible we have to generate variables first and then tasks - if (strcmp(sys, "urn:xccdf:fix:script:ansible") == 0) { - ret = _xccdf_policy_generate_fix_ansible(rules_to_fix, policy, sys, output_fd); -+ } else if (strcmp(sys, "urn:redhat:osbuild:blueprint") == 0) { -+ ret = _xccdf_policy_generate_fix_blueprint(rules_to_fix, policy, sys, output_fd); - } else { - ret = _xccdf_policy_generate_fix_other(rules_to_fix, policy, sys, output_fd); - } -diff --git a/src/common/list.c b/src/common/list.c -index 2516d0f2f0..90381069f8 100644 ---- a/src/common/list.c -+++ b/src/common/list.c -@@ -66,6 +66,25 @@ bool oscap_list_add(struct oscap_list * list, void *value) - return true; - } - -+bool oscap_list_prepend(struct oscap_list * list, void *value) -+{ -+ __attribute__nonnull__(list); -+ if (value == NULL) return false; -+ -+ struct oscap_list_item *item = malloc(sizeof(struct oscap_list_item)); -+ item->next = NULL; -+ item->data = value; -+ ++list->itemcount; -+ -+ if (list->first == NULL) { -+ list->last = list->first = item; -+ } else { -+ item->next = list->first; -+ list->first = item; -+ } -+ return true; -+} -+ - bool oscap_list_push(struct oscap_list *list, void *value) - { - return oscap_list_add(list,value); -diff --git a/src/common/list.h b/src/common/list.h -index 7a0694dc8a..3179c514f0 100644 ---- a/src/common/list.h -+++ b/src/common/list.h -@@ -62,6 +62,7 @@ struct oscap_list *oscap_list_new(void); - void oscap_create_lists(struct oscap_list **first, ...); - bool oscap_list_add(struct oscap_list *list, void *value); - bool oscap_list_push(struct oscap_list *list, void *value); -+bool oscap_list_prepend(struct oscap_list *list, void *value); - bool oscap_list_pop(struct oscap_list *list, oscap_destruct_func destructor); - 
bool oscap_list_remove(struct oscap_list *list, void *value, oscap_cmp_func compare, oscap_destruct_func destructor); - struct oscap_list *oscap_list_clone(const struct oscap_list * list, oscap_clone_func cloner); -diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt -index 52645834c4..9c17ebb78a 100644 ---- a/tests/API/XCCDF/unittests/CMakeLists.txt -+++ b/tests/API/XCCDF/unittests/CMakeLists.txt -@@ -75,6 +75,7 @@ add_oscap_test("test_single_rule_stigw.sh") - add_oscap_test("test_remediation_simple.sh") - add_oscap_test("test_remediation_offline.sh") - add_oscap_test("test_remediation_metadata.sh") -+add_oscap_test("test_remediation_blueprint.sh") - add_oscap_test("test_remediation_bad_fix.sh") - add_oscap_test("test_remediation_subs_plain_text.sh") - add_oscap_test("test_remediation_subs_plain_text_empty.sh") -diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.sh b/tests/API/XCCDF/unittests/test_remediation_blueprint.sh -new file mode 100755 -index 0000000000..7c79822529 ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.sh -@@ -0,0 +1,27 @@ -+#!/usr/bin/env bash -+. $builddir/tests/test_common.sh -+ -+set -e -+set -o pipefail -+ -+name=$(basename $0 .sh) -+result=$(make_temp_file /tmp ${name}.out) -+stderr=$(make_temp_file /tmp ${name}.out) -+ -+ret=0 -+ -+input_xml="$srcdir/${name}.xccdf.xml" -+valid_toml="$srcdir/${name}.toml" -+ -+echo "Stderr file = $stderr" -+echo "Result file = $result" -+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr -+ -+# The $valid_toml file was generated without ' # This file was generated by OpenSCAP 1.3.5 using:' line -+# to make the test independent from the scanner version. We have to filter this line from the output as well. 
-+ -+$OSCAP xccdf generate fix --fix-type blueprint --profile 'common' "$input_xml" | grep -v "OpenSCAP" > "$result" -+ -+diff $valid_toml $result -+ -+rm "$result" -diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml -new file mode 100644 -index 0000000000..e189adca9d ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml -@@ -0,0 +1,45 @@ -+############################################################################### -+# -+# Blueprint for Profile title on one line -+# -+# Profile Description: -+# Profile description -+# -+# Profile ID: xccdf_moc.elpmaxe.www_profile_common -+# Benchmark ID: xccdf_moc.elpmaxe.www_benchmark_test -+# Benchmark Version: 1.0 -+# XCCDF Version: 1.2 -+# -+# $ oscap xccdf generate fix --profile xccdf_moc.elpmaxe.www_profile_common --fix-type blueprint xccdf-file.xml -+# -+# It attempts to fix every selected rule, even if the system is already compliant. -+# -+# How to apply this Blueprint: -+# composer-cli blueprints push blueprint.toml -+# -+############################################################################### -+ -+name = "xccdf_moc.elpmaxe.www_profile_common" -+description = "Profile title on one line" -+version = "1.0" -+distro = rhel-80 -+ -+[[packages]] -+name = "aide" -+version = "*" -+ -+[[customizations.filesystem]] -+mountpoint = "/home" -+size = 1 -+ -+[[customizations.filesystem]] -+mountpoint = "/tmp" -+size = 2 -+ -+[customizations.kernel] -+append = "foo=bar audit=1" -+ -+[customizations.services] -+enabled = ["sshd","usbguard"] -+disabled = ["kdump"] -+ -diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml -new file mode 100644 -index 0000000000..e685620dac ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml -@@ -0,0 +1,102 @@ -+<?xml version="1.0" encoding="UTF-8"?> -+<Benchmark 
xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test"> -+ <status>accepted</status> -+ <version>1.0</version> -+ <Profile id="xccdf_moc.elpmaxe.www_profile_common"> -+ <title>Profile title on one line</title> -+ <description>Profile description</description> -+ <select idref="xccdf_moc.elpmaxe.www_rule_1" selected="true"/> -+ </Profile> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1"> -+ <title>Install aide</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[[packages]] -+name = "aide" -+version = "*" -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_2"> -+ <title>Define /home</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[[customizations.filesystem]] -+mountpoint = "/home" -+size = 1 -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_3"> -+ <title>Add audit=1 kernel option</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[customizations.kernel] -+append = "audit=1" -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_4"> -+ <title>Add foo=bar kernel option</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[customizations.kernel] -+append = "foo=bar" -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" 
id="xccdf_moc.elpmaxe.www_rule_5"> -+ <title>Define /tmp</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[[customizations.filesystem]] -+mountpoint = "/tmp" -+size = 2 -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_6"> -+ <title>Enable usbguard</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[customizations.services] -+enabled = ["usbguard"] -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_7"> -+ <title>Disable kdump</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[customizations.services] -+disabled = ["kdump"] -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_8"> -+ <title>Set distro (RHEL 8.0)</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+distro = rhel-80 -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_9"> -+ <title>Enable sshd</title> -+ <fix system="urn:redhat:osbuild:blueprint"> -+[customizations.services] -+enabled = ["sshd"] -+</fix> -+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> -+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/> -+ </check> -+ </Rule> -+</Benchmark> 
diff --git a/SOURCES/openscap-1.3.6-coverity-issues-pr-1748.patch b/SOURCES/openscap-1.3.6-coverity-issues-pr-1748.patch deleted file mode 100644 index 9d5661a..0000000 --- a/SOURCES/openscap-1.3.6-coverity-issues-pr-1748.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Tue, 4 May 2021 08:41:06 +0200
-Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
- schematron
-
-Error: FORWARD_NULL (CWE-476): [#def1]
-/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
-/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
-# 416| cleanup:
-# 417|-> fclose(yaml_file);
-# 418| yaml_parser_delete(&parser);
-
-Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
-/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
-/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
-/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
-# 550| if (component_refs == NULL || component_refs->nodesetval == NULL) {
-# 551|-> return res;
-# 552| }
----
- src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
- src/source/schematron.c | 2 ++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
-index ed5ce0d68..62a8f4ff2 100644
---- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
-+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
-@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
- }
-
- cleanup:
-- fclose(yaml_file);
-+ if (yaml_file != NULL)
-+ fclose(yaml_file);
- yaml_parser_delete(&parser);
- free(filepath_with_prefix);
- free(filepath);
-diff --git a/src/source/schematron.c b/src/source/schematron.c
-index 6cb22658b..c32d5aed6 100644
---- a/src/source/schematron.c
-+++ b/src/source/schematron.c
-@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
- /* every $m in ds:checklists/ds:component-ref satisfies ... */
- xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
- if (component_refs == NULL || component_refs->nodesetval == NULL) {
-+ if (component_refs != NULL)
-+ xmlXPathFreeObject(component_refs);
- return res;
- }
- for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {
diff --git a/SOURCES/openscap-1.3.6-coverity-issues-pr-1778.patch b/SOURCES/openscap-1.3.6-coverity-issues-pr-1778.patch
deleted file mode 100644
index 479b20c..0000000
--- a/SOURCES/openscap-1.3.6-coverity-issues-pr-1778.patch
+++ /dev/null
@@ -1,248 +0,0 @@ -From 6885a1caaad68f0844715cca90fd0d913e19aba5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Thu, 1 Jul 2021 16:06:23 +0200 -Subject: [PATCH 1/9] Plug a memory leak - -Addressing: - -1. openscap-1.3.5/src/OVAL/probes/independent/system_info_probe.c:738:6: warning[unix.Malloc]: Potential leak of memory pointed to by 'hname' - 736| hname = strdup(unknown); - 737| - 738|-> if (__sysinfo_saneval(os_name) < 1 || - 739| __sysinfo_saneval(os_version) < 1 || - 740| __sysinfo_saneval(architecture) < 1 || ---- - src/OVAL/probes/independent/system_info_probe.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/OVAL/probes/independent/system_info_probe.c b/src/OVAL/probes/independent/system_info_probe.c -index 8251e655e..9f680e14d 100644 ---- a/src/OVAL/probes/independent/system_info_probe.c -+++ b/src/OVAL/probes/independent/system_info_probe.c -@@ -732,8 +732,13 @@ int system_info_probe_main(probe_ctx *ctx, void *arg) - if (!architecture) - architecture = strdup(unknown); - -- if (!hname || *hname == '\0') -+ if (hname && *hname == '\0') { -+ free(hname); -+ hname = NULL; -+ } -+ if (!hname) { - hname = strdup(unknown); -+ } - - if (__sysinfo_saneval(os_name) < 1 || - __sysinfo_saneval(os_version) < 1 || - -From a600fa5d034daa408d277f91ceefd29b5ab10213 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Thu, 1 Jul 2021 16:43:46 +0200 -Subject: [PATCH 2/9] Fix a possible NULL dereference - -Addressing: -openscap-1.3.5/utils/oscap-tool.c:78:11: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'to' ---- - utils/oscap-tool.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/utils/oscap-tool.c b/utils/oscap-tool.c -index 62c4cde0e..d37fbb0e5 100644 ---- a/utils/oscap-tool.c -+++ b/utils/oscap-tool.c -@@ -73,7 +73,8 @@ static size_t paramlist_size(const char **p) { size_t s = 0; if (!p) return s; w 
- - static size_t paramlist_cpy(const char **to, const char **p) { - size_t s = 0; -- if (!p) return s; -+ if (!to || !p) -+ return s; - for (;p && p[s]; s += 2) to[s] = p[s], to[s+1] = p[s+1]; - to[s] = p[s]; - return s; - -From d7bb7e755b262424e5970f2bcc2d2af670f8ac63 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Thu, 1 Jul 2021 17:03:09 +0200 -Subject: [PATCH 3/9] Fix a possible NULL dereference - -Addressing: -openscap-1.3.5/src/source/xslt.c:124:21: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL 'strdup(xsltfile)' where non-null expected ---- - src/source/xslt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/source/xslt.c b/src/source/xslt.c -index 0d01c535b..24c4c46e9 100644 ---- a/src/source/xslt.c -+++ b/src/source/xslt.c -@@ -105,7 +105,7 @@ static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStyl - static xmlDoc *apply_xslt_path_internal(struct oscap_source *source, const char *xsltfile, const char **params, const char *path_to_xslt, xsltStylesheet **stylesheet) - { - xmlDoc *doc = oscap_source_get_xmlDoc(source); -- if (doc == NULL || stylesheet == NULL) { -+ if (doc == NULL || stylesheet == NULL || xsltfile == NULL) { - return NULL; - } - - -From a51952f0bc66402c3b68783ee9deaf3b4ecd529e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 10:12:31 +0200 -Subject: [PATCH 4/9] Fix possible NULL dereference - -Addressing: - -openscap-1.3.5/src/XCCDF/xccdf_session.c:1349:15: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'to' ---- - src/XCCDF/xccdf_session.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index 9d8f42c44..10735214c 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -1344,7 +1344,8 @@ static size_t _paramlist_size(const char **p) { size_t 
s = 0; if (!p) return s; - - static size_t _paramlist_cpy(const char **to, const char **p) { - size_t s = 0; -- if (!p) return s; -+ if (!to || !p) -+ return s; - for (;p && p[s]; s += 2) to[s] = p[s], to[s+1] = p[s+1]; - to[s] = p[s]; - return s; - -From 2f0ad2e9a7bbd69ecad14b28de6e12d237bcbf9b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 10:15:39 +0200 -Subject: [PATCH 5/9] Fix possible NULL dereference - -Addressing: -openscap-1.3.5/src/OVAL/results/oval_cmp_evr_string.c:132:16: warning[-Wanalyzer-null-dereference]: dereference of NULL 's' ---- - src/OVAL/results/oval_cmp_evr_string.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/OVAL/results/oval_cmp_evr_string.c b/src/OVAL/results/oval_cmp_evr_string.c -index 89e51729b..b195a73f7 100644 ---- a/src/OVAL/results/oval_cmp_evr_string.c -+++ b/src/OVAL/results/oval_cmp_evr_string.c -@@ -128,6 +128,9 @@ static void parseEVR(char *evr, const char **ep, const char **vp, const char **r - const char *release; - char *s, *se; - -+ if (!evr) -+ return; -+ - s = evr; - while (*s && risdigit(*s)) s++; /* s points to epoch terminator */ - se = strrchr(s, '-'); /* se points to version terminator */ - -From fe351d432d25d48116ec077671c97f0a2d996c82 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 10:26:03 +0200 -Subject: [PATCH 6/9] Fix possible NULL dereference - -openscap-1.3.5/src/OVAL/probes/unix/xinetd_probe.c:1492:56: warning[-Wanalyzer-null-dereference]: dereference of NULL 'valstr_array' ---- - src/OVAL/probes/unix/xinetd_probe.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c -index 009fb4c4c..b3375500d 100644 ---- a/src/OVAL/probes/unix/xinetd_probe.c -+++ b/src/OVAL/probes/unix/xinetd_probe.c -@@ -1483,6 +1483,10 @@ int op_remove_strl(void *var, char *val) - valstr_array[valstr_array_size-1] = 
tok; - valstr_array[valstr_array_size] = NULL; - } -+ if (valstr_array == NULL) { -+ free(newstr_array); -+ return -2; -+ } - - // Remove the insersection from the string array - newstr_array_size = 0; - -From 0ae47d335db49f049ba5bad5ba69c3bdbb0a55bc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 10:52:28 +0200 -Subject: [PATCH 7/9] Fix possible NULL dereference - -The function oval_criteria_node_new can return NULL in multiple situations. - -Addressing: -openscap-1.3.5/src/OVAL/oval_criteriaNode.c:390:28: warning[-Wanalyzer-null-dereference]: dereference of NULL 'node' ---- - src/OVAL/oval_criteriaNode.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/OVAL/oval_criteriaNode.c b/src/OVAL/oval_criteriaNode.c -index de9081f9d..975a480a4 100644 ---- a/src/OVAL/oval_criteriaNode.c -+++ b/src/OVAL/oval_criteriaNode.c -@@ -387,6 +387,11 @@ int oval_criteria_parse_tag(xmlTextReaderPtr reader, struct oval_parser_context - assert(context != NULL); /* This is not asserted as attribute, because we - can pass NULL pointer in case of OVAL_NODETYPE_UNKNOWN */ - struct oval_criteria_node *node = oval_criteria_node_new(context->definition_model, type); -+ if (node == NULL) { -+ free(tagname); -+ free(namespace); -+ return 1; -+ } - node->type = type; - char *comm = (char *)xmlTextReaderGetAttribute(reader, BAD_CAST "comment"); - if (comm != NULL) { - -From 832cba38133f59dc27b0e9f6d2d6eddb7604577a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 11:02:51 +0200 -Subject: [PATCH 8/9] Fix possible NULL dereference - -Addressing: -openscap-1.3.5/src/OVAL/oval_component.c:2371:83: warning[-Wanalyzer-null-dereference]: dereference of NULL 'vcl_root ---- - src/OVAL/oval_component.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/OVAL/oval_component.c b/src/OVAL/oval_component.c -index 96788a471..95004bd80 100644 ---- 
a/src/OVAL/oval_component.c -+++ b/src/OVAL/oval_component.c -@@ -2368,6 +2368,9 @@ static oval_syschar_collection_flag_t _oval_component_evaluate_ARITHMETIC(oval_a - } - oval_component_iterator_free(subcomps); - -+ if (vcl_root == NULL) { -+ return SYSCHAR_FLAG_ERROR; -+ } - val_itr = (struct oval_value_iterator *) oval_collection_iterator(vcl_root->val_col); - while (oval_value_iterator_has_more(val_itr)) { - struct oval_value *ov; - -From 3fb63f51f45af8edf2b8044445bfc5cb7092b7a5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 2 Jul 2021 11:10:03 +0200 -Subject: [PATCH 9/9] Fix possible NULL dereference - -Addressing: -openscap-1.3.5/src/DS/rds_index.c:124:21: warning[-Wanalyzer-null-argument]: use of NULL 'id' where non-null expected ---- - src/DS/rds_index.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/DS/rds_index.c b/src/DS/rds_index.c -index 374b55d64..cc0e2bbed 100644 ---- a/src/DS/rds_index.c -+++ b/src/DS/rds_index.c -@@ -117,6 +117,9 @@ struct rds_asset_index* rds_index_get_asset(struct rds_index *rds, const char *i - { - struct rds_asset_index *ret = NULL; - -+ if (id == NULL) -+ return ret; -+ - struct rds_asset_index_iterator *it = rds_index_get_assets(rds); - while (rds_asset_index_iterator_has_more(it)) - { diff --git a/SOURCES/openscap-1.3.6-disable-sha1-md5-pr-1781.patch b/SOURCES/openscap-1.3.6-disable-sha1-md5-pr-1781.patch deleted file mode 100644 index 30a84ae..0000000 --- a/SOURCES/openscap-1.3.6-disable-sha1-md5-pr-1781.patch +++ /dev/null 
@@ -1,1954 +0,0 @@ -From d687e50c61d3a06b99999942555803842f7c4526 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Thu, 15 Jul 2021 09:39:45 +0200 -Subject: [PATCH 1/5] Allow disablement of SHA-1 and MD5 - -This patch adds 2 new CMake options `OPENSCAP_ENABLE_SHA1` and -`OPENSCAP_ENABLE_MD5`. By setting these CMake options to `OFF` we can -disable SHA-1 and MD5 hashing algorithm in OpenSCAP. If they are set to -`OFF`, the code using SHA-1 and MD5 won't be built. Linux distributions -that wish to disable SHA-1 and MD5 can use these CMake options in their -spec files from now on. - -Conditional compilation using C preprocessor macros is used to achieve -it. The approach with conditional compilation has been preferred over -the hard removal of the code because future versions of OpenSCAP can get -into currently stable Linux distributions where a removal would have to -be reverted by a downstream patch to avoid feature regression. - -The consequence of disabling MD5 and SHA-1 is that filehash probe will -not be built but filehash_test is a deprecated OVAL test. Second -consequence is that people won't be able to use SHA-1 and MD5 in their -filehash58_test. That means people will have to rewrite their SCAP -content to use SHA-256 or SHA-512 in their filehash58_objects. 
- -Resolves: rhbz#1936619 ---- - CMakeLists.txt | 7 +- - config.h.in | 3 + - src/OVAL/probes/crapi/digest.c | 8 ++ - src/OVAL/probes/crapi/digest.h | 4 + - src/OVAL/probes/crapi/md5.c | 4 + - src/OVAL/probes/crapi/md5.h | 4 + - src/OVAL/probes/crapi/sha1.c | 4 + - src/OVAL/probes/crapi/sha1.h | 4 + - .../probes/independent/filehash58_probe.c | 8 ++ - tests/API/crypt/test_api_crypt.sh | 34 ++++-- - tests/API/crypt/test_crapi_digest.c | 101 +++++++----------- - tests/API/crypt/test_crapi_mdigest.c | 11 ++ - tests/probes/filehash/CMakeLists.txt | 2 +- - .../filehash58/check_filehash_simple.xml | 6 +- - .../filehash58/test_probes_filehash58.sh | 4 +- - tests/test_common.sh.in | 3 + - 16 files changed, 130 insertions(+), 77 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index cc7b5e0059..9a15d591cf 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -251,11 +251,14 @@ if (WIN32) - endif() - cmake_dependent_option(ENABLE_PROBES_WINDOWS "build OVAL probes for the Windows OVAL tests" ${IS_WIN32} "ENABLE_PROBES" OFF) - -+option(OPENSCAP_ENABLE_SHA1 "Enable using the SHA-1 algorithm" ON) -+option(OPENSCAP_ENABLE_MD5 "Enable using the MD5 algorithm" ON) -+ - # INDEPENDENT PROBES - cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE "Independent environmentvariable probe" ON "ENABLE_PROBES_INDEPENDENT; NOT WIN32" OFF) - cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE58 "Independent environmentvariable58 probe" ON "ENABLE_PROBES_INDEPENDENT; NOT WIN32" OFF) - cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_FAMILY "Independent family probe" ON "ENABLE_PROBES_INDEPENDENT" OFF) --cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_FILEHASH "Independent filehash probe" ON "ENABLE_PROBES_INDEPENDENT; CRYPTO_FOUND; NOT WIN32" OFF) -+cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_FILEHASH "Independent filehash probe" ON "ENABLE_PROBES_INDEPENDENT; CRYPTO_FOUND; OPENSCAP_ENABLE_SHA1; OPENSCAP_ENABLE_MD5; NOT WIN32" OFF) - 
cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_FILEHASH58 "Independent filehash58 probe" ON "ENABLE_PROBES_INDEPENDENT; CRYPTO_FOUND; NOT WIN32" OFF) - cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_SQL "Independent sql probe" ON "ENABLE_PROBES_INDEPENDENT; OPENDBX_FOUND; NOT WIN32" OFF) - cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_SQL57 "Independent sql57 probe" ON "ENABLE_PROBES_INDEPENDENT; OPENDBX_FOUND; NOT WIN32" OFF) -@@ -371,6 +374,8 @@ message(STATUS " ") - message(STATUS "OVAL:") - message(STATUS "base probe support: ${ENABLE_PROBES}") - message(STATUS "SEAP msgid bit-size: ${SEAP_MSGID_BITS}") -+message(STATUS "SHA-1: ${OPENSCAP_ENABLE_SHA1}") -+message(STATUS "MD5: ${OPENSCAP_ENABLE_MD5}") - - message(STATUS "") - message(STATUS "Independent probes: ${ENABLE_PROBES_INDEPENDENT}") -diff --git a/config.h.in b/config.h.in -index 7fdbb0a752..1b72855822 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -133,6 +133,9 @@ - #cmakedefine PYTHON2_PATH "@PYTHON2_PATH@" - #cmakedefine PYTHON3_PATH "@PYTHON3_PATH@" - -+#cmakedefine OPENSCAP_ENABLE_SHA1 -+#cmakedefine OPENSCAP_ENABLE_MD5 -+ - #include "oscap_platforms.h" - #include "compat.h" - -diff --git a/src/OVAL/probes/crapi/digest.c b/src/OVAL/probes/crapi/digest.c -index c76963f8c4..fdd361813e 100644 ---- a/src/OVAL/probes/crapi/digest.c -+++ b/src/OVAL/probes/crapi/digest.c -@@ -51,10 +51,14 @@ int crapi_digest_fd (int fd, crapi_alg_t alg, void *dst, size_t *size) - } - - switch (alg) { -+#ifdef OPENSCAP_ENABLE_MD5 - case CRAPI_DIGEST_MD5: - return crapi_md5_fd (fd, dst, size); -+#endif -+#ifdef OPENSCAP_ENABLE_SHA1 - case CRAPI_DIGEST_SHA1: - return crapi_sha1_fd (fd, dst, size); -+#endif - case CRAPI_DIGEST_SHA224: - return crapi_sha224_fd (fd, dst, size); - case CRAPI_DIGEST_SHA256: -@@ -100,18 +104,22 @@ int crapi_mdigest_fd (int fd, int num, ... 
/* crapi_alg_t alg, void *dst, size_t - size = va_arg (ap, size_t *); - - switch (alg) { -+#ifdef OPENSCAP_ENABLE_MD5 - case CRAPI_DIGEST_MD5: - ctbl[i].init = &crapi_md5_init; - ctbl[i].update = &crapi_md5_update; - ctbl[i].fini = &crapi_md5_fini; - ctbl[i].free = &crapi_md5_free; - break; -+#endif -+#ifdef OPENSCAP_ENABLE_SHA1 - case CRAPI_DIGEST_SHA1: - ctbl[i].init = &crapi_sha1_init; - ctbl[i].update = &crapi_sha1_update; - ctbl[i].fini = &crapi_sha1_fini; - ctbl[i].free = &crapi_sha1_free; - break; -+#endif - case CRAPI_DIGEST_SHA224: - ctbl[i].init = &crapi_sha224_init; - ctbl[i].update = &crapi_sha224_update; -diff --git a/src/OVAL/probes/crapi/digest.h b/src/OVAL/probes/crapi/digest.h -index 1ffd4ebb9d..3de55e4f94 100644 ---- a/src/OVAL/probes/crapi/digest.h -+++ b/src/OVAL/probes/crapi/digest.h -@@ -27,8 +27,12 @@ - #include <stddef.h> - - typedef enum { -+#ifdef OPENSCAP_ENABLE_MD5 - CRAPI_DIGEST_MD5 = 0x01, -+#endif -+#ifdef OPENSCAP_ENABLE_SHA1 - CRAPI_DIGEST_SHA1 = 0x02, -+#endif - CRAPI_DIGEST_SHA256 = 0x04, - CRAPI_DIGEST_SHA512 = 0x08, - CRAPI_DIGEST_RMD160 = 0x10, -diff --git a/src/OVAL/probes/crapi/md5.c b/src/OVAL/probes/crapi/md5.c -index 688165e3b2..8fc32af027 100644 ---- a/src/OVAL/probes/crapi/md5.c -+++ b/src/OVAL/probes/crapi/md5.c -@@ -33,6 +33,8 @@ - #include "crapi.h" - #include "md5.h" - -+#ifdef OPENSCAP_ENABLE_MD5 -+ - #if defined(HAVE_NSS3) - #include <sechash.h> - -@@ -230,3 +232,5 @@ int crapi_md5_fd (int fd, void *dst, size_t *size) - } - return (0); - } -+ -+#endif /* OPENSCAP_ENABLE_MD5 */ -diff --git a/src/OVAL/probes/crapi/md5.h b/src/OVAL/probes/crapi/md5.h -index 6adf14a87b..15e82bb671 100644 ---- a/src/OVAL/probes/crapi/md5.h -+++ b/src/OVAL/probes/crapi/md5.h -@@ -25,6 +25,8 @@ - - #include <stddef.h> - -+#ifdef OPENSCAP_ENABLE_MD5 -+ - void *crapi_md5_init (void *dst, void *size); - int crapi_md5_update (void *ctxp, void *bptr, size_t blen); - int crapi_md5_fini (void *ctxp); -@@ -32,4 +34,6 @@ void crapi_md5_free (void 
*ctxp); - - int crapi_md5_fd (int fd, void *dst, size_t *size); - -+#endif /* OPENSCAP_ENABLE_MD5 */ -+ - #endif /* CRAPI_MD5_H */ -diff --git a/src/OVAL/probes/crapi/sha1.c b/src/OVAL/probes/crapi/sha1.c -index aee7916510..9a757d0274 100644 ---- a/src/OVAL/probes/crapi/sha1.c -+++ b/src/OVAL/probes/crapi/sha1.c -@@ -33,6 +33,8 @@ - #include "crapi.h" - #include "sha1.h" - -+#ifdef OPENSCAP_ENABLE_SHA1 -+ - #if defined(HAVE_NSS3) - #include <sechash.h> - -@@ -226,3 +228,5 @@ int crapi_sha1_fd (int fd, void *dst, size_t *size) - - return (0); - } -+ -+#endif /* OPENSCAP_ENABLE_SHA1 */ -diff --git a/src/OVAL/probes/crapi/sha1.h b/src/OVAL/probes/crapi/sha1.h -index 5c31c7ce92..282046c6a9 100644 ---- a/src/OVAL/probes/crapi/sha1.h -+++ b/src/OVAL/probes/crapi/sha1.h -@@ -25,6 +25,8 @@ - - #include <stddef.h> - -+#ifdef OPENSCAP_ENABLE_SHA1 -+ - void *crapi_sha1_init (void *dst, void *size); - int crapi_sha1_update (void *ctxp, void *bptr, size_t blen); - int crapi_sha1_fini (void *ctxp); -@@ -32,4 +34,6 @@ void crapi_sha1_free (void *ctxp); - - int crapi_sha1_fd (int fd, void *dst, size_t *size); - -+#endif /* OPENSCAP_ENABLE_SHA1 */ -+ - #endif /* CRAPI_SHA1_H */ -diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c -index ff1e065746..895d8f92f4 100644 ---- a/src/OVAL/probes/independent/filehash58_probe.c -+++ b/src/OVAL/probes/independent/filehash58_probe.c -@@ -60,8 +60,12 @@ - #define CRAPI_INVALID -1 - - static const struct oscap_string_map CRAPI_ALG_MAP[] = { -+#ifdef OPENSCAP_ENABLE_MD5 - {CRAPI_DIGEST_MD5, "MD5"}, -+#endif -+#ifdef OPENSCAP_ENABLE_SHA1 - {CRAPI_DIGEST_SHA1, "SHA-1"}, -+#endif - {CRAPI_DIGEST_SHA224, "SHA-224"}, - {CRAPI_DIGEST_SHA256, "SHA-256"}, - {CRAPI_DIGEST_SHA384, "SHA-384"}, -@@ -71,8 +75,12 @@ static const struct oscap_string_map CRAPI_ALG_MAP[] = { - }; - - static const struct oscap_string_map CRAPI_ALG_MAP_SIZE[] = { -+#ifdef OPENSCAP_ENABLE_MD5 - {16, "MD5"}, -+#endif -+#ifdef 
OPENSCAP_ENABLE_SHA1 - {20, "SHA-1"}, -+#endif - {28, "SHA-224"}, - {32, "SHA-256"}, - {48, "SHA-384"}, -diff --git a/tests/API/crypt/test_api_crypt.sh b/tests/API/crypt/test_api_crypt.sh -index e5e9d361f0..937f7eaf91 100755 ---- a/tests/API/crypt/test_api_crypt.sh -+++ b/tests/API/crypt/test_api_crypt.sh -@@ -21,9 +21,8 @@ function test_crapi_digest { - local TEMPDIR="$(make_temp_dir /tmp tmp)" - - local ret_val=0; -- local sum_md5=""; -- local sum_sha1=""; -- local sum_sha256=""; -+ local sum="" -+ local algo="$1" - - dd if=/dev/urandom of="${TEMPDIR}/a" count=1 bs=1k || return 2 - dd if=/dev/urandom of="${TEMPDIR}/b" count=123 bs=1 || return 2 -@@ -33,16 +32,21 @@ function test_crapi_digest { - dd if=/dev/urandom of="${TEMPDIR}/f" count=312 bs=1 || return 2 - - for file in a b c d e f; do -- sum_md5=$((md5sum "${TEMPDIR}/${file}" || openssl md5 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{32\}\).*$|\1|p') -- sum_sha1=$((sha1sum "${TEMPDIR}/${file}" || openssl sha1 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{40\}\).*$|\1|p') -- sum_sha256=$((sha256sum "${TEMPDIR}/${file}" || openssl sha256 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{64\}\).*$|\1|p') -+ if [[ "$algo" == "md5" ]] ; then -+ sum=$((md5sum "${TEMPDIR}/${file}" || openssl md5 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{32\}\).*$|\1|p') -+ elif [[ "$algo" == "sha1" ]] ; then -+ sum=$((sha1sum "${TEMPDIR}/${file}" || openssl sha1 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{40\}\).*$|\1|p') -+ elif [[ "$algo" == "sha256" ]] ; then -+ sum=$((sha256sum "${TEMPDIR}/${file}" || openssl sha256 "${TEMPDIR}/${file}") | sed -n 's|^.*\([0-9a-f]\{64\}\).*$|\1|p') -+ else -+ return 2 -+ fi - -- if [[ "$sum_md5" == "" || "$sum_sha1" == "" || "$sum_sha256" == "" ]]; then -+ if [[ "$sum" == "" ]]; then - return 2 - fi - -- ./test_crapi_digest "${TEMPDIR}/${file}" "$sum_md5" "$sum_sha1" "$sum_sha256" || return 1 -- #echo "$file: ret $?, 5: $sum_md5, 1: $sum_sha1, $sum_sha256" -+ 
./test_crapi_digest "${TEMPDIR}/${file}" "$sum" "$algo" || return 1 - done - - rm -rf "$TEMPDIR" -@@ -88,8 +92,16 @@ function test_crapi_mdigest { - test_init - - if [ -z ${CUSTOM_OSCAP+x} ] ; then -- test_run "test_crapi_digest" test_crapi_digest -- test_run "test_crapi_mdigest" test_crapi_mdigest -+ if [[ "$OPENSCAP_ENABLE_MD5" == "ON" ]] ; then -+ test_run "test_crapi_digest_md5" test_crapi_digest md5 -+ fi -+ if [[ "$OPENSCAP_ENABLE_SHA1" == "ON" ]] ; then -+ test_run "test_crapi_digest_sha1" test_crapi_digest sha1 -+ fi -+ test_run "test_crapi_digest_sha256" test_crapi_digest sha256 -+ if [[ "$OPENSCAP_ENABLE_MD5" == "ON" && "$OPENSCAP_ENABLE_SHA1" == "ON" ]] ; then -+ test_run "test_crapi_mdigest" test_crapi_mdigest -+ fi - fi - - test_exit -diff --git a/tests/API/crypt/test_crapi_digest.c b/tests/API/crypt/test_crapi_digest.c -index 41ef8fbaa5..e0ccf5b2a2 100644 ---- a/tests/API/crypt/test_crapi_digest.c -+++ b/tests/API/crypt/test_crapi_digest.c -@@ -58,88 +58,69 @@ static int mem2hex (uint8_t *mem, size_t mlen, char *str, size_t slen) - - int main (int argc, char *argv[]) - { -- uint8_t md5_dst[16]; -- size_t md5_dstlen = sizeof md5_dst; -- -- uint8_t sha1_dst[20]; -- size_t sha1_dstlen = sizeof sha1_dst; -- -- uint8_t sha256_dst[32]; -- size_t sha256_dstlen = sizeof sha256_dst; -- -- char *orig_md5sum, comp_md5sum[(sizeof md5_dst * 2) + 1]; -- char *orig_sha1sum, comp_sha1sum[(sizeof sha1_dst * 2) + 1]; -- char *orig_sha256sum, comp_sha256sum[(sizeof sha256_dst * 2) + 1]; -- char *filename; -- int fd; -- -- if (argc != 5) { -- fprintf (stderr, "Usage: %s <file> <md5sum> <sha1sum> <sha256sum>\n", argv[0]); -+ if (argc != 4) { -+ fprintf (stderr, "Usage: %s <file> <checksum> <algorithm>\n", argv[0]); - return (1); - } - -- filename = argv[1]; -- orig_md5sum = argv[2]; -- orig_sha1sum = argv[3]; -- orig_sha256sum = argv[4]; -- -- if (crapi_init (NULL) != 0) { -- fprintf (stderr, "crapi_init() != 0\n"); -- abort (); -- } -- -- fd = open (filename, O_RDONLY); 
-- -- if (fd < 0) { -- perror ("open"); -- return (2); -- } -+ char *filename = argv[1]; -+ char *orig_sum = argv[2]; -+ char *algorithm_str = argv[3]; - -- if (crapi_digest_fd (fd, CRAPI_DIGEST_MD5, &md5_dst, &md5_dstlen) != 0) { -- fprintf (stderr, "crapi_digest() != 0\n"); -- abort (); -- } -+ crapi_alg_t algorithm; -+ size_t dstlen = 0; - -- mem2hex (md5_dst, md5_dstlen, comp_md5sum, sizeof comp_md5sum); -+ if (!strcmp(algorithm_str, "md5")) { -+#ifdef OPENSCAP_ENABLE_MD5 -+ algorithm = CRAPI_DIGEST_MD5; -+ dstlen = 16; -+#else -+ return 1; -+#endif -+ } else if (!strcmp(algorithm_str, "sha1")) { -+#ifdef OPENSCAP_ENABLE_SHA1 -+ algorithm = CRAPI_DIGEST_SHA1; -+ dstlen = 20; -+#else -+ return 1; -+#endif -+ } else if (!strcmp(algorithm_str, "sha256")) { -+ algorithm = CRAPI_DIGEST_SHA256; -+ dstlen = 32; -+ } else { -+ return 1; -+ } - -- if (strcmp (orig_md5sum, comp_md5sum) != 0) { -- fprintf (stderr, "crapi_digest::MD5(%s) != %s (== %s)\n", filename, orig_md5sum, comp_md5sum); -- abort (); -- } -+ int fd = open(filename, O_RDONLY); - -- if (lseek (fd, 0, SEEK_SET) == (off_t)-1) { -- perror ("lseek"); -+ if (fd < 0) { -+ perror ("open"); - return (2); - } - -- if (crapi_digest_fd (fd, CRAPI_DIGEST_SHA1, &sha1_dst, &sha1_dstlen) != 0) { -- fprintf (stderr, "crapi_digest() != 0\n"); -+ if (crapi_init (NULL) != 0) { -+ fprintf (stderr, "crapi_init() != 0\n"); - abort (); - } - -- mem2hex (sha1_dst, sha1_dstlen, comp_sha1sum, sizeof comp_sha1sum); -- -- if (strcmp (orig_sha1sum, comp_sha1sum) != 0) { -- fprintf (stderr, "crapi_digest::SHA1(%s) != %s (== %s)\n", filename, orig_sha1sum, comp_sha1sum); -- abort (); -- } -+ uint8_t *dst = malloc(dstlen); - -- if (lseek (fd, 0, SEEK_SET) == (off_t)-1) { -- perror ("lseek"); -- return (2); -- } -+ size_t comp_sum_len = (dstlen * 2) + 1; -+ char *comp_sum = malloc(comp_sum_len); - -- if (crapi_digest_fd (fd, CRAPI_DIGEST_SHA256, &sha256_dst, &sha256_dstlen) != 0) { -+ if (crapi_digest_fd(fd, algorithm, dst, &dstlen) != 
0) { - fprintf (stderr, "crapi_digest() != 0\n"); - abort (); - } - -- mem2hex (sha256_dst, sha256_dstlen, comp_sha256sum, sizeof comp_sha256sum); -+ mem2hex (dst, dstlen, comp_sum, comp_sum_len); - -- if (strcmp (orig_sha256sum, comp_sha256sum) != 0) { -- fprintf (stderr, "crapi_digest::SHA256(%s) != %s (== %s)\n", filename, orig_sha256sum, comp_sha256sum); -+ if (strcmp(orig_sum, comp_sum) != 0) { -+ fprintf (stderr, "crapi_digest::%s(%s) != %s (== %s)\n", algorithm_str, filename, orig_sum, comp_sum); - abort (); - } -+ free(dst); -+ free(comp_sum); - - close (fd); - -diff --git a/tests/API/crypt/test_crapi_mdigest.c b/tests/API/crypt/test_crapi_mdigest.c -index 9c5d31dfb3..200a2bbd9e 100644 ---- a/tests/API/crypt/test_crapi_mdigest.c -+++ b/tests/API/crypt/test_crapi_mdigest.c -@@ -24,6 +24,8 @@ - #include <config.h> - #endif - -+#if (defined OPENSCAP_ENABLE_MD5 && defined OPENSCAP_ENABLE_SHA1) -+ - #include <stdio.h> - #include <stdint.h> - #include <stdlib.h> -@@ -127,3 +129,12 @@ int main (int argc, char *argv[]) - - return (0); - } -+ -+#else -+ -+int main (int argc, char *argv[]) -+{ -+ return 1; -+} -+ -+#endif -diff --git a/tests/probes/filehash/CMakeLists.txt b/tests/probes/filehash/CMakeLists.txt -index e9d579c44c..cd04df4f30 100644 ---- a/tests/probes/filehash/CMakeLists.txt -+++ b/tests/probes/filehash/CMakeLists.txt -@@ -1,3 +1,3 @@ --if(ENABLE_PROBES_INDEPENDENT) -+if(OPENSCAP_PROBE_INDEPENDENT_FILEHASH) - add_oscap_test("test_probes_filehash.sh") - endif() -diff --git a/tests/probes/filehash58/check_filehash_simple.xml b/tests/probes/filehash58/check_filehash_simple.xml -index 2f6fa877e6..33e6343c73 100644 ---- a/tests/probes/filehash58/check_filehash_simple.xml -+++ b/tests/probes/filehash58/check_filehash_simple.xml -@@ -28,13 +28,13 @@ - <ns0:objects> - <ns3:filehash58_object id="oval:ssg-concerned_file:obj:1" version="1"> - <ns3:filepath>/oval-test</ns3:filepath> -- <ns3:hash_type>SHA-1</ns3:hash_type> -+ <ns3:hash_type>SHA-256</ns3:hash_type> 
- </ns3:filehash58_object> - </ns0:objects> - <ns0:states> - <ns3:filehash58_state id="oval:ssg-hash_value:ste:1" version="1"> -- <ns3:hash_type>SHA-1</ns3:hash_type> -- <ns3:hash>f1d2d2f924e986ac86fdf7b36c94bcdf32beec15</ns3:hash> -+ <ns3:hash_type>SHA-256</ns3:hash_type> -+ <ns3:hash>b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c</ns3:hash> - </ns3:filehash58_state> - </ns0:states> - </ns0:oval_definitions> -diff --git a/tests/probes/filehash58/test_probes_filehash58.sh b/tests/probes/filehash58/test_probes_filehash58.sh -index 5d9c513f29..06ee64446d 100755 ---- a/tests/probes/filehash58/test_probes_filehash58.sh -+++ b/tests/probes/filehash58/test_probes_filehash58.sh -@@ -96,7 +96,9 @@ function test_probes_filehash58_chroot_fail { - - test_init - --test_run "test_probes_filehash58" test_probes_filehash58 -+if [[ "$OPENSCAP_ENABLE_MD5" == "ON" && "$OPENSCAP_ENABLE_SHA1" == "ON" ]] ; then -+ test_run "test_probes_filehash58" test_probes_filehash58 -+fi - - test_run "test_probes_filehash58_chroot_fail" test_probes_filehash58_chroot_fail - -diff --git a/tests/test_common.sh.in b/tests/test_common.sh.in -index b562855271..ef3675c1bf 100755 ---- a/tests/test_common.sh.in -+++ b/tests/test_common.sh.in -@@ -329,3 +329,6 @@ die() { - } - - export -f assert_exists -+ -+export OPENSCAP_ENABLE_MD5="@OPENSCAP_ENABLE_MD5@" -+export OPENSCAP_ENABLE_SHA1="@OPENSCAP_ENABLE_SHA1@" - -From d7a800d3c9ffae2062a81e656e6013b8021b3d16 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Thu, 15 Jul 2021 13:30:28 +0200 -Subject: [PATCH 2/5] Another test for filehash58 probe - -It renames the existing test case and also creates a new test case which -is almost identical with the existing test case but it uses different -hashing algorithms in the filehash58_test. The reason for creating it -is that the existing test case uses the SHA-1 and MD5 alorithms. 
But we -introduced CMake options OPENSCAP_ENABLE_SHA1 and OPENSCAP_ENABLE_MD5 -which allow to not build support for these algorithms. If OpenSCAP will -be built with these options the existing tests would be disabled and we -wouldn't test the filehash58 probe. We can expect that some downstreams -will turn the options OFF so they need an alternative test instead. ---- - .../filehash58/test_probes_filehash58.sh | 40 +- - .../test_probes_filehash58_new_algos.xml.sh | 1064 +++++++++++++++++ - ...> test_probes_filehash58_old_algos.xml.sh} | 0 - 3 files changed, 1099 insertions(+), 5 deletions(-) - create mode 100644 tests/probes/filehash58/test_probes_filehash58_new_algos.xml.sh - rename tests/probes/filehash58/{test_probes_filehash58.xml.sh => test_probes_filehash58_old_algos.xml.sh} (100%) - -diff --git a/tests/probes/filehash58/test_probes_filehash58.sh b/tests/probes/filehash58/test_probes_filehash58.sh -index 06ee64446d..459654546a 100755 ---- a/tests/probes/filehash58/test_probes_filehash58.sh -+++ b/tests/probes/filehash58/test_probes_filehash58.sh -@@ -16,19 +16,19 @@ - - # Test Cases. 
-
--function test_probes_filehash58 {
-+function test_probes_filehash58_old_algos {
-
- probecheck "filehash58" || return 255
- require "md5sum" || return 255
- require "sha1sum" || return 255
-
- local ret_val=0;
-- local DF="test_probes_filehash58.xml"
-+ local DF="test_probes_filehash58_old_algos.xml"
- local RF="results.xml"
-
- [ -f $RF ] && rm -f $RF
-
-- bash ${srcdir}/test_probes_filehash58.xml.sh > $DF
-+ bash ${srcdir}/test_probes_filehash58_old_algos.xml.sh > $DF
- $OSCAP oval eval --results $RF $DF
-
- if [ -f $RF ]; then
-@@ -38,7 +38,35 @@ function test_probes_filehash58 {
- ret_val=1
- fi
-
-- # The file was created as a side-effect of test_probes_filehash58.xml.sh
-+ # The file was created as a side-effect of test_probes_filehash58_old_algos.xml.sh
-+ [ $ret_val -eq 0 ] && rm -f /tmp/test_probes_filehash58.tmp
-+
-+ return $ret_val
-+}
-+
-+function test_probes_filehash58_new_algos {
-+
-+ probecheck "filehash58" || return 255
-+ require "sha256sum" || return 255
-+ require "sha512sum" || return 255
-+
-+ local ret_val=0
-+ local DF="test_probes_filehash58_new_algos.xml"
-+ local RF="results.xml"
-+
-+ [ -f $RF ] && rm -f $RF
-+
-+ bash ${srcdir}/test_probes_filehash58_new_algos.xml.sh > $DF
-+ $OSCAP oval eval --results $RF $DF
-+
-+ if [ -f $RF ]; then
-+ verify_results "def" $DF $RF 13 && verify_results "tst" $DF $RF 120
-+ ret_val=$?
-+ else
-+ ret_val=1
-+ fi
-+
-+ # The file was created as a side-effect of test_probes_filehash58_new_algos.xml.sh
- [ $ret_val -eq 0 ] && rm -f /tmp/test_probes_filehash58.tmp
-
- return $ret_val
-@@ -97,9 +125,11 @@ function test_probes_filehash58_chroot_fail {
- test_init
-
- if [[ "$OPENSCAP_ENABLE_MD5" == "ON" && "$OPENSCAP_ENABLE_SHA1" == "ON" ]] ; then
-- test_run "test_probes_filehash58" test_probes_filehash58
-+ test_run "test_probes_filehash58_old_algos" test_probes_filehash58_old_algos
- fi
-
-+test_run "test_probes_filehash58_new_algos" test_probes_filehash58_new_algos
-+
- test_run "test_probes_filehash58_chroot_fail" test_probes_filehash58_chroot_fail
-
- test_run "test_probes_filehash58_chroot_pass" test_probes_filehash58_chroot_pass
-diff --git a/tests/probes/filehash58/test_probes_filehash58_new_algos.xml.sh b/tests/probes/filehash58/test_probes_filehash58_new_algos.xml.sh
-new file mode 100644
-index 0000000000..d120a0d114
---- /dev/null
-+++ b/tests/probes/filehash58/test_probes_filehash58_new_algos.xml.sh
-@@ -0,0 +1,1064 @@
-+#!/usr/bin/env bash
-+
-+echo "Test Probes: FILEHASH test" > /tmp/test_probes_filehash58.tmp
-+
-+cat <<EOF
-+<?xml version="1.0"?>
-+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"> -+ -+ <generator> -+ <oval:product_name>filehash58</oval:product_name> -+ <oval:product_version>1.0</oval:product_version> -+ <oval:schema_version>5.11</oval:schema_version> -+ <oval:timestamp>2011-07-14T00:00:00-00:00</oval:timestamp> -+ </generator> -+ -+ <definitions> -+ -+ <definition class="compliance" version="1" id="oval:1:def:1"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="AND"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:2"/> -+ <criterion test_ref="oval:1:tst:3"/> -+ <criterion test_ref="oval:1:tst:4"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ <criterion test_ref="oval:1:tst:6"/> -+ <criterion test_ref="oval:1:tst:7"/> -+ <criterion test_ref="oval:1:tst:8"/> -+ <criterion test_ref="oval:1:tst:9"/> -+ <criterion test_ref="oval:1:tst:10"/> -+ <criterion test_ref="oval:1:tst:11"/> -+ <criterion test_ref="oval:1:tst:12"/> -+ <criterion test_ref="oval:1:tst:13"/> -+ <criterion test_ref="oval:1:tst:14"/> -+ <criterion test_ref="oval:1:tst:15"/> -+ <criterion test_ref="oval:1:tst:16"/> -+ <criterion test_ref="oval:1:tst:17"/> -+ <criterion test_ref="oval:1:tst:18"/> -+ <criterion test_ref="oval:1:tst:19"/> -+ <criterion test_ref="oval:1:tst:20"/> -+ <criterion test_ref="oval:1:tst:21"/> -+ <criterion test_ref="oval:1:tst:22"/> -+ <criterion test_ref="oval:1:tst:23"/> -+ <criterion test_ref="oval:1:tst:24"/> -+ <criterion test_ref="oval:1:tst:25"/> -+ <criterion test_ref="oval:1:tst:26"/> -+ <criterion test_ref="oval:1:tst:27"/> -+ <criterion test_ref="oval:1:tst:28"/> -+ <criterion test_ref="oval:1:tst:29"/> -+ <criterion test_ref="oval:1:tst:30"/> -+ <criterion test_ref="oval:1:tst:31"/> -+ <criterion test_ref="oval:1:tst:32"/> -+ <criterion test_ref="oval:1:tst:33"/> -+ <criterion 
test_ref="oval:1:tst:34"/> -+ <criterion test_ref="oval:1:tst:35"/> -+ <criterion test_ref="oval:1:tst:36"/> -+ <criterion test_ref="oval:1:tst:37"/> -+ <criterion test_ref="oval:1:tst:38"/> -+ <criterion test_ref="oval:1:tst:39"/> -+ <criterion test_ref="oval:1:tst:40"/> -+ <criterion test_ref="oval:1:tst:41"/> -+ <criterion test_ref="oval:1:tst:42"/> -+ <criterion test_ref="oval:1:tst:43"/> -+ <criterion test_ref="oval:1:tst:44"/> -+ <criterion test_ref="oval:1:tst:45"/> -+ <criterion test_ref="oval:1:tst:46"/> -+ <criterion test_ref="oval:1:tst:47"/> -+ <criterion test_ref="oval:1:tst:48"/> -+ <criterion test_ref="oval:1:tst:49"/> -+ <criterion test_ref="oval:1:tst:50"/> -+ <criterion test_ref="oval:1:tst:51"/> -+ <criterion test_ref="oval:1:tst:52"/> -+ <criterion test_ref="oval:1:tst:53"/> -+ <criterion test_ref="oval:1:tst:54"/> -+ <criterion test_ref="oval:1:tst:55"/> -+ <criterion test_ref="oval:1:tst:56"/> -+ <criterion test_ref="oval:1:tst:57"/> -+ <criterion test_ref="oval:1:tst:58"/> -+ <criterion test_ref="oval:1:tst:59"/> -+ <criterion test_ref="oval:1:tst:60"/> -+ <criterion test_ref="oval:1:tst:61"/> -+ <criterion test_ref="oval:1:tst:62"/> -+ <criterion test_ref="oval:1:tst:63"/> -+ <criterion test_ref="oval:1:tst:64"/> -+ <criterion test_ref="oval:1:tst:65"/> -+ <criterion test_ref="oval:1:tst:66"/> -+ <criterion test_ref="oval:1:tst:67"/> -+ <criterion test_ref="oval:1:tst:68"/> -+ <criterion test_ref="oval:1:tst:69"/> -+ <criterion test_ref="oval:1:tst:70"/> -+ <criterion test_ref="oval:1:tst:71"/> -+ <criterion test_ref="oval:1:tst:72"/> -+ <criterion test_ref="oval:1:tst:73"/> -+ <criterion test_ref="oval:1:tst:74"/> -+ <criterion test_ref="oval:1:tst:75"/> -+ <criterion test_ref="oval:1:tst:76"/> -+ <criterion test_ref="oval:1:tst:77"/> -+ <criterion test_ref="oval:1:tst:78"/> -+ <criterion test_ref="oval:1:tst:79"/> -+ <criterion test_ref="oval:1:tst:80"/> -+ <criterion test_ref="oval:1:tst:81"/> -+ <criterion test_ref="oval:1:tst:82"/> -+ 
<criterion test_ref="oval:1:tst:83"/> -+ <criterion test_ref="oval:1:tst:84"/> -+ <criterion test_ref="oval:1:tst:85"/> -+ <criterion test_ref="oval:1:tst:86"/> -+ <criterion test_ref="oval:1:tst:87"/> -+ <criterion test_ref="oval:1:tst:88"/> -+ <criterion test_ref="oval:1:tst:89"/> -+ <criterion test_ref="oval:1:tst:90"/> -+ <criterion test_ref="oval:1:tst:91"/> -+ <criterion test_ref="oval:1:tst:92"/> -+ <criterion test_ref="oval:1:tst:93"/> -+ <criterion test_ref="oval:1:tst:94"/> -+ <criterion test_ref="oval:1:tst:95"/> -+ <criterion test_ref="oval:1:tst:96"/> -+ <criterion test_ref="oval:1:tst:97"/> -+ <criterion test_ref="oval:1:tst:98"/> -+ <criterion test_ref="oval:1:tst:99"/> -+ <criterion test_ref="oval:1:tst:100"/> -+ <criterion test_ref="oval:1:tst:101"/> -+ <criterion test_ref="oval:1:tst:102"/> -+ <criterion test_ref="oval:1:tst:103"/> -+ <criterion test_ref="oval:1:tst:104"/> -+ <criterion test_ref="oval:1:tst:105"/> -+ <criterion test_ref="oval:1:tst:106"/> -+ <criterion test_ref="oval:1:tst:107"/> -+ <criterion test_ref="oval:1:tst:108"/> -+ <criterion test_ref="oval:1:tst:109"/> -+ <criterion test_ref="oval:1:tst:110"/> -+ <criterion test_ref="oval:1:tst:111"/> -+ <criterion test_ref="oval:1:tst:112"/> -+ <criterion test_ref="oval:1:tst:113"/> -+ <criterion test_ref="oval:1:tst:114"/> -+ <criterion test_ref="oval:1:tst:115"/> -+ <criterion test_ref="oval:1:tst:116"/> -+ <criterion test_ref="oval:1:tst:117"/> -+ <criterion test_ref="oval:1:tst:118"/> -+ <criterion test_ref="oval:1:tst:119"/> -+ <criterion test_ref="oval:1:tst:120"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:2"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="AND"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition 
class="compliance" version="1" id="oval:1:def:3"> <!-- comment="true" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="AND"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:1"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:4"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="AND"> -+ <criterion test_ref="oval:1:tst:5"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:5"> <!-- comment="true" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="OR"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:6"> <!-- comment="true" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="OR"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:1"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:7"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="OR"> -+ <criterion test_ref="oval:1:tst:5"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:8"> <!-- comment="true" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="XOR"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ 
</criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:9"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="XOR"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:1"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:10"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="XOR"> -+ <criterion test_ref="oval:1:tst:5"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:11"> <!-- comment="true" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="ONE"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:12"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="ONE"> -+ <criterion test_ref="oval:1:tst:1"/> -+ <criterion test_ref="oval:1:tst:1"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ <definition class="compliance" version="1" id="oval:1:def:13"> <!-- comment="false" --> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria> -+ <criteria operator="ONE"> -+ <criterion test_ref="oval:1:tst:5"/> -+ <criterion test_ref="oval:1:tst:5"/> -+ </criteria> -+ </criteria> -+ </definition> -+ -+ </definitions> -+ -+ <tests> -+ -+ <!-- DEFAULT STATELESS OBJECT --> -+ -+ <!-- check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:1" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ 
<object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:2" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:3" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:4" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:5" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:6" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:7" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:8" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- STATELESS OBJECT --> -+ -+ <!-- check_existence="all_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:9" 
check_existence="all_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:10" check_existence="all_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:11" check_existence="all_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:12" check_existence="all_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:13" check_existence="at_least_one_exists" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:14" check_existence="at_least_one_exists" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:15" check_existence="at_least_one_exists" check="none satisfy" comment="true" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:16" check_existence="at_least_one_exists" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:17" check_existence="any_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:18" check_existence="any_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:19" check_existence="any_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:20" check_existence="any_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:21" check_existence="none_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ 
<!-- check_existence="none_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:22" check_existence="none_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:23" check_existence="none_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:24" check_existence="none_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:25" check_existence="only_one_exists" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:26" check_existence="only_one_exists" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:27" check_existence="only_one_exists" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="only one" --> -+ -+ <filehash58_test 
version="1" id="oval:1:tst:28" check_existence="only_one_exists" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:29" check_existence="all_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:30" check_existence="all_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:31" check_existence="all_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:32" check_existence="all_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:33" check_existence="at_least_one_exists" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:34" check_existence="at_least_one_exists" check="at least one" comment="false" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:35" check_existence="at_least_one_exists" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="at_least_one_exists" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:36" check_existence="at_least_one_exists" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:37" check_existence="any_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:38" check_existence="any_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:39" check_existence="any_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="any_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:40" check_existence="any_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object 
object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:41" check_existence="none_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:42" check_existence="none_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:43" check_existence="none_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="none_exist" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:44" check_existence="none_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:45" check_existence="only_one_exists" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:46" check_existence="only_one_exists" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="none satisfy" --> 
-+ -+ <filehash58_test version="1" id="oval:1:tst:47" check_existence="only_one_exists" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- check_existence="only_one_exists" check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:48" check_existence="only_one_exists" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:2"/> -+ </filehash58_test> -+ -+ <!-- DEFAULT OBJECT WITH STATE --> -+ -+ <!-- check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:49" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:50" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:51" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:52" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:53" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" 
id="oval:1:tst:54" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:55" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:56" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:57" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- check="only one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:58" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:59" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:60" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- OBJECT WITH STATE --> -+ -+ <!-- check_existence="all_exist" check="all" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:61" 
check_existence="all_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:62" check_existence="all_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:63" check_existence="all_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="at least one" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:64" check_existence="all_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:1"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:65" check_existence="all_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:2"/> -+ </filehash58_test> -+ -+ <filehash58_test version="1" id="oval:1:tst:66" check_existence="all_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:1:obj:1"/> -+ <state state_ref="oval:1:ste:3"/> -+ </filehash58_test> -+ -+ <!-- check_existence="all_exist" check="none satisfy" --> -+ -+ <filehash58_test version="1" id="oval:1:tst:67" check_existence="all_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object 
object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:68" check_existence="all_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:69" check_existence="all_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="all_exist" check="only one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:70" check_existence="all_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:71" check_existence="all_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:72" check_existence="all_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="any_exist" check="all" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:73" check_existence="any_exist" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:74" check_existence="any_exist"
check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:75" check_existence="any_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="any_exist" check="at least one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:76" check_existence="any_exist" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:77" check_existence="any_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:78" check_existence="any_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="any_exist" check="none satisfy" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:79" check_existence="any_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:80" check_existence="any_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state
state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:81" check_existence="any_exist" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="any_exist" check="only one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:82" check_existence="any_exist" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:83" check_existence="any_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:84" check_existence="any_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="at_least_one_exists" check="all" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:85" check_existence="at_least_one_exists" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:86" check_existence="at_least_one_exists" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:87" check_existence="at_least_one_exists" check="all"
comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="at_least_one_exists" check="at least one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:88" check_existence="at_least_one_exists" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:89" check_existence="at_least_one_exists" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:90" check_existence="at_least_one_exists" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="at_least_one_exists" check="none satisfy" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:91" check_existence="at_least_one_exists" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:92" check_existence="at_least_one_exists" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:93" check_existence="at_least_one_exists" check="none satisfy" comment="true"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="at_least_one_exists" check="only one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:94" check_existence="at_least_one_exists" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:95" check_existence="at_least_one_exists" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:96" check_existence="at_least_one_exists" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="none_exist" check="all" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:97" check_existence="none_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:98" check_existence="none_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:99" check_existence="none_exist" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="none_exist" check="at least one" -->
-+
-+ <filehash58_test
version="1" id="oval:1:tst:100" check_existence="none_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:101" check_existence="none_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:102" check_existence="none_exist" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="none_exist" check="none satisfy" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:103" check_existence="none_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:104" check_existence="none_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:105" check_existence="none_exist" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="none_exist" check="only one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:106" check_existence="none_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:107" check_existence="none_exist" check="only one" comment="false"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:108" check_existence="none_exist" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="only_one_exists" check="all" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:109" check_existence="only_one_exists" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:110" check_existence="only_one_exists" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:111" check_existence="only_one_exists" check="all" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="only_one_exists" check="at least one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:112" check_existence="only_one_exists" check="at least one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:113" check_existence="only_one_exists" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1"
id="oval:1:tst:114" check_existence="only_one_exists" check="at least one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="only_one_exists" check="none satisfy" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:115" check_existence="only_one_exists" check="none satisfy" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:116" check_existence="only_one_exists" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:117" check_existence="only_one_exists" check="none satisfy" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ <!-- check_existence="only_one_exists" check="only one" -->
-+
-+ <filehash58_test version="1" id="oval:1:tst:118" check_existence="only_one_exists" check="only one" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:1"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:119" check_existence="only_one_exists" check="only one" comment="false" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:2"/>
-+ </filehash58_test>
-+
-+ <filehash58_test version="1" id="oval:1:tst:120" check_existence="only_one_exists" check="only one" comment="false"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <object object_ref="oval:1:obj:1"/>
-+ <state state_ref="oval:1:ste:3"/>
-+ </filehash58_test>
-+
-+ </tests>
-+
-+ <objects>
-+
-+ <!-- EXISTING OBJECT -->
-+ <filehash58_object version="1" id="oval:1:obj:1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <path>/tmp</path>
-+ <filename>test_probes_filehash58.tmp</filename>
-+ <hash_type>SHA-512</hash_type>
-+ </filehash58_object>
-+
-+ <!-- NON-EXISTING OBJECT -->
-+ <filehash58_object version="1" id="oval:1:obj:2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <path>/tmp</path>
-+ <filename>test_probes_filehash58.invalid</filename>
-+ <hash_type>SHA-512</hash_type>
-+ </filehash58_object>
-+
-+ </objects>
-+
-+ <states>
-+
-+ <!-- FULLY TRUE STATE -->
-+ <filehash58_state version="1" id="oval:1:ste:1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+
-+ <filepath>/tmp/test_probes_filehash58.tmp</filepath>
-+ <path>/tmp</path>
-+ <filename>test_probes_filehash58.tmp</filename>
-+ <hash_type>SHA-512</hash_type>
-+ <hash>`sha512sum /tmp/test_probes_filehash58.tmp | awk '{print $1}'`</hash>
-+ </filehash58_state>
-+
-+ <!-- FULLY FALSE STATE -->
-+ <filehash58_state version="1" id="oval:1:ste:2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <path>/tmp</path>
-+ <filename>test_probes_filehash58.tmp</filename>
-+ <hash_type>SHA-512</hash_type>
-+ <hash>ce66ae981bfdcb0a5b63e296792662caf3e9c0414d1053593876f38fc1afdaffb89fdbe016a21e7357209fbaa611644307d589780cca97c04df0052bc903af22</hash>
-+ </filehash58_state>
-+
-+ <!-- MIXED STATE -->
-+ <filehash58_state version="1" id="oval:1:ste:3" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
-+ <path>/tmp</path>
-+ <filename>test_probes_filehash58.tmp</filename>
-+ <hash_type var_ref="oval:1:var:1" var_check="at least one"/>
-+ <hash var_ref="oval:1:var:4" var_check="at
least one"/>
-+ </filehash58_state>
-+
-+ </states>
-+
-+ <variables>
-+ <constant_variable id="oval:1:var:1" version="1" comment="several hash algorithms in one variable" datatype="string">
-+ <value>SHA-256</value>
-+ <value>SHA-512</value>
-+ </constant_variable>
-+ <constant_variable id="oval:1:var:4" version="1" comment="several hash algorithms in one variable" datatype="string">
-+ <value>`sha256sum /tmp/test_probes_filehash58.tmp | awk '{print $1}'`</value>
-+ <value>0bdf537d823dfb9194c25f2a444ac38fc177fc3ed2160acf7c15e3a07ccc600a8303e2a0e8ce50659395e0ab02910404e2134997b105794a167387de45f24768</value>
-+ </constant_variable>
-+ </variables>
-+
-+
-+</oval_definitions>
-+EOF
-diff --git a/tests/probes/filehash58/test_probes_filehash58.xml.sh b/tests/probes/filehash58/test_probes_filehash58_old_algos.xml.sh
-similarity index 100%
-rename from tests/probes/filehash58/test_probes_filehash58.xml.sh
-rename to tests/probes/filehash58/test_probes_filehash58_old_algos.xml.sh
-
-From 02a404bd0663e9e8191af6ea89bcaff5833eaaec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 21 Jul 2021 10:49:06 +0200
-Subject: [PATCH 3/5] Show supported crypto in oscap --version output
-
-It will allow users to discover which hash algorithms are supported
-by our probes.
----
- src/OVAL/probes/probe-table.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/OVAL/probes/probe-table.c b/src/OVAL/probes/probe-table.c
-index f7ca47702a..dd434ae6f2 100644
---- a/src/OVAL/probes/probe-table.c
-+++ b/src/OVAL/probes/probe-table.c
-@@ -391,6 +391,21 @@ void probe_table_list(FILE *output)
- fprintf(output, "%-14s", oval_family_get_text(oval_subtype_get_family(type)));
- fprintf(output, "%-29s", oval_subtype_get_text(type));
- fprintf(output, "probe_%s", oval_subtype_get_text(type));
-+#if (defined(OPENSCAP_ENABLE_MD5) && defined(OPENSCAP_ENABLE_SHA1))
-+ if (type == OVAL_INDEPENDENT_FILE_HASH) {
-+ fprintf(output, " (MD5, SHA-1)");
-+ }
-+#endif
-+ if (type == OVAL_INDEPENDENT_FILE_HASH58) {
-+ fprintf(output, " (");
-+#ifdef OPENSCAP_ENABLE_MD5
-+ fprintf(output, "MD5, ");
-+#endif
-+#ifdef OPENSCAP_ENABLE_SHA1
-+ fprintf(output, "SHA-1, ");
-+#endif
-+ fprintf(output, "SHA-224, SHA-256, SHA-384, SHA-512)");
-+ }
- fprintf(output, "\n");
- entry++;
- }
-
-From df30597efbf7caa47e7b143dae518da01246e512 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 21 Jul 2021 14:34:16 +0200
-Subject: [PATCH 4/5] Remove unused CRAPI_DIGEST_CNT
-
-This constant isn't used anywhere. Moerover, after introducing
-preprocessor variables OPENSCAP_ENABLE_MD5 and OPENSCAP_ENABLE_SHA1
-which affect the count supported crypto algorithms this value
-could dynamically differ from 7.
----
- src/OVAL/probes/crapi/digest.h | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/src/OVAL/probes/crapi/digest.h b/src/OVAL/probes/crapi/digest.h
-index 3de55e4f94..0d66db1336 100644
---- a/src/OVAL/probes/crapi/digest.h
-+++ b/src/OVAL/probes/crapi/digest.h
-@@ -40,8 +40,6 @@ typedef enum {
- CRAPI_DIGEST_SHA384 = 0x40
- } crapi_alg_t;
-
--#define CRAPI_DIGEST_CNT 7
--
- #include "md5.h"
- #include "sha1.h"
- #include "sha2.h"
-
-From 741bffe331b9a1b737440d4b9dce9a1775cc8345 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 21 Jul 2021 14:42:45 +0200
-Subject: [PATCH 5/5] Raise an error when using unsupported hash types
-
-The OVAL content can have a hash algorithm in `hash_type` element that
-is allowed by the OVAL specification but isn't currently supported in
-OpenSCAP. At this moment, this can happen if OpenSCAP is compiled
-without SHA-1 or MD5 support by setting OPENSCAP_ENABLE_SHA1 or
-OPENSCAP_ENABLE_MD5 to OFF. In this situation we should warn the user,
-for example show a warning and add a message element to the OVAL
-results.
-
-To do that, we need to be able to iterate over all hash types specified
-in the OVAL specification, not only over the supported ones, because we
-need to distinguish between a no match, a match of supported algorithm
-and a match of an unsupported algorithm. Therefore we need to list them
-explicitly.
-
-The CRAPI_INVALID value has been replaced by 0 because it used to be a
--1 but a negative value can't be compared with an enum. That would cause
-a compiler warning.
----
- .../probes/independent/filehash58_probe.c | 109 +++++++++++-------
- 1 file changed, 69 insertions(+), 40 deletions(-)
-
-diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
-index 895d8f92f4..53535d7069 100644
---- a/src/OVAL/probes/independent/filehash58_probe.c
-+++ b/src/OVAL/probes/independent/filehash58_probe.c
-@@ -54,11 +54,22 @@
- #include "util.h"
- #include "probe/entcmp.h"
- #include "filehash58_probe.h"
-+#include "oscap_helpers.h"
-
- #define FILE_SEPARATOR '/'
-
--#define CRAPI_INVALID -1
-+/* List of hash types listed in OVAL specification */
-+static const char *OVAL_FILEHASH58_HASH_TYPES[] = {
-+ "MD5",
-+ "SHA-1",
-+ "SHA-224",
-+ "SHA-256",
-+ "SHA-384",
-+ "SHA-512",
-+ NULL
-+};
-
-+/* List of hash types supported by OpenSCAP */
- static const struct oscap_string_map CRAPI_ALG_MAP[] = {
- #ifdef OPENSCAP_ENABLE_MD5
- {CRAPI_DIGEST_MD5, "MD5"},
-@@ -71,7 +82,7 @@ static const struct oscap_string_map CRAPI_ALG_MAP[] = {
- {CRAPI_DIGEST_SHA384, "SHA-384"},
- {CRAPI_DIGEST_SHA512, "SHA-512"},
- /* {CRAPI_DIGEST_RMD160, "RMD-160"}, OVAL doesn't support this */
-- {CRAPI_INVALID, NULL}
-+ {0, NULL}
- };
-
- static const struct oscap_string_map CRAPI_ALG_MAP_SIZE[] = {
-@@ -165,45 +176,64 @@ static int filehash58_cb(const char *prefix, const char *p, const char *f, const
- probe_item_add_msg(itm, OVAL_MESSAGE_LEVEL_ERROR,
- "Can't open \"%s\": errno=%d, %s.", pbuf, errno, strerror (errno));
- probe_item_setstatus(itm, SYSCHAR_STATUS_ERROR);
-- } else {
-- uint8_t hash_dst[1025];
-- size_t hash_dstlen = sizeof hash_dst;
-- char hash_str[2051];
-
-- crapi_alg_t hash_type;
-+ probe_item_collect(ctx, itm);
-+ return 0;
-+ }
-
-- hash_type = oscap_string_to_enum(CRAPI_ALG_MAP, h);
-- hash_dstlen = oscap_string_to_enum(CRAPI_ALG_MAP_SIZE, h);
-+ uint8_t hash_dst[1025];
-+ size_t hash_dstlen = sizeof(hash_dst);
-+ char hash_str[2051];
-+ crapi_alg_t hash_type;
-
-- /*
-- * Compute hash value
--
*/
-- if (crapi_mdigest_fd (fd, 1, hash_type, hash_dst, &hash_dstlen) != 0) {
-- close (fd);
-- return (-1);
-- }
-+ hash_type = oscap_string_to_enum(CRAPI_ALG_MAP, h);
-+ if (hash_type == 0) {
-+ char *msg = oscap_sprintf("This version of OpenSCAP doesn't support the '%s' hash algorithm.", h);
-+ dW(msg);
-+ itm = probe_item_create (OVAL_INDEPENDENT_FILE_HASH58, NULL,
-+ "filepath", OVAL_DATATYPE_STRING, pbuf,
-+ "path", OVAL_DATATYPE_STRING, p,
-+ "filename", OVAL_DATATYPE_STRING, f,
-+ "hash_type", OVAL_DATATYPE_STRING, h,
-+ NULL);
-+ probe_item_add_msg(itm, OVAL_MESSAGE_LEVEL_ERROR, msg);
-+ free(msg);
-+ probe_item_setstatus(itm, SYSCHAR_STATUS_ERROR);
-+ probe_item_collect(ctx, itm);
-+ close(fd);
-+ return 0;
-+ }
-+
-+ hash_dstlen = oscap_string_to_enum(CRAPI_ALG_MAP_SIZE, h);
-
-+ /*
-+ * Compute hash value
-+ */
-+ if (crapi_mdigest_fd(fd, 1, hash_type, hash_dst, &hash_dstlen) != 0) {
- close (fd);
-+ return (-1);
-+ }
-
-- hash_str[0] = '\0';
-- mem2hex (hash_dst, hash_dstlen, hash_str, sizeof hash_str);
-+ close (fd);
-
-- /*
-- * Create and add the item
-- */
-- itm = probe_item_create(OVAL_INDEPENDENT_FILE_HASH58, NULL,
-- "filepath", OVAL_DATATYPE_STRING, pbuf,
-- "path", OVAL_DATATYPE_STRING, p,
-- "filename", OVAL_DATATYPE_STRING, f,
-- "hash_type",OVAL_DATATYPE_STRING, h,
-- "hash", OVAL_DATATYPE_STRING, hash_str,
-- NULL);
-+ hash_str[0] = '\0';
-+ mem2hex(hash_dst, hash_dstlen, hash_str, sizeof(hash_str));
-
-- if (hash_dstlen == 0) {
-- probe_item_add_msg(itm, OVAL_MESSAGE_LEVEL_ERROR,
-- "Unable to compute %s hash value of \"%s\".", h, pbuf);
-- probe_item_setstatus(itm, SYSCHAR_STATUS_ERROR);
-- }
-+ /*
-+ * Create and add the item
-+ */
-+ itm = probe_item_create(OVAL_INDEPENDENT_FILE_HASH58, NULL,
-+ "filepath", OVAL_DATATYPE_STRING, pbuf,
-+ "path", OVAL_DATATYPE_STRING, p,
-+ "filename", OVAL_DATATYPE_STRING, f,
-+ "hash_type",OVAL_DATATYPE_STRING, h,
-+ "hash", OVAL_DATATYPE_STRING, hash_str,
-+ NULL);
-+
-+ if (hash_dstlen == 0) {
-+
probe_item_add_msg(itm, OVAL_MESSAGE_LEVEL_ERROR,
-+ "Unable to compute %s hash value of \"%s\".", h, pbuf);
-+ probe_item_setstatus(itm, SYSCHAR_STATUS_ERROR);
- }
-
- probe_item_collect(ctx, itm);
-@@ -300,15 +330,14 @@ int filehash58_probe_main(probe_ctx *ctx, void *arg)
- if ((ofts = oval_fts_open_prefixed(prefix, path, filename, filepath, behaviors, probe_ctx_getresult(ctx))) != NULL) {
- while ((ofts_ent = oval_fts_read(ofts)) != NULL) {
- /* find hash types to compare with entity, think "not satisfy" */
-- const struct oscap_string_map *p = CRAPI_ALG_MAP;
-- while (p->value != CRAPI_INVALID) {
-- SEXP_t *crapi_hash_type_sexp = SEXP_string_new(p->string, strlen(p->string));
-- if (probe_entobj_cmp(hash_type, crapi_hash_type_sexp) == OVAL_RESULT_TRUE) {
-- filehash58_cb(prefix, ofts_ent->path, ofts_ent->file, p->string, ctx);
-+ for (int i = 0; OVAL_FILEHASH58_HASH_TYPES[i] != NULL; i++) {
-+ const char *oval_filehash58_hash_type = OVAL_FILEHASH58_HASH_TYPES[i];
-+ SEXP_t *oval_filehash58_hash_type_sexp = SEXP_string_new(oval_filehash58_hash_type, strlen(oval_filehash58_hash_type));
-+ if (probe_entobj_cmp(hash_type, oval_filehash58_hash_type_sexp) == OVAL_RESULT_TRUE) {
-+ filehash58_cb(prefix, ofts_ent->path, ofts_ent->file, oval_filehash58_hash_type, ctx);
- }
-
-- SEXP_free(crapi_hash_type_sexp);
-- p++;
-+ SEXP_free(oval_filehash58_hash_type_sexp);
- }
- oval_ftsent_free(ofts_ent);
- }
diff --git a/SOURCES/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch b/SOURCES/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
deleted file mode 100644
index 7138beb..0000000
--- a/SOURCES/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Oct 2021 14:33:37 +0200
-Subject: [PATCH] Allow empty /proc in offline mode
-
-When scanning offline file systems the /proc might be empty. Currently,
-OpenSCAP thinks that it means a permissions problems, which is often
-true if it happens on a real system, but in offline mode it can be a
-normal situation. We will not consider empty /proc an error in offline
-mode.
-
-The commit also includes a simple test case.
-
-Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3
-
-Resolves: RHBZ #2008922
----
- src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++----
- tests/probes/process58/CMakeLists.txt | 1 +
- tests/probes/process58/empty_proc.sh | 33 ++++++++++++++++++++++++++
- 3 files changed, 47 insertions(+), 5 deletions(-)
- create mode 100755 tests/probes/process58/empty_proc.sh
-
-diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c
-index d1108fc59..29c582152 100644
---- a/src/OVAL/probes/unix/process58_probe.c
-+++ b/src/OVAL/probes/unix/process58_probe.c
-@@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){
- static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
- {
- char buf[PATH_MAX];
-- int err = PROBE_EACCESS, max_cap_id;
-+ int max_cap_id;
- DIR *d;
- struct dirent *ent;
- oval_schema_version_t oval_version;
-@@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
- cmd_buffer[0] = '[';
-
- // Scan the directories
-+ bool any_pid_dir_found = false;
- while (( ent = readdir(d) )) {
- int fd, len;
- char *tmp, state, tty_dev[128];
-@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
- }
- }
-
--
-- err = PROBE_ESUCCESS; // If we get this far, no permission problems
-- dI("Have command: %s", cmd);
-+ any_pid_dir_found = true;
-
cmd_sexp = SEXP_string_newf("%s", cmd);
- pid_sexp = SEXP_number_newu_32(pid);
- if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) &&
-@@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
- }
- closedir(d);
- oscap_buffer_free(cmdline_buffer);
-- return err;
-+
-+ if (!any_pid_dir_found) {
-+ dW("No data about processes could be read from '%s'.", buf);
-+ }
-+ // In offline mode, empty /proc might be a normal situation and doesn't
-+ // have to mean permissions problems
-+ if (prefix)
-+ return PROBE_ESUCCESS;
-+ else
-+ return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
- }
-
- int process58_probe_offline_mode_supported(void)
-diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt
-index 17261dbb7..947665de6 100644
---- a/tests/probes/process58/CMakeLists.txt
-+++ b/tests/probes/process58/CMakeLists.txt
-@@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX)
- add_oscap_test("capability.sh")
- add_oscap_test("command_line.sh")
- add_oscap_test("dev_to_tty.sh")
-+ add_oscap_test("empty_proc.sh")
- add_oscap_test("loginuid.sh")
- add_oscap_test("selinux_domain_label.sh")
- add_oscap_test("sessionid.sh")
-diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh
-new file mode 100755
-index 000000000..2f0334b15
---- /dev/null
-+++ b/tests/probes/process58/empty_proc.sh
-@@ -0,0 +1,33 @@
-+#!/usr/bin/env bash
-+
-+# This is regression test of RHBZ #2008922
-+
-+set -e -o pipefail
-+
-+. $builddir/tests/test_common.sh
-+probecheck "process58" || exit 255
-+
-+name=$(basename $0 .sh)
-+result=$(mktemp ${name}.out.XXXXXX)
-+stderr=$(mktemp ${name}.err.XXXXXX)
-+
-+root=$(mktemp -d)
-+
-+# create an empty /proc in the offline file system dir
-+mkdir -p "$root/proc"
-+
-+export OSCAP_PROBE_ROOT="$root"
-+$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
-+
-+[ $?
-eq 0 ]
-+grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
-+grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
-+grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
-+
-+[ -s "$result" ]
-+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
-+assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
-+
-+rm "$stderr"
-+rm "$result"
-+rm -r "$root"
diff --git a/SOURCES/openscap-1.3.6-fix-failing-test-pr-1775.patch b/SOURCES/openscap-1.3.6-fix-failing-test-pr-1775.patch
deleted file mode 100644
index 70f9798..0000000
--- a/SOURCES/openscap-1.3.6-fix-failing-test-pr-1775.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 11e5d42d279f39c13a9bdea7df6da7728b85a0b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 29 Jun 2021 09:12:34 +0200
-Subject: [PATCH] Fix failing test
-
-The test fails becuse the OVAL content in
-`test_remediation_simple.oval.xml` used in rule
-`xccdf_moc.elpmaxe.www_rule_1` in
-`test_profile_selection_by_suffix.xccdf.xml` expects that a file named
-`test_file` exists in the current working directory.
-
-This test doesn't fail when executed as a part of complete test suite
-run. I guess that it's because some other test creates the `test_file`
-file and doesn't delete it. Unfortunately, I can't find which test
-creates it. There are many test cases that use a file `test_file`
-and it is also created often by remediation executed in some tests.
----
- .../API/XCCDF/unittests/test_profile_selection_by_suffix.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh b/tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh
-index 910264626a..9b0852df37 100755
---- a/tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh
-+++ b/tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh
-@@ -13,6 +13,9 @@ echo "Stderr file = $stderr"
- echo "Result file = $result"
- ret=0
-
-+touch test_file
-+[ -f test_file ]
-+
- # Multiple matches should result in failure
- $OSCAP xccdf eval --profile common $benchmark 2> $stderr || ret=$?
- [ $ret -eq 1 ]
-@@ -55,3 +58,5 @@ grep -Fq "No profile matching suffix \"another\" was found" $stderr
-
- [ -f $stderr ]; rm $stderr
- rm $result
-+
-+rm -f test_file
diff --git a/SOURCES/openscap-1.3.6-http_error_fix-PR_1805.patch
deleted file mode 100644
index 148a10b..0000000
--- a/SOURCES/openscap-1.3.6-http_error_fix-PR_1805.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From d2790140325a3d77264937c38d5076899c824dd4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Fri, 10 Sep 2021 10:11:00 +0200
-Subject: [PATCH] Fail download on HTTP errors
-
-When the HTTP server returns status code greater than or equal 400,
-the download will fail.
-
-Resolves: rhbz#2002733
----
- src/common/oscap_acquire.c | 20 ++++++++++++++++++--
- tests/DS/test_ds_misc.sh | 15 +++++++++++++++
- 2 files changed, 33 insertions(+), 2 deletions(-)
-
-diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
-index cd9bfc36f6..8f4991751f 100644
---- a/src/common/oscap_acquire.c
-+++ b/src/common/oscap_acquire.c
-@@ -328,6 +328,14 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
-
- CURLcode res;
-
-+ /* CURLOPT_FAILONERROR - request failure on HTTP response >= 400 */
-+ res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
-+ if (res != 0) {
-+ curl_easy_cleanup(curl);
-+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FAILONERROR: %s", curl_easy_strerror(res));
-+ return NULL;
-+ }
-+
- res = curl_easy_setopt(curl, CURLOPT_URL, url);
- if (res != 0) {
- curl_easy_cleanup(curl);
-@@ -387,14 +395,22 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
- }
-
- res = curl_easy_perform(curl);
-- curl_easy_cleanup(curl);
-
- if (res != 0) {
-- oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
-+ if (res == CURLE_HTTP_RETURNED_ERROR) {
-+ long http_code = 0;
-+ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
-+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s: %ld", curl_easy_strerror(res), http_code);
-+ } else {
-+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
-+ }
-+ curl_easy_cleanup(curl);
- oscap_buffer_free(buffer);
- return NULL;
- }
-
-+ curl_easy_cleanup(curl);
-+
- *memory_size = oscap_buffer_get_length(buffer);
- char* data = oscap_buffer_bequeath(buffer); // get data and free buffer struct
- return data;
-diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
-index 4d2dfc449a..159007518e 100755
---- a/tests/DS/test_ds_misc.sh
-+++ b/tests/DS/test_ds_misc.sh
-@@ -250,6 +250,19 @@ function test_ds_continue_without_remote_resources() {
- rm -f "$result" "$oval_result"
- }
-
-+function test_ds_error_remote_resources() {
-+ local DS="${srcdir}/$1"
-+ local PROFILE="$2"
-+ local result=$(mktemp)
-+ local stderr=$(mktemp)
-+
-+ $OSCAP xccdf eval --fetch-remote-resources --profile "$PROFILE" --results "$result" "$DS" 2>"$stderr" || ret=$?
-+ grep -q "Downloading: https://www.example.com/security/data/oval/oval.xml.bz2 ... error" "$stderr"
-+ grep -q "OpenSCAP Error: Download failed: HTTP response code said error: 404" "$stderr"
-+
-+ rm -f "$result" "$stderr"
-+}
-+
- function test_source_date_epoch() {
- local xccdf="$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
- local result="$(mktemp)"
-@@ -286,7 +299,9 @@ test_run "eval_cpe" test_eval_cpe eval_cpe/sds.xml
- test_run "test_eval_complex" test_eval_complex
- test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice
- test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
-+test_run "test_ds_1_2_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
- test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
-+test_run "test_ds_1_3_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
- test_run "test_source_date_epoch" test_source_date_epoch
-
- test_exit
diff --git a/SOURCES/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
deleted file mode 100644
index 94cc375..0000000
--- a/SOURCES/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 8 Jul 2021 14:28:16 +0200
-Subject: [PATCH 1/3] Initialize crypto API only once
-
-The function `crapi_init` calls `gcry_check_version` which must be
-called before any other function from the Libgcrypt library. That might
-be violated when multiple threads executing multiple probes are running.
-The mitigation proposed in this PR is to call `crapi_init` only once
-when the session is initialized which means before any threads are
-spawned.
-
-See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
-
-Resolves: RHBZ#1959570
----
- src/OVAL/oval_probe_session.c | 5 +++++
- src/OVAL/probes/independent/filehash58_probe.c | 6 ------
- src/OVAL/probes/independent/filehash_probe.c | 6 ------
- src/OVAL/probes/independent/filemd5_probe.c | 6 ------
- 4 files changed, 5 insertions(+), 18 deletions(-)
-
-diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
-index 435ca148fd..6f6d7ad426 100644
---- a/src/OVAL/oval_probe_session.c
-+++ b/src/OVAL/oval_probe_session.c
-@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
- SEXP_free((SEXP_t *)exp);
-
- ncache_libinit();
-+ /*
-+ * Initialize crypto API
-+ */
-+ if (crapi_init (NULL) != 0)
-+ return (NULL);
- }
-
- /**
-diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
-index ff1e065746..32a38562bd 100644
---- a/src/OVAL/probes/independent/filehash58_probe.c
-+++ b/src/OVAL/probes/independent/filehash58_probe.c
-@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
-
- void *filehash58_probe_init(void)
- {
-- /*
-- * Initialize crypto API
-- */
-- if (crapi_init (NULL) != 0)
-- return (NULL);
--
- /*
- * Initialize mutex.
- */
-diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
-index 522d976512..6d8780dc95 100644
---- a/src/OVAL/probes/independent/filehash_probe.c
-+++ b/src/OVAL/probes/independent/filehash_probe.c
-@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
-
- void *filehash_probe_init(void)
- {
-- /*
-- * Initialize crypto API
-- */
-- if (crapi_init (NULL) != 0)
-- return (NULL);
--
- /*
- * Initialize mutex.
- */
-diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
-index d0de402d8b..99913581f0 100644
---- a/src/OVAL/probes/independent/filemd5_probe.c
-+++ b/src/OVAL/probes/independent/filemd5_probe.c
-@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
-
- void *probe_init (void)
- {
-- /*
-- * Initialize crypto API
-- */
-- if (crapi_init (NULL) != 0)
-- return (NULL);
--
- /*
- * Initialize mutex.
- */
-
-From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 13 Jul 2021 13:03:21 +0200
-Subject: [PATCH 2/3] Add a missing include
-
----
- src/OVAL/oval_probe_session.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
-index 6f6d7ad426..295782b536 100644
---- a/src/OVAL/oval_probe_session.c
-+++ b/src/OVAL/oval_probe_session.c
-@@ -48,6 +48,7 @@
- #include "oval_probe_ext.h"
- #include "probe-table.h"
- #include "oval_types.h"
-+#include "crapi/crapi.h"
-
- #if defined(OSCAP_THREAD_SAFE)
- #include <pthread.h>
-
-From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 15 Jul 2021 14:21:00 +0200
-Subject: [PATCH 3/3] Don't initialize crypto on Windows
-
----
- src/OVAL/oval_probe_session.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
-index 295782b536..b443cbcc80 100644
---- a/src/OVAL/oval_probe_session.c
-+++ b/src/OVAL/oval_probe_session.c
-@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
- /*
- * Initialize crypto API
- */
-+#ifndef OS_WINDOWS
- if (crapi_init (NULL) != 0)
- return (NULL);
-+#endif
- }
-
- /**
diff --git a/SOURCES/openscap-1.3.6-local-files-pr-1769.patch
deleted file mode 100644
index fd26026..0000000
--- a/SOURCES/openscap-1.3.6-local-files-pr-1769.patch
+++ /dev/null
@@ -1,2158 +0,0 @@ -From 35ae94cd84b7b99845f0d2306924946e66da6d50 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Tue, 15 Jun 2021 10:09:44 +0200 -Subject: [PATCH 01/10] Allow providing pre-downloaded components - -OpenSCAP can download remote SCAP source data stream components from the -internet if the --fetch-remote-resources option is set. When this -command line option isn't set, it is possible to download the remote -component separately, save it as file to the filesystem which name is -equal to the name of the remote component and OpenSCAP would use this -local file instead of just skipping the checks. It currently works by -accident, it wasn't intended to work this way or at least I haven't -heard it before, but somobody found out that it works and documented it -as a KSC: https://access.redhat.com/solutions/5185891. However, it -produces warning messages if the approach used in the KSC is used. - -This patch promotes the workaround to a feature. And it changes the -logic so that it won't print the warnings. - -The main difference is that it won't work automatically, but only -on user's demand by providing --use-local-file which is the new -command line option introduced by this commit. 
- -Fixes: rhbz#1970527 ---- - src/DS/ds_sds_session.c | 14 ++- - src/DS/ds_sds_session_priv.h | 1 + - src/DS/public/ds_sds_session.h | 15 ++- - src/DS/sds.c | 22 +++++ - src/OVAL/oval_session.c | 11 ++- - src/OVAL/public/oval_session.h | 15 ++- - src/XCCDF/public/xccdf_session.h | 15 ++- - src/XCCDF/xccdf_session.c | 36 ++++--- - tests/DS/CMakeLists.txt | 1 + - .../remote.oval.xml | 58 +++++++++++ - .../remote_content_1.3.ds.xml | 96 +++++++++++++++++++ - .../DS/test_ds_use_local_remote_resources.sh | 57 +++++++++++ - utils/oscap-ds.c | 6 +- - utils/oscap-info.c | 4 +- - utils/oscap-oval.c | 6 +- - utils/oscap-tool.h | 1 + - utils/oscap-xccdf.c | 14 ++- - utils/oscap.8 | 26 +++++ - 18 files changed, 369 insertions(+), 29 deletions(-) - create mode 100644 tests/DS/ds_use_local_remote_resources/remote.oval.xml - create mode 100644 tests/DS/ds_use_local_remote_resources/remote_content_1.3.ds.xml - create mode 100755 tests/DS/test_ds_use_local_remote_resources.sh - -diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c -index 8c0072bae0..9d9a9c8b52 100644 ---- a/src/DS/ds_sds_session.c -+++ b/src/DS/ds_sds_session.c -@@ -55,6 +55,7 @@ struct ds_sds_session { - struct oscap_htable *component_uris; ///< maps component refs to component URIs - bool fetch_remote_resources; ///< Allows loading of external components; - download_progress_calllback_t progress; ///< Callback to report progress of download. 
-+ bool use_local_file; ///< Use a locally downloaded copy of a remote resource if it exists - }; - - /** -@@ -337,12 +338,23 @@ int ds_sds_session_register_component_with_dependencies(struct ds_sds_session *s - return res; - } - --void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback) -+void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback) - { - session->fetch_remote_resources = allowed; -+ session->use_local_file = use_local_file; - session->progress = (callback != NULL) ? callback : download_progress_empty_calllback; - } - -+void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback) -+{ -+ ds_sds_session_configure_remote_resources(session, allowed, false, callback); -+} -+ -+bool ds_sds_session_can_use_local_file(struct ds_sds_session *session) -+{ -+ return session->use_local_file; -+} -+ - int ds_sds_session_dump_component_files(struct ds_sds_session *session) - { - return ds_dump_component_sources(session->component_sources, ds_sds_session_get_target_dir(session)); -diff --git a/src/DS/ds_sds_session_priv.h b/src/DS/ds_sds_session_priv.h -index f58231dc48..018cd053ec 100644 ---- a/src/DS/ds_sds_session_priv.h -+++ b/src/DS/ds_sds_session_priv.h -@@ -40,6 +40,7 @@ struct oscap_htable *ds_sds_session_get_component_sources(struct ds_sds_session - struct oscap_htable *ds_sds_session_get_component_uris(struct ds_sds_session *session); - const char *ds_sds_session_get_readable_origin(const struct ds_sds_session *session); - bool ds_sds_session_fetch_remote_resources(struct ds_sds_session *session); -+bool ds_sds_session_can_use_local_file(struct ds_sds_session *session); - download_progress_calllback_t ds_sds_session_remote_resources_progress(struct ds_sds_session *session); - - void download_progress_empty_calllback(bool 
warning, const char * format, ...); -diff --git a/src/DS/public/ds_sds_session.h b/src/DS/public/ds_sds_session.h -index 20a85146cc..695a0df215 100644 ---- a/src/DS/public/ds_sds_session.h -+++ b/src/DS/public/ds_sds_session.h -@@ -200,7 +200,20 @@ OSCAP_API void ds_sds_session_reset(struct ds_sds_session *session); - * @param callback used to notify user about download proceeds. This might be safely set - * to NULL -- ignoring user notification. - */ --OSCAP_API void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback); -+OSCAP_API OSCAP_DEPRECATED(void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback)); -+ -+/** -+ * Set property of remote content. -+ * @memberof ds_sds_session -+ * @param session The source data stream session -+ * @param allowed Whether is download of remote resources allowed in this -+ * session (defaults to false) -+ * @param use_local_file Allows to use a locally downloaded copy of the remote -+ * resource if it exists (defaults to false) -+ * @param callback used to notify user about download proceeds. This might be -+ * safely set to NULL -- ignoring user notification. -+ */ -+OSCAP_API void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); - - /** - * Returns HTML representation of selected checklist in form of OpenSCAP guide. 
-diff --git a/src/DS/sds.c b/src/DS/sds.c -index 0f19a81982..b1737aa57f 100644 ---- a/src/DS/sds.c -+++ b/src/DS/sds.c -@@ -413,6 +413,28 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x - } - - if (!ds_sds_session_fetch_remote_resources(session)) { -+ /* -+ * If fetching remote resources isn't allowed by the user let's take -+ * a look whether there exists a file whose file name is equal to -+ * @name attribute of the uri element within the catalog of the -+ * previously processed component-ref which pointed us to the -+ * currently processed component-ref. Note that the @name attribute -+ * value has been passed as relative_filepath in the recursive call -+ * of ds_sds_dump_component_ref_as. If such file exists, we will -+ * assume that it's a local copy of the remote component located at -+ * the URL defined in @xlink:href. This way people can provide the -+ * previously downloaded component which might be useful on systems -+ * with limited internet access. This behavior is allowed only when -+ * --use-local-file is used on the command line. 
-+ * See: https://bugzilla.redhat.com/show_bug.cgi?id=1970527 -+ * See: https://access.redhat.com/solutions/5185891 -+ */ -+ struct stat sb; -+ if (ds_sds_session_can_use_local_file(session) && stat(relative_filepath, &sb) == 0) { -+ dI("Using local file '%s' instead of '%s'", relative_filepath, xlink_href); -+ return ds_sds_dump_file_component(relative_filepath, *component_id, session, target_filename_dirname, relative_filepath); -+ } -+ - static bool fetch_remote_resources_suggested = false; - - if (!fetch_remote_resources_suggested) { -diff --git a/src/OVAL/oval_session.c b/src/OVAL/oval_session.c -index ebc7e55f71..5adda43f66 100644 ---- a/src/OVAL/oval_session.c -+++ b/src/OVAL/oval_session.c -@@ -84,6 +84,7 @@ struct oval_session { - bool full_validation; - bool fetch_remote_resources; - download_progress_calllback_t progress; -+ bool use_local_file; - }; - - struct oval_session *oval_session_new(const char *filename) -@@ -223,7 +224,7 @@ static int oval_session_load_definitions(struct oval_session *session) - if ((session->sds_session = ds_sds_session_new_from_source(session->source)) == NULL) { - return 1; - } -- ds_sds_session_set_remote_resources(session->sds_session,session->fetch_remote_resources ,session->progress); -+ ds_sds_session_configure_remote_resources(session->sds_session, session->fetch_remote_resources, session->use_local_file, session->progress); - ds_sds_session_set_datastream_id(session->sds_session, session->datastream_id); - if (ds_sds_session_register_component_with_dependencies(session->sds_session, - "checks", session->component_id, "oval.xml") != 0) { -@@ -451,12 +452,18 @@ void oval_session_set_export_system_characteristics(struct oval_session *session - session->export_sys_chars = export; - } - --void oval_session_set_remote_resources(struct oval_session *session, bool allowed, download_progress_calllback_t callback) -+void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, bool use_local_file, 
download_progress_calllback_t callback) - { - session->fetch_remote_resources = allowed; -+ session->use_local_file = use_local_file; - session->progress = callback; - } - -+void oval_session_set_remote_resources(struct oval_session *session, bool allowed, download_progress_calllback_t callback) -+{ -+ oval_session_configure_remote_resources(session, allowed, false, callback); -+} -+ - void oval_session_free(struct oval_session *session) - { - if (session == NULL) -diff --git a/src/OVAL/public/oval_session.h b/src/OVAL/public/oval_session.h -index ed97cb7768..d485676747 100644 ---- a/src/OVAL/public/oval_session.h -+++ b/src/OVAL/public/oval_session.h -@@ -239,7 +239,20 @@ OSCAP_API void oval_session_set_export_system_characteristics(struct oval_sessio - * @param callback used to notify user about download proceeds. This might be safely set - * to NULL -- ignoring user notification. - */ --OSCAP_API void oval_session_set_remote_resources(struct oval_session *session, bool allowed, download_progress_calllback_t callback); -+OSCAP_API OSCAP_DEPRECATED(void oval_session_set_remote_resources(struct oval_session *session, bool allowed, download_progress_calllback_t callback)); -+ -+/** -+ * Set property of remote content. -+ * @memberof oval_session -+ * @param session an \ref oval_session -+ * @param allowed Whether is download of remote resources allowed in this -+ * session (defaults to false) -+ * @param use_local_file Allows to use a locally downloaded copy of the remote -+ * resource if it exists (defaults to false) -+ * @param callback used to notify user about download proceeds. This might be -+ * safely set to NULL -- ignoring user notification. -+ */ -+OSCAP_API void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); - - /** - * Destructor of an \ref oval_session. 
-diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h -index 70cfc677f3..2eb7128019 100644 ---- a/src/XCCDF/public/xccdf_session.h -+++ b/src/XCCDF/public/xccdf_session.h -@@ -232,7 +232,20 @@ OSCAP_API void xccdf_session_set_user_tailoring_cid(struct xccdf_session *sessio - * @param callback used to notify user about download proceeds. This might be safely set - * to NULL -- ignoring user notification. - */ --OSCAP_API void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allowed, download_progress_calllback_t callback); -+OSCAP_API OSCAP_DEPRECATED(void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allowed, download_progress_calllback_t callback)); -+ -+/** -+ * Set properties of remote content. -+ * @memberof xccdf_session -+ * @param session XCCDF Session -+ * @param allowed Whether is download od remote resources allowed in this -+ * session (defaults to false) -+ * @param use_local_file Allows to use a locally downloaded copy of the remote -+ * resource if it exists (defaults to false) -+ * @param callback used to notify user about download proceeds. This might be -+ * safely set to NULL -- ignoring user notification. -+ */ -+OSCAP_API void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); - - /** - * Disable or allow loading of depending content (OVAL, SCE, CPE) -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index 9d8f42c445..85fcc90d23 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -87,6 +87,7 @@ struct xccdf_session { - } ds; - struct { - bool fetch_remote_resources; ///< Allows download of remote resources (not applicable when user sets custom oval files) -+ bool use_local_file; ///< Use a locally downloaded copy of a remote resource if it exists - download_progress_calllback_t progress; ///< Callback to report progress of download. 
- struct oval_content_resource **custom_resources;///< OVAL files required by user - struct oval_content_resource **resources;///< OVAL files referenced from XCCDF -@@ -626,7 +627,8 @@ static struct ds_sds_session *xccdf_session_get_ds_sds_session(struct xccdf_sess - return session->ds.session; - } - --void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allowed, download_progress_calllback_t callback) -+ -+void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback) - { - if (callback == NULL) { - // With empty cb we don't have to check for NULL -@@ -635,15 +637,21 @@ void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allo - } - - session->oval.fetch_remote_resources = allowed; -+ session->oval.use_local_file = use_local_file; - session->oval.progress = callback; - - if (xccdf_session_is_sds(session)) { - // We have to propagate this option to allow loading - // of external datastream components -- ds_sds_session_set_remote_resources(xccdf_session_get_ds_sds_session(session), allowed, callback); -+ ds_sds_session_configure_remote_resources(xccdf_session_get_ds_sds_session(session), allowed, use_local_file, callback); - } - } - -+void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allowed, download_progress_calllback_t callback) -+{ -+ xccdf_session_configure_remote_resources(session, allowed, false, callback); -+} -+ - void xccdf_session_set_loading_flags(struct xccdf_session *session, xccdf_session_loading_flags_t flags) - { - session->loading_flags = flags; -@@ -993,6 +1001,7 @@ static int _xccdf_session_get_oval_from_model(struct xccdf_session *session) - while (oscap_file_entry_iterator_has_more(files_it)) { - struct oscap_file_entry *file_entry; - struct stat sb; -+ bool source_owned = false; - - file_entry = (struct oscap_file_entry *) oscap_file_entry_iterator_next(files_it); - -@@ -1002,9 +1011,6 
@@ static int _xccdf_session_get_oval_from_model(struct xccdf_session *session) - - const char *file_path = oscap_file_entry_get_file(file_entry); - struct oscap_source *source = NULL; -- if (xccdf_session_get_ds_sds_session(session) != NULL) { -- source = ds_sds_session_get_component_by_href(xccdf_session_get_ds_sds_session(session), file_path); -- } - - tmp_path = malloc(PATH_MAX * sizeof(char)); - if (file_path[0] == '/') { // it's a simple absolute path -@@ -1017,16 +1023,20 @@ static int _xccdf_session_get_oval_from_model(struct xccdf_session *session) - snprintf(tmp_path, PATH_MAX, "%s/%s", dir_path, file_path); - } - -- if (source != NULL || stat(tmp_path, &sb) == 0) { -- resources[idx] = malloc(sizeof(struct oval_content_resource)); -- resources[idx]->href = oscap_strdup(oscap_file_entry_get_file(file_entry)); -- if (source == NULL) { -+ if (xccdf_session_get_ds_sds_session(session) != NULL) { -+ source = ds_sds_session_get_component_by_href(xccdf_session_get_ds_sds_session(session), file_path); -+ source_owned = false; -+ } else { -+ if (stat(tmp_path, &sb) == 0) { - source = oscap_source_new_from_file(tmp_path); -- resources[idx]->source_owned = true; -- } -- else { -- resources[idx]->source_owned = false; -+ source_owned = true; - } -+ } -+ -+ if (source != NULL) { -+ resources[idx] = malloc(sizeof(struct oval_content_resource)); -+ resources[idx]->href = oscap_strdup(oscap_file_entry_get_file(file_entry)); -+ resources[idx]->source_owned = source_owned; - resources[idx]->source = source; - idx++; - void *new_resources = realloc(resources, (idx + 1) * sizeof(struct oval_content_resource *)); -diff --git a/tests/DS/CMakeLists.txt b/tests/DS/CMakeLists.txt -index f239586f8b..aac089cab5 100644 ---- a/tests/DS/CMakeLists.txt -+++ b/tests/DS/CMakeLists.txt -@@ -4,6 +4,7 @@ add_oscap_test("test_sds_compose_split.sh") - add_oscap_test("test_sds_eval.sh") - add_oscap_test("test_sds_fix_from_results.sh") - add_oscap_test("test_sds_fix_from_source.sh") 
-+add_oscap_test("test_ds_use_local_remote_resources.sh") - - add_subdirectory("ds_sds_index") - add_subdirectory("schematron") -diff --git a/tests/DS/ds_use_local_remote_resources/remote.oval.xml b/tests/DS/ds_use_local_remote_resources/remote.oval.xml -new file mode 100644 -index 0000000000..ed864a462d ---- /dev/null -+++ b/tests/DS/ds_use_local_remote_resources/remote.oval.xml -@@ -0,0 +1,58 @@ -+<?xml version="1.0"?> -+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"> -+ <generator> -+ <oval:schema_version>5.10</oval:schema_version> -+ <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp> -+ </generator> -+ -+ <definitions> -+ <definition class="compliance" version="1" id="oval:x:def:1"> -+ <metadata> -+ <title>This definition will pass</title> -+ <description>x</description> -+ <affected family="unix"> -+ <platform>x</platform> -+ </affected> -+ </metadata> -+ <criteria comment="x" operator="OR"> -+ <criterion test_ref="oval:x:tst:1" comment="always pass"/> -+ <criterion test_ref="oval:x:tst:2" comment="always fail"/> -+ </criteria> -+ </definition> -+ <definition class="compliance" version="1" 
id="oval:x:def:2"> -+ <metadata> -+ <title>This definition will fail</title> -+ <description>x</description> -+ <affected family="unix"> -+ <platform>x</platform> -+ </affected> -+ </metadata> -+ <criteria comment="x" operator="AND"> -+ <criterion test_ref="oval:x:tst:1" comment="always pass"/> -+ <criterion test_ref="oval:x:tst:2" comment="always fail"/> -+ </criteria> -+ </definition> -+ </definitions> -+ -+ <tests> -+ <variable_test id="oval:x:tst:1" check="all" comment="always pass" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:x:obj:1"/> -+ </variable_test> -+ -+ <variable_test id="oval:x:tst:2" check="all" check_existence="none_exist" comment="always fail" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <object object_ref="oval:x:obj:1"/> -+ </variable_test> -+ </tests> -+ -+ <objects> -+ <variable_object id="oval:x:obj:1" version="1" comment="x" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> -+ <var_ref>oval:x:var:1</var_ref> -+ </variable_object> -+ </objects> -+ -+ <variables> -+ <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="string"> -+ <value>x</value> -+ </constant_variable> -+ </variables> -+</oval_definitions> -diff --git a/tests/DS/ds_use_local_remote_resources/remote_content_1.3.ds.xml b/tests/DS/ds_use_local_remote_resources/remote_content_1.3.ds.xml -new file mode 100644 -index 0000000000..ab1a0f1458 ---- /dev/null -+++ b/tests/DS/ds_use_local_remote_resources/remote_content_1.3.ds.xml -@@ -0,0 +1,96 @@ -+<?xml version="1.0" encoding="utf-8"?> -+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3"> -+<ds:data-stream 
id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.3" use-case="OTHER"> -+ <ds:checklists> -+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml"> -+ <cat:catalog> -+ <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/> -+ <cat:uri name="remote.oval.xml" uri="#scap_org.open-scap_cref_remote.oval.xml"/> -+ </cat:catalog> -+ </ds:component-ref> -+ </ds:checklists> -+ <ds:checks> -+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/> -+ <ds:component-ref id="scap_org.open-scap_cref_remote.oval.xml" xlink:href="https://www.example.com/security/data/oval/remote.oval.xml"/> -+ </ds:checks> -+</ds:data-stream> -+ -+<ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38"> -+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd"> -+ <generator> -+ <oval:schema_version>5.11</oval:schema_version> -+ <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp> -+ </generator> -+ -+ <definitions> -+ <definition class="compliance" id="oval:test-pass:def:1" version="1"> -+ <metadata> -+ <title>PASS</title> -+ <description>pass</description> -+ 
</metadata>
-+ <criteria>
-+ <criterion comment="PASS test" test_ref="oval:x:tst:1"/>
-+ </criteria>
-+ </definition>
-+ </definitions>
-+
-+ <tests>
-+ <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
-+ <object object_ref="oval:x:obj:1"/>
-+ </variable_test>
-+ </tests>
-+
-+ <objects>
-+ <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
-+ <var_ref>oval:x:var:1</var_ref>
-+ </variable_object>
-+ </objects>
-+
-+ <variables>
-+ <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
-+ <value>100</value>
-+ </constant_variable>
-+ </variables>
-+
-+</oval_definitions>
-+</ds:component>
-+
-+<ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45">
-+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xml:lang="en-US">
-+ <status>accepted</status>
-+ <version>1.0</version>
-+
-+ <Profile id="xccdf_com.example.www_profile_test_remote_res">
-+ <title>xccdf_test_profile</title>
-+ <description>This profile is for testing.</description>
-+ <select idref="xccdf_com.example.www_rule_test-pass" selected="true"/>
-+ <select idref="xccdf_com.example.www_rule_test-remote_res" selected="true"/>
-+ </Profile>
-+
-+ <Value id="xccdf_com.example.www_value_val1" type="number" operator="equals" interactive="0">
-+ <title>test value</title>
-+ <description>foo</description>
-+ <value selector="bar_1">50</value>
-+ <value selector="bar_2">100</value>
-+ </Value>
-+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
-+ <title>This rule always pass</title>
-+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
-+ </check>
-+
</Rule>
-+ <Rule selected="true" id="xccdf_com.example.www_rule_test-remote_res">
-+ <title>This rule checks remote resource</title>
-+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" multi-check="true">
-+ <check-content-ref href="remote.oval.xml"/>
-+ </check>
-+ </Rule>
-+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass2">
-+ <title>This rule always pass</title>
-+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
-+ </check>
-+ </Rule>
-+</Benchmark>
-+</ds:component>
-+</ds:data-stream-collection>
-diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh
-new file mode 100755
-index 0000000000..706f38c2bc
---- /dev/null
-+++ b/tests/DS/test_ds_use_local_remote_resources.sh
-@@ -0,0 +1,57 @@
-+#!/usr/bin/env bash
-+
-+# Author:
-+# Jan Černý <jcerny@redhat.com>
-+
-+set -e -o pipefail
-+set -x
-+
-+. $builddir/tests/test_common.sh
-+
-+PROFILE="xccdf_com.example.www_profile_test_remote_res"
-+result=$(mktemp)
-+stderr=$(mktemp)
-+tmpdir=$(mktemp -d)
-+cp "${srcdir}/ds_use_local_remote_resources/remote_content_1.3.ds.xml" "$tmpdir"
-+cp "${srcdir}/ds_use_local_remote_resources/remote.oval.xml" "$tmpdir"
-+pushd "$tmpdir"
-+
-+$OSCAP xccdf eval --use-local-file --profile "$PROFILE" --results "$result" "remote_content_1.3.ds.xml" 2>"$stderr" || ret=$?
-+[ "$ret" = 2 ]
-+
-+grep -q "WARNING: Datastream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. Use '--fetch-remote-resources' option to download it."
"$stderr" && false
-+grep -q "WARNING: Skipping 'https://www.example.com/security/data/oval/remote.oval.xml' file which is referenced from datastream" "$stderr" && false
-+
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]'
-+# the remote_res rule is a multicheck with 2 oval definitions so it's twice here
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="pass"]'
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="fail"]'
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]'
-+
-+popd
-+rm -f "$result" "$stderr"
-+rm -rf "$tmpdir"
-+
-+
-+# test the same without --use-local-file to make sure the $tmpdir/remote.oval.xml isn't loaded by oscap
-+
-+result=$(mktemp)
-+stderr=$(mktemp)
-+tmpdir=$(mktemp -d)
-+cp "${srcdir}/ds_use_local_remote_resources/remote_content_1.3.ds.xml" "$tmpdir"
-+cp "${srcdir}/ds_use_local_remote_resources/remote.oval.xml" "$tmpdir"
-+pushd "$tmpdir"
-+
-+$OSCAP xccdf eval --profile "$PROFILE" --results "$result" "remote_content_1.3.ds.xml" 2>"$stderr" || ret=$?
-+[ "$ret" = 2 ]
-+
-+grep -q "WARNING: Datastream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. Use '--fetch-remote-resources' option to download it."
"$stderr"
-+grep -q "WARNING: Skipping 'https://www.example.com/security/data/oval/remote.oval.xml' file which is referenced from datastream" "$stderr"
-+
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]'
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]'
-+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]'
-+
-+popd
-+rm -f "$result" "$stderr"
-+rm -rf "$tmpdir"
-\ No newline at end of file
-diff --git a/utils/oscap-ds.c b/utils/oscap-ds.c
-index 772c9c3283..6a42724597 100644
---- a/utils/oscap-ds.c
-+++ b/utils/oscap-ds.c
-@@ -82,7 +82,8 @@ static struct oscap_module DS_SDS_SPLIT_MODULE = {
- " --xccdf-id <id> - ID of XCCDF in the data stream that should be evaluated.\n"
- " --skip-valid - Skips validating of given XCCDF.\n"
- " --skip-validation\n"
-- " --fetch-remote-resources - Download remote content referenced by data stream.\n",
-+ " --fetch-remote-resources - Download remote content referenced by data stream.\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n",
- .opt_parser = getopt_ds,
- .func = app_ds_sds_split
- };
-@@ -186,6 +187,7 @@ bool getopt_ds(int argc, char **argv, struct oscap_action *action) {
- {"xccdf-id", required_argument, NULL, DS_OPT_XCCDF_ID},
- {"report-id", required_argument, NULL, DS_OPT_REPORT_ID},
- {"fetch-remote-resources", no_argument, &action->remote_resources, 1},
-+ {"use-local-file", no_argument, &action->use_local_file, 1},
- // end
- {0, 0, 0, 0}
- };
-@@ -308,7 +310,7 @@ int app_ds_sds_split(const struct oscap_action *action) {
- }
- ds_sds_session_set_datastream_id(session, f_datastream_id);
-
-- ds_sds_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ ds_sds_session_configure_remote_resources(session, action->remote_resources, action->use_local_file,
download_reporting_callback);
- ds_sds_session_set_target_dir(session, action->ds_action->target);
- if (ds_sds_session_register_component_with_dependencies(session, "checklists", f_component_id, NULL) != 0) {
- goto cleanup;
-diff --git a/utils/oscap-info.c b/utils/oscap-info.c
-index 46721eba05..01db5153b3 100644
---- a/utils/oscap-info.c
-+++ b/utils/oscap-info.c
-@@ -63,6 +63,7 @@ struct oscap_module OSCAP_INFO_MODULE = {
- .usage = "some-file.xml",
- .help = "Options:\n"
- " --fetch-remote-resources - Download remote content referenced by data stream.\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n"
- " --profile <id> - Show info of the profile with the given ID.\n"
- " --profiles - Show profiles from the input file in the <id>:<title> format, one line per profile.\n",
- .opt_parser = getopt_info,
-@@ -531,7 +532,7 @@ static int app_info_sds(struct oscap_source *source, const struct oscap_action *
- return OSCAP_ERROR;
- }
-
-- ds_sds_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ ds_sds_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
-
- /* get collection */
- struct ds_sds_index *sds = ds_sds_session_get_sds_idx(session);
-@@ -762,6 +763,7 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action)
- /* Command-options */
- const struct option long_options[] = {
- {"fetch-remote-resources", no_argument, &action->remote_resources, 1},
-+ {"use-local-file", no_argument, &action->use_local_file, 1},
- {"profile", required_argument, 0, 'p'},
- {"profiles", no_argument, 0, 'n'},
- // end
-diff --git a/utils/oscap-oval.c b/utils/oscap-oval.c
-index 39bcb92edb..582a5695e3 100644
---- a/utils/oscap-oval.c
-+++ b/utils/oscap-oval.c
-@@ -115,7 +115,8 @@ static struct oscap_module OVAL_EVAL = {
- " --oval-id <id> - ID of the OVAL component ref in the data stream to use.\n"
- " (only
applicable for source data streams)\n"
- " --fetch-remote-resources - Download remote content referenced by OVAL Definitions.\n"
-- " (only applicable for source data streams)\n",
-+ " (only applicable for source data streams)\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n",
- .opt_parser = getopt_oval_eval,
- .func = app_evaluate_oval
- };
-@@ -344,7 +345,7 @@ int app_evaluate_oval(const struct oscap_action *action)
- /* set OVAL Variables */
- oval_session_set_variables(session, action->f_variables);
-
-- oval_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ oval_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
- /* load all necesary OVAL Definitions and bind OVAL Variables if provided */
- if ((oval_session_load(session)) != 0)
- goto cleanup;
-@@ -520,6 +521,7 @@ bool getopt_oval_eval(int argc, char **argv, struct oscap_action *action)
- { "skip-valid", no_argument, &action->validate, 0 },
- { "skip-validation", no_argument, &action->validate, 0 },
- { "fetch-remote-resources", no_argument, &action->remote_resources, 1},
-+ { "use-local-file", no_argument, &action->use_local_file, 1},
- { 0, 0, 0, 0 }
- };
-
-diff --git a/utils/oscap-tool.h b/utils/oscap-tool.h
-index 18cce0fbce..a3b8781b27 100644
---- a/utils/oscap-tool.h
-+++ b/utils/oscap-tool.h
-@@ -174,6 +174,7 @@ struct oscap_action {
- int list_dynamic;
- char *verbosity_level;
- char *fix_type;
-+ int use_local_file;
- };
-
- int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);
-diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
-index 801e54fa35..ef2768bdef 100644
---- a/utils/oscap-xccdf.c
-+++ b/utils/oscap-xccdf.c
-@@ -129,6 +129,7 @@ static struct oscap_module XCCDF_EXPORT_OVAL_VARIABLES = {
- " --skip-valid - Skip validation.\n"
- " --skip-validation\n"
- "
--fetch-remote-resources - Download remote content referenced by XCCDF.\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n"
- " --datastream-id <id> - ID of the data stream in the collection to use.\n"
- " (only applicable for source data streams)\n"
- " --xccdf-id <id> - ID of component-ref with XCCDF in the data stream that should be evaluated.\n"
-@@ -171,6 +172,7 @@ static struct oscap_module XCCDF_EVAL = {
- " (only applicable for source data streams)\n"
- " --enforce-signature - Process only signed data streams.\n"
- " --fetch-remote-resources - Download remote content referenced by XCCDF.\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n"
- " --progress - Switch to sparse output suitable for progress reporting.\n"
- " Format is \"$rule_id:$result\\n\".\n"
- " --datastream-id <id> - ID of the data stream in the collection to use.\n"
-@@ -199,6 +201,7 @@ static struct oscap_module XCCDF_REMEDIATE = {
- " --cpe <name> - Use given CPE dictionary or language (autodetected)\n"
- " for applicability checks.\n"
- " --fetch-remote-resources - Download remote content referenced by XCCDF.\n"
-+ " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n"
- " --results <file> - Write XCCDF Results into file.\n"
- " --results-arf <file> - Write ARF (result data stream) into file.\n"
- " --stig-viewer <file> - Writes XCCDF results into FILE in a format readable by DISA STIG Viewer\n"
-@@ -573,7 +576,7 @@ int app_evaluate_xccdf(const struct oscap_action *action)
- if (action->tailoring_file != NULL)
- xccdf_session_set_user_tailoring_file(session, action->tailoring_file);
- xccdf_session_set_user_tailoring_cid(session, action->tailoring_id);
-- xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file,
download_reporting_callback);
- xccdf_session_set_custom_oval_files(session, action->f_ovals);
- xccdf_session_set_product_cpe(session, OSCAP_PRODUCTNAME);
- xccdf_session_set_rule(session, action->rule);
-@@ -678,7 +681,7 @@ static int app_xccdf_export_oval_variables(const struct oscap_action *action)
- xccdf_session_set_benchmark_id(session, action->f_benchmark_id);
- }
- xccdf_session_set_user_cpe(session, action->cpe);
-- xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
- xccdf_session_set_custom_oval_files(session, action->f_ovals);
- xccdf_session_set_custom_oval_eval_fn(session, resolve_variables_wrapper);
-
-@@ -721,7 +724,7 @@ int app_xccdf_remediate(const struct oscap_action *action)
- goto cleanup;
- xccdf_session_set_validation(session, action->validate, getenv("OSCAP_FULL_VALIDATION") != NULL);
- xccdf_session_set_user_cpe(session, action->cpe);
-- xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
- xccdf_session_set_custom_oval_files(session, action->f_ovals);
-
- if (xccdf_session_load(session) != 0)
-@@ -937,7 +940,7 @@ int app_generate_fix(const struct oscap_action *action)
- xccdf_session_set_signature_validation(session, action->validate_signature);
- xccdf_session_set_signature_enforcement(session, action->enforce_signature);
- xccdf_session_set_user_cpe(session, action->cpe);
-- xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
- xccdf_session_set_custom_oval_files(session, action->f_ovals);
-
xccdf_session_set_user_tailoring_file(session, action->tailoring_file);
- xccdf_session_set_user_tailoring_cid(session, action->tailoring_id);
-@@ -1012,7 +1015,7 @@ int app_generate_guide(const struct oscap_action *action)
- xccdf_session_set_validation(session, action->validate, getenv("OSCAP_FULL_VALIDATION") != NULL);
- xccdf_session_set_signature_validation(session, action->validate_signature);
- xccdf_session_set_signature_enforcement(session, action->enforce_signature);
-- xccdf_session_set_remote_resources(session, action->remote_resources, download_reporting_callback);
-+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback);
- xccdf_session_set_user_tailoring_file(session, action->tailoring_file);
- xccdf_session_set_user_tailoring_cid(session, action->tailoring_id);
- if (xccdf_session_is_sds(session)) {
-@@ -1166,6 +1169,7 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
- {"skip-signature-validation", no_argument, &action->validate_signature, 0},
- {"enforce-signature", no_argument, &action->enforce_signature, 1},
- {"fetch-remote-resources", no_argument, &action->remote_resources, 1},
-+ {"use-local-file", no_argument, &action->use_local_file, 1},
- {"progress", no_argument, &action->progress, 1},
- {"remediate", no_argument, &action->remediate, 1},
- {"hide-profile-info", no_argument, &action->hide_profile_info, 1},
-diff --git a/utils/oscap.8 b/utils/oscap.8
-index 6cae0ffe8a..8dcb9ca330 100644
---- a/utils/oscap.8
-+++ b/utils/oscap.8
-@@ -72,6 +72,11 @@ For XCCDF or SCAP source data stream files, the info module prints out IDs of in
- Allow download of remote components referenced from data stream.
- .RE
- .TP
-+\fB\-\-use-local-file\fR
-+.RS
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file.
In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
-+.RE
-+.TP
- \fB\-\-profile PROFILE\fR
- .RS
- Show info of the profile with the given ID.
-@@ -201,6 +206,11 @@ Process only digitally signed SCAP source data streams. Data streams without a s
- Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.
- .RE
- .TP
-+\fB\-\-use-local-file\fR
-+.RS
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
-+.RE
-+.TP
- \fB\-\-remediate\fR
- .RS
- Execute XCCDF remediation in the process of XCCDF evaluation. This option automatically executes content of XCCDF fix elements for failed rules, and thus this shall be avoided unless for trusted content. Use of this option is always at your own risk.
-@@ -226,6 +236,11 @@ Do not validate input/output files.
- Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.
- .RE
- .TP
-+\fB\-\-use-local-file\fR
-+.RS
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
-+.RE
-+.TP
- \fB\-\-cpe CPE_FILE\fR
- .RS
- Use given CPE dictionary or language (auto-detected) for applicability checks.
-@@ -303,6 +318,11 @@ Select a particular profile from XCCDF document.
- Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.
- .RE
- .TP
-+\fB\-\-use-local-file\fR
-+.RS
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
-+.RE
-+.TP
- \fB\-\-skip-valid\fR, \fB\-\-skip-validation\fR
- .RS
- Do not validate input/output files.
-@@ -477,6 +497,9 @@ Do not validate input/output files.
- .TP
- \fB\-\-fetch-remote-resources\fR
- Allow download of remote components referenced from data stream.
-+.TP
-+\fB\-\-use-local-file\fR
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
- .RE
-
- .TP
-@@ -638,6 +661,9 @@ Do not validate input/output files.
- .TP
- \fB\-\-fetch-remote-resources\fR
- Allow download of remote components referenced from data stream.
-+.TP
-+\fB\-\-use-local-file\fR
-+Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.
- .RE
- .TP
- .B \fBsds-validate\fR SOURCE_DS
-
-From 0a24a755b7102b716da7237717aa78290f8efe9e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 13 Jul 2021 08:41:08 +0200
-Subject: [PATCH 02/10] Describe using local files in user manual
-
-To increase visiblity it's also added to the FAQs.
----
- docs/manual/manual.adoc | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
-index 409d502a3b..8655f518f0 100644
---- a/docs/manual/manual.adoc
-+++ b/docs/manual/manual.adoc
-@@ -1636,6 +1636,25 @@ Rule xccdf_org.ssgproject.content_rule_partition_for_var_log
- ...
- ----
-
-+On systems that don't have a direct internet access or if the user doesn't want OpenSCAP to connect to the network it's possible to download the remote content using other tools and then pass it to OpenSCAP as a file.
-+To do that, use `--use-local-file` instead of `--fetch-remote-resources` as argument of the `oscap` command.
-+
-+In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to `name` attribute of the `uri` element within the `catalog` element within the `component-ref` element representing a checklist in the data stream if such file exists.
-+
-+In the following example, the `ssg-rhel8-ds.xml` is an SCAP source datastream.
-+It needs some checks from a remote component. The remote component's `component-ref` ID is `scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml` and the `component-ref` is pointing to `https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml`.
-+The checks from the remote component are used in the only checklist in the data stream.
-+The `component-ref` of the checklist component contains a `catalog` where one of the `uri` elements maps the remote component's `component-ref` ID in the `uri` attribute to the actual name `security-data-oval-com.redhat.rhsa-RHEL8.xml` which is the value of the `name` attribute.
-+Therefore, we can download the remote data from `https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml` and save it as `security-data-oval-com.redhat.rhsa-RHEL8.xml`.
-+Then, we can optionally copy the file to the computer which we want to scan.
-+Then, we execute `oscap` with `--use-local-file` in that directory.
-+It will pick the file and use it instead of the remote data and it won't connect to the network.
-+
-+----
-+$ wget -O security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
-+...
-+$ oscap xccdf eval --use-local-file --profile ospp ssg-rhel8-ds.xml
-+----
-
- == Practical Examples
- This section demonstrates practical usage of certain security content provided
-@@ -2133,3 +2152,11 @@ The downloaded guidance contains rule descriptions, but it doesn't contain OVAL
-
- Make sure that you provide the ID of the customized profile in `--profile` option instead of the ID of the original profile.
- If you created the tailoring file using SCAP Workbench, you were prompted to choose the ID of the customized profile. You can display the ID of the customized profile by running `oscap info <your_tailoring_file>`. By default, the ID of the customized profile ends with `_customized` suffix.
-+
-+*My SCAP source data stream contains rule `security_patches_up_to_date` which needs to download some data from the internet to work.*
-+*But I'm in an air gapped environment so it can't download it.*
-+*Can I download it separately and pass it to oscap?*
-+
-+Yes, it's possible, you can download the file on other computer that is connected to the internet and then copy the file to the system where you run `oscap`.
-+Instead of the `--fetch-remote-resources` option you will use the `--use-local-file` option.
-+For more information, please refer to section <<_using_external_or_remote_resources,Using external or remote resources>>.
-
-From 86ce263d26405d08abdf027e9b71bea69386e51f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 22 Jul 2021 16:19:36 +0200
-Subject: [PATCH 03/10] Provide a directory path
-
-This will allow users to pass a directory path where downloaded files
-are stored.
-
-Currently, when it attempts to open a file, the path is resolved
-relatively to the data stream file. For example, that means if the data
-stream file is located in /usr/share/xml/scap you need to copy the file
-there and you can have permission problems. Instead, we will pass the
-directory and store the downloaded file to the directory.
-
-The interface and command line options are updated to accept the
-directory path. Moreover, we have realized that there can be multiple
-remote components in a single source data stream. Therefore, we have
-found a more suitable name for the option which would more fit that the
-option accepts an argument and there can be multiple files.
----
- docs/manual/manual.adoc | 16 +++++-----
- src/DS/ds_sds_session.c | 10 +++---
- src/DS/ds_sds_session_priv.h | 2 +-
- src/DS/public/ds_sds_session.h | 7 +++--
- src/DS/sds.c | 31 ++++++++++++++++---
- src/OVAL/oval_session.c | 10 +++---
- src/OVAL/public/oval_session.h | 7 +++--
- src/XCCDF/public/xccdf_session.h | 7 +++--
- src/XCCDF/xccdf_session.c | 12 +++----
- .../DS/test_ds_use_local_remote_resources.sh | 19 ++++++------
- utils/oscap-ds.c | 10 ++++--
- utils/oscap-info.c | 9 ++++--
- utils/oscap-oval.c | 12 ++++---
- utils/oscap-tool.h | 2 +-
- utils/oscap-xccdf.c | 24 ++++++++------
- utils/oscap.8 | 18 +++++------
- 16 files changed, 118 insertions(+), 78 deletions(-)
-
-diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
-index 8655f518f0..9f0fc38b75 100644
---- a/docs/manual/manual.adoc
-+++ b/docs/manual/manual.adoc
-@@ -1636,8 +1636,8 @@ Rule xccdf_org.ssgproject.content_rule_partition_for_var_log
- ...
- ----
-
--On systems that don't have a direct internet access or if the user doesn't want OpenSCAP to connect to the network it's possible to download the remote content using other tools and then pass it to OpenSCAP as a file.
--To do that, use `--use-local-file` instead of `--fetch-remote-resources` as argument of the `oscap` command.
-+On systems that don't have a direct internet access or if the user doesn't want OpenSCAP to connect to the network it's possible to download the remote content using other tools, save it to a directory and then pass it to OpenSCAP as a file.
-+To do that, use `--local-files` instead of `--fetch-remote-resources` as argument of the `oscap` command.
-
- In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to `name` attribute of the `uri` element within the `catalog` element within the `component-ref` element representing a checklist in the data stream if such file exists.
-
-@@ -1645,15 +1645,15 @@ In the following example, the `ssg-rhel8-ds.xml` is an SCAP source datastream.
- It needs some checks from a remote component. The remote component's `component-ref` ID is `scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml` and the `component-ref` is pointing to `https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml`.
- The checks from the remote component are used in the only checklist in the data stream.
- The `component-ref` of the checklist component contains a `catalog` where one of the `uri` elements maps the remote component's `component-ref` ID in the `uri` attribute to the actual name `security-data-oval-com.redhat.rhsa-RHEL8.xml` which is the value of the `name` attribute.
--Therefore, we can download the remote data from `https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml` and save it as `security-data-oval-com.redhat.rhsa-RHEL8.xml`.
--Then, we can optionally copy the file to the computer which we want to scan.
--Then, we execute `oscap` with `--use-local-file` in that directory.
-+Therefore, we can download the remote data from `https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml` and save it as `security-data-oval-com.redhat.rhsa-RHEL8.xml` to some directory.
-+Then, we execute `oscap` with `--local-files` and provide a path to the directory where it's located.
- It will pick the file and use it instead of the remote data and it won't connect to the network.
-
- ----
--$ wget -O security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
-+$ mkdir ~/scap-files
-+$ wget -O ~/scap-files/security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
- ...
--$ oscap xccdf eval --use-local-file --profile ospp ssg-rhel8-ds.xml
-+$ oscap xccdf eval --local-files ~/scap-files --profile ospp ssg-rhel8-ds.xml
- ----
-
- == Practical Examples
-@@ -2158,5 +2158,5 @@ If you created the tailoring file using SCAP Workbench, you were prompted to cho
- *Can I download it separately and pass it to oscap?*
-
- Yes, it's possible, you can download the file on other computer that is connected to the internet and then copy the file to the system where you run `oscap`.
--Instead of the `--fetch-remote-resources` option you will use the `--use-local-file` option.
-+Instead of the `--fetch-remote-resources` option you will use the `--local-files` option.
- For more information, please refer to section <<_using_external_or_remote_resources,Using external or remote resources>>.
-diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c
-index 9d9a9c8b52..99f4bc20fd 100644
---- a/src/DS/ds_sds_session.c
-+++ b/src/DS/ds_sds_session.c
-@@ -55,7 +55,7 @@ struct ds_sds_session {
- struct oscap_htable *component_uris; ///< maps component refs to component URIs
- bool fetch_remote_resources; ///< Allows loading of external components;
- download_progress_calllback_t progress; ///< Callback to report progress of download.
-- bool use_local_file; ///< Use a locally downloaded copy of a remote resource if it exists
-+ const char *local_files; ///< Path to the directory where local copies of remote components are located
- };
-
- /**
-@@ -338,10 +338,10 @@ int ds_sds_session_register_component_with_dependencies(struct ds_sds_session *s
- return res;
- }
-
--void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback)
-+void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback)
- {
- session->fetch_remote_resources = allowed;
-- session->use_local_file = use_local_file;
-+ session->local_files = local_files;
- session->progress = (callback != NULL) ? callback : download_progress_empty_calllback;
- }
-
-@@ -350,9 +350,9 @@ void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool al
- ds_sds_session_configure_remote_resources(session, allowed, false, callback);
- }
-
--bool ds_sds_session_can_use_local_file(struct ds_sds_session *session)
-+const char *ds_sds_session_local_files(struct ds_sds_session *session)
- {
-- return session->use_local_file;
-+ return session->local_files;
- }
-
- int ds_sds_session_dump_component_files(struct ds_sds_session *session)
-diff --git a/src/DS/ds_sds_session_priv.h b/src/DS/ds_sds_session_priv.h
-index 018cd053ec..5e6dfc7672 100644
---- a/src/DS/ds_sds_session_priv.h
-+++ b/src/DS/ds_sds_session_priv.h
-@@ -40,7 +40,7 @@ struct oscap_htable *ds_sds_session_get_component_sources(struct ds_sds_session
- struct oscap_htable *ds_sds_session_get_component_uris(struct ds_sds_session *session);
- const char *ds_sds_session_get_readable_origin(const struct ds_sds_session *session);
- bool ds_sds_session_fetch_remote_resources(struct ds_sds_session *session);
--bool ds_sds_session_can_use_local_file(struct ds_sds_session *session);
-+const char
*ds_sds_session_local_files(struct ds_sds_session *session); - download_progress_calllback_t ds_sds_session_remote_resources_progress(struct ds_sds_session *session); - - void download_progress_empty_calllback(bool warning, const char * format, ...); -diff --git a/src/DS/public/ds_sds_session.h b/src/DS/public/ds_sds_session.h -index 695a0df215..83e7feadba 100644 ---- a/src/DS/public/ds_sds_session.h -+++ b/src/DS/public/ds_sds_session.h -@@ -208,12 +208,13 @@ OSCAP_API OSCAP_DEPRECATED(void ds_sds_session_set_remote_resources(struct ds_sd - * @param session The source data stream session - * @param allowed Whether is download of remote resources allowed in this - * session (defaults to false) -- * @param use_local_file Allows to use a locally downloaded copy of the remote -- * resource if it exists (defaults to false) -+ * @param local_files Allows to use a locally downloaded copy of the remote -+ * resources. Contains a path to a directory where the files are stored -+ * (defaults to NULL). - * @param callback used to notify user about download proceeds. This might be - * safely set to NULL -- ignoring user notification. - */ --OSCAP_API void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); -+OSCAP_API void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback); - - /** - * Returns HTML representation of selected checklist in form of OpenSCAP guide. -diff --git a/src/DS/sds.c b/src/DS/sds.c -index b1737aa57f..365ae96987 100644 ---- a/src/DS/sds.c -+++ b/src/DS/sds.c -@@ -425,14 +425,35 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x - * the URL defined in @xlink:href. This way people can provide the - * previously downloaded component which might be useful on systems - * with limited internet access. 
This behavior is allowed only when -- * --use-local-file is used on the command line. -+ * --local-files is used on the command line. - * See: https://bugzilla.redhat.com/show_bug.cgi?id=1970527 - * See: https://access.redhat.com/solutions/5185891 - */ -- struct stat sb; -- if (ds_sds_session_can_use_local_file(session) && stat(relative_filepath, &sb) == 0) { -- dI("Using local file '%s' instead of '%s'", relative_filepath, xlink_href); -- return ds_sds_dump_file_component(relative_filepath, *component_id, session, target_filename_dirname, relative_filepath); -+ const char *local_files = ds_sds_session_local_files(session); -+ if (local_files != NULL) { -+ char *local_filepath = oscap_path_join(local_files, relative_filepath); -+ struct stat sb; -+ if (stat(local_filepath, &sb) == 0) { -+ //if (ds_sds_session_can_use_local_file(session)) { -+ dI("Using local file '%s' instead of '%s'", local_filepath, xlink_href); -+ struct oscap_source *source_file = oscap_source_new_from_file(local_filepath); -+ xmlDoc *doc = oscap_source_get_xmlDoc(source_file); -+ if (doc == NULL) { -+ free(local_filepath); -+ return -1; -+ } -+ xmlNodePtr inner_root = ds_sds_get_component_root_by_id(doc, *component_id); -+ -+ if (ds_sds_register_component(session, doc, inner_root, *component_id, target_filename_dirname, relative_filepath) != 0) { -+ free(local_filepath); -+ return -1; -+ } -+ free(local_filepath); -+ return 0; -+ } else { -+ dW("Can't use local file '%s' instead of '%s'", local_filepath, xlink_href); -+ } -+ free(local_filepath); - } - - static bool fetch_remote_resources_suggested = false; -diff --git a/src/OVAL/oval_session.c b/src/OVAL/oval_session.c -index 5adda43f66..bb73543ed8 100644 ---- a/src/OVAL/oval_session.c -+++ b/src/OVAL/oval_session.c -@@ -84,7 +84,7 @@ struct oval_session { - bool full_validation; - bool fetch_remote_resources; - download_progress_calllback_t progress; -- bool use_local_file; -+ const char *local_files; - }; - - struct oval_session 
*oval_session_new(const char *filename) -@@ -224,7 +224,7 @@ static int oval_session_load_definitions(struct oval_session *session) - if ((session->sds_session = ds_sds_session_new_from_source(session->source)) == NULL) { - return 1; - } -- ds_sds_session_configure_remote_resources(session->sds_session, session->fetch_remote_resources, session->use_local_file, session->progress); -+ ds_sds_session_configure_remote_resources(session->sds_session, session->fetch_remote_resources, session->local_files, session->progress); - ds_sds_session_set_datastream_id(session->sds_session, session->datastream_id); - if (ds_sds_session_register_component_with_dependencies(session->sds_session, - "checks", session->component_id, "oval.xml") != 0) { -@@ -452,16 +452,16 @@ void oval_session_set_export_system_characteristics(struct oval_session *session - session->export_sys_chars = export; - } - --void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback) -+void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback) - { - session->fetch_remote_resources = allowed; -- session->use_local_file = use_local_file; -+ session->local_files = local_files; - session->progress = callback; - } - - void oval_session_set_remote_resources(struct oval_session *session, bool allowed, download_progress_calllback_t callback) - { -- oval_session_configure_remote_resources(session, allowed, false, callback); -+ oval_session_configure_remote_resources(session, allowed, NULL, callback); - } - - void oval_session_free(struct oval_session *session) -diff --git a/src/OVAL/public/oval_session.h b/src/OVAL/public/oval_session.h -index d485676747..378c77c490 100644 ---- a/src/OVAL/public/oval_session.h -+++ b/src/OVAL/public/oval_session.h -@@ -247,12 +247,13 @@ OSCAP_API OSCAP_DEPRECATED(void 
oval_session_set_remote_resources(struct oval_se - * @param session an \ref oval_session - * @param allowed Whether is download of remote resources allowed in this - * session (defaults to false) -- * @param use_local_file Allows to use a locally downloaded copy of the remote -- * resource if it exists (defaults to false) -+ * @param local_files Allows to use a locally downloaded copy of the remote -+ * resources. Contains a path to a directory where the files are stored -+ * (defaults to NULL). - * @param callback used to notify user about download proceeds. This might be - * safely set to NULL -- ignoring user notification. - */ --OSCAP_API void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); -+OSCAP_API void oval_session_configure_remote_resources(struct oval_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback); - - /** - * Destructor of an \ref oval_session. -diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h -index 2eb7128019..466ef2b9d4 100644 ---- a/src/XCCDF/public/xccdf_session.h -+++ b/src/XCCDF/public/xccdf_session.h -@@ -240,12 +240,13 @@ OSCAP_API OSCAP_DEPRECATED(void xccdf_session_set_remote_resources(struct xccdf_ - * @param session XCCDF Session - * @param allowed Whether is download od remote resources allowed in this - * session (defaults to false) -- * @param use_local_file Allows to use a locally downloaded copy of the remote -- * resource if it exists (defaults to false) -+ * @param local_files Allows to use a locally downloaded copy of the remote -+ * resources. Contains a path to a directory where the files are stored -+ * (defaults to NULL). - * @param callback used to notify user about download proceeds. This might be - * safely set to NULL -- ignoring user notification. 
- */ --OSCAP_API void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback); -+OSCAP_API void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback); - - /** - * Disable or allow loading of depending content (OVAL, SCE, CPE) -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index 85fcc90d23..990e40702b 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -87,7 +87,7 @@ struct xccdf_session { - } ds; - struct { - bool fetch_remote_resources; ///< Allows download of remote resources (not applicable when user sets custom oval files) -- bool use_local_file; ///< Use a locally downloaded copy of a remote resource if it exists -+ const char *local_files; ///< Path to the directory where local copies of remote components are located - download_progress_calllback_t progress; ///< Callback to report progress of download. - struct oval_content_resource **custom_resources;///< OVAL files required by user - struct oval_content_resource **resources;///< OVAL files referenced from XCCDF -@@ -103,7 +103,7 @@ struct xccdf_session { - char *arf_file; ///< Path to ARF file to export - char *xccdf_file; ///< Path to XCCDF file to export - char *xccdf_stig_viewer_file; ///< Path to STIG Viewer XCCDF file to export -- char *report_file; ///< Path to HTML file to eport -+ char *report_file; ///< Path to HTML file to export - bool oval_results; ///< Shall be the OVAL results files exported? - bool oval_variables; ///< Shall be the OVAL variable files exported? - bool check_engine_plugins_results; ///< Shall the check engine plugins results be exported? 
-@@ -628,7 +628,7 @@ static struct ds_sds_session *xccdf_session_get_ds_sds_session(struct xccdf_sess - } - - --void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, bool use_local_file, download_progress_calllback_t callback) -+void xccdf_session_configure_remote_resources(struct xccdf_session *session, bool allowed, const char *local_files, download_progress_calllback_t callback) - { - if (callback == NULL) { - // With empty cb we don't have to check for NULL -@@ -637,19 +637,19 @@ void xccdf_session_configure_remote_resources(struct xccdf_session *session, boo - } - - session->oval.fetch_remote_resources = allowed; -- session->oval.use_local_file = use_local_file; -+ session->oval.local_files = local_files; - session->oval.progress = callback; - - if (xccdf_session_is_sds(session)) { - // We have to propagate this option to allow loading - // of external datastream components -- ds_sds_session_configure_remote_resources(xccdf_session_get_ds_sds_session(session), allowed, use_local_file, callback); -+ ds_sds_session_configure_remote_resources(xccdf_session_get_ds_sds_session(session), allowed, local_files, callback); - } - } - - void xccdf_session_set_remote_resources(struct xccdf_session *session, bool allowed, download_progress_calllback_t callback) - { -- xccdf_session_configure_remote_resources(session, allowed, false, callback); -+ xccdf_session_configure_remote_resources(session, allowed, NULL, callback); - } - - void xccdf_session_set_loading_flags(struct xccdf_session *session, xccdf_session_loading_flags_t flags) -diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh -index 706f38c2bc..e4a1f0eedd 100755 ---- a/tests/DS/test_ds_use_local_remote_resources.sh -+++ b/tests/DS/test_ds_use_local_remote_resources.sh -@@ -11,12 +11,14 @@ set -x - PROFILE="xccdf_com.example.www_profile_test_remote_res" - result=$(mktemp) - stderr=$(mktemp) --tmpdir=$(mktemp -d) --cp 
"${srcdir}/ds_use_local_remote_resources/remote_content_1.3.ds.xml" "$tmpdir" --cp "${srcdir}/ds_use_local_remote_resources/remote.oval.xml" "$tmpdir" --pushd "$tmpdir" -- --$OSCAP xccdf eval --use-local-file --profile "$PROFILE" --results "$result" "remote_content_1.3.ds.xml" 2>"$stderr" || ret=$? -+tmpdir1=$(mktemp -d) -+tmpdir2=$(mktemp -d) -+tmpdir3=$(mktemp -d) -+cp "${srcdir}/ds_use_local_remote_resources/remote_content_1.3.ds.xml" "$tmpdir2" -+cp "${srcdir}/ds_use_local_remote_resources/remote.oval.xml" "$tmpdir3" -+pushd "$tmpdir1" -+ -+$OSCAP xccdf eval --local-files "$tmpdir3" --profile "$PROFILE" --results "$result" "$tmpdir2/remote_content_1.3.ds.xml" 2>"$stderr" || ret=$? - [ "$ret" = 2 ] - - grep -q "WARNING: Datastream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. Use '--fetch-remote-resources' option to download it." "$stderr" && false -@@ -30,10 +32,9 @@ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/r - - popd - rm -f "$result" "$stderr" --rm -rf "$tmpdir" -- -+rm -rf "$tmpdir1" "$tmpdir2" "$tmpdir3" - --# test the same without --use-local-file to make sure the $tmpdir/remote.oval.xml isn't loaded by oscap -+# test the same without --local-files to make sure the $tmpdir/remote.oval.xml isn't loaded by oscap - - result=$(mktemp) - stderr=$(mktemp) -diff --git a/utils/oscap-ds.c b/utils/oscap-ds.c -index 6a42724597..8207f097ec 100644 ---- a/utils/oscap-ds.c -+++ b/utils/oscap-ds.c -@@ -172,7 +172,8 @@ static struct oscap_module* DS_SUBMODULES[DS_SUBMODULES_NUM] = { - enum ds_opt { - DS_OPT_DATASTREAM_ID = 1, - DS_OPT_XCCDF_ID, -- DS_OPT_REPORT_ID -+ DS_OPT_REPORT_ID, -+ DS_OPT_LOCAL_FILES - }; - - bool getopt_ds(int argc, char **argv, struct oscap_action *action) { -@@ -187,7 +188,7 @@ bool getopt_ds(int argc, char **argv, struct oscap_action *action) { - {"xccdf-id", required_argument, NULL, DS_OPT_XCCDF_ID}, - {"report-id", 
required_argument, NULL, DS_OPT_REPORT_ID}, - {"fetch-remote-resources", no_argument, &action->remote_resources, 1}, -- {"use-local-file", no_argument, &action->use_local_file, 1}, -+ {"local-files", required_argument, NULL, DS_OPT_LOCAL_FILES}, - // end - {0, 0, 0, 0} - }; -@@ -199,6 +200,9 @@ bool getopt_ds(int argc, char **argv, struct oscap_action *action) { - case DS_OPT_DATASTREAM_ID: action->f_datastream_id = optarg; break; - case DS_OPT_XCCDF_ID: action->f_xccdf_id = optarg; break; - case DS_OPT_REPORT_ID: action->f_report_id = optarg; break; -+ case DS_OPT_LOCAL_FILES: -+ action->local_files = optarg; -+ break; - case 0: break; - default: return oscap_module_usage(action->module, stderr, NULL); - } -@@ -310,7 +314,7 @@ int app_ds_sds_split(const struct oscap_action *action) { - } - ds_sds_session_set_datastream_id(session, f_datastream_id); - -- ds_sds_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ ds_sds_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - ds_sds_session_set_target_dir(session, action->ds_action->target); - if (ds_sds_session_register_component_with_dependencies(session, "checklists", f_component_id, NULL) != 0) { - goto cleanup; -diff --git a/utils/oscap-info.c b/utils/oscap-info.c -index 01db5153b3..2e6f5003aa 100644 ---- a/utils/oscap-info.c -+++ b/utils/oscap-info.c -@@ -63,7 +63,7 @@ struct oscap_module OSCAP_INFO_MODULE = { - .usage = "some-file.xml", - .help = "Options:\n" - " --fetch-remote-resources - Download remote content referenced by data stream.\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --profile <id> - Show info of the profile with the given ID.\n" - " --profiles - Show profiles from the input file in the 
<id>:<title> format, one line per profile.\n", - .opt_parser = getopt_info, -@@ -532,7 +532,7 @@ static int app_info_sds(struct oscap_source *source, const struct oscap_action * - return OSCAP_ERROR; - } - -- ds_sds_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ ds_sds_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - - /* get collection */ - struct ds_sds_index *sds = ds_sds_session_get_sds_idx(session); -@@ -763,7 +763,7 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action) - /* Command-options */ - const struct option long_options[] = { - {"fetch-remote-resources", no_argument, &action->remote_resources, 1}, -- {"use-local-file", no_argument, &action->use_local_file, 1}, -+ {"local-files", required_argument, NULL, 'l'}, - {"profile", required_argument, 0, 'p'}, - {"profiles", no_argument, 0, 'n'}, - // end -@@ -781,6 +781,9 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action) - action->show_profiles_only = 1; - action->provide_machine_readable_output = 1; - break; -+ case 'l': -+ action->local_files = optarg; -+ break; - default: return oscap_module_usage(action->module, stderr, NULL); - } - } -diff --git a/utils/oscap-oval.c b/utils/oscap-oval.c -index 582a5695e3..3a206bb3c4 100644 ---- a/utils/oscap-oval.c -+++ b/utils/oscap-oval.c -@@ -116,7 +116,7 @@ static struct oscap_module OVAL_EVAL = { - " (only applicable for source data streams)\n" - " --fetch-remote-resources - Download remote content referenced by OVAL Definitions.\n" - " (only applicable for source data streams)\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n", -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n", - .opt_parser = getopt_oval_eval, - .func = app_evaluate_oval - }; -@@ -345,7 +345,7 @@ int 
app_evaluate_oval(const struct oscap_action *action) - /* set OVAL Variables */ - oval_session_set_variables(session, action->f_variables); - -- oval_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ oval_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - /* load all necesary OVAL Definitions and bind OVAL Variables if provided */ - if ((oval_session_load(session)) != 0) - goto cleanup; -@@ -500,7 +500,8 @@ enum oval_opt { - OVAL_OPT_DIRECTIVES, - OVAL_OPT_DATASTREAM_ID, - OVAL_OPT_OVAL_ID, -- OVAL_OPT_OUTPUT = 'o' -+ OVAL_OPT_OUTPUT = 'o', -+ OVAL_OPT_LOCAL_FILES - }; - - #if defined(OVAL_PROBES_ENABLED) -@@ -521,7 +522,7 @@ bool getopt_oval_eval(int argc, char **argv, struct oscap_action *action) - { "skip-valid", no_argument, &action->validate, 0 }, - { "skip-validation", no_argument, &action->validate, 0 }, - { "fetch-remote-resources", no_argument, &action->remote_resources, 1}, -- { "use-local-file", no_argument, &action->use_local_file, 1}, -+ { "local-files", required_argument, NULL, OVAL_OPT_LOCAL_FILES}, - { 0, 0, 0, 0 } - }; - -@@ -535,6 +536,9 @@ bool getopt_oval_eval(int argc, char **argv, struct oscap_action *action) - case OVAL_OPT_DIRECTIVES: action->f_directives = optarg; break; - case OVAL_OPT_DATASTREAM_ID: action->f_datastream_id = optarg; break; - case OVAL_OPT_OVAL_ID: action->f_oval_id = optarg; break; -+ case OVAL_OPT_LOCAL_FILES: -+ action->local_files = optarg; -+ break; - case 0: break; - default: return oscap_module_usage(action->module, stderr, NULL); - } -diff --git a/utils/oscap-tool.h b/utils/oscap-tool.h -index a3b8781b27..c0596f3e60 100644 ---- a/utils/oscap-tool.h -+++ b/utils/oscap-tool.h -@@ -174,7 +174,7 @@ struct oscap_action { - int list_dynamic; - char *verbosity_level; - char *fix_type; -- int use_local_file; -+ char *local_files; - }; - - int app_xslt(const char *infile, const 
char *xsltfile, const char *outfile, const char **params); -diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c -index ef2768bdef..54b8df5467 100644 ---- a/utils/oscap-xccdf.c -+++ b/utils/oscap-xccdf.c -@@ -129,7 +129,7 @@ static struct oscap_module XCCDF_EXPORT_OVAL_VARIABLES = { - " --skip-valid - Skip validation.\n" - " --skip-validation\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --datastream-id <id> - ID of the data stream in the collection to use.\n" - " (only applicable for source data streams)\n" - " --xccdf-id <id> - ID of component-ref with XCCDF in the data stream that should be evaluated.\n" -@@ -172,7 +172,7 @@ static struct oscap_module XCCDF_EVAL = { - " (only applicable for source data streams)\n" - " --enforce-signature - Process only signed data streams.\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --progress - Switch to sparse output suitable for progress reporting.\n" - " Format is \"$rule_id:$result\\n\".\n" - " --datastream-id <id> - ID of the data stream in the collection to use.\n" -@@ -201,7 +201,7 @@ static struct oscap_module XCCDF_REMEDIATE = { - " --cpe <name> - Use given CPE dictionary or language (autodetected)\n" - " for applicability checks.\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --results <file> - 
Write XCCDF Results into file.\n" - " --results-arf <file> - Write ARF (result data stream) into file.\n" - " --stig-viewer <file> - Writes XCCDF results into FILE in a format readable by DISA STIG Viewer\n" -@@ -576,7 +576,7 @@ int app_evaluate_xccdf(const struct oscap_action *action) - if (action->tailoring_file != NULL) - xccdf_session_set_user_tailoring_file(session, action->tailoring_file); - xccdf_session_set_user_tailoring_cid(session, action->tailoring_id); -- xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - xccdf_session_set_custom_oval_files(session, action->f_ovals); - xccdf_session_set_product_cpe(session, OSCAP_PRODUCTNAME); - xccdf_session_set_rule(session, action->rule); -@@ -681,7 +681,7 @@ static int app_xccdf_export_oval_variables(const struct oscap_action *action) - xccdf_session_set_benchmark_id(session, action->f_benchmark_id); - } - xccdf_session_set_user_cpe(session, action->cpe); -- xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - xccdf_session_set_custom_oval_files(session, action->f_ovals); - xccdf_session_set_custom_oval_eval_fn(session, resolve_variables_wrapper); - -@@ -724,7 +724,7 @@ int app_xccdf_remediate(const struct oscap_action *action) - goto cleanup; - xccdf_session_set_validation(session, action->validate, getenv("OSCAP_FULL_VALIDATION") != NULL); - xccdf_session_set_user_cpe(session, action->cpe); -- xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ xccdf_session_configure_remote_resources(session, action->remote_resources, 
action->local_files, download_reporting_callback); - xccdf_session_set_custom_oval_files(session, action->f_ovals); - - if (xccdf_session_load(session) != 0) -@@ -940,7 +940,7 @@ int app_generate_fix(const struct oscap_action *action) - xccdf_session_set_signature_validation(session, action->validate_signature); - xccdf_session_set_signature_enforcement(session, action->enforce_signature); - xccdf_session_set_user_cpe(session, action->cpe); -- xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - xccdf_session_set_custom_oval_files(session, action->f_ovals); - xccdf_session_set_user_tailoring_file(session, action->tailoring_file); - xccdf_session_set_user_tailoring_cid(session, action->tailoring_id); -@@ -1015,7 +1015,7 @@ int app_generate_guide(const struct oscap_action *action) - xccdf_session_set_validation(session, action->validate, getenv("OSCAP_FULL_VALIDATION") != NULL); - xccdf_session_set_signature_validation(session, action->validate_signature); - xccdf_session_set_signature_enforcement(session, action->enforce_signature); -- xccdf_session_configure_remote_resources(session, action->remote_resources, action->use_local_file, download_reporting_callback); -+ xccdf_session_configure_remote_resources(session, action->remote_resources, action->local_files, download_reporting_callback); - xccdf_session_set_user_tailoring_file(session, action->tailoring_file); - xccdf_session_set_user_tailoring_cid(session, action->tailoring_id); - if (xccdf_session_is_sds(session)) { -@@ -1128,7 +1128,8 @@ enum oval_opt { - XCCDF_OPT_CPE_DICT, - XCCDF_OPT_OUTPUT = 'o', - XCCDF_OPT_RESULT_ID = 'i', -- XCCDF_OPT_FIX_TYPE -+ XCCDF_OPT_FIX_TYPE, -+ XCCDF_OPT_LOCAL_FILES - }; - - bool getopt_xccdf(int argc, char **argv, struct oscap_action *action) -@@ -1160,6 +1161,7 @@ bool 
getopt_xccdf(int argc, char **argv, struct oscap_action *action) - {"cpe-dict", required_argument, NULL, XCCDF_OPT_CPE_DICT}, // DEPRECATED! - {"sce-template", required_argument, NULL, XCCDF_OPT_SCE_TEMPLATE}, - {"fix-type", required_argument, NULL, XCCDF_OPT_FIX_TYPE}, -+ {"local-files", required_argument, NULL, XCCDF_OPT_LOCAL_FILES}, - // flags - {"force", no_argument, &action->force, 1}, - {"oval-results", no_argument, &action->oval_results, 1}, -@@ -1169,7 +1171,6 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action) - {"skip-signature-validation", no_argument, &action->validate_signature, 0}, - {"enforce-signature", no_argument, &action->enforce_signature, 1}, - {"fetch-remote-resources", no_argument, &action->remote_resources, 1}, -- {"use-local-file", no_argument, &action->use_local_file, 1}, - {"progress", no_argument, &action->progress, 1}, - {"remediate", no_argument, &action->remediate, 1}, - {"hide-profile-info", no_argument, &action->hide_profile_info, 1}, -@@ -1215,6 +1216,9 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action) - case XCCDF_OPT_FIX_TYPE: - action->fix_type = optarg; - break; -+ case XCCDF_OPT_LOCAL_FILES: -+ action->local_files = optarg; -+ break; - case 0: break; - default: return oscap_module_usage(action->module, stderr, NULL); - } -diff --git a/utils/oscap.8 b/utils/oscap.8 -index 8dcb9ca330..4f5f6259e3 100644 ---- a/utils/oscap.8 -+++ b/utils/oscap.8 -@@ -72,9 +72,9 @@ For XCCDF or SCAP source data stream files, the info module prints out IDs of in - Allow download of remote components referenced from data stream. - .RE - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - .RS --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. 
In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - \fB\-\-profile PROFILE\fR -@@ -206,9 +206,9 @@ Process only digitally signed SCAP source data streams. Data streams without a s - Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href. - .RE - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - .RS --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - \fB\-\-remediate\fR -@@ -236,9 +236,9 @@ Do not validate input/output files. - Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href. 
- .RE - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - .RS --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - \fB\-\-cpe CPE_FILE\fR -@@ -318,7 +318,7 @@ Select a particular profile from XCCDF document. - Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href. - .RE - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - .RS - Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE -@@ -498,7 +498,7 @@ Do not validate input/output files. - \fB\-\-fetch-remote-resources\fR - Allow download of remote components referenced from data stream. - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. 
In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - -@@ -662,7 +662,7 @@ Do not validate input/output files. - \fB\-\-fetch-remote-resources\fR - Allow download of remote components referenced from data stream. - .TP --\fB\-\-use-local-file\fR -+\fB\-\-local-files DIRECTORY\fR - Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - -From 6732eb94fb6f4606be388e27c347a882917dfb3f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 23 Jul 2021 12:58:33 +0200 -Subject: [PATCH 04/10] Show a warning - -When --local-files is used but the file which is expected to be -loaded instead of the remote data stream component doesn't exist -we will print a warning so that the user is informed and he would -know what file is expected. - -Also added a simple test to test the aforementioned warning scenario. 
---- - src/DS/sds.c | 7 ++++- - .../DS/test_ds_use_local_remote_resources.sh | 26 ++++++++++++++++++- - 2 files changed, 31 insertions(+), 2 deletions(-) - -diff --git a/src/DS/sds.c b/src/DS/sds.c -index 365ae96987..a6e7b27ac9 100644 ---- a/src/DS/sds.c -+++ b/src/DS/sds.c -@@ -451,7 +451,12 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x - free(local_filepath); - return 0; - } else { -- dW("Can't use local file '%s' instead of '%s'", local_filepath, xlink_href); -+ ds_sds_session_remote_resources_progress(session)(true, -+ "WARNING: Data stream component '%s' points out to the remote '%s'. " \ -+ "The option --local-files '%s' has been provided, but the file '%s' can't be used locally: %s.\n", -+ cref_id, url, local_files, local_filepath, strerror(errno)); -+ free(local_filepath); -+ return -2; - } - free(local_filepath); - } -diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh -index e4a1f0eedd..789dc8326c 100755 ---- a/tests/DS/test_ds_use_local_remote_resources.sh -+++ b/tests/DS/test_ds_use_local_remote_resources.sh -@@ -9,6 +9,7 @@ set -x - . 
$builddir/tests/test_common.sh - - PROFILE="xccdf_com.example.www_profile_test_remote_res" -+ - result=$(mktemp) - stderr=$(mktemp) - tmpdir1=$(mktemp -d) -@@ -55,4 +56,27 @@ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/r - - popd - rm -f "$result" "$stderr" --rm -rf "$tmpdir" -\ No newline at end of file -+rm -rf "$tmpdir" -+ -+# test that a warning is shown when --local-files is provided but the file doesn't exist -+result=$(mktemp) -+stderr=$(mktemp) -+tmpdir1=$(mktemp -d) -+tmpdir2=$(mktemp -d) -+tmpdir3=$(mktemp -d) -+cp "${srcdir}/ds_use_local_remote_resources/remote_content_1.3.ds.xml" "$tmpdir2" -+pushd "$tmpdir1" -+ -+# $tmpdir3 is empty, it doesn't contain any content -+$OSCAP xccdf eval --local-files "$tmpdir3" --profile "$PROFILE" --results "$result" "$tmpdir2/remote_content_1.3.ds.xml" 2>"$stderr" || ret=$? -+[ "$ret" = 2 ] -+ -+grep -q "WARNING: Data stream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. The option --local-files '$tmpdir3' has been provided, but the file '$tmpdir3/remote.oval.xml' can't be used locally: No such file or directory." 
"$stderr" -+ -+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]' -+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]' -+assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]' -+ -+popd -+rm -f "$result" "$stderr" -+rm -rf "$tmpdir1" "$tmpdir2" "$tmpdir3" - -From 34ebf46a84a9bd4d9727739c514faaf0e41858ac Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 23 Jul 2021 17:07:44 +0200 -Subject: [PATCH 05/10] Update bash completion - -with --local-files ---- - dist/bash_completion.d/oscap | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/dist/bash_completion.d/oscap b/dist/bash_completion.d/oscap -index 030c250ebe..329f0736e3 100644 ---- a/dist/bash_completion.d/oscap -+++ b/dist/bash_completion.d/oscap -@@ -27,14 +27,14 @@ function _oscap { - local -A opts=() - opts[oscap]="--version --quiet --help -V -q -h" - opts[oscap:oval:validate]="--version --definitions --variables --syschar --results --directives --skip-schematron" -- opts[oscap:oval:eval]="--datastream-id --oval-id --id --variables --directives --without-syschar --results --report --skip-valid --skip-validation --fetch-remote-resources --verbose --verbose-log-file" -+ opts[oscap:oval:eval]="--datastream-id --oval-id --id --variables --directives --without-syschar --results --report --skip-valid --skip-validation --fetch-remote-resources --local-files --verbose --verbose-log-file" - opts[oscap:oval:analyse]="--variables --directives --verbose --verbose-log-file --skip-valid --skip-validation" - opts[oscap:oval:collect]="--id --syschar --skip-valid --skip-validation --variables --verbose --verbose-log-file" - opts[oscap:oval:generate:report]="-o --output" -- opts[oscap:xccdf:eval]="--benchmark-id --check-engine-results --cpe --datastream-id --enforce-signature 
--export-variables --fetch-remote-resources --oval-results --profile --progress --remediate --report --results --results-arf --rule --skip-valid --skip-validation --skip-signature-validation --stig-viewer --tailoring-file --tailoring-id --thin-results --verbose --verbose-log-file --without-syschar --xccdf-id"
-+ opts[oscap:xccdf:eval]="--benchmark-id --check-engine-results --cpe --datastream-id --enforce-signature --export-variables --fetch-remote-resources --local-files --oval-results --profile --progress --remediate --report --results --results-arf --rule --skip-valid --skip-validation --skip-signature-validation --stig-viewer --tailoring-file --tailoring-id --thin-results --verbose --verbose-log-file --without-syschar --xccdf-id"
- opts[oscap:xccdf:validate]="--skip-schematron"
-- opts[oscap:xccdf:export-oval-variables]="--datastream-id --xccdf-id --profile --skip-valid --skip-validation --fetch-remote-resources --cpe"
-- opts[oscap:xccdf:remediate]="--result-id --skip-valid --skip-validation --fetch-remote-resources --results --results-arf --report --oval-results --export-variables --cpe --check-engine-results --progress"
-+ opts[oscap:xccdf:export-oval-variables]="--datastream-id --xccdf-id --profile --skip-valid --skip-validation --fetch-remote-resources --local-files --cpe"
-+ opts[oscap:xccdf:remediate]="--result-id --skip-valid --skip-validation --fetch-remote-resources --local-files --results --results-arf --report --oval-results --export-variables --cpe --check-engine-results --progress"
- opts[oscap:xccdf:resolve]="-o --output -f --force"
- opts[oscap:xccdf:generate]="--profile"
- opts[oscap:xccdf:generate:report]="-o --output --result-id --profile --oval-template --sce-template"
-@@ -43,12 +43,12 @@ function _oscap {
- opts[oscap:xccdf:generate:custom]="-o --output --stylesheet"
- opts[oscap:ds:sds-add]="--datastream-id --skip-valid --skip-validation"
- opts[oscap:ds:sds-compose]="--skip-valid --skip-validation"
-- opts[oscap:ds:sds-split]="--datastream-id --xccdf-id --skip-valid --skip-validation --fetch-remote-resources"
-+ opts[oscap:ds:sds-split]="--datastream-id --xccdf-id --skip-valid --skip-validation --fetch-remote-resources --local-files"
- opts[oscap:ds:rds-create]="--skip-valid --skip-validation"
- opts[oscap:ds:rds-split]="--report-id --skip-valid --skip-validation"
- opts[oscap:cvss:score]=""
- opts[oscap:cvss:describe]=""
-- opts[oscap:info]="--fetch-remote-resources --profile --profiles"
-+ opts[oscap:info]="--fetch-remote-resources --local-files --profile --profiles"
- 
- # local variables
- local std cmd i prev
- 
-From 66ae271966405596b156bca13e6ca41dc118564b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Fri, 23 Jul 2021 17:08:17 +0200
-Subject: [PATCH 06/10] Support local remote files in wrappers
-
-This adds --local-files to oscap-chroot, oscap-ssh and oscap-vm.
-
-In oscap-ssh we need to copy the files to the remote machine, which
-is a similar thing that we do with tailoring and other files.
---- - utils/oscap-chroot | 1 + - utils/oscap-chroot.8 | 1 + - utils/oscap-ssh | 17 +++++++++++++++++ - utils/oscap-ssh.8 | 1 + - utils/oscap-vm | 1 + - utils/oscap-vm.8 | 1 + - 6 files changed, 22 insertions(+) - -diff --git a/utils/oscap-chroot b/utils/oscap-chroot -index c1e35aa652..57ec66c428 100755 ---- a/utils/oscap-chroot -+++ b/utils/oscap-chroot -@@ -53,6 +53,7 @@ function usage() - echo " --skip-valid" - echo " --skip-validation" - echo " --fetch-remote-resources" -+ echo " --local-files" - echo " --progress" - echo " --datastream-id" - echo " --xccdf-id" -diff --git a/utils/oscap-chroot.8 b/utils/oscap-chroot.8 -index d0c75c68e3..e02dd8dbea 100644 ---- a/utils/oscap-chroot.8 -+++ b/utils/oscap-chroot.8 -@@ -23,6 +23,7 @@ supported oscap xccdf eval options are: - --skip-valid - --skip-validation - --fetch-remote-resources -+ --local-files - --progress - --datastream-id - --xccdf-id -diff --git a/utils/oscap-ssh b/utils/oscap-ssh -index f428f99a8e..120d4ae8c6 100755 ---- a/utils/oscap-ssh -+++ b/utils/oscap-ssh -@@ -54,6 +54,7 @@ function usage() - echo " --skip-valid" - echo " --skip-validation" - echo " --fetch-remote-resources" -+ echo " --local-files" - echo " --progress" - echo " --datastream-id" - echo " --xccdf-id" -@@ -110,6 +111,12 @@ function scp_copy_to_temp_dir { - scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$1" "$SSH_HOST:$REMOTE_TEMP_DIR/$2" - } - -+# $1: Local directory name to copy -+# $2: Remote destination -+function scp_copy_dir_to_temp_dir { -+ scp -r -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$1" "$SSH_HOST:$REMOTE_TEMP_DIR/$2" -+} -+ - # $1: Remote filename to get - # $2: Local destination - function scp_retreive_from_temp_dir { -@@ -196,6 +203,7 @@ oscap_args=("$@") - - LOCAL_CONTENT_PATH="" - LOCAL_TAILORING_PATH="" -+LOCAL_LOCAL_FILES_PATH="" - LOCAL_CPE_PATH="" - LOCAL_VARIABLES_PATH="" - LOCAL_DIRECTIVES_PATH="" -@@ -214,6 +222,10 @@ for i in $(seq 0 `expr $# - 1`); do 
- LOCAL_TAILORING_PATH=${oscap_args[j]} - oscap_args[j]="$REMOTE_TEMP_DIR/tailoring.xml" - ;; -+ ("--local-files") -+ LOCAL_LOCAL_FILES_PATH=${oscap_args[j]} -+ oscap_args[j]="$REMOTE_TEMP_DIR/local_files" -+ ;; - ("--cpe") - LOCAL_CPE_PATH=${oscap_args[j]} - oscap_args[j]="$REMOTE_TEMP_DIR/cpe.xml" -@@ -258,6 +270,7 @@ fi - - [ "$LOCAL_CONTENT_PATH" == "" ] || [ -f "$LOCAL_CONTENT_PATH" ] || die "Expected the last argument to be an input file, '$LOCAL_CONTENT_PATH' isn't a valid file path or the file doesn't exist!" - [ "$LOCAL_TAILORING_PATH" == "" ] || [ -f "$LOCAL_TAILORING_PATH" ] || die "Tailoring file path '$LOCAL_TAILORING_PATH' isn't a valid file path or the file doesn't exist!" -+[ "$LOCAL_LOCAL_FILES_PATH" == "" ] || [ -d "$LOCAL_LOCAL_FILES_PATH" ] || die "Directory '$LOCAL_LOCAL_FILES_PATH' isn't a valid directory path or the directory doesn't exist!" - [ "$LOCAL_CPE_PATH" == "" ] || [ -f "$LOCAL_CPE_PATH" ] || die "CPE file path '$LOCAL_CPE_PATH' isn't a valid file path or the file doesn't exist!" - [ "$LOCAL_VARIABLES_PATH" == "" ] || [ -f "$LOCAL_VARIABLES_PATH" ] || die "OVAL variables file path '$LOCAL_VARIABLES_PATH' isn't a valid file path or the file doesn't exist!" - [ "$LOCAL_DIRECTIVES_PATH" == "" ] || [ -f "$LOCAL_DIRECTIVES_PATH" ] || die "OVAL directives file path '$LOCAL_DIRECTIVES_PATH' isn't a valid file path or the file doesn't exist!" -@@ -270,6 +283,10 @@ if [ "$LOCAL_TAILORING_PATH" != "" ]; then - echo "Copying tailoring file '$LOCAL_TAILORING_PATH' to remote working directory '$REMOTE_TEMP_DIR'..." - scp_copy_to_temp_dir "$LOCAL_TAILORING_PATH" tailoring.xml || die "Failed to copy tailoring file to remote temporary directory!" - fi -+if [ "$LOCAL_LOCAL_FILES_PATH" != "" ]; then -+ echo "Copying directory '$LOCAL_LOCAL_FILES_PATH' to remote working directory '$REMOTE_TEMP_DIR'..." 
-+ scp_copy_dir_to_temp_dir "$LOCAL_LOCAL_FILES_PATH" local_files || die "Failed to copy directory $LOCAL_LOCAL_FILES_PATH to remote temporary directory!" -+fi - if [ "$LOCAL_CPE_PATH" != "" ]; then - echo "Copying CPE file '$LOCAL_CPE_PATH' to remote working directory '$REMOTE_TEMP_DIR'..." - scp_copy_to_temp_dir "$LOCAL_CPE_PATH" cpe.xml || die "Failed to copy CPE file to remote temporary directory!" -diff --git a/utils/oscap-ssh.8 b/utils/oscap-ssh.8 -index f64855829a..416b1f3e58 100644 ---- a/utils/oscap-ssh.8 -+++ b/utils/oscap-ssh.8 -@@ -29,6 +29,7 @@ Supported options are: - --skip-valid - --skip-validation - --fetch-remote-resources -+ --local-files - --progress - --datastream-id - --xccdf-id -diff --git a/utils/oscap-vm b/utils/oscap-vm -index 1a9d6b3bf6..e7ae6e2600 100755 ---- a/utils/oscap-vm -+++ b/utils/oscap-vm -@@ -51,6 +51,7 @@ function usage() - echo " --skip-valid" - echo " --skip-validation" - echo " --fetch-remote-resources" -+ echo " --local-files" - echo " --progress" - echo " --datastream-id" - echo " --xccdf-id" -diff --git a/utils/oscap-vm.8 b/utils/oscap-vm.8 -index a335725e5e..b7276c1128 100644 ---- a/utils/oscap-vm.8 -+++ b/utils/oscap-vm.8 -@@ -65,6 +65,7 @@ Supported oscap xccdf eval options are: - \-\-skip-valid - \-\-skip-validation - \-\-fetch-remote-resources -+ \-\-local-files - \-\-progress - \-\-datastream-id <id> - \-\-xccdf-id <id> - -From cac289e1d15cd8f3bde64b94563ed1dcf34652bb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 23 Jul 2021 17:18:55 +0200 -Subject: [PATCH 07/10] Fix the value to use a correct type - ---- - src/DS/ds_sds_session.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c -index 99f4bc20fd..3a720e8131 100644 ---- a/src/DS/ds_sds_session.c -+++ b/src/DS/ds_sds_session.c -@@ -347,7 +347,7 @@ void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, b - - void 
ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback)
- {
-- ds_sds_session_configure_remote_resources(session, allowed, false, callback);
-+ ds_sds_session_configure_remote_resources(session, allowed, NULL, callback);
- }
- 
- const char *ds_sds_session_local_files(struct ds_sds_session *session)
-
-From e4e6732ffd23b408c0bf08eea91c406434bd4ec6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Fri, 23 Jul 2021 17:36:36 +0200
-Subject: [PATCH 08/10] Refactor: Extract function _handle_disabled_downloads
-
----
- src/DS/sds.c | 122 ++++++++++++++++++++++++++-------------------------
- 1 file changed, 63 insertions(+), 59 deletions(-)
-
-diff --git a/src/DS/sds.c b/src/DS/sds.c
-index a6e7b27ac9..530e3ad9fa 100644
---- a/src/DS/sds.c
-+++ b/src/DS/sds.c
-@@ -371,6 +371,66 @@ static char *compose_target_filename_dirname(const char *relative_filepath, cons
- return target_filename_dirname;
- }
- 
-+static int _handle_disabled_downloads(struct ds_sds_session *session, const char *relative_filepath, const char *xlink_href, const char *component_id, const char *target_filename_dirname, const char *cref_id, const char *url)
-+{
-+ /*
-+ * If fetching remote resources isn't allowed by the user let's take a look
-+ * whether there exists a file whose file name is equal to @name attribute
-+ * of the uri element within the catalog of the previously processed
-+ * component-ref which pointed us to the currently processed component-ref.
-+ * Note that the @name attribute value has been passed as relative_filepath
-+ * in the recursive call of ds_sds_dump_component_ref_as. If such file
-+ * exists, we will assume that it's a local copy of the remote component
-+ * located at the URL defined in @xlink:href. This way people can provide
-+ * the previously downloaded component which might be useful on systems with
-+ * limited internet access. 
This behavior is allowed only when --local-files -+ * is used on the command line. -+ * See: https://bugzilla.redhat.com/show_bug.cgi?id=1970527 -+ * See: https://access.redhat.com/solutions/5185891 -+ */ -+ const char *local_files = ds_sds_session_local_files(session); -+ if (local_files == NULL) { -+ static bool fetch_remote_resources_suggested = false; -+ if (!fetch_remote_resources_suggested) { -+ fetch_remote_resources_suggested = true; -+ ds_sds_session_remote_resources_progress(session)(true, -+ "WARNING: Datastream component '%s' points out to the remote '%s'. Use '--fetch-remote-resources' option to download it.\n", -+ cref_id, url); -+ } -+ -+ ds_sds_session_remote_resources_progress(session)(true, -+ "WARNING: Skipping '%s' file which is referenced from datastream\n", -+ url); -+ // -2 means that remote resources were not downloaded -+ return -2; -+ } -+ char *local_filepath = oscap_path_join(local_files, relative_filepath); -+ struct stat sb; -+ if (stat(local_filepath, &sb) == 0) { -+ dI("Using local file '%s' instead of '%s'", local_filepath, xlink_href); -+ struct oscap_source *source_file = oscap_source_new_from_file(local_filepath); -+ xmlDoc *doc = oscap_source_get_xmlDoc(source_file); -+ if (doc == NULL) { -+ free(local_filepath); -+ return -1; -+ } -+ xmlNodePtr inner_root = ds_sds_get_component_root_by_id(doc, component_id); -+ -+ if (ds_sds_register_component(session, doc, inner_root, component_id, target_filename_dirname, relative_filepath) != 0) { -+ free(local_filepath); -+ return -1; -+ } -+ free(local_filepath); -+ return 0; -+ } -+ ds_sds_session_remote_resources_progress(session)(true, -+ "WARNING: Data stream component '%s' points out to the remote '%s'. 
" \ -+ "The option --local-files '%s' has been provided, but the file '%s' can't be used locally: %s.\n", -+ cref_id, url, local_files, local_filepath, strerror(errno)); -+ free(local_filepath); -+ return -2; -+} -+ - static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* xlink_href, char *target_filename_dirname, const char* relative_filepath, char* cref_id, char **component_id) - { - if (!xlink_href || strlen(xlink_href) < 2) -@@ -413,65 +473,9 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x - } - - if (!ds_sds_session_fetch_remote_resources(session)) { -- /* -- * If fetching remote resources isn't allowed by the user let's take -- * a look whether there exists a file whose file name is equal to -- * @name attribute of the uri element within the catalog of the -- * previously processed component-ref which pointed us to the -- * currently processed component-ref. Note that the @name attribute -- * value has been passed as relative_filepath in the recursive call -- * of ds_sds_dump_component_ref_as. If such file exists, we will -- * assume that it's a local copy of the remote component located at -- * the URL defined in @xlink:href. This way people can provide the -- * previously downloaded component which might be useful on systems -- * with limited internet access. This behavior is allowed only when -- * --local-files is used on the command line. 
-- * See: https://bugzilla.redhat.com/show_bug.cgi?id=1970527 -- * See: https://access.redhat.com/solutions/5185891 -- */ -- const char *local_files = ds_sds_session_local_files(session); -- if (local_files != NULL) { -- char *local_filepath = oscap_path_join(local_files, relative_filepath); -- struct stat sb; -- if (stat(local_filepath, &sb) == 0) { -- //if (ds_sds_session_can_use_local_file(session)) { -- dI("Using local file '%s' instead of '%s'", local_filepath, xlink_href); -- struct oscap_source *source_file = oscap_source_new_from_file(local_filepath); -- xmlDoc *doc = oscap_source_get_xmlDoc(source_file); -- if (doc == NULL) { -- free(local_filepath); -- return -1; -- } -- xmlNodePtr inner_root = ds_sds_get_component_root_by_id(doc, *component_id); -- -- if (ds_sds_register_component(session, doc, inner_root, *component_id, target_filename_dirname, relative_filepath) != 0) { -- free(local_filepath); -- return -1; -- } -- free(local_filepath); -- return 0; -- } else { -- ds_sds_session_remote_resources_progress(session)(true, -- "WARNING: Data stream component '%s' points out to the remote '%s'. " \ -- "The option --local-files '%s' has been provided, but the file '%s' can't be used locally: %s.\n", -- cref_id, url, local_files, local_filepath, strerror(errno)); -- free(local_filepath); -- return -2; -- } -- free(local_filepath); -- } -- -- static bool fetch_remote_resources_suggested = false; -- -- if (!fetch_remote_resources_suggested) { -- fetch_remote_resources_suggested = true; -- ds_sds_session_remote_resources_progress(session)(true, "WARNING: Datastream component '%s' points out to the remote '%s'. 
" -- "Use '--fetch-remote-resources' option to download it.\n", cref_id, url); -- } -- -- ds_sds_session_remote_resources_progress(session)(true, "WARNING: Skipping '%s' file which is referenced from datastream\n", url); -- // -2 means that remote resources were not downloaded -- return -2; -+ return _handle_disabled_downloads( -+ session, relative_filepath, xlink_href, *component_id, -+ target_filename_dirname, cref_id, url); - } - - return ds_dsd_dump_remote_component(url, *component_id, session, target_filename_dirname, relative_filepath); - -From 9cb39894484e6bdccc235e4138af6447ffc5ee4b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Mon, 26 Jul 2021 16:03:18 +0200 -Subject: [PATCH 09/10] Fix indentation and typos - ---- - utils/oscap-ds.c | 2 +- - utils/oscap-info.c | 2 +- - utils/oscap-oval.c | 2 +- - utils/oscap-xccdf.c | 6 +++--- - 4 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/utils/oscap-ds.c b/utils/oscap-ds.c -index 8207f097ec..5f9863414b 100644 ---- a/utils/oscap-ds.c -+++ b/utils/oscap-ds.c -@@ -83,7 +83,7 @@ static struct oscap_module DS_SDS_SPLIT_MODULE = { - " --skip-valid - Skips validating of given XCCDF.\n" - " --skip-validation\n" - " --fetch-remote-resources - Download remote content referenced by data stream.\n" -- " --use-local-file - Use a locally downloaded copy of the remote resource if it exists.\n", -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n", - .opt_parser = getopt_ds, - .func = app_ds_sds_split - }; -diff --git a/utils/oscap-info.c b/utils/oscap-info.c -index 2e6f5003aa..721596a528 100644 ---- a/utils/oscap-info.c -+++ b/utils/oscap-info.c -@@ -63,7 +63,7 @@ struct oscap_module OSCAP_INFO_MODULE = { - .usage = "some-file.xml", - .help = "Options:\n" - " --fetch-remote-resources - Download remote content referenced by data stream.\n" -- " --local-files <dir> - Use locally downloaded copies of remote 
resources stored in the given directory.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --profile <id> - Show info of the profile with the given ID.\n" - " --profiles - Show profiles from the input file in the <id>:<title> format, one line per profile.\n", - .opt_parser = getopt_info, -diff --git a/utils/oscap-oval.c b/utils/oscap-oval.c -index 3a206bb3c4..da1b1aad86 100644 ---- a/utils/oscap-oval.c -+++ b/utils/oscap-oval.c -@@ -116,7 +116,7 @@ static struct oscap_module OVAL_EVAL = { - " (only applicable for source data streams)\n" - " --fetch-remote-resources - Download remote content referenced by OVAL Definitions.\n" - " (only applicable for source data streams)\n" -- " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n", -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n", - .opt_parser = getopt_oval_eval, - .func = app_evaluate_oval - }; -diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c -index 54b8df5467..a7870c4281 100644 ---- a/utils/oscap-xccdf.c -+++ b/utils/oscap-xccdf.c -@@ -129,7 +129,7 @@ static struct oscap_module XCCDF_EXPORT_OVAL_VARIABLES = { - " --skip-valid - Skip validation.\n" - " --skip-validation\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --datastream-id <id> - ID of the data stream in the collection to use.\n" - " (only applicable for source data streams)\n" - " --xccdf-id <id> - ID of component-ref with XCCDF in the data stream that should be evaluated.\n" -@@ -172,7 +172,7 @@ static struct oscap_module XCCDF_EVAL = { - " (only applicable for source data streams)\n" - " --enforce-signature - 
Process only signed data streams.\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --progress - Switch to sparse output suitable for progress reporting.\n" - " Format is \"$rule_id:$result\\n\".\n" - " --datastream-id <id> - ID of the data stream in the collection to use.\n" -@@ -201,7 +201,7 @@ static struct oscap_module XCCDF_REMEDIATE = { - " --cpe <name> - Use given CPE dictionary or language (autodetected)\n" - " for applicability checks.\n" - " --fetch-remote-resources - Download remote content referenced by XCCDF.\n" -- " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" -+ " --local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.\n" - " --results <file> - Write XCCDF Results into file.\n" - " --results-arf <file> - Write ARF (result data stream) into file.\n" - " --stig-viewer <file> - Writes XCCDF results into FILE in a format readable by DISA STIG Viewer\n" - -From 7187e2a1e49927884d80702c2e3e6a796996277b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Mon, 26 Jul 2021 16:19:49 +0200 -Subject: [PATCH 10/10] Update description in man page - ---- - utils/oscap.8 | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/utils/oscap.8 b/utils/oscap.8 -index 4f5f6259e3..dcfa3d0c2f 100644 ---- a/utils/oscap.8 -+++ b/utils/oscap.8 -@@ -320,7 +320,7 @@ Allow download of remote OVAL content referenced from XCCDF by check-content-ref - .TP - \fB\-\-local-files DIRECTORY\fR - .RS --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. 
In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - \fB\-\-skip-valid\fR, \fB\-\-skip-validation\fR -@@ -499,7 +499,7 @@ Do not validate input/output files. - Allow download of remote components referenced from data stream. - .TP - \fB\-\-local-files DIRECTORY\fR --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - - .TP -@@ -663,7 +663,7 @@ Do not validate input/output files. - Allow download of remote components referenced from data stream. - .TP - \fB\-\-local-files DIRECTORY\fR --Instead of downloading remote data stream components from the network, use a data stream component stored locally in a file. 
In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. -+Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists. - .RE - .TP - .B \fBsds-validate\fR SOURCE_DS diff --git a/SOURCES/openscap-1.3.6-memory-limit-pr-1827.patch b/SOURCES/openscap-1.3.6-memory-limit-pr-1827.patch deleted file mode 100644 index 32e0280..0000000 --- a/SOURCES/openscap-1.3.6-memory-limit-pr-1827.patch +++ /dev/null 
@@ -1,242 +0,0 @@ -From a7a0c4a3f528594bb3181174b6986e9c50a684b4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Mon, 30 Aug 2021 15:44:37 +0200 -Subject: [PATCH 1/3] Lower memory limits and improve their checking - -This patch attempts to mitigate problems caused by a large amount of -collected objects such as rhbz#1932833. - -Specifically, these changes are made: -- Lower the threshold so that the amount of used memory is checked when - only 1000 items are collected for the given OVAL object. That's - because 32768 items (the original value) is already a large amount which - occupies a lot of memory during further processing. -- Lower the memory usage ratio limit for the probe to 10 %. We have - found experimentally that giving the probe 15 % or more will cause the - oscap process to be killed when processing the collected data and - generating results. -- In the calling function probe_item_collect, distinguish between return - codes which means different behavior when there is insufficient memory - than when the memory consumption can't be checked. -- Improve the warning message to show greater details about memory - consumption to the user. -- Remove the check for the absolute amount of remaining free memory. As - we can see on the example of rhbz#1932833, on systems with large - amount of memory the remaining memory of 512 MB isn't enough memory for - openscap to process the collected data. At the same time, if we lowered - the usage ratio, we don't need this anymore. -- Remove useless message "spt:" from the verbose log because it's - produced many times and pollutes the log extremely. 
---- - src/OVAL/probes/probe/icache.c | 23 +++++++++++------------ - src/common/memusage.c | 2 -- - 2 files changed, 11 insertions(+), 14 deletions(-) - -diff --git a/src/OVAL/probes/probe/icache.c b/src/OVAL/probes/probe/icache.c -index 7e16daa334..af7b528372 100644 ---- a/src/OVAL/probes/probe/icache.c -+++ b/src/OVAL/probes/probe/icache.c -@@ -487,9 +487,8 @@ int probe_icache_nop(probe_icache_t *cache) - return (0); - } - --#define PROBE_RESULT_MEMCHECK_CTRESHOLD 32768 /* item count */ --#define PROBE_RESULT_MEMCHECK_MINFREEMEM 512 /* MiB */ --#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.8 /* max. memory usage ratio - used/total */ -+#define PROBE_RESULT_MEMCHECK_CTRESHOLD 1000 /* item count */ -+#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.1 /* max. memory usage ratio - used/total */ - - /** - * Returns 0 if the memory constraints are not reached. Otherwise, 1 is returned. -@@ -511,18 +510,12 @@ static int probe_cobj_memcheck(size_t item_cnt) - c_ratio = (double)mu_proc.mu_rss/(double)(mu_sys.mu_total); - - if (c_ratio > PROBE_RESULT_MEMCHECK_MAXRATIO) { -- dW("Memory usage ratio limit reached! limit=%f, current=%f", -- PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio); -+ dW("Memory usage ratio limit reached! limit=%f, current=%f, used=%ld MB, free=%ld MB, total=%ld MB, count of items=%ld", -+ PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt); - errno = ENOMEM; - return (1); - } - -- if ((mu_sys.mu_realfree / 1024) < PROBE_RESULT_MEMCHECK_MINFREEMEM) { -- dW("Minimum free memory limit reached! 
limit=%zu, current=%zu", -- PROBE_RESULT_MEMCHECK_MINFREEMEM, mu_sys.mu_realfree / 1024); -- errno = ENOMEM; -- return (1); -- } - } - - return (0); -@@ -547,6 +540,7 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item) - { - SEXP_t *cobj_content; - size_t cobj_itemcnt; -+ int memcheck_ret; - - if (ctx == NULL || ctx->probe_out == NULL || item == NULL) { - return -1; -@@ -556,7 +550,12 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item) - cobj_itemcnt = SEXP_list_length(cobj_content); - SEXP_free(cobj_content); - -- if (probe_cobj_memcheck(cobj_itemcnt) != 0) { -+ memcheck_ret = probe_cobj_memcheck(cobj_itemcnt); -+ if (memcheck_ret == -1) { -+ dE("Failed to check available memory"); -+ return -1; -+ } -+ if (memcheck_ret == 1) { - - /* - * Don't set the message again if the collected object is -diff --git a/src/common/memusage.c b/src/common/memusage.c -index fc6909e6fb..c6755f21f1 100644 ---- a/src/common/memusage.c -+++ b/src/common/memusage.c -@@ -137,8 +137,6 @@ static int read_status(const char *source, void *base, struct stat_parser *spt, - sp = oscap_bfind(spt, spt_size, sizeof(struct stat_parser), - linebuf, (int(*)(void *, void *))&cmpkey); - -- dD("spt: %s", linebuf); -- - if (sp == NULL) { - /* drop end of unread line */ - while (strchr(strval, '\n') == NULL) { - -From ded3d58cd62259b217a9ab35030827ac3cb8dd45 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Tue, 7 Sep 2021 13:52:50 +0200 -Subject: [PATCH 2/3] Allow to set memory ratio by environment variable - -If the probe memory usage ratio limit will be too small or too big -in some situation, the user will be able to modify the limit easily -by setting the environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO -to a different value. This can also help users when debugging memory -problems. 
---- - docs/manual/manual.adoc | 1 + - src/OVAL/probes/probe/icache.c | 9 ++++----- - src/OVAL/probes/probe/probe.h | 1 + - src/OVAL/probes/probe/worker.c | 12 ++++++++++++ - 4 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc -index 90e2cc2c63..825844bc71 100644 ---- a/docs/manual/manual.adoc -+++ b/docs/manual/manual.adoc -@@ -1613,6 +1613,7 @@ not considered local by the scanner: - * `OSCAP_PROBE_ROOT` - Path to a directory which contains mounted filesystem to be evaluated. Used for offline scanning. - * `SEXP_VALIDATE_DISABLE` - If set, `oscap` will not validate SEXP expressions during its execution. - * `SOURCE_DATE_EPOCH` - Timestamp in seconds since epoch. This timestamp will be used instead of the current time to populate `timestamp` attributes in SCAP source data streams created by `oscap ds sds-compose` sub-module. This is used for reproducible builds of data streams. -+* `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1 - - Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables]. - -diff --git a/src/OVAL/probes/probe/icache.c b/src/OVAL/probes/probe/icache.c -index af7b528372..a397d35ec2 100644 ---- a/src/OVAL/probes/probe/icache.c -+++ b/src/OVAL/probes/probe/icache.c -@@ -488,13 +488,12 @@ int probe_icache_nop(probe_icache_t *cache) - } - - #define PROBE_RESULT_MEMCHECK_CTRESHOLD 1000 /* item count */ --#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.1 /* max. memory usage ratio - used/total */ - - /** - * Returns 0 if the memory constraints are not reached. Otherwise, 1 is returned. - * In case of an error, -1 is returned. 
- */ --static int probe_cobj_memcheck(size_t item_cnt) -+static int probe_cobj_memcheck(size_t item_cnt, double max_ratio) - { - if (item_cnt > PROBE_RESULT_MEMCHECK_CTRESHOLD) { - struct proc_memusage mu_proc; -@@ -509,9 +508,9 @@ static int probe_cobj_memcheck(size_t item_cnt) - - c_ratio = (double)mu_proc.mu_rss/(double)(mu_sys.mu_total); - -- if (c_ratio > PROBE_RESULT_MEMCHECK_MAXRATIO) { -+ if (c_ratio > max_ratio) { - dW("Memory usage ratio limit reached! limit=%f, current=%f, used=%ld MB, free=%ld MB, total=%ld MB, count of items=%ld", -- PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt); -+ max_ratio, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt); - errno = ENOMEM; - return (1); - } -@@ -550,7 +549,7 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item) - cobj_itemcnt = SEXP_list_length(cobj_content); - SEXP_free(cobj_content); - -- memcheck_ret = probe_cobj_memcheck(cobj_itemcnt); -+ memcheck_ret = probe_cobj_memcheck(cobj_itemcnt, ctx->max_mem_ratio); - if (memcheck_ret == -1) { - dE("Failed to check available memory"); - return -1; -diff --git a/src/OVAL/probes/probe/probe.h b/src/OVAL/probes/probe/probe.h -index 1c7a3b1b00..d3a488c4d5 100644 ---- a/src/OVAL/probes/probe/probe.h -+++ b/src/OVAL/probes/probe/probe.h -@@ -83,6 +83,7 @@ struct probe_ctx { - SEXP_t *filters; /**< object filters (OVAL 5.8 and higher) */ - probe_icache_t *icache; /**< item cache */ - int offline_mode; -+ double max_mem_ratio; - }; - - typedef enum { -diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c -index 94fe5c2037..3ef489b40d 100644 ---- a/src/OVAL/probes/probe/worker.c -+++ b/src/OVAL/probes/probe/worker.c -@@ -52,6 +52,10 @@ extern int chroot(const char *); - #include "probe-table.h" - #include "probe.h" - -+/* default max. 
memory usage ratio - used/total */ -+/* can be overridden by environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO */ -+#define OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT 0.1 -+ - extern bool OSCAP_GSYM(varref_handling); - extern void *OSCAP_GSYM(probe_arg); - -@@ -1064,6 +1068,14 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret) - - pctx.offline_mode = probe->selected_offline_mode; - -+ pctx.max_mem_ratio = OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT; -+ char *max_ratio_str = getenv("OSCAP_PROBE_MEMORY_USAGE_RATIO"); -+ if (max_ratio_str != NULL) { -+ double max_ratio = strtod(max_ratio_str, NULL); -+ if (max_ratio != 0) -+ pctx.max_mem_ratio = max_ratio; -+ } -+ - /* simple object */ - pctx.icache = probe->icache; - pctx.filters = probe_prepare_filters(probe, probe_in); - -From 0f5cf5b09f469920616a2037d0f9c81cf0868a58 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Wed, 15 Sep 2021 14:41:30 +0200 -Subject: [PATCH 3/3] Update src/OVAL/probes/probe/worker.c - -Co-authored-by: Evgeny Kolesnikov <evgenyz@gmail.com> ---- - src/OVAL/probes/probe/worker.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c -index 3ef489b40d..1183ed06bf 100644 ---- a/src/OVAL/probes/probe/worker.c -+++ b/src/OVAL/probes/probe/worker.c -@@ -1072,7 +1072,7 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret) - char *max_ratio_str = getenv("OSCAP_PROBE_MEMORY_USAGE_RATIO"); - if (max_ratio_str != NULL) { - double max_ratio = strtod(max_ratio_str, NULL); -- if (max_ratio != 0) -+ if (max_ratio > 0) - pctx.max_mem_ratio = max_ratio; - } - diff --git a/SOURCES/openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch b/SOURCES/openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch deleted file mode 100644 index a405a67..0000000 --- a/SOURCES/openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 9f9a322b73e71bb4945a736605eb0515acf9a207 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 28 Jul 2021 08:36:50 +0200
-Subject: [PATCH] Document problems with --local-files in oscap-ssh
-
-Related to: https://github.com/OpenSCAP/openscap/pull/1769
-Thanks @ggbecker for pointing this out.
----
- utils/oscap-ssh.8 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/utils/oscap-ssh.8 b/utils/oscap-ssh.8
-index 416b1f3e5..05c80cd3c 100644
---- a/utils/oscap-ssh.8
-+++ b/utils/oscap-ssh.8
-@@ -67,6 +67,9 @@ Specific option for oscap-ssh (must be first argument):
- oscap-ssh checks out the SSH_ADDITIONAL_OPTIONS environment variable, and pastes its contents into the command-line of ssh to the location where options are expected.
- Supply the variable in form of a string that corresponds to a section of the ssh command-line and that consists of options you want to pass.
-
-+.SS Using --local-files option
-+The oscap-ssh command supports the --local-files option, but it isn't possible to pass './' and '../' as an argument. Use a full directory path instead.
-+
- .SH EXAMPLE USAGE
- .SS Simple XCCDF evaluation
- The following command evaluates a remote Fedora machine as root. HTML report is written out as report.html on the local machine. Can be executed from any machine that has ssh, scp and bash. The local machine does not need to have openscap installed.
diff --git a/SOURCES/openscap-1.3.6-replace-getlogin-pr-1753.patch
deleted file mode 100644
index a63f094..0000000
--- a/SOURCES/openscap-1.3.6-replace-getlogin-pr-1753.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 11 May 2021 13:20:18 +0200
-Subject: [PATCH] Replace getlogin by cuserid
-
-The getlogin() is used here to fill in the xccdf:identity element which
-shall contain information about the system identity or user employed
-during application of the benchmark. But, the getlogin() can return NULL
-when there is no controlling terminal. This happened when testing oscap
-on a test system with no pty. As an alternative, the system provides
-also cuserid() function which gets the effective user ID of the process.
-However, these 2 values differ when the program is executed under sudo.
-From the user experience point of view, it would be better to have
-displayed there the user logged in on the controlling terminal. As a
-compromise, we will first attempt to obtain the name using getlogin()
-and if that fails we will run cuserid().
----
- src/XCCDF/result.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
-index cd03e6bd8f..cbe016c44a 100644
---- a/src/XCCDF/result.c
-+++ b/src/XCCDF/result.c
-@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result)
- xccdf_identity_set_authenticated(id, 0);
- xccdf_identity_set_privileged(id, 0);
- #ifdef OSCAP_UNIX
-- xccdf_identity_set_name(id, getlogin());
-+ char *name = getlogin();
-+ if (name == NULL)
-+ name = cuserid(NULL);
-+ xccdf_identity_set_name(id, name);
- #elif defined(OS_WINDOWS)
- GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */
- xccdf_identity_set_name(id, w32_username);
diff --git a/SOURCES/openscap-1.3.6-rpath-pr-1765.patch
deleted file mode 100644
index bbd07aa..0000000
--- a/SOURCES/openscap-1.3.6-rpath-pr-1765.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5f8879927fa34827f1b367eac311845e6ebec9a7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 10 Jun 2021 13:41:25 +0200
-Subject: [PATCH] Do not set Rpath
-
-See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967200
----
- CMakeLists.txt | 18 ------------------
- 1 file changed, 18 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index c70ba29bf..cc7b5e005 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -482,25 +482,7 @@ else()
- endif()
- set(OSCAP_TEMP_DIR "/tmp" CACHE STRING "use different temporary directory to execute sce scripts (default=/tmp)")
-
--# ---------- RPATHS for linking
-
--# see https://cmake.org/Wiki/CMake_RPATH_handling
--
--# use, i.e. don't skip the full RPATH for the build tree
--set(CMAKE_SKIP_BUILD_RPATH FALSE)
--
--# when building, don't use the install RPATH already
--# (but later on when installing)
--set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE)
--
--set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
--
--# add the automatically determined parts of the RPATH
--# which point to directories outside the build tree to the install RPATH
--set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
--
--# Turn on RPATH for OSX for policy warning
--set(CMAKE_MACOSX_RPATH ON)
- # ---------- CONFIGURATION
-
- configure_file("config.h.in" "config.h")
diff --git a/SOURCES/openscap-1.3.6-rpminspect-xml-pr-1773.patch
deleted file mode 100644
index c78fa7c..0000000
--- a/SOURCES/openscap-1.3.6-rpminspect-xml-pr-1773.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -From e515fc9694efb8703f6c55782094e0273c0dec9d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Fri, 25 Jun 2021 13:59:59 +0200 -Subject: [PATCH] Workaround rpminspect problem - -rpminspect produces this problem: - -xml-files: ----------- -1) File /usr/share/openscap/xsl/oval-results-report.xsl is a malformed XML file on x86_64 -Result: VERIFY -Waiver Authorization: Anyone - -Details: -No declaration for element stylesheet - -Suggested Remedy: Correct the reported errors in the XML document - -I assume that it's caused by mixing the DTD and schema - it probably -expects that the DTD will contain a declaration of the root element -as well. The workaround simply expands both entities by substituting -them by their contents. ---- - xsl/oval-results-report.xsl | 18 ++++++------------ - 1 file changed, 6 insertions(+), 12 deletions(-) - -diff --git a/xsl/oval-results-report.xsl b/xsl/oval-results-report.xsl -index fe50717795..744540c8f8 100644 ---- a/xsl/oval-results-report.xsl -+++ b/xsl/oval-results-report.xsl -@@ -1,10 +1,4 @@ - <?xml version="1.0" encoding="UTF-8"?> --<!DOCTYPE xsl:stylesheet [ --<!-- check symbol --> --<!ENTITY resultgood "✓"> --<!-- x symbol --> --<!ENTITY resultbad "✕"> --]> - <!-- - - **************************************************************************************** -@@ -129,7 +123,7 @@ - <tr class="LightRow"> - <td class="resultbadA ColorBox"/> - <td class="resultbadB ColorBox"/> -- <td class="Text" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td> -+ <td class="Text" title="Non-Compliant/Vulnerable/Unpatched">✕</td> - </tr> - </table> - </td> -@@ -138,7 +132,7 @@ - <tr class="LightRow"> - <td class="resultgoodA ColorBox"/> - <td class="resultgoodB ColorBox"/> -- <td class="Text" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td> -+ <td class="Text" title="Compliant/Non-Vulnerable/Patched">✓</td> - </tr> - </table> - </td> -@@ -227,8 +221,8 @@ - <table 
border="1"> - <tr class="Title"> - <td class="TitleLabel" align="center">Systems Analyzed</td> -- <td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">&resultbad;</td> -- <td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">&resultgood;</td> -+ <td class="TitleLabel" align="center" title="Non-Compliant/Vulnerable/Unpatched">✕</td> -+ <td class="TitleLabel" align="center" title="Compliant/Non-Vulnerable/Patched">✓</td> - <td class="TitleLabel" align="center">Errors</td> - <td class="TitleLabel" align="center">Unknown</td> - <td class="TitleLabel" align="center" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">Other</td> -@@ -497,8 +491,8 @@ - <xsl:template name="GeneratorResTotals"> - <xsl:param name="resultsElm"/> - <tr class="DarkRow Center"> -- <td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#&resultbad;</td> -- <td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#&resultgood;</td> -+ <td class="SmallLabel" style="width: 20%;" title="Non-Compliant/Vulnerable/Unpatched">#✕</td> -+ <td class="SmallLabel" style="width: 20%;" title="Compliant/Non-Vulnerable/Patched">#✓</td> - <td class="SmallLabel" style="width: 20%;" title="Error">#Error</td> - <td class="SmallLabel" style="width: 20%;" title="Unknown">#Unknown</td> - <td class="SmallLabel" style="width: 20%;" title="Inventory/Miscellaneous class, or Not Applicable/Not Evaluated result">#Other</td> diff --git a/SOURCES/openscap-1.3.6-test-rhbz1959570-pr-1788.patch b/SOURCES/openscap-1.3.6-test-rhbz1959570-pr-1788.patch deleted file mode 100644 index 2c175b8..0000000 --- a/SOURCES/openscap-1.3.6-test-rhbz1959570-pr-1788.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> -Date: Wed, 28 Jul 2021 13:06:25 +0200 -Subject: [PATCH] Add a regression test for rhbz#1959570 - -The bug was a segmentation fault in filehash58 probe which happened -in openscap-1.3.3-6.el8_3. - -The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779 -and this patch adds a very small test. ---- - tests/probes/filehash58/CMakeLists.txt | 1 + - .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++ - .../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++ - 3 files changed, 59 insertions(+) - create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh - create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml - -diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt -index b26d8171fb..cdec0792eb 100644 ---- a/tests/probes/filehash58/CMakeLists.txt -+++ b/tests/probes/filehash58/CMakeLists.txt -@@ -1,3 +1,4 @@ - if(ENABLE_PROBES_INDEPENDENT) - add_oscap_test("test_probes_filehash58.sh") -+ add_oscap_test("rhbz1959570_segfault.sh") - endif() -diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh -new file mode 100755 -index 0000000000..0c32cc79f1 ---- /dev/null -+++ b/tests/probes/filehash58/rhbz1959570_segfault.sh -@@ -0,0 +1,19 @@ -+#!/usr/bin/env bash -+ -+# Copyright 2021 Red Hat Inc., Durham, North Carolina. -+# All Rights Reserved. -+# -+# OpenSCAP Probes Test Suite. -+# -+# Authors: -+# Jan Černý, <jcerny@redhat.com> -+ -+set -e -o pipefail -+. $builddir/tests/test_common.sh -+ -+# Test Cases -+ -+stderr="$(mktemp)" -+$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr" -+[ ! 
-s "$stderr" ] -+rm "$stderr" -diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml -new file mode 100644 -index 0000000000..4b3fc4863a ---- /dev/null -+++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml -@@ -0,0 +1,39 @@ -+<?xml version="1.0"?> -+<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd"> -+ <oval-def:generator> -+ <oval:product_name>jcerny</oval:product_name> -+ <oval:product_version>1</oval:product_version> -+ <oval:schema_version>5.11</oval:schema_version> -+ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp> -+ </oval-def:generator> -+ <oval-def:definitions> -+ <oval-def:definition class="compliance" id="oval:x:def:1" version="1"> -+ <oval-def:metadata> -+ <oval-def:title>title</oval-def:title> -+ <oval-def:description>description</oval-def:description> -+ </oval-def:metadata> -+ <oval-def:criteria> -+ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/> -+ </oval-def:criteria> -+ </oval-def:definition> -+ </oval-def:definitions> -+ <oval-def:tests> -+ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" 
version="1"> -+ <ind:object object_ref="oval:x:obj:1"/> -+ <ind:state state_ref="oval:x:ste:1"/> -+ </ind:filehash58_test> -+ </oval-def:tests> -+ <oval-def:objects> -+ <ind:filehash58_object id="oval:x:obj:1" version="1"> -+ <ind:filepath>/etc/os-release</ind:filepath> -+ <ind:hash_type>SHA-256</ind:hash_type> -+ </ind:filehash58_object> -+ </oval-def:objects> -+ <oval-def:states> -+ <ind:filehash58_state id="oval:x:ste:1" version="1"> -+ <ind:filepath>/etc/os-release</ind:filepath> -+ <ind:hash_type>SHA-256</ind:hash_type> -+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash> -+ </ind:filehash58_state> -+ </oval-def:states> -+</oval-def:oval_definitions> diff --git a/SOURCES/openscap-1.3.6-ubi9-pr-1772.patch b/SOURCES/openscap-1.3.6-ubi9-pr-1772.patch deleted file mode 100644 index 85311ce..0000000 --- a/SOURCES/openscap-1.3.6-ubi9-pr-1772.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 80543bc666d648d0251e4c7b675489b8011a548a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Fri, 25 Jun 2021 10:19:43 +0200
-Subject: [PATCH] Fix UBI 9 scan
-
-In offline mode when scanning a cointainer based on UBI 9 the
-system_info probe failed because the function `_offline_get_hname` which
-reads from `/etc/hostname` returns an empty string which causes
-`__sysinfo_saneval(hname)` check to return zero which in turn causes the
-probe returns an error. We can prevent this situation by replacing the
-empty string by `"Unknown"`, which we already do when the `hname` is
-`NULL`.
-
-Addressing:
-
-W: oscap: Can't receive message: 125, Operation canceled.
-E: oscap: Recv: retry limit (0) reached.
-OpenSCAP Error: Probe at sd=32 (system_info) reported an error: Invalid type, value or format [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:383]
-Unable to receive a message from probe [/home/jcerny/work/git/openscap/src/OVAL/oval_probe_ext.c:572]
-
-Resolves: rhbz#1953610
----
- src/OVAL/probes/independent/system_info_probe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/OVAL/probes/independent/system_info_probe.c b/src/OVAL/probes/independent/system_info_probe.c
-index 9bdd73556d..8251e655ed 100644
---- a/src/OVAL/probes/independent/system_info_probe.c
-+++ b/src/OVAL/probes/independent/system_info_probe.c
-@@ -732,7 +732,7 @@ int system_info_probe_main(probe_ctx *ctx, void *arg)
- if (!architecture)
- architecture = strdup(unknown);
-
-- if (!hname)
-+ if (!hname || *hname == '\0')
- hname = strdup(unknown);
-
- if (__sysinfo_saneval(os_name) < 1 ||
diff --git a/SOURCES/openscap-1.3.6-waive-hugetables-pr-1745.patch
deleted file mode 100644
index 4272a78..0000000
--- a/SOURCES/openscap-1.3.6-waive-hugetables-pr-1745.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Mon, 26 Apr 2021 13:13:26 +0200
-Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le
-
-The known issue has been reported in
-https://bugzilla.redhat.com/show_bug.cgi?id=1642995
-
-This modification is currently applied as a patch applied during setup
-phase of Sanity/smoke-test in Fedora CI gating.
-https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test
-The patched file got changed recetly so the patch doesn't apply anymore
-which causes the Rawhide gating to fail.
-We have decided to propose the change to upstream to avoid the need
-for modifying the patch in the tests and to prevent similar problems
-in the future.
----
- tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
-index 2280ff7ae..c79d7ed18 100755
---- a/tests/probes/sysctl/test_sysctl_probe_all.sh
-+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
-@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then
- sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
- fi
-
-+if ! grep -q "hugepages" "$ourNames"; then
-+ sed -i "/^.*hugepages.*$/d" "$sysctlNames"
-+fi
-+
- echo "Diff (sysctlNames / ourNames): ------"
- diff "$sysctlNames" "$ourNames"
- echo "-------------------------------------"
-@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
- # that can't fit into 8K buffer and result in errno 14
- # (for example /proc/sys/kernel/spl/hostid could be the case)
- sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
-+sed -i "/^.*hugepages.*$/d" "$stderr"
-
- echo "Errors (without messages related to permissions):"
- cat "$stderr"
diff --git a/SOURCES/openscap-1.3.6-warning-local-files-pr-1826.patch
deleted file mode 100644
index c97dcd6..0000000
--- a/SOURCES/openscap-1.3.6-warning-local-files-pr-1826.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From ce74fde37771fa2cf6d947e5aaeebd9a197db50b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 9 Nov 2021 09:15:20 +0100
-Subject: [PATCH] Print warning for local files
-
-This will explicitely display users that they're using local
-files instead of the remote resource.
-
-See https://bugzilla.redhat.com/show_bug.cgi?id=1970529#c6
----
- src/DS/sds.c | 4 +++-
- tests/DS/test_ds_use_local_remote_resources.sh | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/DS/sds.c b/src/DS/sds.c
-index a26fdbb09..243b62968 100644
---- a/src/DS/sds.c
-+++ b/src/DS/sds.c
-@@ -407,7 +407,9 @@ static int _handle_disabled_downloads(struct ds_sds_session *session, const char
- char *local_filepath = oscap_path_join(local_files, relative_filepath);
- struct stat sb;
- if (stat(local_filepath, &sb) == 0) {
-- dI("Using local file '%s' instead of '%s'", local_filepath, xlink_href);
-+ ds_sds_session_remote_resources_progress(session)(true,
-+ "WARNING: Using local file '%s' instead of '%s'",
-+ local_filepath, xlink_href);
- struct oscap_source *source_file = oscap_source_new_from_file(local_filepath);
- xmlDoc *doc = oscap_source_get_xmlDoc(source_file);
- if (doc == NULL) {
-diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh
-index 789dc8326..2feb47da1 100755
---- a/tests/DS/test_ds_use_local_remote_resources.sh
-+++ b/tests/DS/test_ds_use_local_remote_resources.sh
-@@ -24,6 +24,7 @@ $OSCAP xccdf eval --local-files "$tmpdir3" --profile "$PROFILE" --results "$resu
-
- grep -q "WARNING: Datastream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. Use '--fetch-remote-resources' option to download it."
"$stderr" && false
- grep -q "WARNING: Skipping 'https://www.example.com/security/data/oval/remote.oval.xml' file which is referenced from datastream" "$stderr" && false
-+grep -q "WARNING: Using local file '$tmpdir3/remote.oval.xml' instead of 'https://www.example.com/security/data/oval/remote.oval.xml'" "$stderr"
-
- assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]'
- # the remote_res rule is a multicheck with 2 oval definitions so it's twice here
diff --git a/SOURCES/openscap-1.3.6-yamlfile-null-pr-1756.patch
deleted file mode 100644
index 9489211..0000000
--- a/SOURCES/openscap-1.3.6-yamlfile-null-pr-1756.patch
+++ /dev/null
@@ -1,150 +0,0 @@ -From 89f99834ba183284a7d75835932a0c0ea4eb9007 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov <ekolesni@redhat.com> -Date: Mon, 17 May 2021 08:40:17 +0200 -Subject: [PATCH] oval/yamlfilecontent: Add 'null' values handling - -For now null values would be represented as string '(null)' as -record's field could not be attributed as nil="true" yet. ---- - .../independent/yamlfilecontent_probe.c | 9 ++++ - .../test_probes_yamlfilecontent_types.sh | 5 ++ - .../test_probes_yamlfilecontent_types.xml | 52 +++++++++++++++++++ - tests/probes/yamlfilecontent/types.yaml | 4 ++ - 4 files changed, 70 insertions(+) - -diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c -index 62a8f4ff29..2d0cac6991 100644 ---- a/src/OVAL/probes/independent/yamlfilecontent_probe.c -+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c -@@ -41,6 +41,7 @@ - #define OSCAP_YAML_BOOL_TAG "tag:yaml.org,2002:bool" - #define OSCAP_YAML_FLOAT_TAG "tag:yaml.org,2002:float" - #define OSCAP_YAML_INT_TAG "tag:yaml.org,2002:int" -+#define OSCAP_YAML_NULL_TAG "tag:yaml.org,2002:null" - - #define OVECCOUNT 30 /* should be a multiple of 3 */ - -@@ -135,6 +136,14 @@ static SEXP_t *yaml_scalar_event_to_sexp(yaml_event_t *event) - return NULL; - } - } -+ if (question || !strcmp(tag, OSCAP_YAML_NULL_TAG)) { -+ if (match_regex("^(null|Null|NULL|~|)$", value)) { -+ // TODO: Return real NULL when record's field will support nil="true" -+ return SEXP_string_new("(null)", strlen("(null)")); -+ } else if (!question) { -+ return NULL; -+ } -+ } - - return SEXP_string_new(value, strlen(value)); - } -diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh -index 4f110f6eb7..e445771d03 100755 ---- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh -+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh -@@ -60,6 
+60,11 @@ function test_probes_yamlfilecontent_types { - assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="boolean" and text()="true"]' - # string_number - assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="int" and text()="81"]' -+ # string_null -+ assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="null"]' -+ -+ # null_1_2_3 -+ assert_exists 3 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="(null)"]' - - # bool_error_cast, int_error_cast, float_error_cast - co='/oval_results/results/system/oval_system_characteristics/collected_objects' -diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml -index adf96571b8..503ec2d4a4 100644 ---- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml -+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml -@@ -262,6 +262,19 @@ - </criteria> - </definition> - -+ <definition class="compliance" version="1" id="oval:0:def:26"> -+ <metadata> -+ <title></title> -+ <description></description> -+ </metadata> -+ <criteria operator="AND"> -+ <criterion comment="comment" test_ref="oval:0:tst:26"/> -+ <criterion comment="comment" test_ref="oval:0:tst:27"/> -+ <criterion comment="comment" test_ref="oval:0:tst:28"/> -+ <criterion comment="comment" test_ref="oval:0:tst:29"/> -+ </criteria> -+ </definition> -+ - </definitions> - - <tests> -@@ -364,6 +377,21 @@ - <ind-def:object object_ref="oval:0:obj:25"/> - </ind-def:yamlfilecontent_test> - -+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:26" check="all" comment="true"> -+ <ind-def:object object_ref="oval:0:obj:26"/> -+ </ind-def:yamlfilecontent_test> -+ -+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:27" check="all" comment="true"> -+ <ind-def:object object_ref="oval:0:obj:27"/> -+ 
</ind-def:yamlfilecontent_test> -+ -+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:28" check="all" comment="true"> -+ <ind-def:object object_ref="oval:0:obj:28"/> -+ </ind-def:yamlfilecontent_test> -+ -+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:29" check="all" comment="true"> -+ <ind-def:object object_ref="oval:0:obj:29"/> -+ </ind-def:yamlfilecontent_test> - </tests> - - <objects> -@@ -517,6 +545,30 @@ - <ind-def:filename>types.yaml</ind-def:filename> - <ind-def:yamlpath>.float_error_cast</ind-def:yamlpath> - </ind-def:yamlfilecontent_object> -+ -+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:26"> -+ <ind-def:path>/tmp</ind-def:path> -+ <ind-def:filename>types.yaml</ind-def:filename> -+ <ind-def:yamlpath>.null_1</ind-def:yamlpath> -+ </ind-def:yamlfilecontent_object> -+ -+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:27"> -+ <ind-def:path>/tmp</ind-def:path> -+ <ind-def:filename>types.yaml</ind-def:filename> -+ <ind-def:yamlpath>.null_2</ind-def:yamlpath> -+ </ind-def:yamlfilecontent_object> -+ -+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:28"> -+ <ind-def:path>/tmp</ind-def:path> -+ <ind-def:filename>types.yaml</ind-def:filename> -+ <ind-def:yamlpath>.null_3</ind-def:yamlpath> -+ </ind-def:yamlfilecontent_object> -+ -+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:29"> -+ <ind-def:path>/tmp</ind-def:path> -+ <ind-def:filename>types.yaml</ind-def:filename> -+ <ind-def:yamlpath>.string_null</ind-def:yamlpath> -+ </ind-def:yamlfilecontent_object> - </objects> - - </oval_definitions> -diff --git a/tests/probes/yamlfilecontent/types.yaml b/tests/probes/yamlfilecontent/types.yaml -index f05fa3a967..fb26eab5f0 100644 ---- a/tests/probes/yamlfilecontent/types.yaml -+++ b/tests/probes/yamlfilecontent/types.yaml -@@ -19,7 +19,11 @@ bool_false_cast: !!bool "false" - int_cast: !!int "369" - float_cast: !!float "978.65" - string_true: "true" -+string_null: "null" - string_number: "81" - 
bool_error_cast: !!bool "falsee" - int_error_cast: !!int "50%" - float_error_cast: !!float "58.41$" -+null_1: null -+null_2: -+null_3: !!null "null" diff --git a/SOURCES/openscap-1.3.7-PR-1841-coverity.patch b/SOURCES/openscap-1.3.7-PR-1841-coverity.patch new file mode 100644 index 0000000..ce3e58d --- /dev/null +++ b/SOURCES/openscap-1.3.7-PR-1841-coverity.patch 
@@ -0,0 +1,104 @@ +From f141dfd0311ec2be4c4c27814d9d6693551cfd76 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 27 Jan 2022 15:00:33 +0100 +Subject: [PATCH 1/3] Fix shellcheck warning + +Addressing: + +Error: SHELLCHECK_WARNING (CWE-138): [#def1] +/usr/libexec/oscap-remediate:110:12: error[SC2145]: Argument mixes string and array. Use * or separate argument. + 108| args+=( "--remediate" ) + 109| args+=( "${OSCAP_REMEDIATE_DS}" ) + 110|-> log "Args: ${args[@]}" + 111| + 112| # Now we are good to go +--- + utils/oscap-remediate | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/oscap-remediate b/utils/oscap-remediate +index fc0b7715f..52e29aa66 100755 +--- a/utils/oscap-remediate ++++ b/utils/oscap-remediate +@@ -107,7 +107,7 @@ args+=( ${OSCAP_REMEDIATE_HTML_REPORT:+"--report=${OSCAP_REMEDIATE_HTML_REPORT}" + args+=( "--progress-full" ) + args+=( "--remediate" ) + args+=( "${OSCAP_REMEDIATE_DS}" ) +-log "Args: ${args[@]}" ++log "Args: ${args[*]}" + + # Now we are good to go + header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'"Evaluating..." + +From d3e7d5be1fcd55ef396de6070f877df0f2c2c58e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 27 Jan 2022 15:09:02 +0100 +Subject: [PATCH 2/3] Remove superfluous strdup + +We can do this because xccdf_session_set_rule calls strdup on the rule +parameter internally. + +Addressing: + +Error: RESOURCE_LEAK (CWE-772): [#def2] [important] +openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: alloc_fn: Storage is returned from allocation function "strdup". +openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: var_assign: Assigning: "n_rule" = storage returned from "strdup(rule)". 
+openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4149: noescape: Resource "n_rule" is not freed or pointed-to in "xccdf_session_set_rule". +openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4150: leaked_storage: Variable "n_rule" going out of scope leaks the storage it points to. + 4148| char *n_rule = strdup(rule); + 4149| xccdf_session_set_rule(sess, n_rule); + 4150|-> } + 4151| + 4152| void xccdf_session_free_py(struct xccdf_session *sess){ +--- + swig/openscap.i | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/swig/openscap.i b/swig/openscap.i +index 2fe1cce99..158a22675 100644 +--- a/swig/openscap.i ++++ b/swig/openscap.i +@@ -559,8 +559,7 @@ struct xccdf_session { + }; + + void xccdf_session_set_rule_py(struct xccdf_session *sess, char *rule) { +- char *n_rule = strdup(rule); +- xccdf_session_set_rule(sess, n_rule); ++ xccdf_session_set_rule(sess, rule); + } + + void xccdf_session_free_py(struct xccdf_session *sess){ + +From 6ef54336a018566a32f6a95177635ada7f20794e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 27 Jan 2022 15:16:02 +0100 +Subject: [PATCH 3/3] Add a missing free + +Addressing: +Error: RESOURCE_LEAK (CWE-772): [#def4] [important] +openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: alloc_fn: Storage is returned from allocation function "oscap_htable_iterator_new". +openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: var_assign: Assigning: "rit" = storage returned from "oscap_htable_iterator_new(policy->rules)". +openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2145: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_has_more". +openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2146: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_next_key". 
+openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2150: leaked_storage: Variable "rit" going out of scope leaks the storage it points to. + 2148| oscap_seterr(OSCAP_EFAMILY_XCCDF, + 2149| "Rule '%s' not found in selected profile.", rule_id); + 2150|-> return NULL; + 2151| } + 2152| } +--- + src/XCCDF_POLICY/xccdf_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c +index b63853a38..4d4b7ad0a 100644 +--- a/src/XCCDF_POLICY/xccdf_policy.c ++++ b/src/XCCDF_POLICY/xccdf_policy.c +@@ -2147,6 +2147,7 @@ struct xccdf_result * xccdf_policy_evaluate(struct xccdf_policy * policy) + if (oscap_htable_get(policy->rules_found, rule_id) == NULL) { + oscap_seterr(OSCAP_EFAMILY_XCCDF, + "Rule '%s' not found in selected profile.", rule_id); ++ oscap_htable_iterator_free(rit); + return NULL; + } + } diff --git a/SOURCES/openscap-1.3.7-PR-1843-fix-test-ds-misc.patch b/SOURCES/openscap-1.3.7-PR-1843-fix-test-ds-misc.patch new file mode 100644 index 0000000..8b09b47 --- /dev/null +++ b/SOURCES/openscap-1.3.7-PR-1843-fix-test-ds-misc.patch 
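Review bot: Dropping the strdup() in xccdf_session_set_rule_py (patch 2/3, swig/openscap.i) is only correct if xccdf_session_set_rule() copies `rule` before returning; the commit message asserts that, but the wrapper itself now gives no hint that the buffer it passes is owned and freed by the SWIG glue, so a one-line comment would save the next reader a lookup: `/* xccdf_session_set_rule() duplicates rule; passing the SWIG-owned buffer is fine. */`. Patch 3/3 frees `rit` on the not-found return; any other early exit from that loop in xccdf_policy_evaluate would need the same treatment, which cannot be verified from the hunk since the function's body continues outside it.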
@@ -0,0 +1,32 @@ +From e49669a0dde7e3a9123925347fbf3234602371ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Mon, 31 Jan 2022 13:45:15 +0100 +Subject: [PATCH] Prevent fails of test_ds_misc.sh + +The SOURCE_DATE_EPOCH environment variable is effective only when it's +set to a value that's older than mtime of the processed file. See the +implementation in ds_sds_compose_add_component_internal in src/DS/sds.c. +However, the file in our test suite has originally been created before +(in 2019) and this mtime can be used when a tarball is produced. To +avoid the test failing, we can modify the mtime using the touch command +just before we run the tests. +--- + tests/DS/test_ds_misc.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh +index 159007518..cffbef303 100755 +--- a/tests/DS/test_ds_misc.sh ++++ b/tests/DS/test_ds_misc.sh +@@ -269,6 +269,8 @@ function test_source_date_epoch() { + local timestamp="2020-03-05T12:09:37" + export SOURCE_DATE_EPOCH="1583410177" + export TZ=UTC ++ # ensure the file mtime is always newer than the $timestamp ++ touch -c "$xccdf" + $OSCAP ds sds-compose "$xccdf" "$result" + assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]' + rm -f "$result" +-- +2.34.1 + diff --git a/SOURCES/openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch b/SOURCES/openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch new file mode 100644 index 0000000..25c9e3a --- /dev/null +++ b/SOURCES/openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch 
@@ -0,0 +1,27 @@ +From 650656bdac5e8e4df30c11bb4dbc830aab8baa78 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Tue, 1 Feb 2022 15:06:33 +0100 +Subject: [PATCH] Prevent fails of test_ds_misc.sh + +Other files from which the datastream is composed might also +affect the timestamp attributes in result document depending +on their mtime. +--- + tests/DS/test_ds_misc.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh +index cffbef303..1777c44f4 100755 +--- a/tests/DS/test_ds_misc.sh ++++ b/tests/DS/test_ds_misc.sh +@@ -270,7 +270,9 @@ function test_source_date_epoch() { + export SOURCE_DATE_EPOCH="1583410177" + export TZ=UTC + # ensure the file mtime is always newer than the $timestamp +- touch -c "$xccdf" ++ touch -c "$srcdir/sds_multiple_oval/first-oval.xml" ++ touch -c "$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml" ++ touch -c "$srcdir/sds_multiple_oval/second-oval.xml" + $OSCAP ds sds-compose "$xccdf" "$result" + assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]' + rm -f "$result" diff --git a/SOURCES/openscap-1.3.7-PR-1846-file-permissions.patch b/SOURCES/openscap-1.3.7-PR-1846-file-permissions.patch new file mode 100644 index 0000000..ff32d68 --- /dev/null +++ b/SOURCES/openscap-1.3.7-PR-1846-file-permissions.patch 
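Review bot: `touch -c "$srcdir/sds_multiple_oval/..."` mutates files inside the source tree at test time, so test_source_date_epoch will fail, or silently leave the mtime unchanged, when the checkout is read-only or owned by a different user, as in a distcheck-style or sandboxed build. Copying the three inputs into the test's temporary directory and composing from there would give the same mtime guarantee without writing to `$srcdir`. PR-1843 has the same exposure if `$xccdf` also lives under `$srcdir`, which is not visible here. The rest of the function's body is outside the hunk.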
@@ -0,0 +1,393 @@ +From d000375944e8ec965486cf019c3f75f4c06a4e10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 3 Feb 2022 14:14:21 +0100 +Subject: [PATCH 1/5] Prevent file permissions errors + +The sysctl setting `fs.protected_regular` doesn't allow `O_CREAT` open +on regular files that we don't own in world writable sticky directories +(think `/tmp`). This causes permission denied error when writing HTML +report to a temporary files created by the `mktemp` command executed as +a normal user and then executing `sudo oscap`. + +See https://bugzilla.redhat.com/show_bug.cgi?id=2048571 + +If OpenSCAP fails to open the file because of permissions, it will retry +to open the file without O_CREAT flag. + +This fixes only creation of the HTML report using the `--report` option, +We will have to create a similar patch also for other output options +such as `--results` or `--results-arf`. +--- + src/source/xslt.c | 40 ++++++++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/src/source/xslt.c b/src/source/xslt.c +index 24c4c46e9..7a3a3f328 100644 +--- a/src/source/xslt.c ++++ b/src/source/xslt.c +@@ -22,6 +22,7 @@ + #include <config.h> + #endif + ++#include <fcntl.h> + #include <libxml/parser.h> + #include <libxslt/xslt.h> + #include <libxslt/xsltInternals.h> +@@ -82,23 +83,38 @@ static int xccdf_ns_xslt_workaround(xmlDocPtr doc, xmlNodePtr node) + + static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStylesheet *stylesheet, const char *outfile) + { +- FILE *f = NULL; +- if (outfile) +- f = fopen(outfile, "w"); +- else +- f = stdout; +- +- if (f == NULL) { +- oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not open output file '%s'", outfile ? 
outfile : "stdout"); +- return -1; ++ int fd = STDOUT_FILENO; ++ if (outfile) { ++#ifdef OS_WINDOWS ++ fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IREAD|S_IWRITE); ++#else ++ fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); ++#endif ++ if (fd == -1) { ++ if (errno == EACCES) { ++ /* File already exists and we aren't allowed to create a new one ++ with the same name */ ++#ifdef OS_WINDOWS ++ fd = open(outfile, O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE); ++#else ++ fd = open(outfile, O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); ++#endif ++ } ++ if (fd == -1) { ++ oscap_seterr(OSCAP_EFAMILY_OSCAP, ++ "Could not open output file '%s': %s", ++ outfile, strerror(errno)); ++ return -1; ++ } ++ } + } + +- int ret = xsltSaveResultToFile(f, resulting_doc, stylesheet); ++ int ret = xsltSaveResultToFd(fd, resulting_doc, stylesheet); + if (ret < 0) { + oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not save result document"); + } +- if (outfile && f) +- fclose(f); ++ if (fd != STDOUT_FILENO) ++ close(fd); + return ret; + } + + +From ad3c89a72c0aeb6c6ceab0873c51b07deba45701 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 3 Feb 2022 15:08:52 +0100 +Subject: [PATCH 2/5] Prevent permission access issues + +Very similar to the previous commit, but this time for saving XML +documents. 
+--- + src/common/elements.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/src/common/elements.c b/src/common/elements.c +index e512f5e3d..d0d9170f1 100644 +--- a/src/common/elements.c ++++ b/src/common/elements.c +@@ -233,9 +233,22 @@ int oscap_xml_save_filename(const char *filename, xmlDocPtr doc) + int fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, + S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); + #endif +- if (fd < 0) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, "%s '%s'", strerror(errno), filename); +- return -1; ++ if (fd == -1) { ++ if (errno == EACCES) { ++ /* File already exists and we aren't allowed to create a new one ++ with the same name */ ++#ifdef OS_WINDOWS ++ fd = open(filename, O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE); ++#else ++ fd = open(filename, O_WRONLY|O_TRUNC, ++ S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); ++#endif ++ } ++ if (fd == -1) { ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "%s '%s'", strerror(errno), filename); ++ return -1; ++ } + } + + buff = xmlOutputBufferCreateFd(fd, NULL); + +From b2dc90fb80419e30d05676660a2069050693078d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 3 Feb 2022 15:37:31 +0100 +Subject: [PATCH 3/5] Add a missing include + +--- + src/source/xslt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/source/xslt.c b/src/source/xslt.c +index 7a3a3f328..a763d6b59 100644 +--- a/src/source/xslt.c ++++ b/src/source/xslt.c +@@ -30,6 +30,8 @@ + #include <libxslt/xsltutils.h> + #include <libexslt/exslt.h> + #include <string.h> ++#include <sys/stat.h> ++ + #ifdef OS_WINDOWS + #include <io.h> + #else + +From 13ff98bd744ea542bc782e388fdedb5b7f66e54b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Thu, 3 Feb 2022 16:22:56 +0100 +Subject: [PATCH 4/5] Fix missing STDOUT_FILENO on Windows + +--- + src/source/xslt.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git 
a/src/source/xslt.c b/src/source/xslt.c +index a763d6b59..799d5170d 100644 +--- a/src/source/xslt.c ++++ b/src/source/xslt.c +@@ -85,7 +85,11 @@ static int xccdf_ns_xslt_workaround(xmlDocPtr doc, xmlNodePtr node) + + static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStylesheet *stylesheet, const char *outfile) + { ++#ifdef OS_WINDOWS ++ int fd = _fileno(stdout); ++#else + int fd = STDOUT_FILENO; ++#endif + if (outfile) { + #ifdef OS_WINDOWS + fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IREAD|S_IWRITE); +@@ -115,7 +119,11 @@ static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStyl + if (ret < 0) { + oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not save result document"); + } ++#ifdef OS_WINDOWS ++ if (fd != _fileno(stdout)) ++#else + if (fd != STDOUT_FILENO) ++#endif + close(fd); + return ret; + } + +From f00831513ec2cdde13c12820ff6cc0eef8105c65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> +Date: Fri, 4 Feb 2022 12:19:50 +0100 +Subject: [PATCH 5/5] Refactor: extract function oscap_open_writable + +--- + src/common/elements.c | 26 ++-------------- + src/common/util.c | 31 +++++++++++++++++++ + src/common/util.h | 14 ++++++++- + src/source/xslt.c | 27 ++-------------- + tests/API/XCCDF/unittests/CMakeLists.txt | 2 ++ + tests/API/XCCDF/unittests/test_oscap_common.c | 1 + + 6 files changed, 53 insertions(+), 48 deletions(-) + +diff --git a/src/common/elements.c b/src/common/elements.c +index d0d9170f1..de4be88f1 100644 +--- a/src/common/elements.c ++++ b/src/common/elements.c +@@ -227,29 +227,9 @@ int oscap_xml_save_filename(const char *filename, xmlDocPtr doc) + xmlCode = xmlSaveFormatFileEnc(filename, doc, "UTF-8", 1); + } + else { +-#ifdef OS_WINDOWS +- int fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, S_IREAD|S_IWRITE); +-#else +- int fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, +- S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); +-#endif +- if (fd == -1) { +- if (errno == 
EACCES) { +- /* File already exists and we aren't allowed to create a new one +- with the same name */ +-#ifdef OS_WINDOWS +- fd = open(filename, O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE); +-#else +- fd = open(filename, O_WRONLY|O_TRUNC, +- S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); +-#endif +- } +- if (fd == -1) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "%s '%s'", strerror(errno), filename); +- return -1; +- } +- } ++ int fd = oscap_open_writable(filename); ++ if (fd == -1) ++ return -1; + + buff = xmlOutputBufferCreateFd(fd, NULL); + if (buff == NULL) { +diff --git a/src/common/util.c b/src/common/util.c +index 8f9f751e2..8ca2ad130 100644 +--- a/src/common/util.c ++++ b/src/common/util.c +@@ -25,12 +25,14 @@ + #include <config.h> + #endif + ++#include <fcntl.h> + #include <string.h> + #include <ctype.h> + #include <limits.h> + #include <stdarg.h> + #include <math.h> + #include <pcre.h> ++#include <sys/stat.h> + + #include "util.h" + #include "_error.h" +@@ -482,3 +484,32 @@ char *oscap_windows_error_message(unsigned long error_code) + return error_message; + } + #endif ++ ++int oscap_open_writable(const char *filename) ++{ ++#ifdef OS_WINDOWS ++ int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IREAD|S_IWRITE); ++#else ++ int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, ++ S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); ++#endif ++ if (fd == -1) { ++ if (errno == EACCES) { ++ /* File already exists and we aren't allowed to create a new one ++ with the same name */ ++#ifdef OS_WINDOWS ++ fd = open(filename, O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE); ++#else ++ fd = open(filename, O_WRONLY|O_TRUNC, ++ S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); ++#endif ++ } ++ if (fd == -1) { ++ oscap_seterr(OSCAP_EFAMILY_OSCAP, ++ "Could not open output file '%s': %s", ++ filename, strerror(errno)); ++ return -1; ++ } ++ } ++ return fd; ++} +diff --git a/src/common/util.h b/src/common/util.h +index c48d92a52..5712f2f0b 100644 +--- a/src/common/util.h ++++ 
b/src/common/util.h +@@ -524,4 +524,16 @@ wchar_t *oscap_windows_str_to_wstr(const char *str); + char *oscap_windows_error_message(unsigned long error_code); + #endif + +-#endif /* OSCAP_UTIL_H_ */ ++/** ++ * Open a file for writing. ++ * The main difference from fopen() is that if the file exists but its opening ++ * for writing fails as permission denied, it will attempt to open it again ++ * without the O_CREAT flag. This is useful when writing to world-writeable ++ * directories with sticky bit such as /tmp on systems with fs.protected_regular ++ * turned on. ++ * @param filename name of the file to be opened ++ * @return file descriptor or -1 on error ++ */ ++int oscap_open_writable(const char *filename); ++ ++#endif /* OSCAP_UTIL_H_ */ +diff --git a/src/source/xslt.c b/src/source/xslt.c +index 799d5170d..906bfabdb 100644 +--- a/src/source/xslt.c ++++ b/src/source/xslt.c +@@ -22,7 +22,6 @@ + #include <config.h> + #endif + +-#include <fcntl.h> + #include <libxml/parser.h> + #include <libxslt/xslt.h> + #include <libxslt/xsltInternals.h> +@@ -30,7 +29,6 @@ + #include <libxslt/xsltutils.h> + #include <libexslt/exslt.h> + #include <string.h> +-#include <sys/stat.h> + + #ifdef OS_WINDOWS + #include <io.h> +@@ -91,29 +89,10 @@ static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStyl + int fd = STDOUT_FILENO; + #endif + if (outfile) { +-#ifdef OS_WINDOWS +- fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IREAD|S_IWRITE); +-#else +- fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); +-#endif +- if (fd == -1) { +- if (errno == EACCES) { +- /* File already exists and we aren't allowed to create a new one +- with the same name */ +-#ifdef OS_WINDOWS +- fd = open(outfile, O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE); +-#else +- fd = open(outfile, O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); +-#endif +- } +- if (fd == -1) { +- oscap_seterr(OSCAP_EFAMILY_OSCAP, +- "Could not open output file 
'%s': %s", +- outfile, strerror(errno)); +- return -1; +- } +- } ++ fd = oscap_open_writable(outfile); + } ++ if (fd == -1) ++ return -1; + + int ret = xsltSaveResultToFd(fd, resulting_doc, stylesheet); + if (ret < 0) { +diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt +index 97e1ab09f..a1c7da67f 100644 +--- a/tests/API/XCCDF/unittests/CMakeLists.txt ++++ b/tests/API/XCCDF/unittests/CMakeLists.txt +@@ -2,6 +2,8 @@ add_oscap_test_executable(test_oscap_common + "test_oscap_common.c" + ${CMAKE_SOURCE_DIR}/src/common/util.c + ${CMAKE_SOURCE_DIR}/src/common/list.c ++ ${CMAKE_SOURCE_DIR}/src/common/error.c ++ ${CMAKE_SOURCE_DIR}/src/common/err_queue.c + ) + + add_oscap_test_executable(test_xccdf_overrides +diff --git a/tests/API/XCCDF/unittests/test_oscap_common.c b/tests/API/XCCDF/unittests/test_oscap_common.c +index 26ff51d48..939ba8750 100644 +--- a/tests/API/XCCDF/unittests/test_oscap_common.c ++++ b/tests/API/XCCDF/unittests/test_oscap_common.c +@@ -28,6 +28,7 @@ + #include <string.h> + #include "common/list.h" + #include "common/util.h" ++#include "common/_error.h" + #include "oscap_assert.h" + + #define SEEN_LEN 9 diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index c90b2ed..c755ea0 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec 
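Review bot: The EACCES retry in oscap_open_writable (util.c, patch 5/5; the same code appears in patches 1/5 and 2/5) deliberately opens a pre-existing file the caller does not own in a sticky world-writable directory, typically as root via sudo, which is exactly the case fs.protected_regular was introduced to block; the path is user-supplied so the trade-off is defensible, but the retry then truncates and writes whatever object sits at that path. On the non-Windows branch the retry could at least refuse symlinks and non-regular files: `fd = open(filename, O_WRONLY|O_TRUNC|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);` followed by `struct stat st; if (fd != -1 && (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode))) { close(fd); fd = -1; }` (close() needs <unistd.h>, which is not among util.c's visible includes). The util.h comment should state that the retry relaxes a kernel hardening and only triggers on EACCES after an O_CREAT attempt; it also compares the function to fopen() although it returns a raw descriptor. Separately, oscap_xml_save_filename now reports the open failure as OSCAP_EFAMILY_OSCAP instead of the OSCAP_EFAMILY_GLIBC it used before the refactor, which any caller filtering on error family would notice.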
@@ -1,32 +1,15 @@
 Name: openscap
-Version: 1.3.5
-Release: 13%{?dist}
+Version: 1.3.6
+Release: 3%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch1: openscap-1.3.6-waive-hugetables-pr-1745.patch
-Patch2: openscap-1.3.6-replace-getlogin-pr-1753.patch
-Patch3: openscap-1.3.6-rpath-pr-1765.patch
-Patch4: openscap-1.3.6-ubi9-pr-1772.patch
-Patch5: openscap-1.3.6-rpminspect-xml-pr-1773.patch
-Patch6: openscap-1.3.6-fix-failing-test-pr-1775.patch
-Patch7: openscap-1.3.6-yamlfile-null-pr-1756.patch
-Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
-Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
-Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
-Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
-Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
-Patch13: openscap-1.3.6-initialize-crapi-once-pr-1779.patch
-Patch14: openscap-1.3.6-test-rhbz1959570-pr-1788.patch
-Patch15: openscap-1.3.6-blueprint-fix-pr-1749.patch
-Patch16: openscap-1.3.6-blueprint-toml-pr-1810.patch
-Patch17: openscap-1.3.6-local-files-pr-1769.patch
-Patch18: openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch
-Patch19: openscap-1.3.6-alternative-hostname-pr-1806.patch
-Patch20: openscap-1.3.6-memory-limit-pr-1827.patch
-Patch21: openscap-1.3.6-warning-local-files-pr-1826.patch
+Patch1: openscap-1.3.7-PR-1841-coverity.patch
+Patch2: openscap-1.3.7-PR-1843-fix-test-ds-misc.patch
+Patch3: openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch
+Patch4: openscap-1.3.7-PR-1846-file-permissions.patch
 BuildRequires: make
 BuildRequires: cmake >= 2.6
 BuildRequires: gcc
@@ -165,6 +148,12 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %ldconfig_scriptlets +# enable oscap-remediate.service here for now +# https://github.com/hughsie/PackageKit/issues/401 +# https://bugzilla.redhat.com/show_bug.cgi?id=1833176 +mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/ +ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service + %files %doc AUTHORS NEWS README.md %license COPYING @@ -197,7 +186,12 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %{_bindir}/oscap %{_mandir}/man8/oscap-chroot.8.gz %{_bindir}/oscap-chroot +%{_mandir}/man8/oscap-remediate-offline.8.gz +%{_bindir}/oscap-remediate-offline %{_sysconfdir}/bash_completion.d +%{_libexecdir}/oscap-remediate +%{_unitdir}/oscap-remediate.service +%{_unitdir}/system-update.target.wants/ %files utils %doc docs/oscap-scan.cron @@ -217,6 +211,18 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %{_bindir}/oscap-run-sce-script %changelog +* Mon Feb 07 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-3 +- Prevent file permission errors (rhbz#2048571) + +* Mon Jan 31 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-2 +- Fix coverity issues +- Prevent fails of test_ds_misc.sh + +* Thu Jan 20 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-1 +- Upgrade to the latest upstream release (rhbz#2041782) +- Select and exclude groups of rules on the command line (rhbz#2020580, rhbz#2020581) +- The boot-time remediation service for systemd's Offline Update mode + * Fri Nov 19 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-13 - Print warning for local files
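Review bot: The `ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/...` line in %install, together with the `%{_unitdir}/system-update.target.wants/` entry in %files, enables the unit as a packaged file rather than through systemd presets or a `%systemd_post` scriptlet, so as far as I can tell the symlink an administrator removes with `systemctl disable oscap-remediate.service` comes back on the next package update and `rpm -V` reports its absence as a missing file. The comment points at the PackageKit issue and rhbz#1833176 but does not say whether this is meant to be permanent; a line such as `# Packaged symlink on purpose: presets are not applied in offline-update installs (see links); revisit once fixed.` would record the intent for whoever next touches the %install section.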