Merge branch 'maint-1.3' after 1.3.2 release

Author: evgenyz

.gitignore

@@ -4,7 +4,9 @@
 .gdb_history
 .libs/
 .*.swp
+*.pyc
 tags
+*.pyc
 
 CMakeLists.txt.user
 build/

.travis.yml

@@ -3,12 +3,10 @@ language: c
 matrix:
   include:
     - os: linux
+      dist: bionic
       addons:
         apt:
-          sources:
-            - ubuntu-toolchain-r-test
           packages:
-            - cmake
             - lcov
             - libdbus-1-dev
             - libdbus-glib-1-dev
@@ -28,21 +26,18 @@ matrix:
             - swig
             - librtmp-dev
             - xsltproc
-            - gcc-7
       before_script:
-        - export CC=gcc-7 GCOV=gcov-7
         - cd build
       script:
         - cmake -DCMAKE_BUILD_TYPE=Debug ../
-        - build-wrapper-linux-x86-64 --out-dir bw-output make all || true  # Will always fail builds on forked repositories.
-        - cd .. && sonar-scanner || true  # Will always fail builds on forked repositories.
+        - build-wrapper-linux-x86-64 --out-dir bw-output make all || make all  # build-wrapper won't work on forked repositories.
+        - ctest --output-on-failure || true  # Tests won't pass on Ubuntu.
+        - (cd .. && sonar-scanner) || true  # Will always fail builds on forked repositories.
       after_success:
         - curl -s https://codecov.io/bash > cov.sh && bash cov.sh -x "$GCOV"
     - os: osx
-      osx_image: xcode8.3
       before_install:
         - brew update
-        - brew upgrade python
         - brew install doxygen
         - brew install opendbx
         - brew install popt
@@ -56,12 +51,6 @@ matrix:
 addons:
   sonarcloud:
     organization: "openscap"
-  apt:
-    sources:
-      - ubuntu-toolchain-r-test
-    packages:
-      - gcc-7
-
 
 cache:
   directories:

AUTHORS

@@ -1,18 +1,27 @@
+Alexander Bergmann <[email protected]>
+Alexander Scheel <[email protected]>
+Axel Nennker <[email protected]>
 Brady Alleman <[email protected]>
 Brandon Dixon <[email protected]>
 Brent Baude <[email protected]>
 Brian Kolbay <[email protected]>
 Bruno Ducrot <[email protected]>
+Bryan Schneiders <[email protected]>
 Charles Bushong <[email protected]>
 Chris Lundquist <[email protected]>
 Dan Kopeček <[email protected]>
 David Niemoller <[email protected]>
+De Huo <[email protected]>
+Dmitry Teselkin <[email protected]>
+DominiqueDevinci <[email protected]>
 Ed Sealing <[email protected]>
 Evgeni Golov <[email protected]>
+Evgeny Kolesnikov <[email protected]>
 Felix Wolfsteller <[email protected]>
 Fen Labalme <[email protected]>
 Francisco Slavin <[email protected]>
-Gabe <[email protected]>
+Gabe Alford <[email protected]>
+Gabriel Gaspar Becker <[email protected]>
 Gary Gapinski <[email protected]>
 Gautam Satish <[email protected]>
 Greg Elin <[email protected]>
@@ -28,45 +37,56 @@ John Whipple <[email protected]>
 Jonathan Zember <[email protected]>
 Josh Kayse <[email protected]>
 Joshua Adams <[email protected]>
+Julian Andres Klode <[email protected]>
 Katarina Jankov <[email protected]>
 Lenka Horáková <[email protected]>
 Lukáš Kuklínek <[email protected]>
+Malte Kraus <[email protected]>
 Marcus Meissner <[email protected]>
 Marek Haičman <[email protected]>
 Maroš Barabas <[email protected]>
 Marshall Miller <[email protected]>
 Martin Preisler <[email protected]>
 Matěj Týč <[email protected]>
+matsushima <[email protected]>
 Matthew Keeler <[email protected]>
 Matus Marhefka <[email protected]>
-Michaël Zaoui
+Michaël Zaoui <[email protected]>
 Michal Šrubař <[email protected]>
 mildew <mildew@sapropelus.(none)>
+Milan Lysonek <[email protected]>
 Miloslav Trmač <[email protected]>
 Miroslav Grepl <[email protected]>
 Mooli Tayer <[email protected]>
+msfuko <[email protected]>
+Nitin Ravindran <[email protected]>
 Ondrej Moriš <[email protected]>
+Panu Matilainen <[email protected]>
 Peter Vrabec <[email protected]>
 Petr Lautrbach <[email protected]>
 Pierre Chifflier <[email protected]>
+Prasanth R <[email protected]>
 Quey-Liang Kao <[email protected]>
 Radzy Radzykewycz <[email protected]>
 Raphael Sanchez Prudencio <[email protected]>
 Reggie Adkins <[email protected]>
 Richard W.M. Jones <[email protected]>
 Riley C. Porter <[email protected]>
+Robert Frohl <[email protected]>
 Ryan E Haggerty <[email protected]>
 Shawn Wells <[email protected]>
 Šimon Lukašík <[email protected]>
 Spencer Shimko <[email protected]>
 Steve Grubb <[email protected]>
 Tomas Heinrich <[email protected]>
+T.O. Radzy Radzykewycz <[email protected]>
 Trey Henefield <[email protected]>
 V. Vinay <[email protected]>
 Vincent Batts <[email protected]>
-Watson Sato <wsato@redhat.com>
+Vojtech Polasek <vpolasek@redhat.com>
 Watson Yuuma Sato <[email protected]>
 Wesley Ceraso Prudencio <[email protected]>
 Xiang Zhai <[email protected]>
 Zbyněk Moravec <[email protected]>
+Yoon Jean Kim <[email protected]>
 Андрей Рудаков <[email protected]>

CMakeLists.txt

@@ -23,15 +23,15 @@ endif()
 # See http://sources.redhat.com/autobook/autobook/autobook_91.html#SEC91 for details
 
 ## increment if the interface has additions, changes, removals.
-set(LT_CURRENT 25)
+set(LT_CURRENT 26)
 
 ## increment any time the source changes; set 0 to if you increment CURRENT
-set(LT_REVISION 1)
+set(LT_REVISION 0)
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
 ## precedence over adding, so set to 0 if both happened.
-set(LT_AGE 0)
+set(LT_AGE 1)
 
 math(EXPR LT_CURRENT_MINUS_AGE "${LT_CURRENT} - ${LT_AGE}")
 
@@ -132,6 +132,7 @@ if(RPM_FOUND)
 	check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
 	check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
 	check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
+	check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
 	set(HAVE_RPMVERCMP 1)
 endif()
 
@@ -339,12 +340,72 @@ message(STATUS " ")
 message(STATUS "OVAL:")
 message(STATUS "base probe support: ${ENABLE_PROBES}")
 message(STATUS "SEAP msgid bit-size: ${SEAP_MSGID_BITS}")
-message(STATUS "independent probes: ${ENABLE_PROBES_INDEPENDENT}")
-message(STATUS "unix probes: ${ENABLE_PROBES_UNIX}")
-message(STATUS "linux probes: ${ENABLE_PROBES_LINUX}")
-message(STATUS "solaris probes: ${ENABLE_PROBES_SOLARIS}")
+
+message(STATUS "")
+message(STATUS "Independent probes: ${ENABLE_PROBES_INDEPENDENT}")
+message(STATUS "  Independent family probe: ${OPENSCAP_PROBE_INDEPENDENT_FAMILY}")
+message(STATUS "  Independent system info probe: ${OPENSCAP_PROBE_INDEPENDENT_SYSTEM_INFO}")
+message(STATUS "  Independent variable probe: ${OPENSCAP_PROBE_INDEPENDENT_VARIABLE}")
+
+message(STATUS "")
+message(STATUS "Independent probes incompatible with WIN32 (WIN32 status: ${IS_WIN32})")
+message(STATUS "  Independent environmentvariable probe: ${OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE}") 
+message(STATUS "  Independent environmentvariable58 probe: ${OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE58}")
+message(STATUS "  Independent filehash probe: ${OPENSCAP_PROBE_INDEPENDENT_FILEHASH}")
+message(STATUS "  Independent filehash58 probe: ${OPENSCAP_PROBE_INDEPENDENT_FILEHASH58}")
+message(STATUS "  Independent sql probe (depends on opendbx): ${OPENSCAP_PROBE_INDEPENDENT_SQL}")
+message(STATUS "  Independent sql57 probe (depends on opendbx): ${OPENSCAP_PROBE_INDEPENDENT_SQL57}")
+message(STATUS "  Independent textfilecontent probe: ${OPENSCAP_PROBE_INDEPENDENT_TEXTFILECONTENT}")
+message(STATUS "  Independent textfilecontent54 probe: ${OPENSCAP_PROBE_INDEPENDENT_TEXTFILECONTENT54}")
+message(STATUS "  Independent xmlfilecontent probe: ${OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT}")
+message(STATUS " ")
+
+
+message(STATUS "Unix probes: ${ENABLE_PROBES_UNIX}")
+message(STATUS "  Unix dnscache probe: ${OPENSCAP_PROBE_UNIX_DNSCACHE}")
+message(STATUS "  Unix file probe: ${OPENSCAP_PROBE_UNIX_FILE}")
+message(STATUS "  Unix fileextendedattribute probe (depends on xattrh): ${OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE}")
+message(STATUS "  Unix gconf probe (depends on gconf): ${OPENSCAP_PROBE_UNIX_GCONF}")
+message(STATUS "  Unix interface probe: ${OPENSCAP_PROBE_UNIX_INTERFACE}")
+message(STATUS "  Unix password probe: ${OPENSCAP_PROBE_UNIX_PASSWORD}")
+message(STATUS "  Unix process probe: ${OPENSCAP_PROBE_UNIX_PROCESS}")
+message(STATUS "  Unix process58 probe (depends on CAP): ${OPENSCAP_PROBE_UNIX_PROCESS58}")
+message(STATUS "  Unix routingtable probe: ${OPENSCAP_PROBE_UNIX_ROUTINGTABLE}")
+message(STATUS "  Unix runlevel probe: ${OPENSCAP_PROBE_UNIX_RUNLEVEL}")
+message(STATUS "  Unix shadow probe: ${OPENSCAP_PROBE_UNIX_SHADOW}")
+message(STATUS "  Unix symlink probe: ${OPENSCAP_PROBE_UNIX_SYMLINK}")
+message(STATUS "  Unix sysctl probe: ${OPENSCAP_PROBE_UNIX_SYSCTL}")
+message(STATUS "  Unix uname probe: ${OPENSCAP_PROBE_UNIX_UNAME}")
+message(STATUS "  Unix xinetd probe: ${OPENSCAP_PROBE_UNIX_XINETD}")
+message(STATUS " ")
+
+message(STATUS "Linux probes: ${ENABLE_PROBES_LINUX}")
+message(STATUS "  Linux dpkginfo probe (depends on aptpkg): ${OPENSCAP_PROBE_LINUX_DPKGINFO}")
+message(STATUS "  Linux iflisteners probe: ${OPENSCAP_PROBE_LINUX_IFLISTENERS}")
+message(STATUS "  Linux inetlisteningservers probe: ${OPENSCAP_PROBE_LINUX_INETLISTENINGSERVERS}")
+message(STATUS "  Linux partition probe (depends on blkid): ${OPENSCAP_PROBE_LINUX_PARTITION}")
+message(STATUS "  Linux rpminfo probe (depends on rpm): ${OPENSCAP_PROBE_LINUX_RPMINFO}")
+message(STATUS "  Linux rpmverify probe (depends on rpm): ${OPENSCAP_PROBE_LINUX_RPMVERIFY}")
+message(STATUS "  Linux rpmverifyfile probe (depends on rpm): ${OPENSCAP_PROBE_LINUX_RPMVERIFYFILE}")
+message(STATUS "  Linux rpmverifypackage probe (depends on rpm): ${OPENSCAP_PROBE_LINUX_RPMVERIFYPACKAGE}")
+message(STATUS "  Linux selinuxboolean probe (depends on selinux): ${OPENSCAP_PROBE_LINUX_SELINUXBOOLEAN}")
+message(STATUS "  Linux selinuxsecuritycontext probe (depends on selinux): ${OPENSCAP_PROBE_LINUX_SELINUXSECURITYCONTEXT}")
+message(STATUS "  Linux systemdunitdependency probe (depends on dbus): ${OPENSCAP_PROBE_LINUX_SYSTEMDUNITDEPENDENCY}")
+message(STATUS "  Linux systemdunitproperty probe (depends on dbus): ${OPENSCAP_PROBE_LINUX_SYSTEMDUNITPROPERTY}")
 message(STATUS " ")
 
+message(STATUS "Solaris probes: ${ENABLE_PROBES_SOLARIS}")
+message(STATUS "  Solaris isainfo probe: ${OPENSCAP_PROBE_SOLARIS_ISAINFO}")
+message(STATUS " ")
+
+
+message(STATUS "Windows probes: ${ENABLE_PROBES_WINDOWS}")
+message(STATUS "  Windows accesstoken probe: ${OPENSCAP_PROBE_WINDOWS_ACCESSTOKEN}")
+message(STATUS "  Windows registry probe: ${OPENSCAP_PROBE_WINDOWS_REGISTRY}")
+message(STATUS "  Windows wmi57 probe: ${OPENSCAP_PROBE_WINDOWS_WMI57}")
+message(STATUS " ")
+
+
 message(STATUS "Language bindings:")
 message(STATUS "python3 bindings: ${ENABLE_PYTHON3}")
 message(STATUS "perl bindings: ${ENABLE_PERL}")

NEWS

@@ -1,4 +1,24 @@
-openscap-1.3.1                                                  12-06-2018
+openscap-1.3.2                                                  13-01-2020
+  - New features
+    - Offline mode support for environmentvariable58 probe
+    - The oscap-docker wrapper is available without Atomic
+  - Maintenance, bug fixes
+    - Improved support of multi-check rules (report, remediations, console output)
+    - Improved HTML report look and feel, including printed version
+    - Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
+    - Probe rpmverifyfile uses and returns canonical paths
+    - Improved a11y of HTML reports and guides
+    - Fixes and improvements for SWIG Python bindings
+    - #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
+    - Fixed URL link mechanism for Red Hat Errata
+    - New STIG Viewer URI: public.cyber.mil
+    - Probe selinuxsecuritycontext would not check if SELinux is enabled
+    - Scanner would provide information about unsupported OVAL objects
+    - Added more tests for offline mode (probes, remediation)
+    - #528 fixed: Eval SCE script when /tmp is in mode noexec
+    - #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage
+
+openscap-1.3.1                                                  12-06-2019
   - New features
     - Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas,
       validation)

config.h.in

@@ -39,6 +39,7 @@
 #cmakedefine HAVE_HEADERFORMAT
 #cmakedefine HAVE_RPMFREECRYPTO
 #cmakedefine HAVE_RPMFREEFILESYSTEMS
+#cmakedefine HAVE_RPMVERIFYFILE
 
 #cmakedefine HAVE_RPMVERCMP
 #cmakedefine RPM46_FOUND

cpe/openscap-cpe-dict.xml

@@ -125,6 +125,10 @@
             <title xml:lang="en-us">Fedora 31</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.fedora:def:31</check>
       </cpe-item>
+      <cpe-item name="cpe:/o:fedoraproject:fedora:32">
+            <title xml:lang="en-us">Fedora 32</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.fedora:def:32</check>
+      </cpe-item>
       <cpe-item name="cpe:/o:suse:sle">
             <title xml:lang="en-us">SUSE Linux Enterprise all versions</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sle:def:1</check>
@@ -214,6 +218,10 @@
             <title xml:lang="en-us">Wind River Linux 8</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.wrlinux:def:8</check>
       </cpe-item>
+      <cpe-item name="cpe:/o:windriver:wrlinux:1019">
+            <title xml:lang="en-us">Wind River Linux 1019</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.wrlinux:def:1019</check>
+      </cpe-item>
       <cpe-item name="cpe:/o:microsoft:windows_7">
             <title xml:lang="en-us">Microsoft Windows 7</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.windows:def:7</check>