Merge branch 'maint-1.3' after 1.3.10 release

.fmf/version

@@ -0,0 +1 @@
+1

.github/workflows/build.yml

@@ -0,0 +1,184 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Gating
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the main branch
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ main, maint-1.3 ]
+
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build-ubuntu:
+    # The type of runner that the job will run on
+    name: Build, Test on Ubuntus
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, ubuntu-latest]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v3
+      with:
+        submodules: recursive
+
+    # Runs a single command using the runners shell
+    - name: Install Deps
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libpcre2-dev libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock python3-pytest
+        sudo apt-get -y remove rpm
+
+    # Runs a set of commands using the runners shell
+    - name: Build
+      working-directory: ./build
+      run: |
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_PCRE2=True ../
+        make all
+
+    - name: Test
+      working-directory: ./build
+      run: |
+        export $(dbus-launch)
+        ctest --output-on-failure
+
+  build-fedora:
+    name: Build, Test on Fedora Latest (Container)
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+    steps:
+    - name: Install Deps
+      run: dnf install -y cmake git dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel libattr-devel make openldap-devel pcre2-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel python3-dbusmock rpm-devel swig bzip2-devel gcc-c++ libyaml-devel xmlsec1-devel xmlsec1-openssl-devel hostname bzip2 lua rpm-build which strace python3-pytest
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        submodules: recursive
+    - name: Build
+      working-directory: ./build
+      run: |
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_PCRE2=True ../
+        make all
+    - name: Test
+      working-directory: ./build
+      run: |
+        export $(dbus-launch)
+        ctest --output-on-failure
+
+  build-fedora-nss:
+    name: Build with NSS, Test on Fedora Latest (Container)
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+    steps:
+    - name: Install Deps
+      run: dnf install -y cmake git dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel nss-devel libselinux-devel libxml2-devel libxslt-devel libattr-devel make openldap-devel pcre2-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel python3-dbusmock rpm-devel swig bzip2-devel gcc-c++ libyaml-devel xmlsec1-devel xmlsec1-openssl-devel hostname bzip2 lua rpm-build which strace python3-pytest
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        submodules: recursive
+    - name: Build
+      working-directory: ./build
+      run: |
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_PCRE2=True -DWITH_CRYPTO=nss ../
+        make all
+    - name: Test
+      working-directory: ./build
+      run: |
+        export $(dbus-launch)
+        ctest --output-on-failure
+
+  build-macos:
+    # The type of runner that the job will run on
+    name: Build, Test on macOS Latest
+    runs-on: macos-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v3
+
+    # Runs a single command using the runners shell
+    - name: Install Deps
+      run: |
+        # Unlink and re-link to prevent errors when GitHub Mac runner images
+        # install Python outside of Brew:
+        brew list -1 | grep python | while read formula; do brew unlink $formula; brew link --overwrite $formula; done
+        brew update
+        brew install doxygen
+        brew install opendbx
+        brew install pkg-config
+        brew install popt
+        brew install swig
+        brew install libxmlsec1
+        brew install openssl
+        brew install pcre2
+
+    # Runs a set of commands using the runners shell
+    - name: Build
+      run: |
+        cd $GITHUB_WORKSPACE/build
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_PCRE2=True -DENABLE_PROBES=False ../
+        make all
+
+    - name: Test
+      run: |
+        cd $GITHUB_WORKSPACE/build
+        echo "Tests are so broken for macOS :("
+  build-windows:
+    name: Build on Windows
+    runs-on: windows-latest
+    env:
+      VCPKG_BINARY_SOURCES: "clear;x-gha,readwrite"
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Checkout vcpkg
+      uses: actions/checkout@v3
+      with:
+        path: ${{ github.workspace }}/vcpkg
+        repository: microsoft/vcpkg
+        fetch-depth: 1
+
+    - name: Bootstrap vcpkg
+      shell: pwsh
+      run: "${{ github.workspace }}\\vcpkg\\scripts\\bootstrap.ps1 -disableMetrics"
+
+    - name: Export GitHub Actions cache environment variables
+      uses: actions/github-script@v7
+      with:
+        script: |
+          core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+
+    - name: Install Deps
+      run: "${{ github.workspace }}\\vcpkg\\vcpkg.exe install curl libxml2 libxslt bzip2 pcre pthreads zlib getopt-win32 xmlsec --triplet x64-windows"
+
+    - name: Configure
+      working-directory: ./build
+      run: cmake -DCMAKE_BUILD_TYPE=Release -DENABLE_PYTHON3=FALSE -DCMAKE_TOOLCHAIN_FILE=${{ github.workspace }}/vcpkg/scripts/buildsystems/vcpkg.cmake ..
+
+    - name: Build
+      run: cmake --build . --config Release
+      working-directory: ./build
+
+    - name: Package
+      run: cpack
+      working-directory: build
+
+    - name: Upload Artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: openscap-win64
+        path: |-
+          build\OpenSCAP*.msi
+          build\OpenSCAP*.msi.sha512

.github/workflows/codeql.yml

@@ -0,0 +1,59 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ 'maint-1.3', 'maint-1.2', 'master' ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ 'maint-1.3' ]
+  schedule:
+    - cron: '32 17 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Install Deps
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
+        sudo apt-get -y remove rpm
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: +security-and-quality
+
+    - name: Build
+      working-directory: ./build
+      run: |
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo ../
+        make all
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.gitignore

@@ -17,6 +17,7 @@ build/
 *.a
 *.la
 .cproject
+.idea
 .project
 .settings/language.settings.xml
 
@@ -29,3 +30,4 @@ build/
 /swig/python3/openscap.py
 /swig/python3/openscap_py_wrap.c
 /swig/python3/openscap_api.pyc
+.vscode/

.packit.yaml

@@ -0,0 +1,27 @@
+downstream_package_name: openscap
+upstream_package_name: openscap
+specfile_path: openscap.spec
+
+actions:
+  get-current-version:
+  - bash -c "source release_tools/versions.sh && echo ${version}"
+
+srpm_build_deps:
+  - bash
+
+jobs:
+- job: copr_build
+  trigger: pull_request
+  metadata:
+    targets:
+    - fedora-all-x86_64
+    - centos-stream-8-x86_64
+    - centos-stream-9-x86_64
+
+- job: tests
+  trigger: pull_request
+  metadata:
+    targets:
+    - fedora-all-x86_64
+    - centos-stream-8-x86_64
+    - centos-stream-9-x86_64

.travis.yml

@@ -1,59 +1,56 @@
 language: c
 
-matrix:
-  include:
-    - os: linux
-      dist: bionic
-      addons:
-        apt:
-          packages:
-            - lcov
-            - libdbus-1-dev
-            - libdbus-glib-1-dev
-            - libcurl4-openssl-dev
-            - libgcrypt-dev
-            - libselinux1-dev
-            - libgconf2-dev
-            - libacl1-dev
-            - libblkid-dev
-            - libcap-dev
-            - libxml2-dev
-            - swig
-            - libxml-parser-perl
-            - libxml-xpath-perl
-            - libperl-dev
-            - librpm-dev
-            - swig
-            - librtmp-dev
-            - xsltproc
-            - rpm-common
-            - lua50
-      before_script:
-        - cd build
-      script:
-        - cmake -DCMAKE_BUILD_TYPE=Debug ../
-        - build-wrapper-linux-x86-64 --out-dir bw-output make all || make all  # build-wrapper won't work on forked repositories.
-        - ctest --output-on-failure
-        - (cd .. && sonar-scanner) || true  # Will always fail builds on forked repositories.
-      after_success:
-        - curl -s https://codecov.io/bash > cov.sh && bash cov.sh -x "$GCOV"
-    - os: osx
-      before_install:
-        - brew update
-        - brew install doxygen
-        - brew install opendbx
-        - brew install popt
-        - brew install swig
-      before_script:
-        - cd build
-      script:
-        - cmake -DENABLE_PROBES=false ../
-        - make -j 4
+os: linux
+dist: bionic
+arch:
+  - arm64
+  - ppc64le
+  - amd64
 
 addons:
   sonarcloud:
     organization: "openscap"
+  apt:
+    packages:
+      - lcov
+      - libdbus-1-dev
+      - libdbus-glib-1-dev
+      - libcurl4-openssl-dev
+      - libgcrypt-dev
+      - libselinux1-dev
+      - libgconf2-dev
+      - libacl1-dev
+      - libblkid-dev
+      - libcap-dev
+      - libxml2-dev
+      - swig
+      - libxml-parser-perl
+      - libxml-xpath-perl
+      - libperl-dev
+      - librpm-dev
+      - swig
+      - librtmp-dev
+      - xsltproc
+      - rpm-common
+      - lua50
+      - libxmlsec1-dev
+      - libxmlsec1-openssl
 
 cache:
   directories:
     - '$HOME/.sonar/cache'
+
+before_script:
+  - cd build
+
+script:
+  - cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo ../
+  # The build-wrapper tool won't work on forked repositories.
+  - case ${TRAVIS_CPU_ARCH} in
+      amd64) build-wrapper-linux-x86-64 --out-dir bw-output make all || make all ;;
+      arm64) build-wrapper-linux-aarch64 --out-dir bw-output make all || make all ;;
+      *) make all ;;
+    esac
+  - ctest --output-on-failure
+  # Will always fail builds on forked repositories.
+  - (cd .. && sonar-scanner) || true