OpenSCAP · jan-cerny · Apr 22, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/src/CVRF/cvrf_priv.c b/src/CVRF/cvrf_priv.c
@@ -75,14 +75,14 @@
 OSCAP_ACCESSOR_STRING(cvrf_remediation, url)
 OSCAP_ACCESSOR_STRING(cvrf_remediation, entitlement)

 cvrf_remediation_type_t cvrf_remediation_get_type(struct cvrf_remediation *remed) {
 	return remed->type;
 }

 struct oscap_string_iterator *cvrf_remediation_get_product_ids(struct cvrf_remediation *remed) {
 	return oscap_stringlist_get_strings(remed->product_ids);
 }
 struct oscap_string_iterator *cvrf_remediation_get_group_ids(struct cvrf_remediation *remed) {
 	return oscap_stringlist_get_strings(remed->group_ids);
 }

@@ -138,7 +138,7 @@
 OSCAP_ACCESSOR_STRING(cvrf_score_set, vector)
 OSCAP_ACCESSOR_SIMPLE(struct cvss_impact*, cvrf_score_set, impact)

 struct oscap_string_iterator *cvrf_score_set_get_product_ids(struct cvrf_score_set *score_set) {
 	return oscap_stringlist_get_strings(score_set->product_ids);
 }

@@ -149,7 +149,7 @@
 }

 static char *cvrf_score_set_get_score(const struct cvrf_score_set *score_set, enum cvss_category category) {
 	struct cvss_metrics *metric = NULL;
 	if (category == CVSS_BASE) {
 		metric = cvss_impact_get_base_metrics(score_set->impact);
 	} else if (category == CVSS_ENVIRONMENTAL) {
@@ -223,13 +223,13 @@
 OSCAP_ACCESSOR_STRING(cvrf_threat, date)
 OSCAP_ACCESSOR_STRING(cvrf_threat, description)

 cvrf_threat_type_t cvrf_threat_get_threat_type(struct cvrf_threat *threat) {
 	return threat->type;
 }
 struct oscap_string_iterator *cvrf_threat_get_product_ids(struct cvrf_threat *threat) {
 	return oscap_stringlist_get_strings(threat->product_ids);
 }
 struct oscap_string_iterator *cvrf_threat_get_group_ids(struct cvrf_threat *threat) {
 	return oscap_stringlist_get_strings(threat->group_ids);
 }

@@ -280,7 +280,7 @@
 struct oscap_string_iterator *cvrf_product_status_get_ids(struct cvrf_product_status *stat) {
 	return oscap_stringlist_get_strings(stat->product_ids);
 }
 cvrf_product_status_type_t cvrf_product_status_get_type(struct cvrf_product_status *stat) {
 	return stat->type;
 }

@@ -320,7 +320,7 @@
 };
 OSCAP_ACCESSOR_STRING(cvrf_involvement, description)

 cvrf_involvement_status_type_t cvrf_involvement_get_status_type(struct cvrf_involvement *involve) {
 	return involve->status;
 }

@@ -499,7 +499,7 @@
 	clone->ordinal = vuln->ordinal;
 	clone->title = oscap_strdup(vuln->title);
 	clone->system_id = oscap_strdup(vuln->system_id);
-	clone->system_id = oscap_strdup(vuln->system_name);
+	clone->system_name = oscap_strdup(vuln->system_name);
 	clone->discovery_date = oscap_strdup(vuln->discovery_date);
 	clone->release_date = oscap_strdup(vuln->release_date);
 	clone->cwes = oscap_list_clone(vuln->cwes, (oscap_clone_func) cvrf_vulnerability_cwe_clone);
@@ -597,7 +597,7 @@
 OSCAP_ACCESSOR_STRING(cvrf_group, group_id)
 OSCAP_ACCESSOR_STRING(cvrf_group, description)

 struct oscap_string_iterator *cvrf_group_get_product_ids(struct cvrf_group *group) {
 	return oscap_stringlist_get_strings(group->product_ids);
 }

@@ -643,7 +643,7 @@
 OSCAP_ACCESSOR_STRING(cvrf_relationship, relates_to_ref)
 OSCAP_ACCESSOR_SIMPLE(struct cvrf_product_name*, cvrf_relationship, product_name)

 cvrf_relationship_type_t cvrf_relationship_get_relation_type(struct cvrf_relationship *relation) {
 	return relation->relation_type;
 }

@@ -695,7 +695,7 @@
 	return oscap_iterator_new(branch->subbranches);
 }

 cvrf_branch_type_t cvrf_branch_get_branch_type(struct cvrf_branch *branch) {
 	return branch->type;
 }

@@ -818,7 +818,7 @@
 	struct oscap_list *filtered_relation = oscap_list_new();
 	struct cvrf_relationship_iterator *relationships = cvrf_product_tree_get_relationships(tree);
 	while (cvrf_relationship_iterator_has_more(relationships)) {
 		struct cvrf_relationship *relation = cvrf_relationship_iterator_next(relationships);
 		if (!strcmp(branch_id, cvrf_relationship_get_relates_to_ref(relation)))
 			oscap_list_add(filtered_relation, cvrf_relationship_clone(relation));
 	}
@@ -1008,10 +1008,10 @@
 OSCAP_ACCESSOR_STRING(cvrf_doc_tracking, generator_engine)
 OSCAP_ACCESSOR_STRING(cvrf_doc_tracking, generator_date)

 cvrf_doc_status_type_t cvrf_doc_tracking_get_status(struct cvrf_doc_tracking *tracking) {
 	return tracking->status;
 }
 struct oscap_string_iterator *cvrf_doc_tracking_get_aliases(struct cvrf_doc_tracking *tracking) {
 	return oscap_stringlist_get_strings(tracking->aliases);
 }

@@ -1075,7 +1075,7 @@
 OSCAP_ACCESSOR_STRING(cvrf_doc_publisher, contact_details)
 OSCAP_ACCESSOR_STRING(cvrf_doc_publisher, issuing_authority)

 cvrf_doc_publisher_type_t cvrf_doc_publisher_get_type(struct cvrf_doc_publisher *publisher) {
 	return publisher->type;
 }

@@ -1123,7 +1123,7 @@
 OSCAP_ACCESSOR_STRING(cvrf_reference, url)
 OSCAP_ACCESSOR_STRING(cvrf_reference, description)

 cvrf_reference_type_t cvrf_reference_get_reference_type(struct cvrf_reference *reference) {
 	return reference->type;
 }

@@ -1252,8 +1252,8 @@
 	return model->tree;
 }

 const char *cvrf_model_get_identification(struct cvrf_model *model) {
 	struct cvrf_doc_tracking *tracking = cvrf_document_get_tracking(model->document);
 	return (cvrf_doc_tracking_get_tracking_id(tracking));
 }

@@ -1442,12 +1442,12 @@
 }

 static void cvrf_parse_container(xmlTextReaderPtr reader, struct oscap_list *list) {
 	cvrf_item_type_t item_type = cvrf_item_type_from_text((char *)xmlTextReaderConstLocalName(reader));
 	const char *tag = cvrf_item_type_get_text(item_type);
 	if (item_type != CVRF_VULNERABILITY && item_type != CVRF_VULNERABILITY_CWE)
 		xmlTextReaderNextElement(reader);
 	bool error = false;
 	while (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST tag) == 0) {
 		if (item_type == CVRF_REVISION) {
 			error = !oscap_list_add(list, cvrf_revision_parse(reader));
 		} else if (item_type == CVRF_NOTE || item_type == CVRF_DOCUMENT_NOTE) {
@@ -1484,7 +1484,7 @@

 static char *cvrf_parse_element(xmlTextReaderPtr reader, const char *tagname, bool next_elm) {
 	char *elm_value = NULL;
 	if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST tagname) == 0) {
 		elm_value = oscap_element_string_copy(reader);
 		if (next_elm)
 			xmlTextReaderNextElement(reader);
@@ -1509,7 +1509,7 @@

 	if (parent == NULL) {
 		const char *container_tag = cvrf_item_type_get_container(cvrf_type);
 		parent = xmlNewNode(NULL, BAD_CAST container_tag);
 	}
 	xmlNode *child = NULL;
 	struct oscap_iterator *it = oscap_iterator_new(list);
@@ -1564,7 +1564,7 @@
 	struct oscap_string_iterator *iterator = oscap_stringlist_get_strings(list);
 	while (oscap_string_iterator_has_more(iterator)) {
 		const char *string = oscap_string_iterator_next(iterator);
 		xmlNewTextChild(parent, NULL, BAD_CAST tag_name, BAD_CAST string);
 	}
 	oscap_string_iterator_free(iterator);
 }
@@ -1573,7 +1573,7 @@
 	if (attr_value == NULL)
 		return;

 	xmlNewProp(element, BAD_CAST attr_name, BAD_CAST attr_value);
 }

 static void cvrf_element_add_ordinal(int ordinal, xmlNode *element) {
@@ -1594,8 +1594,8 @@
 	if (elm_value == NULL)
 		return NULL;

 	xmlNode *elm_node = xmlNewNode(NULL, BAD_CAST elm_name);
 	xmlNodeAddContent(elm_node, BAD_CAST elm_value);
 	return elm_node;
 }

@@ -1623,7 +1623,7 @@
 			oscap_stringlist_add_string(remed->product_ids, oscap_element_string_get(reader));
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_GROUP_ID) == 0) {
 			oscap_stringlist_add_string(remed->group_ids, oscap_element_string_get(reader));
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST "Entitlement") == 0) {
 			remed->entitlement = oscap_element_string_copy(reader);
 		}
 		xmlTextReaderNextNode(reader);
@@ -1637,7 +1637,7 @@
 	cvrf_element_add_attribute("Type", cvrf_remediation_type_get_text(remed->type), remed_node);

 	xmlNode *desc_node = cvrf_element_to_dom("Description", remed->description);
 	xmlNewProp(desc_node, ATTR_LANG, BAD_CAST "en");
 	xmlAddChild(remed_node, desc_node);
 	cvrf_element_add_child("URL", remed->url, remed_node);
 	cvrf_element_add_child("Entitlement", remed->entitlement, remed_node);
@@ -1808,7 +1808,7 @@
 		if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_TITLE) == 0) {
 			vuln->title = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_ID) == 0) {
 			vuln->system_name = (char *)xmlTextReaderGetAttribute(reader, BAD_CAST "SystemName");
 			vuln->system_id = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DISCOVERY_DATE) == 0) {
 			vuln->discovery_date = oscap_element_string_copy(reader);
@@ -1816,7 +1816,7 @@
 			vuln->release_date = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_VULNERABILITY_CVE) == 0) {
 			vuln->cve_id = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST "Notes") == 0) {
 			cvrf_parse_container(reader, vuln->notes);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_VULNERABILITY_CWE) == 0) {
 			cvrf_parse_container(reader, vuln->cwes);
@@ -1852,7 +1852,7 @@

 	cvrf_element_add_child("Title", vuln->title, vuln_node);
 	if (vuln->system_id) {
 		xmlNode *id_node = xmlNewTextChild(vuln_node, NULL, BAD_CAST "ID", BAD_CAST vuln->system_id);
 		cvrf_element_add_attribute("SystemName", vuln->system_name, id_node);
 	}
 	cvrf_element_add_container(vuln->notes, CVRF_NOTE, vuln_node);
@@ -1880,7 +1880,7 @@
 	return full_name;
 }

 xmlNode *cvrf_product_name_to_dom(struct cvrf_product_name *full_name) {
 	if (full_name->cpe == NULL)
 		return NULL;

@@ -1999,7 +1999,7 @@
 				cvrf_set_parsing_error("FullProductName");
 		} else if (!xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_BRANCH)) {
 			while(xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_BRANCH) == 0) {
 				if (!oscap_list_add(tree->branches, cvrf_branch_parse(reader)))
 					cvrf_set_parsing_error("Branch");
 			}
 		} else if (!xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_RELATIONSHIP)) {
@@ -2068,8 +2068,10 @@
 			continue;
 		}
 		if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_URL) == 0) {
+			free(ref->url);
 			ref->url = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DESCRIPTION) == 0) {
+			free(ref->description);
 			ref->description = oscap_element_string_copy(reader);
 		}
 		xmlTextReaderNextNode(reader);
@@ -2078,7 +2080,7 @@
 	return ref;
 }

 xmlNode *cvrf_reference_to_dom(struct cvrf_reference *ref) {
 	xmlNode *ref_node = xmlNewNode(NULL, TAG_REFERENCE);
 	cvrf_element_add_attribute("Type", cvrf_reference_type_get_text(ref->type), ref_node);
 	cvrf_element_add_child("URL", ref->url, ref_node);
@@ -2097,7 +2099,7 @@

 	note->ordinal = cvrf_parse_ordinal(reader);
 	note->type = cvrf_note_type_parse(reader);
 	note->audience = (char *)xmlTextReaderGetAttribute(reader, BAD_CAST "Audience");
 	note->title = (char *)xmlTextReaderGetAttribute(reader, TAG_TITLE);
 	xmlTextReaderNextNode(reader);
 	note->contents =oscap_element_string_copy(reader);
@@ -2106,7 +2108,7 @@
 	return note;
 }

 xmlNode *cvrf_note_to_dom(struct cvrf_note *note) {
 	xmlNode *note_node = cvrf_element_to_dom("Note", note->contents);
 	cvrf_element_add_ordinal(note->ordinal, note_node);
 	cvrf_element_add_attribute("Type", cvrf_note_type_get_text(note->type), note_node);
@@ -2125,10 +2127,13 @@
 			continue;
 		}
 		if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_NUMBER) == 0) {
+			free(revision->number);
 			revision->number = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DATE) == 0) {
+			free(revision->date);
 			revision->date = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DESCRIPTION) == 0) {
+			free(revision->description);
 			revision->description = oscap_element_string_copy(reader);
 		}
 		xmlTextReaderNextNode(reader);
@@ -2164,7 +2169,7 @@
 			xmlTextReaderNextElementWE(reader, TAG_IDENTIFICATION);
 			tracking->tracking_id = cvrf_parse_element(reader, "ID", false);
 			while (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_IDENTIFICATION) != 0) {
 				if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_ALIAS) == 0) {
 					oscap_stringlist_add_string(tracking->aliases, cvrf_parse_element(reader, "Alias", false));
 					xmlTextReaderNextNode(reader);
 				}
@@ -2176,9 +2181,9 @@
 			tracking->version = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_REVISION_HISTORY) == 0) {
 			cvrf_parse_container(reader, tracking->revision_history);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST "InitialReleaseDate") == 0) {
 			tracking->init_release_date = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST "CurrentReleaseDate") == 0) {
 			tracking->cur_release_date = oscap_element_string_copy(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_GENERATOR) == 0) {
 			xmlTextReaderNextElementWE(reader, TAG_GENERATOR);
@@ -2209,7 +2214,7 @@
 	cvrf_element_add_child("InitialReleaseDate", tracking->init_release_date, tracking_node);
 	cvrf_element_add_child("CurrentReleaseDate", tracking->cur_release_date, tracking_node);
 	if (tracking->generator_engine) {
 		xmlNode *generator_node = xmlNewTextChild(tracking_node, NULL, BAD_CAST "Generator", NULL);
 		cvrf_element_add_child("Engine", tracking->generator_engine, generator_node);
 		cvrf_element_add_child("Date", tracking->generator_date, generator_node);
 	}
@@ -2233,7 +2238,7 @@
 	return publisher;
 }

 xmlNode *cvrf_doc_publisher_to_dom(struct cvrf_doc_publisher *publisher) {
 	xmlNode *pub_node = xmlNewNode(NULL, TAG_PUBLISHER);
 	cvrf_element_add_attribute("Type", cvrf_doc_publisher_type_get_text(publisher->type), pub_node);
 	cvrf_element_add_child("ContactDetails", publisher->contact_details, pub_node);
@@ -2254,7 +2259,7 @@
 			doc->publisher = cvrf_doc_publisher_parse(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DOCUMENT_TRACKING) == 0) {
 			doc->tracking = cvrf_doc_tracking_parse(reader);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), BAD_CAST "DocumentNotes") == 0) {
 			cvrf_parse_container(reader, doc->doc_notes);
 		} else if (xmlStrcmp(xmlTextReaderConstLocalName(reader), TAG_DISTRIBUTION) == 0) {
 			doc->doc_distribution = oscap_element_string_copy(reader);
@@ -2307,15 +2312,15 @@
 	return ret;
 }

 xmlNode *cvrf_model_to_dom(struct cvrf_model *model, xmlDocPtr doc, xmlNode *parent, void *user_args) {
 	xmlNode *root_node = xmlNewNode(NULL, BAD_CAST "cvrfdoc");
 	if (parent == NULL) {
 		xmlDocSetRootElement(doc, root_node);
 	} else {
 		xmlAddChild(parent, root_node);
 	}
 	xmlNewNs(root_node, CVRF_NS, NULL);
 	xmlNewNs(root_node, CVRF_NS, BAD_CAST "cvrf");
 	xmlNode *title_node = xmlNewTextChild(root_node, NULL, TAG_DOC_TITLE, BAD_CAST model->doc_title);
 	cvrf_element_add_attribute("xml:lang", "en", title_node);
 	cvrf_element_add_child("DocumentType", model->doc_type, root_node);
@@ -2341,8 +2346,8 @@
 	return index;
 }

 xmlNode *cvrf_index_to_dom(struct cvrf_index *index, xmlDocPtr doc, xmlNode *parent, void *user_args) {
 	xmlNode *index_node = xmlNewNode(NULL, BAD_CAST "Index");
 	if (parent == NULL) {
 		xmlDocSetRootElement(doc, index_node);
 	} else {