diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
new file mode 100644
index 0000000..b8101b6
--- /dev/null
+++ b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
@@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
++++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+                 r'{key}=********'.format(key=key)
+             )
+ 
+-        # Answer files contain passwords
+-        for key in (
+-            'OVESETUP_CONFIG/adminPassword',
+-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+-            'OVESETUP_DWH_DB/password',
+-            'OVESETUP_DB/password',
+-            'OVESETUP_REPORTS_CONFIG/adminPassword',
+-            'OVESETUP_REPORTS_DB/password',
++        # Answer files contain passwords.
++        # Replace all keys that have 'password' in them, instead of hard-coding
++        # here the list of keys, which changes between versions.
++        # Sadly, the engine admin password prompt name does not contain
++        # 'password'... so neither does the env key.
++        for item in (
++            'password',
++            'OVESETUP_CONFIG_ADMIN_SETUP',
+         ):
+             self.do_path_regex_sub(
+                 r'/var/lib/ovirt-engine/setup/answers/.*',
+-                r'{key}=(.*)'.format(key=key),
+-                r'{key}=********'.format(key=key)
++                re.compile(
++                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
++                    flags=re.IGNORECASE
++                ),
++                r'\g<key>=********'
+             )
+ 
+         # aaa profiles contain passwords
+-- 
+2.27.0
+
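Review bot: In the new pattern `(?P<key>[^=]*{item}[^=]*)=.*`, the negated class `[^=]` also matches newlines, so if `do_path_regex_sub` applies the substitution to the whole file content rather than line by line, the `key` group can start on an earlier line and run to the next `=`. A comment or a value that merely mentions "password" would then cause the value of an unrelated key on a following line to be masked. That looks like over-redaction rather than a leak, but it removes diagnostic data beyond the false positives the commit message accepts; keeping the key on one line avoids it: `r'(?P<key>[^=\n]*{item}[^=\n]*)=.*'.format(item=item),`. The hunk also starts calling `re.compile`, and the import block of ovirt.py is outside the hunk, so it is worth confirming that `re` is already imported there. The enclosing method begins and ends outside the hunk.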
diff --git a/SOURCES/sos-bz2098643-crio-output-to-json.patch b/SOURCES/sos-bz2098643-crio-output-to-json.patch
new file mode 100644
index 0000000..2f5dd3b
--- /dev/null
+++ b/SOURCES/sos-bz2098643-crio-output-to-json.patch
@@ -0,0 +1,73 @@
+From c2e66fa4dae51f03c7310ba5278897ddecac1aad Mon Sep 17 00:00:00 2001
+From: Nadia Pinaeva <npinaeva@redhat.com>
+Date: Thu, 2 Jun 2022 15:43:09 +0200
+Subject: [PATCH] crio: switch from parsing output in table format to json
+
+Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
+---
+ sos/policies/runtimes/crio.py | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/sos/policies/runtimes/crio.py b/sos/policies/runtimes/crio.py
+index 55082d07..4cae1ecc 100644
+--- a/sos/policies/runtimes/crio.py
++++ b/sos/policies/runtimes/crio.py
+@@ -7,6 +7,7 @@
+ # version 2 of the GNU General Public License.
+ #
+ # See the LICENSE file in the source distribution for further information.
++import json
+ 
+ from sos.policies.runtimes import ContainerRuntime
+ from sos.utilities import sos_get_command_output
+@@ -29,14 +30,15 @@ class CrioContainerRuntime(ContainerRuntime):
+         :type get_all: ``bool``
+         """
+         containers = []
+-        _cmd = "%s ps %s" % (self.binary, '-a' if get_all else '')
++        _cmd = "%s ps %s -o json" % (self.binary, '-a' if get_all else '')
+         if self.active:
+             out = sos_get_command_output(_cmd, chroot=self.policy.sysroot)
+-            if out['status'] == 0:
+-                for ent in out['output'].splitlines()[1:]:
+-                    ent = ent.split()
++            if out["status"] == 0:
++                out_json = json.loads(out["output"])
++                for container in out_json["containers"]:
+                     # takes the form (container_id, container_name)
+-                    containers.append((ent[0], ent[-3]))
++                    containers.append(
++                        (container["id"], container["metadata"]["name"]))
+         return containers
+ 
+     def get_images(self):
+@@ -47,13 +49,21 @@ class CrioContainerRuntime(ContainerRuntime):
+         """
+         images = []
+         if self.active:
+-            out = sos_get_command_output("%s images" % self.binary,
++            out = sos_get_command_output("%s images -o json" % self.binary,
+                                          chroot=self.policy.sysroot)
+             if out['status'] == 0:
+-                for ent in out['output'].splitlines():
+-                    ent = ent.split()
+-                    # takes the form (image_name, image_id)
+-                    images.append((ent[0] + ':' + ent[1], ent[2]))
++                out_json = json.loads(out["output"])
++                for image in out_json["images"]:
++                    # takes the form (repository:tag, image_id)
++                    if len(image["repoTags"]) > 0:
++                        for repo_tag in image["repoTags"]:
++                            images.append((repo_tag, image["id"]))
++                    else:
++                        if len(image["repoDigests"]) == 0:
++                            image_name = "<none>"
++                        else:
++                            image_name = image["repoDigests"][0].split("@")[0]
++                        images.append((image_name + ":<none>", image["id"]))
+         return images
+ 
+     def fmt_container_cmd(self, container, cmd, quotecmd):
+-- 
+2.27.0
+
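Review bot: Both `json.loads(out["output"])` calls and the lookups that follow (`out_json["containers"]`, `container["metadata"]["name"]`, `out_json["images"]`, `image["repoTags"]`, `image["repoDigests"]`) run unguarded in `get_containers` and `get_images`. Empty or non-JSON output with exit status 0, or a runtime version with a different schema, would therefore raise out of these methods instead of yielding an empty list. Wrapping each parse-and-loop in `try:` with `except (ValueError, KeyError, TypeError):` and leaving the list empty would keep the lookup best-effort. `len(image["repoTags"])` also assumes the field is always a list and never `null`, which the hunk cannot confirm.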
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index d0b093e..6b2ea9b 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -5,7 +5,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@@ -45,6 +45,8 @@ Patch21: sos-bz2042966-ovn-proper-package-enablement.patch
 Patch22: sos-bz2054882-plugopt-logging-effective-opts.patch
 Patch23: sos-bz2055547-honour-plugins-timeout-hardcoded.patch
 Patch24: sos-bz2071825-merged-8.6.z.patch
+Patch25: sos-bz2098639-ovirt-obfuscation_answer_file.patch
+Patch26: sos-bz2098643-crio-output-to-json.patch
 
 %description
 Sos is a set of tools that gathers information about system
@@ -79,6 +81,8 @@ support technicians and developers.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
+%patch26 -p1
 
 %build
 %py3_build
@@ -145,6 +149,12 @@ of the system. Currently storage and filesystem commands are audited.
 %ghost /etc/audit/rules.d/40-sos-storage.rules
 
 %changelog
+* Fri Jul 24 2022 Jan Jansky <jjansky@redhat.com> = 4.2-20
+- [ovirt] obfuscate answer file
+  Resolves: bz2098639
+- [crio] from output to json
+  Resolves: bz2098643
+
 * Mon May 09 2022 Jan Jansky <jjansky@redhat.com> = 4.2-19
 - OCP backport
   Resolves: bz2071824