Maint 1.3

.github/workflows/codeql.yml

@@ -32,7 +32,7 @@ jobs:
     - name: Install Deps
       run: |
         sudo apt-get update
-        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libglib2.0-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
         sudo apt-get -y remove rpm
 
     # Initializes the CodeQL tools for scanning.

AUTHORS

@@ -18,6 +18,7 @@ Dirk Müller <dirk@dmllr.de>
 Dmitry Teselkin <dteselkin@mirantis.com>
 DominiqueDevinci <dominique.blaze@edu.devinci.fr>
 Ed Sealing <esealing@tresys.com>
+Edgar Aguilar <edgar.aguilar@oracle.com>
 Evgeni Golov <egolov@redhat.com>
 Evgeny Kolesnikov <ekolesni@redhat.com>
 Felix Wolfsteller <felix.wolfsteller@greenbone.net>
@@ -29,6 +30,7 @@ Gary Gapinski <gary@garygapinski.com>
 Gautam Satish <gautams@hpe.com>
 Greg Elin <greg@fotonotes.net>
 Hideki Yamane <henrich@debian.org>
+Hugo Beauzée-Luyssen <hugo.beauzee@datadoghq.com>
 Ilya Okomin <ilya.okomin@oracle.com>
 Jacob Varughese <jacob.varughese@oracle.com>
 Jakub Jelen <jjelen@redhat.com>

CMakeLists.txt

@@ -11,7 +11,7 @@ endif()
 project("openscap")
 set(OPENSCAP_VERSION_MAJOR "1")
 set(OPENSCAP_VERSION_MINOR "3")
-set(OPENSCAP_VERSION_PATCH "12")
+set(OPENSCAP_VERSION_PATCH "13")
 
 if(OPENSCAP_VERSION_SUFFIX)
 	set(OPENSCAP_VERSION "${OPENSCAP_VERSION_MAJOR}.${OPENSCAP_VERSION_MINOR}.${OPENSCAP_VERSION_PATCH}_${OPENSCAP_VERSION_SUFFIX}")
@@ -26,7 +26,7 @@ endif()
 set(LT_CURRENT 32)
 
 ## increment any time the source changes; set 0 to if you increment CURRENT
-set(LT_REVISION 1)
+set(LT_REVISION 2)
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -535,7 +535,7 @@ if (MSVC)
 endif()
 
 if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU" OR ${CMAKE_C_COMPILER_ID} STREQUAL "Clang")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -D_GNU_SOURCE -std=c99")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -D_GNU_SOURCE -DRBT_IMPLICIT_LOCKING=1 -std=c99")
 	add_link_options(-Wl,-z,now)
 endif()
 if(${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")

CODEOWNERS

@@ -0,0 +1,2 @@
+/tests/ @jan-cerny @evgenyz @mab879 @matusmarhefka
+/CODEOWNERS @jan-cerny @evgenyz @mab879 @matusmarhefka

NEWS

@@ -1,3 +1,9 @@
+openscap-1.3.12                                                 07-04-2025
+- Maintenance, bug fix
+  - Fix thread synchronization bugs
+  - Fix textfilecontent54_probe behaviour for negative instance numbers
+  - Fix signature obtaining in rpm_info probe
+
 openscap-1.3.11                                                 2025-02-10
 - New features
   - Introduce "oscap-im" - script that can be used in Containerfiles to build

docs/manual/manual.adoc

@@ -1655,11 +1655,13 @@ Also, OpenSCAP uses `libcurl` library which also can be configured using environ
 
 == Using external or remote resources
 
-Some SCAP content references external resources. For example SCAP Security Guide
-uses external OVAL file to check that the system is up to date and has no known
+Some SCAP content references external resources. For example, older versions of SCAP Security Guide (prior to version 0.1.73)
+used external OVAL file to check that the system is up to date and has no known
 security vulnerabilities. However, other content can use external resources for
 other purposes.
 
+NOTE: Starting with version 0.1.73, SCAP Security Guide content doesn't use external resources anymore.
+
 When you are evaluating SCAP content with external resources the `oscap` tool
 will warn you:
 
@@ -1708,6 +1710,8 @@ $ wget -O ~/scap-files/security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.
 $ oscap xccdf eval --local-files ~/scap-files --profile ospp ssg-rhel8-ds.xml
 ----
 
+NOTE: The `--local-files` option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
+
 == Practical Examples
 This section demonstrates practical usage of certain security content provided
 for Red Hat products.
@@ -2297,4 +2301,5 @@ You can find the ID of the customized profile with `oscap info <your_tailoring_f
 
 Yes, it's possible, you can download the file on other computer that is connected to the internet and then copy the file to the system where you run `oscap`.
 Instead of the `--fetch-remote-resources` option you will use the `--local-files` option.
+This option works only with SCAP 1.3 source data streams. It can't be used with SCAP 1.2 source data streams.
 For more information, please refer to section <<_using_external_or_remote_resources,Using external or remote resources>>.

release_tools/versions.sh

@@ -1,4 +1,4 @@
-version=1.3.12
-previous_version=1.3.11
+version=1.3.13
+previous_version=1.3.12
 
 version_major_minor="${version%.*}"

src/DS/ds_sds_session.c

@@ -343,6 +343,25 @@ void ds_sds_session_configure_remote_resources(struct ds_sds_session *session, b
 	session->fetch_remote_resources = allowed;
 	session->local_files = local_files;
 	session->progress = (callback != NULL) ? callback : download_progress_empty_calllback;
+	if (local_files != NULL) {
+		struct ds_sds_index *idx = ds_sds_session_get_sds_idx(session);
+		struct ds_stream_index_iterator *streams = ds_sds_index_get_streams(idx);
+		while (ds_stream_index_iterator_has_more(streams)) {
+			struct ds_stream_index *stream = ds_stream_index_iterator_next(streams);
+			const char *version = ds_stream_index_get_version(stream);
+			if (strcmp(version, "1.3")) {
+				ds_sds_session_remote_resources_progress(session)(
+					true,
+					"WARNING: The '--local-files' option can be used only with "
+					"SCAP 1.3 source data streams, but the provided data stream "
+					"is version '%s'. No local files will be used.\n",
+					version);
+				break;
+			}
+
+		}
+		ds_stream_index_iterator_free(streams);
+	}
 }
 
 void ds_sds_session_set_remote_resources(struct ds_sds_session *session, bool allowed, download_progress_calllback_t callback)

src/OVAL/probes/SEAP/seap-command.c

@@ -205,7 +205,7 @@ static SEXP_t *__SEAP_cmd_sync_handler (SEXP_t *res, void *arg)
         h->args = res;
         (void) pthread_mutex_lock (&h->mtx);
         h->signaled = 1;
-        (void) pthread_cond_signal (&h->cond);
+        (void) pthread_cond_broadcast (&h->cond);
         (void) pthread_mutex_unlock (&h->mtx);
 
         return (NULL);
@@ -322,9 +322,6 @@ SEXP_t *SEAP_cmd_exec (SEAP_CTX_t    *ctx,
                         h.args = NULL;
                         h.signaled = 0;
 
-                        if (pthread_mutex_lock (&(h.mtx)) != 0)
-                                abort ();
-
                         rec = SEAP_cmdrec_new ();
                         rec->code = cmdptr->id;
                         rec->func = &__SEAP_cmd_sync_handler;
@@ -377,8 +374,6 @@ SEXP_t *SEAP_cmd_exec (SEAP_CTX_t    *ctx,
                                   timeout.tv_nsec = 0;
                                 */
                                 for (;;) {
-                                        pthread_mutex_unlock(&h.mtx);
-
                                         if (SEAP_packet_recv(ctx, sd, &packet_rcv) != 0) {
                                                 dD("FAIL: ctx=%p, sd=%d, errno=%u, %s.", ctx, sd, errno, strerror(errno));
 						SEAP_packet_free(packet);
@@ -407,21 +402,23 @@ SEXP_t *SEAP_cmd_exec (SEAP_CTX_t    *ctx,
                                         }
 
                                         /* Morbo: THIS IS NOT HOW SYCHNRONIZATION WORKS! */
-                                        if (h.signaled)
+                                        if (h.signaled) {
+						h.signaled = 0;
                                                 break;
+					}
                                 }
                         } else {
                                 /*
                                  * Someone else does receiving of events for us.
                                  * Just wait for the condition to be signaled.
                                  */
-                                if (pthread_cond_wait(&h.cond, &h.mtx) != 0) {
-                                        /*
-                                         * Fatal error - don't know how to handle
-                                         * this so let's just call abort()...
-                                         */
-                                        abort();
-                                }
+				pthread_mutex_lock(&h.mtx);
+				while (!h.signaled) {
+					pthread_cond_wait(&h.cond, &h.mtx);
+				}
+				// This might not be needed, but still
+				h.signaled = 0;
+				pthread_mutex_unlock(&h.mtx);
                         }
 
                         dD("cond return: h.args=%p", h.args);
@@ -436,7 +433,6 @@ SEXP_t *SEAP_cmd_exec (SEAP_CTX_t    *ctx,
                         /*
                          * SEAP_cmdtbl_del(dsc->cmd_w_table, rec);
                          */
-                        pthread_mutex_unlock (&(h.mtx));
                         pthread_cond_destroy (&(h.cond));
                         pthread_mutex_destroy (&(h.mtx));
                         SEAP_packet_free(packet);

src/OVAL/probes/SEAP/seap-packet.c

@@ -206,9 +206,14 @@ static int SEAP_packet_sexp2msg (SEXP_t *sexp_msg, SEAP_msg_t *seap_msg)
         _A(attr_i >= (SEXP_list_length (sexp_msg) - 4)/2);
 
         seap_msg->attrs_cnt = attr_i;
-        void *new_attrs = realloc(seap_msg->attrs, sizeof(SEAP_attr_t) * seap_msg->attrs_cnt);
-        if (new_attrs != NULL || seap_msg->attrs_cnt == 0)
+        if (seap_msg->attrs_cnt == 0) {
+                free(seap_msg->attrs);
+                seap_msg->attrs = NULL;
+        } else {
+                void *new_attrs = realloc(seap_msg->attrs, sizeof(SEAP_attr_t) * seap_msg->attrs_cnt);
                 seap_msg->attrs = new_attrs;
+        }
+
         seap_msg->sexp = SEXP_list_last (sexp_msg);
 
         return (0);

src/OVAL/probes/independent/textfilecontent54_probe.c

@@ -123,12 +123,15 @@ struct pfdata {
 static int process_file(const char *prefix, const char *path, const char *file, struct pfdata *pfd, oval_schema_version_t over, struct oscap_list *blocked_paths)
 {
 	int ret = 0, path_len, file_len, cur_inst = 0, fd = -1, substr_cnt,
-		buf_size = 0, buf_used = 0, ofs = 0, buf_inc = 4096;
+		buf_size = 0, buf_used = 0, ofs = 0, buf_inc = 4096, instance_count = 0,
+		want_instance = 1, negative_instance_value = 0;
 	char **substrs = NULL;
 	char *whole_path = NULL, *whole_path_with_prefix = NULL, *buf = NULL;
-	SEXP_t *next_inst = NULL;
+	SEXP_t *next_inst = NULL, *items = SEXP_list_new(NULL), *instance_value_list = NULL,
+		*instance_value = NULL;
 	struct stat st;
 
+
 	if (file == NULL)
 		goto cleanup;
 
@@ -210,16 +213,6 @@ static int process_file(const char *prefix, const char *path, const char *file,
 	buf[buf_used++] = '\0';
 
 	do {
-		int want_instance;
-
-		next_inst = SEXP_number_newi_32(cur_inst + 1);
-
-		if (probe_entobj_cmp(pfd->instance_ent, next_inst) == OVAL_RESULT_TRUE)
-			want_instance = 1;
-		else
-			want_instance = 0;
-
-		SEXP_free(next_inst);
 		substr_cnt = oscap_pcre_get_substrings(buf, &ofs, pfd->compiled_regex, want_instance, &substrs);
 
 		if (substr_cnt < 0) {
@@ -235,27 +228,49 @@ static int process_file(const char *prefix, const char *path, const char *file,
 		}
 
 		if (substr_cnt > 0) {
-			++cur_inst;
-
-			if (want_instance) {
-				int k;
-				SEXP_t *item;
-
-				item = create_item(path, file, pfd->pattern,
-						cur_inst, substrs, substr_cnt, over);
-
-				for (k = 0; k < substr_cnt; ++k)
-					free(substrs[k]);
-				free(substrs);
-				int pic_ret = probe_item_collect(pfd->ctx, item);
-				if (pic_ret == 2 || pic_ret == -1) {
-					ret = -4;
-					break;
-				}
-			}
+			int k;
+			instance_count++;
+
+			SEXP_list_add(items, create_item(path, file, pfd->pattern,
+				instance_count, substrs, substr_cnt, over));
+
+			for (k = 0; k < substr_cnt; ++k)
+				free(substrs[k]);
+			free(substrs);
 		}
 	} while (substr_cnt > 0 && ofs < buf_used);
 
+	probe_ent_getvals(pfd->instance_ent, &instance_value_list);
+	instance_value = SEXP_list_first(instance_value_list);
+	negative_instance_value = SEXP_number_geti_64(instance_value) < 0;
+	SEXP_free(instance_value_list);
+	SEXP_free(instance_value);
+
+	for(cur_inst = 0; cur_inst < instance_count; cur_inst++){
+		if (negative_instance_value)
+			next_inst = SEXP_number_newi_32(cur_inst - instance_count);
+
+		else
+			next_inst = SEXP_number_newi_32(cur_inst + 1);
+
+		if (probe_entobj_cmp(pfd->instance_ent, next_inst) == OVAL_RESULT_TRUE)
+			want_instance = 1;
+		else
+			want_instance = 0;
+
+		SEXP_free(next_inst);
+
+		if (want_instance) {
+			int pic_ret = probe_item_collect(pfd->ctx, SEXP_list_nth(items, cur_inst + 1));
+			if (pic_ret == 2 || pic_ret == -1) {
+				ret = -4;
+				break;
+			}
+		}
+		else
+			SEXP_free(SEXP_list_nth(items, cur_inst + 1));
+	}
+
  cleanup:
 	if (fd != -1)
 		close(fd);

src/OVAL/probes/probe/icache.c

@@ -201,7 +201,7 @@ const char* thread_name = "icache_worker";
 	pair = &pair_mem;
         dD("icache worker ready");
 
-        switch (errno = pthread_barrier_wait(&OSCAP_GSYM(th_barrier)))
+        switch (errno = pthread_barrier_wait(cache->th_barrier))
         {
         case 0:
         case PTHREAD_BARRIER_SERIAL_THREAD:
@@ -309,7 +309,7 @@ const char* thread_name = "icache_worker";
         return (NULL);
 }
 
-probe_icache_t *probe_icache_new(void)
+probe_icache_t *probe_icache_new(pthread_barrier_t *th_barrier)
 {
         probe_icache_t *cache = malloc(sizeof(probe_icache_t));
         cache->tree = rbt_i64_new();
@@ -323,6 +323,7 @@ probe_icache_t *probe_icache_new(void)
         cache->queue_end = 0;
         cache->queue_cnt = 0;
         cache->queue_max = PROBE_IQUEUE_CAPACITY;
+        cache->th_barrier = th_barrier;
 
         if (pthread_cond_init(&cache->queue_notempty, NULL) != 0) {
                 dE("Can't initialize icache queue condition variable (notempty): %u, %s",

src/OVAL/probes/probe/icache.h

@@ -25,6 +25,7 @@
 #include <stddef.h>
 #include <sexp.h>
 #include "../SEAP/generic/rbt/rbt.h"
+#include "common/compat_pthread_barrier.h"
 
 #ifndef PROBE_IQUEUE_CAPACITY
 #define PROBE_IQUEUE_CAPACITY 1024
@@ -41,6 +42,7 @@ typedef struct {
 typedef struct {
         rbt_t    *tree; /* XXX: rewrite to extensible or linear hashing */
         pthread_t thid;
+        pthread_barrier_t *th_barrier;
 
         pthread_mutex_t queue_mutex;
         pthread_cond_t  queue_notempty;
@@ -58,7 +60,7 @@ typedef struct {
         uint16_t  count;
 } probe_citem_t;
 
-probe_icache_t *probe_icache_new(void);
+probe_icache_t *probe_icache_new(pthread_barrier_t *th_barrier);
 int probe_icache_add(probe_icache_t *cache, SEXP_t *cobj, SEXP_t *item);
 int probe_icache_nop(probe_icache_t *cache);
 void probe_icache_free(probe_icache_t *cache);

src/OVAL/probes/probe/input_handler.c

@@ -85,7 +85,7 @@ void *probe_input_handler(void *arg)
 
 	pthread_cleanup_push(pthread_attr_cleanup_handler, (void *)&pth_attr);
 
-        switch (errno = pthread_barrier_wait(&OSCAP_GSYM(th_barrier)))
+        switch (errno = pthread_barrier_wait(probe->th_barrier))
         {
         case 0:
         case PTHREAD_BARRIER_SERIAL_THREAD:

src/OVAL/probes/probe/probe.h

@@ -66,6 +66,7 @@ typedef struct {
 
 	pthread_t th_input;
 	pthread_t th_signal;
+	pthread_barrier_t *th_barrier;
 
         rbt_t    *workers;
         uint32_t  max_threads;
@@ -105,6 +106,4 @@ typedef enum {
 	PROBE_OFFLINE_ALL = 0x0f
 } probe_offline_flags;
 
-extern pthread_barrier_t OSCAP_GSYM(th_barrier);
-
 #endif /* PROBE_H */