Accepting request 651059 from home:rfrohl:branches:security

- Update to openscap-1.3.0 - move to cmake - improve unit test, planned for inclusion with 1.3.1 - tests do no complete as of yet, still future work needed OBS-URL: https://build.opensuse.org/request/show/651059 OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=225
2018-11-22 10:48:01 +00:00 · 2018-11-22 10:48:01 +00:00 · 4d33f05db9
commit 4d33f05db9
parent 619b3160ac
12 changed files with 274 additions and 268 deletions
--- a/1.2.17.tar.gz
+++ b/1.2.17.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:877eeb69cf19f8cef9d161fabaa389b0a85477ddaf3be21e9ee3b84d4ca1841b
 size 12517674
--- a/1.3.0.tar.gz
+++ b/1.3.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:70bab797f956c5130dac862ccf79724ef795466ad59c4411ac8e2a7e0066493b
 size 12327473
--- a/openscap-new-suse.patch
+++ b/openscap-new-suse.patch
@ -1,8 +1,8 @@
-Index: openscap-1.2.16/cpe/openscap-cpe-dict.xml
+Index: openscap-1.3.0/cpe/openscap-cpe-dict.xml
 ===================================================================
--- openscap-1.2.16.orig/cpe/openscap-cpe-dict.xml
+--- openscap-1.3.0.orig/cpe/openscap-cpe-dict.xml
-+++ openscap-1.2.16/cpe/openscap-cpe-dict.xml
+++ openscap-1.3.0/cpe/openscap-cpe-dict.xml
-@@ -133,6 +133,14 @@
+@@ -141,6 +141,14 @@
             <title xml:lang="en-us">SUSE Linux Enterprise Desktop 12</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:12</check>
       </cpe-item>
@ -17,36 +17,11 @@ Index: openscap-1.2.16/cpe/openscap-cpe-dict.xml
       <cpe-item name="cpe:/o:opensuse:opensuse:11.4">
             <title xml:lang="en-us">openSUSE 11.4</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:114</check>
-@@ -145,14 +153,22 @@
+Index: openscap-1.3.0/cpe/openscap-cpe-oval.xml
             <title xml:lang="en-us">openSUSE 13.2</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:132</check>
       </cpe-item>
 -      <cpe-item name="cpe:/o:novell:leap:42.1">
 +      <cpe-item name="cpe:/o:opensuse:leap:42.1">
             <title xml:lang="en-us">openSUSE 42.1</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:421</check>
       </cpe-item>
 -      <cpe-item name="cpe:/o:novell:leap:42.2">
 +      <cpe-item name="cpe:/o:opensuse:leap:42.2">
             <title xml:lang="en-us">openSUSE 42.2</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:422</check>
       </cpe-item>
 +      <cpe-item name="cpe:/o:opensuse:leap:42.3">
 +            <title xml:lang="en-us">openSUSE Leap 42.3</title>
 +            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:423</check>
 +      </cpe-item>
 +      <cpe-item name="cpe:/o:opensuse:leap:15.0">
 +            <title xml:lang="en-us">openSUSE Leap 15.0</title>
 +            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:150</check>
 +      </cpe-item>
       <cpe-item name="cpe:/o:opensuse:opensuse">
             <title xml:lang="en-us">openSUSE All Versions</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:1</check>
 Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
 ===================================================================
--- openscap-1.2.16.orig/cpe/openscap-cpe-oval.xml
+--- openscap-1.3.0.orig/cpe/openscap-cpe-oval.xml
-+++ openscap-1.2.16/cpe/openscap-cpe-oval.xml
+++ openscap-1.3.0/cpe/openscap-cpe-oval.xml
-@@ -449,6 +449,34 @@
+@@ -475,6 +475,34 @@
                   </criteria>
             </definition>
@ -81,54 +56,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
             <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:1" version="1">
                   <metadata>
                         <title>openSUSE All Versions</title>
-@@ -519,17 +547,43 @@
+@@ -870,6 +898,11 @@
             </definition>
             <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:422" version="1">
                   <metadata>
 -                        <title>openSUSE 42.2</title>
 +                        <title>openSUSE Leap 42.2</title>
                         <affected family="unix">
 -                            <platform>openSUSE 42.2</platform>
 +                            <platform>openSUSE Leap 42.2</platform>
                         </affected>
                         <reference ref_id="cpe:/o:novell:leap:42.2" source="CPE"/>
 -                        <description>The operating system installed on the system is openSUSE 42.2</description>
 +                        <description>The operating system installed on the system is openSUSE Leap 42.2</description>
                   </metadata>
                   <criteria>
                         <criterion comment="openSUSE 42.2 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:422"/>
                   </criteria>
             </definition>
 +            <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:423" version="1">
 +                  <metadata>
 +                        <title>openSUSE Leap 42.3</title>
 +                        <affected family="unix">
 +                            <platform>openSUSE Leap 42.3</platform>
 +                        </affected>
 +                        <reference ref_id="cpe:/o:novell:leap:42.3" source="CPE"/>
 +                        <description>The operating system installed on the system is openSUSE Leap 42.3</description>
 +                  </metadata>
 +                  <criteria>
 +                        <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/>
 +                  </criteria>
 +            </definition>
 +            <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:150" version="1">
 +                  <metadata>
 +                        <title>openSUSE Leap 15.0</title>
 +                        <affected family="unix">
 +                            <platform>openSUSE Leap 15.0</platform>
 +                        </affected>
 +                        <reference ref_id="cpe:/o:novell:leap:15.0" source="CPE"/>
 +                        <description>The operating system installed on the system is openSUSE Leap 15.0</description>
 +                  </metadata>
 +                  <criteria>
 +                        <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/>
 +                  </criteria>
 +            </definition>
             <definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" >
                   <metadata>
                         <title>Wind River Linux</title>
@@ -715,6 +769,11 @@
                   <object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
                   <state state_ref="oval:org.open-scap.cpe.sles:ste:12"/>
             </rpminfo_test>
@ -140,7 +68,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
             <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:10" version="1" check="at least one" comment="sled-release is version 10"
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
-@@ -730,6 +789,11 @@
+@@ -885,6 +918,11 @@
                   <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
                   <state state_ref="oval:org.open-scap.cpe.sled:ste:12"/>
             </rpminfo_test>
@ -152,24 +80,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
             <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:1" version="1" check="at least one" comment="openSUSE-release is version 11.4"
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
-@@ -760,6 +824,16 @@
+@@ -1159,6 +1207,9 @@
                   <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
                   <state state_ref="oval:org.open-scap.cpe.opensuse:ste:422"/>
             </rpminfo_test>
 +            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:423" version="2" check="at least one" comment="openSUSE-release is version 42.2"
 +                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
 +                  <state state_ref="oval:org.open-scap.cpe.opensuse:ste:423"/>
 +            </rpminfo_test>
 +            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:150" version="2" check="at least one" comment="openSUSE-release is version 42.2"
 +                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
 +                  <state state_ref="oval:org.open-scap.cpe.opensuse:ste:150"/>
 +            </rpminfo_test>
             <family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.wrlinux:tst:1" version="1" check="only one"
                   comment="Installed operating system is part of the Unix family."
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -955,6 +1029,9 @@
             <rpminfo_state id="oval:org.open-scap.cpe.sles:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^12($|[^\d])</version>
             </rpminfo_state>
@ -179,7 +90,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
             <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:10" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^10($|[^\d])</version>
             </rpminfo_state>
-@@ -964,6 +1041,9 @@
+@@ -1168,6 +1219,9 @@
             <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^12($|[^\d])</version>
             </rpminfo_state>
@ -189,16 +100,3 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
             <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <name operation="pattern match">^openSUSE-release</name>
             </rpminfo_state>
@@ -982,6 +1062,12 @@
             <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:422" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <version operation="pattern match">^42.2$</version>
             </rpminfo_state>
 +            <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:423" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <version operation="pattern match">^42.3$</version>
 +            </rpminfo_state>
 +            <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:150" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 +                  <version operation="pattern match">^15.0$</version>
 +            </rpminfo_state>
             <textfilecontent54_state
                             id="oval:org.open-scap.cpe.wrlinux-release:ste:8"
                             comment="Check the /etc/wrlinux-release file for VERSION 8 specification."
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 # can not change docs implementation
 addFilter("files-duplicate /usr/share/doc/openscap/html/search")
 # ignore duplicates in different schema versions
 addFilter("files-duplicate /usr/share/openscap/schemas")
--- a/openscap-xattr.patch
+++ b/openscap-xattr.patch
@ -1,26 +0,0 @@
 Index: openscap-1.2.17/configure.ac
 ===================================================================
 --- openscap-1.2.17.orig/configure.ac
 +++ openscap-1.2.17/configure.ac
@@ -476,7 +476,7 @@ AC_CHECK_HEADERS([acl/libacl.h sys/acl.h
 echo
 echo ' * Checking presence of required headers for the fileextendedattribute probe'
 -AC_CHECK_HEADERS([attr/xattr.h errno.h limits.h pthread.h stdlib.h string.h sys/stat.h sys/types.h ],[],[probe_fileextendedattribute_req_deps_ok=no; probe_fileextendedattribute_req_deps_missing='header files'],[-])
 +AC_CHECK_HEADERS([attr/libattr.h errno.h limits.h pthread.h stdlib.h string.h sys/stat.h sys/types.h ],[],[probe_fileextendedattribute_req_deps_ok=no; probe_fileextendedattribute_req_deps_missing='header files'],[-])
 echo
 echo ' * Checking presence of required headers for the password probe'
 Index: openscap-1.2.17/src/OVAL/probes/unix/fileextendedattribute.c
 ===================================================================
 --- openscap-1.2.17.orig/src/OVAL/probes/unix/fileextendedattribute.c
 +++ openscap-1.2.17/src/OVAL/probes/unix/fileextendedattribute.c
@@ -41,7 +41,7 @@
 #include <limits.h>
 #include <sys/types.h>
 -#include <attr/xattr.h>
 +#include <attr/libattr.h>
 #include <probe/probe.h>
 #include <probe/option.h>
--- a/openscap.changes
+++ b/openscap.changes
@ -1,3 +1,28 @@
 -------------------------------------------------------------------
 Fri Oct 19 15:46:44 UTC 2018 - Robert Frohl <rfrohl@suse.com>
 - openscap-1.3.0 
  - New features
 	- Introduced a virtual '(all)' profile selecting all rules
 	- Verbose mode is a global option in all modules
 	- Added Microsoft Windows CPEs
 	- oscap-ssh can supply SSH options into an environment variable
  - Maintenance
 	- Removed SEXP parser
 	- Added Fedora 30 CPE
 	- Fixed many Coverity defects (memory leaks etc.)
 	- SCE builds are enabled by default
 	- Moved many low-level functions out of public API
 	- Removed unused and dead code
 	- Updated manual pages
 	- Numerous small fixes
 - xinetd_probe.patch: fix trailing whitespace in config
 - test_probes_rpmverifypackage-disable-epoch-test.patch: fix rpmverifypackage unit test
 - sysctl_unittest.patch: fix sysctl unit test
 - rpmverifyfile_unittest.patch: fix rpmverifyfile unit test
 - rpmverify_unittest.patch: fix rpmverify unit test
 - openscap-xattr.patch: removed, included by upstream
 -------------------------------------------------------------------
 Wed Sep 12 05:56:03 UTC 2018 - meissner@suse.com
--- a/openscap.spec
+++ b/openscap.spec
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@ -21,11 +21,11 @@
  %define _fillupdir /var/adm/fillup-templates
 %endif
-%define sover 8
+%define sover 25
 %define with_bindings 0
 Name:           openscap
-Version:        1.2.17
+Version:        1.3.0
 Release:        1.0
 Source:         https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
 Source2:        sysconfig.oscap-scan
@ -37,31 +37,47 @@ Source4:        scap-yast2sec-oval.xml
 Source5:        oscap-scan.service
 Source6:        oscap-scan.sh
 Patch0:         openscap-new-suse.patch
-Patch1:         openscap-xattr.patch
+Patch1:         xinetd_probe.patch
 Patch2:         test_probes_rpmverifypackage-disable-epoch-test.patch
 Patch3:         sysctl_unittest.patch
 Patch4:         rpmverifyfile_unittest.patch
 Patch5:         rpmverify_unittest.patch
 Url:            http://www.open-scap.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  asciidoc
 BuildRequires:  doxygen
 # Next few lines are needed for unit tests, they expect /etc/os-release to exist
 %if !0%{?is_opensuse} && 0%{?sle_version} < 130000 
 BuildRequires:  sles-release
 %else
 BuildRequires:  dummy-release
 %endif
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
 BuildRequires:  libbz2-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 # Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
-BuildRequires:  autoconf
+BuildRequires:  cmake
-BuildRequires:  automake
+BuildRequires:  gcc-c++
 BuildRequires:  gconf2-devel
 BuildRequires:  libblkid-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  libtool
 BuildRequires:  libxslt-devel
 BuildRequires:  lua
 BuildRequires:  openldap2-devel
 BuildRequires:  pcre-devel
 BuildRequires:  perl-XML-Parser
 BuildRequires:  perl-XML-XPath
 BuildRequires:  pkg-config
 BuildRequires:  procps
 BuildRequires:  procps-devel
 BuildRequires:  python-devel
 BuildRequires:  rpm-devel
 BuildRequires:  sendmail
 BuildRequires:  swig
 BuildRequires:  unixODBC-devel
 Summary:        A Set of Libraries for Integration with SCAP
@ -79,37 +95,6 @@ related information.
 More information about SCAP can be found at nvd.nist.gov.
 %package -n libopenscap%{sover}
 Summary:        OpenSCAP C Library
 Group:          System/Libraries
 %description -n libopenscap%{sover}
 The OpenSCAP C Library for easy integration with SCAP.
 %package docker
 Summary:        Docker plugin for OpenSCAP
 Group:          System/Libraries
 %description docker
 This package contains the Docker support for OpenSCAP.
 %package engine-sce
 Summary:        Script Checking Engine for OpenSCAP
 Group:          System/Libraries
 %description engine-sce
 This package contains the Script Checking Engine (SCE) support for OpenSCAP.
 %package -n libopenscap_sce%{sover}
 Summary:        Script Checking Engine Library for OpenSCAP
 Group:          System/Libraries
 Recommends:     openscap-engine-sce
 %description -n libopenscap_sce%{sover}
 This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 %package devel
 Requires:       %{name} = %{version}-%{release}
 Requires:       libopenscap%{sover} = %{version}
@ -120,6 +105,13 @@ Group:          Development/Libraries/C and C++
 This package contains the development files (mainly C header files) for the 
 OpenSCAP C library.
 %package docker
 Summary:        Docker plugin for OpenSCAP
 Group:          System/Libraries
 %description docker
 This package contains the Docker support for OpenSCAP.
 %if 0%{?with_bindings}
 %package -n python-openscap
 %py_requires
@ -142,6 +134,13 @@ Group:          Development/Libraries/Perl
 The OpenSCAP Perl Library for easy integration with SCAP.
 %endif
 %package -n libopenscap%{sover}
 Summary:        OpenSCAP C Library
 Group:          System/Libraries
 %description -n libopenscap%{sover}
 The OpenSCAP C Library for easy integration with SCAP.
 %package        utils
 Summary:        Openscap utilities
 Group:          System/Monitoring
@ -152,7 +151,6 @@ PreReq:         %fillup_prereq
 %description    utils
 The %{name}-utils package contains various utilities based on %{name} library.
 %package        content
 Summary:        SCAP content
 Group:          System/Monitoring
@ -161,16 +159,12 @@ Requires:       %{name} = %{version}-%{release}
 %description    content
 SCAP content for Fedora delivered by Open-SCAP project.
 %package -n libopenscap_sce%{sover}
 Summary:        Script Checking Engine Library for OpenSCAP
 Group:          System/Libraries
-%package        extra-probes
+%description -n libopenscap_sce%{sover}
-Summary:        SCAP probes
+This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 Group:          System/Monitoring
 Requires:       %{name} = %{version}-%{release}
 #BuildRequires:  opendbx - for sql
 %description    extra-probes
 The %{name}-extra-probes package contains additional probes that are not
 commonly used and require additional dependencies.
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
@ -178,102 +172,70 @@ commonly used and require additional dependencies.
 %setup -q
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %build
 bash ./autogen.sh
 %if 0%{?with_bindings}
-%configure --disable-silent-rules --enable-sce --enable-cce
+%cmake -DENABLE_DOCS=TRUE -DCMAKE_SHARED_LINKER_FLAGS=""
 %else
-%configure --disable-silent-rules --enable-sce --enable-cce --disable-bindings --disable-python --disable-python3
+%cmake -DENABLE_DOCS=TRUE -DENABLE_PYTHON3=FALSE -DENABLE_PERL=FALSE -DCMAKE_SHARED_LINKER_FLAGS=""
 %endif
-make %{?_smp_mflags}
+%make_jobs
 cd docs
 doxygen
 cd ..
 %check
-make check %{?_smp_mflags} || :
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
 cd build
 # unit tests do not succeed, while working on 1.3 migration we submitted a few
 # patches upstream but there is still one unit test that always fails and 1-3
 # which fail occasionally
 ctest %{?_smp_mflags} || :
 cd ..
 %install
-make install DESTDIR=%{buildroot}
+%cmake_install
 find %{buildroot} -name "*.la" -delete
 # last python2 user in oscap-utils ... needs porting to python3
 rm %{buildroot}/usr/bin/scap-as-rpm
 mkdir -p %{buildroot}/%{_fillupdir}
 install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
 mkdir -p %{buildroot}/%{_libexecdir}/openscap
 mkdir -p %{buildroot}/%{_libdir}/openscap
 install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
 install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
 # specific local scan during boot script
 mkdir -p %{buildroot}/%{_unitdir}
 install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
 mkdir -p %{buildroot}/%{_bindir}
 install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
 mkdir -p %{buildroot}/%{_sbindir}
 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan
 mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
 mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
 # create symlinks to default content
 ln -s  %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
 ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
 %post -n libopenscap%{sover} -p /sbin/ldconfig
 %post -n libopenscap_sce%{sover} -p /sbin/ldconfig
 %post -n openscap-utils %service_add_post oscap-scan.service
 %postun -n libopenscap%{sover} -p /sbin/ldconfig
 %postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
 %postun -n openscap-utils %service_del_postun oscap-scan.service
-%preun utils
+%pre -n openscap-utils %service_add_pre oscap-scan.service
-%service_del_preun oscap-scan.service
+%preun -n openscap-utils %service_del_preun oscap-scan.service
 %post utils
 %service_add_post oscap-scan.service
 %{fillup_only -n oscap-scan}
 %postun utils
 %service_del_postun oscap-scan.service
 %pre utils
 %service_add_pre oscap-scan.service
 %files
 %defattr(-, root, root)
-%doc AUTHORS COPYING NEWS
+%license COPYING
-%dir %{_libexecdir}/openscap
+%doc AUTHORS NEWS
 %{_libexecdir}/openscap/probe_dnscache
 %{_libexecdir}/openscap/probe_environmentvariable
 %{_libexecdir}/openscap/probe_environmentvariable58
 %{_libexecdir}/openscap/probe_family
 %{_libexecdir}/openscap/probe_file
 %{_libexecdir}/openscap/probe_fileextendedattribute
 %{_libexecdir}/openscap/probe_filehash
 %{_libexecdir}/openscap/probe_filehash58
 %{_libexecdir}/openscap/probe_iflisteners
 %{_libexecdir}/openscap/probe_inetlisteningservers
 %{_libexecdir}/openscap/probe_interface
 %{_libexecdir}/openscap/probe_partition
 %{_libexecdir}/openscap/probe_password
 %{_libexecdir}/openscap/probe_process
 %{_libexecdir}/openscap/probe_process58
 %{_libexecdir}/openscap/probe_routingtable
 %{_libexecdir}/openscap/probe_rpminfo
 %{_libexecdir}/openscap/probe_rpmverify*
 %{_libexecdir}/openscap/probe_runlevel
 %{_libexecdir}/openscap/probe_selinuxboolean
 %{_libexecdir}/openscap/probe_selinuxsecuritycontext
 %{_libexecdir}/openscap/probe_shadow
 %{_libexecdir}/openscap/probe_symlink
 %{_libexecdir}/openscap/probe_sysctl
 %{_libexecdir}/openscap/probe_systemdunitdependency
 %{_libexecdir}/openscap/probe_systemdunitproperty
 %{_libexecdir}/openscap/probe_system_info
 %{_libexecdir}/openscap/probe_textfilecontent
 %{_libexecdir}/openscap/probe_textfilecontent54
 %{_libexecdir}/openscap/probe_uname
 %{_libexecdir}/openscap/probe_variable
 %{_libexecdir}/openscap/probe_xinetd
 %{_libexecdir}/openscap/probe_xmlfilecontent
 %dir %{_datadir}/openscap
 %dir %{_datadir}/openscap/cpe
 %dir %{_datadir}/openscap/schemas
@ -288,7 +250,8 @@ ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
 %files devel
 %defattr(-, root, root)
-%doc docs/{html,examples}/
+%dir /usr/share/doc/openscap
 /usr/share/doc/openscap/*
 %{_includedir}/*
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
@ -310,7 +273,7 @@ ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
 %files -n perl-openscap
 %defattr(-, root, root)
 %{perl_vendorlib}/openscap.pm
-%{perl_vendorarch}/_openscap_pm.so
+%{perl_vendorarch}/openscap_pm.so
 %endif
 %files utils
@ -324,27 +287,16 @@ ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
 %{_bindir}/oscap-scan
 %{_bindir}/oscap-ssh
 %{_bindir}/oscap-chroot
-# currently not shipped as it is still python2
+%{_bindir}/scap-as-rpm
-#{_bindir}/scap-as-rpm
+%{_sbindir}/rcoscap-scan
-%config %{_sysconfdir}/bash_completion.d/*
+%{_datadir}/bash-completion/completions/*
 %files content
 %defattr(-,root,root,-)
 %{_datadir}/openscap/scap*.xml
 %files engine-sce
 %defattr(-,root,root,-)
 %dir %{_datadir}/openscap
 %dir %{_datadir}/openscap/sectool-sce/
 %{_datadir}/openscap/sectool-sce/*
 %files -n libopenscap_sce%{sover}
 %defattr(-,root,root,-)
 %{_libdir}/libopenscap_sce.so.*
 %files extra-probes
 %defattr(-,root,root,-)
 %{_libexecdir}/openscap/probe_ldap57
 %{_libexecdir}/openscap/probe_gconf
 %changelog
--- a/rpmverify_unittest.patch
+++ b/rpmverify_unittest.patch
@ -0,0 +1,19 @@
 diff --git a/tests/probes/rpmverify/test_not_equals_operation.xml b/tests/probes/rpmverify/test_not_equals_operation.xml
 index abdfcc4c7..1855b981e 100644
 --- a/tests/probes/rpmverify/test_not_equals_operation.xml
 +++ b/tests/probes/rpmverify/test_not_equals_operation.xml
@@ -29,12 +29,12 @@
   <objects>
     <rpmverify_object id="oval:x:obj:1" version="1" comment="should return precisely one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
       <name operation="pattern match"/>
 -      <filepath>/</filepath>
 +      <filepath>/etc</filepath>
     </rpmverify_object>
     <rpmverify_object id="oval:x:obj:2" version="1" comment="the path should match two packages but the result should only be one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
       <name operation="not equal" var_ref="oval:x:var:1"/>
 -      <filepath operation="pattern match">(^/$|^/etc/passwd$)</filepath>
 +      <filepath operation="pattern match">(^/etc$|^/etc/os-release$)</filepath>
     </rpmverify_object>
   </objects>
--- a/rpmverifyfile_unittest.patch
+++ b/rpmverifyfile_unittest.patch
@ -0,0 +1,52 @@
 diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
 index ee93a7058..0299ec6e0 100755
 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
 +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
@@ -40,7 +40,7 @@ function test_probes_rpmverifyfile {
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
 -    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
 +    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
     sc='oval_results/results/system/oval_system_characteristics/'
     sd=$sc'system_data/'
     assert_exists 1 $sc'collected_objects/object'
 diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
 index 049b82627..b36428582 100644
 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
 +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
@@ -30,7 +30,7 @@
         <lin-def:version operation="pattern match"/>
         <lin-def:release operation="pattern match"/>
         <lin-def:arch operation="pattern match"/>
 -        <lin-def:filepath>/etc/passwd</lin-def:filepath>
 +        <lin-def:filepath>/etc/os-release</lin-def:filepath>
     </lin-def:rpmverifyfile_object>
   </objects>
 diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
 index 642f209e9..f9486e314 100755
 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
 +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
@@ -39,7 +39,7 @@ function test_probes_rpmverifyfile {
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
     assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
 -    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
 +    assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
     sc='oval_results/results/system/oval_system_characteristics/'
     sd=$sc'system_data/'
     assert_exists 1 $sc'collected_objects/object'
 diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
 index fe83a1e1c..c39282f51 100644
 --- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
 +++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
@@ -30,7 +30,7 @@
         <lin-def:version operation="pattern match"/>
         <lin-def:release operation="pattern match"/>
         <lin-def:arch operation="pattern match"/>
 -        <lin-def:filepath>/etc/passwd</lin-def:filepath>
 +        <lin-def:filepath>/etc/os-release</lin-def:filepath>
     </lin-def:rpmverifyfile_object>
   </objects>
--- a/sysctl_unittest.patch
+++ b/sysctl_unittest.patch
@ -0,0 +1,29 @@
 diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
 index bb9859d71..6534e1142 100755
 --- a/tests/probes/sysctl/test_sysctl_probe_all.sh
 +++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -4,6 +4,12 @@
 set -e -o pipefail
 +# on some systems sysctl might live in sbin, which can cause problems for
 +# non root users
 +PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
 +# non root users are not able to access some kernel params, so they get blacklisted
 +SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
 +
 function perform_test {
 probecheck "sysctl" || return 255
@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
 # sysctl has duplicities in output
 # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
 # kernel parameters might use "/" and "." separators interchangeably - normalizing
 -sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
 +sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
 -grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
 +grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
 diff "$sysctlNames" "$ourNames"
--- a/test_probes_rpmverifypackage-disable-epoch-test.patch
+++ b/test_probes_rpmverifypackage-disable-epoch-test.patch
@ -0,0 +1,23 @@
 diff --git a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
 index f4179e063..475ebf0b3 100755
 --- a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
 +++ b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
@@ -11,6 +11,8 @@
 . $builddir/tests/test_common.sh
 +[ -f /etc/os-release ] && . /etc/os-release
 +
 set -e -o pipefail
 set -x
@@ -79,7 +81,9 @@ function test_probes_rpmverifypackage_noepoch {
 test_init
 +if [[ $ID_LIKE != *"suse"* ]]; then
 test_run "test_probes_rpmverifypackage_epoch" test_probes_rpmverifypackage_epoch
 +fi
 test_run "test_probes_rpmverifypackage_noepoch" test_probes_rpmverifypackage_noepoch
 test_exit
--- a/xinetd_probe.patch
+++ b/xinetd_probe.patch
@ -0,0 +1,30 @@
 diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
 index 965d8cd04..e911ecc29 100644
 --- a/src/OVAL/probes/unix/xinetd_probe.c
 +++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type)
 int op_assign_str(void *var, char *val)
 {
 +	char *strend = NULL;
 	if (var == NULL) {
 		return -1;
 	}
@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val)
 	while(isspace(*val)) ++val;
 	if (*val != '\0') {
 -		*((char **)(var)) = strdup(val);
 +		strend = strrchr(val, '\0');
 +		/* strip trailing whitespaces */
 +		do {
 +			strend--;
 +		} while(isspace(*strend));
 +		if((strend-val) < 0) {
 +			dE("Error stripping white space from string '%s'", val);
 +			return (-1);
 +		}
 +		*((char **)(var)) = strndup(val, (strend-val+1));
 		return (0);
 	} else
 		return (-1);