diff --git a/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch
new file mode 100644
index 0000000..4272a78
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch
@@ -0,0 +1,43 @@
+From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 26 Apr 2021 13:13:26 +0200
+Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le
+
+The known issue has been reported in
+https://bugzilla.redhat.com/show_bug.cgi?id=1642995
+
+This modification is currently applied as a patch applied during setup
+phase of Sanity/smoke-test in Fedora CI gating.
+https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test
+The patched file got changed recetly so the patch doesn't apply anymore
+which causes the Rawhide gating to fail.
+We have decided to propose the change to upstream to avoid the need
+for modifying the patch in the tests and to prevent similar problems
+in the future.
+---
+ tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
+index 2280ff7ae..c79d7ed18 100755
+--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
+@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then
+ sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
+ fi
+
++if ! grep -q "hugepages" "$ourNames"; then
++ sed -i "/^.*hugepages.*$/d" "$sysctlNames"
++fi
++
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
++sed -i "/^.*hugepages.*$/d" "$stderr"
+
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"
diff --git a/SOURCES/openscap-1.3.6-PR-1748-covscan.patch b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch
new file mode 100644
index 0000000..9d5661a
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch
@@ -0,0 +1,52 @@
+From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Tue, 4 May 2021 08:41:06 +0200
+Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
+ schematron
+
+Error: FORWARD_NULL (CWE-476): [#def1]
+/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
+/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
+# 416| cleanup:
+# 417|-> fclose(yaml_file);
+# 418| yaml_parser_delete(&parser);
+
+Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
+/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
+/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
+/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
+# 550| if (component_refs == NULL || component_refs->nodesetval == NULL) {
+# 551|-> return res;
+# 552| }
+---
+ src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
+ src/source/schematron.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+index ed5ce0d68..62a8f4ff2 100644
+--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
++++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
+ }
+
+ cleanup:
+- fclose(yaml_file);
++ if (yaml_file != NULL)
++ fclose(yaml_file);
+ yaml_parser_delete(&parser);
+ free(filepath_with_prefix);
+ free(filepath);
+diff --git a/src/source/schematron.c b/src/source/schematron.c
+index 6cb22658b..c32d5aed6 100644
+--- a/src/source/schematron.c
++++ b/src/source/schematron.c
+@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
+ /* every $m in ds:checklists/ds:component-ref satisfies ... */
+ xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
+ if (component_refs == NULL || component_refs->nodesetval == NULL) {
++ if (component_refs != NULL)
++ xmlXPathFreeObject(component_refs);
+ return res;
+ }
+ for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {
diff --git a/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch
new file mode 100644
index 0000000..0e44989
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch
@@ -0,0 +1,64 @@
+From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Thu, 6 May 2021 08:14:12 +0200
+Subject: [PATCH] Introduce OSBuild Blueprint fix type
+
+---
+ utils/oscap-xccdf.c | 7 +++++--
+ utils/oscap.8 | 2 +-
+ xsl/xccdf-share.xsl | 1 +
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
+index 95c1c7658d..801e54fa35 100644
+--- a/utils/oscap-xccdf.c
++++ b/utils/oscap-xccdf.c
+@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = {
+ .usage = "[options] xccdf-file.xml",
+ .help = GEN_OPTS
+ "\nFix Options:\n"
+- " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n"
++ " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
++ " blueprint (default: bash).\n"
+ " --output <file> - Write the script into file.\n"
+ " --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n"
+ " --template <id|filename> - Fix template. (default: bash)\n"
+@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action)
+ template = "urn:xccdf:fix:script:ignition";
+ } else if (strcmp(action->fix_type, "kubernetes") == 0) {
+ template = "urn:xccdf:fix:script:kubernetes";
++ } else if (strcmp(action->fix_type, "blueprint") == 0) {
++ template = "urn:redhat:osbuild:blueprint";
+ } else {
+ fprintf(stderr,
+ "Unknown fix type '%s'.\n"
+- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n"
++ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n"
+ "Or provide a custom template using '--template' instead.\n",
+ action->fix_type);
+ return OSCAP_ERROR;
+diff --git a/utils/oscap.8 b/utils/oscap.8
+index 240b829d7b..6cae0ffe8a 100644
+--- a/utils/oscap.8
++++ b/utils/oscap.8
+@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the
+ Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.
+ .TP
+ \fB\-\-fix-type TYPE\fR
+-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
++Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
+ .TP
+ \fB\-\-output FILE\fR
+ Write the report to this file instead of standard output.
+diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
+index 9f8e587676..d7a9f3b7e2 100644
+--- a/xsl/xccdf-share.xsl
++++ b/xsl/xccdf-share.xsl
+@@ -295,6 +295,7 @@ Authors:
+ <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:puppet'">Puppet snippet</xsl:when>
+ <xsl:when test="$fix/@system = 'urn:redhat:anaconda:pre'">Anaconda snippet</xsl:when>
+ <xsl:when test="$fix/@system = 'urn:xccdf:fix:script:kubernetes'">Kubernetes snippet</xsl:when>
++ <xsl:when test="$fix/@system = 'urn:redhat:osbuild:blueprint'">OSBuild Blueprint snippet</xsl:when>
+ <xsl:otherwise>script</xsl:otherwise>
+ </xsl:choose>
+ </xsl:variable>
diff --git a/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch
new file mode 100644
index 0000000..a63f094
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch
@@ -0,0 +1,36 @@
+From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 11 May 2021 13:20:18 +0200
+Subject: [PATCH] Replace getlogin by cuserid
+
+The getlogin() is used here to fill in the xccdf:identity element which
+shall contain information about the system identity or user employed
+during application of the benchmark. But, the getlogin() can return NULL
+when there is no controlling terminal. This happened when testing oscap
+on a test system with no pty. As an alternative, the system provides
+also cuserid() function which gets the effective user ID of the process.
+However, these 2 values differ when the program is executed under sudo.
+From the user experience point of view, it would be better to have
+displayed there the user logged in on the controlling terminal. As a
+compromise, we will first attempt to obtain the name using getlogin()
+and if that fails we will run cuserid().
+---
+ src/XCCDF/result.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
+index cd03e6bd8f..cbe016c44a 100644
+--- a/src/XCCDF/result.c
++++ b/src/XCCDF/result.c
+@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result)
+ xccdf_identity_set_authenticated(id, 0);
+ xccdf_identity_set_privileged(id, 0);
+ #ifdef OSCAP_UNIX
+- xccdf_identity_set_name(id, getlogin());
++ char *name = getlogin();
++ if (name == NULL)
++ name = cuserid(NULL);
++ xccdf_identity_set_name(id, name);
+ #elif defined(OS_WINDOWS)
+ GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */
+ xccdf_identity_set_name(id, w32_username);
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 6dca31a..a0b284f 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,11 +1,15 @@
Name: openscap
Version: 1.3.5
-Release: 2%{?dist}
+Release: 4%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch1: openscap-1.3.6-PR-1745-waive-hugepages.patch
+Patch2: openscap-1.3.6-PR-1748-covscan.patch
+Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch
+Patch4: openscap-1.3.6-PR-1753-getlogin.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@@ -214,6 +218,14 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
+* Tue Jun 01 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-4
+- Replace getlogin by cuserid
+
+* Mon May 10 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-3
+- Waive known issue with hugepages in upstream testsuite (RHBZ#1912000)
+- Fix issues reported by the coverity scan
+- Introduce OSBuild 'blueprint' fix type
+
* Tue May 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-2
- Fix changelog (add missing 1.3.3-6 entry)