Merge branch 'maint-1.2' into maint-1.3

 Conflicts:
	tests/DS/sds_detect_version/Makefile.am

Author: jan-cerny

cpe/openscap-cpe-oval.xml

@@ -1048,7 +1048,7 @@
                   <lin-def:name>redhat-release</lin-def:name>
             </lin-def:rpminfo_object>
             <lin-def:rpminfo_object id="oval:org.open-scap.cpe.fedora-release:obj:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
-                  <lin-def:name>fedora-release</lin-def:name>
+                  <lin-def:name operation="pattern match">^fedora-release.*</lin-def:name>
             </lin-def:rpminfo_object>
             <lin-def:rpmverifyfile_object id="oval:org.open-scap.cpe.redhat-release:obj:3" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <!-- Sadly, OVAL cannot do the right query (rpm -q -whatprovides system-release). Let's check the filename instead. -->

src/OVAL/probes/unix/sysctl_probe.c

@@ -76,7 +76,7 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
          */
         ent_attrs = probe_attr_creat("max_depth",           r0 = SEXP_string_newf("%d", PROC_SYS_MAXDEPTH),
                                      "recurse_direction",   r1 = SEXP_string_new("down", 4),
-                                     "recurse_file_system", r2 = SEXP_string_new("local", 7),
+                                     "recurse_file_system", r2 = SEXP_string_new("all", 3),
                                      "recurse", r3 = SEXP_string_new("symlinks and directories", 24),
                                      NULL);
         bh_entity = probe_ent_creat1("behaviors", ent_attrs, NULL);

tests/DS/sds_detect_version/scap-1.2-ds.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
-<ns0:data-stream-collection xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ns1="http://www.w3.org/1999/xlink" xmlns:ns10="http://checklists.nist.gov/xccdf/1.2" xmlns:ns13="http://cpe.mitre.org/dictionary/2.0" xmlns:ns2="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:ns3="http://scap.nist.gov/schema/ocil/2.0" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns6="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns7="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns9="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-rhel8-xccdf-1.2.xml" schematron-version="1.3">
-  <ns0:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml" scap-version="1.3" use-case="OTHER">
+<ns0:data-stream-collection xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ns1="http://www.w3.org/1999/xlink" xmlns:ns10="http://checklists.nist.gov/xccdf/1.2" xmlns:ns13="http://cpe.mitre.org/dictionary/2.0" xmlns:ns2="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:ns3="http://scap.nist.gov/schema/ocil/2.0" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns6="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns7="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns9="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-rhel8-xccdf-1.2.xml" schematron-version="X.X">
+  <ns0:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml" scap-version="X.X" use-case="OTHER">
     <ns0:checks>
       <ns0:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml" ns1:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
     </ns0:checks>

tests/DS/sds_detect_version/scap-1.3-ds.xml renamed to tests/DS/sds_detect_version/scap-ds.xml

@@ -12,16 +12,27 @@
 
 set -e -o pipefail
 
+echo $srcdir
+
 function test_oscap_info {
 	version="$1"
 	stdout="$(mktemp)"
 	stderr="$(mktemp)"
-	$OSCAP info $srcdir/scap-$version-ds.xml > $stdout 2> $stderr
+	ds="$(mktemp)"
+	cp $srcdir/scap-ds.xml $ds
+	sed -i "s/X.X/${version}/g" $ds
+
+	$OSCAP info $ds > $stdout 2> $stderr
 	[ ! -s $stderr ]
 	grep -q "Version: $version" $stdout
 	rm $stdout
 	rm $stderr
+	rm $ds
 }
 
-test_oscap_info "1.2"
-test_oscap_info "1.3"
+SDS=$(find $top_srcdir/schemas/sds -maxdepth 1 -mindepth 1 -type d -printf '%f\n')
+
+for sds_version in $SDS
+do
+    test_oscap_info $sds_version
+done

tests/DS/sds_detect_version/test_detect_version.sh

@@ -20,6 +20,7 @@ SYSCTL_BLACKLIST='
 	kernel.usermodehelper.inheritable
 	net.core.bpf_jit_harden
 	net.core.bpf_jit_kallsyms
+	net.core.bpf_jit_limit
 	net.ipv4.tcp_fastopen_key
 	stable_secret
 	vm.mmap_rnd_bits