Skip to content

Releases: OpenSCAP/openscap


Choose a tag to compare
  • New features
    • Select and exclude groups of rules on the command line
    • The boot-time remediation service for systemd's Offline Update mode
    • Memory limit control using OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable
    • Allow disablement of SHA-1 and MD5
    • Allow providing pre-downloaded components
    • Introduce OSBuild Blueprint fix type
  • Maintenance, bug fix
    • Fix coverity issues
    • Patch the segfault in dpkginfo_fini()
    • Add an alternative source of hostname
    • Fail download on HTTP errors
    • Compile "environmentvariable_probe" on Windows
    • FreeBSD build and test fixes
    • Add offline mode for password probe
    • Initialize crypto API only once
    • Fix UBI 9 scan
    • oval/yamlfilecontent: Add 'null' values handling
    • Do not set Rpath
    • Do not split XCCDF:requires with multiple idrefs
    • Allow empty /proc in offline mode


Choose a tag to compare
  • New features
    • Made schematron-based validation enabled by default for validate command of oval and xccdf modules
    • Added SCAP 1.3 source data stream Schematron
    • Added XML Signature Validation
    • Added --enforce-signature option for eval, guide, and fix modules
    • Added entity support (OVAL/yamlfilecontent)
    • Allowed to clamp mtime to SOURCE_DATE_EPOCH
    • Added severity and role attributes
    • Added support for requires/conflicts elements of the Rule and Group (XCCDF)
    • Added Kubernetes remediation to HTML report
  • Maintenance, bug fix
    • Fixed CMake warnings
    • Made 'gpfs', 'proc' and 'sysfs' filesystems non-local
    • Fixed handling of '--arg=val'-styled common options
    • Documented used environment variables
    • Updated man page and help texts
    • Added --skip-validation option synonym for --skip-valid
    • Fixed behavior of StateType operator
    • Fixed some of the coverity warnings
    • Ignoring namespace in XPath expressions
    • Fixed how oval_probe_ext_eval checks absence of the response from the probe (obtrusive data warning)
    • Described SWID tags detection
    • Improved documentation about --stig-viewer option
    • File probe behaviour fixed (symlink traversal now behaves as defined by OVAL)
    • Fixed multiple segfaults and broken test in --stig-viewer feature
    • Added dpkg version comparison algorithm
    • Pluged some memory leaks
    • Fixed TestResult/benchmark/@href attribute
    • Fixed memory allocation
    • Fixed field names for cases where key selection section is followed by a set section (probes/yamfilecontent)
    • Changing hard coded libperl path in favor of FindPerlLibs method
    • Check local filesystems when using 'filepath' element


Choose a tag to compare
  • New features
    • Add support for FreeBSD
    • Make a use of HTTP header content-encoding: gzip if available
    • Improved yamlfilecontent: updated yaml-filter, extend the schema and probe to be able to work with a set of values in maps
  • Maintenance, bug fixes
    • Fixed a lot of warnings (GCC and Clang)
    • Cmake now can find mingw32-winpthreads
    • A lot of memory managements fixes
    • A lot of memory leaks have been plugged
    • Refactored rpmverifyfile probe and fixed memory leak
    • Fixed SEGFAULT caused by recursive and circular dependencies between OVAL definitions
    • Fixed DOM representation of the profile platform
    • Test suit: better portability, more granularity in results, inclusion of memory-related tests
    • Compatibility with uClibc
    • Local and remote file system detection method was improved
    • Fixed dpkginfo probe to use pkgCacheFile instead of manually opening the cache
    • Make the report a valid HTML5 document
    • oscap-podman: force unmount and removal of temporary container
    • Fixed unwanted recursion in file probe
    • oscap-docker: fixed for the case when Atomic is not present


Choose a tag to compare
  • New features
    • Added a Python script that can be used for CLI tailoring (autotailor)
    • Added timezone to XCCDF TestResult start/end time
    • Added yamlfilecontent independent probe (proposal/draft implementation),
      see OVAL-Community/OVAL#91 for more information
    • Introduced urn:xccdf:fix:script:kubernetes fix type in XCCDF
    • Added ability to generate machineconfig fix
  • Maintenance, bug fixes
    • utils/oscap-podman: Detect ambiguous scan target
    • Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
    • The data system_info probe return for offline and online modes is consistent and actual
    • Prevent crashes when complicated regexes are executed in textfilecontent58 probe
    • Fixed #1512: Severity refinement lost in generated guide
    • Fixed #1453: Pointer lost in Swig API
    • Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities
      from system_info probe
    • Fixed filepath pattern matching in offline mode in textfilecontent58 probe
    • Fixed infinite recursion in systemdunitdependency probe
    • Fixed the case when CMake couldn't find libacl or xattr.h


Choose a tag to compare
  • New features
    • Offline mode support for environmentvariable58 probe
    • The oscap-docker wrapper is available without Atomic
  • Maintenance, bug fixes
    • Improved support of multi-check rules (report, remediations, console output)
    • Improved HTML report look and feel, including printed version
    • Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
    • Probe rpmverifyfile uses and returns canonical paths
    • Improved a11y of HTML reports and guides
    • Fixes and improvements for SWIG Python bindings
    • #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
    • Fixed URL link mechanism for Red Hat Errata
    • New STIG Viewer URI:
    • Probe selinuxsecuritycontext would not check if SELinux is enabled
    • Scanner would provide information about unsupported OVAL objects
    • Added more tests for offline mode (probes, remediation)
    • #528 fixed: Eval SCE script when /tmp is in mode noexec
    • #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage


Choose a tag to compare
  • New features
    • Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas,
    • Introduced oscap-podman -- a tool for SCAP evaluation of Podman
      images and containers (rhbz#1642373)
    • Tailoring files are included in ARF result files (#902)
    • OVAL details are always shown in HTML report, users do not have to
      provide --oval-results on command line
    • HTML report displays OVAL test details also for OVAL tests included
      from other OVAL definitions using extend_definition (#916, #954)
    • OVAL test IDs are shown in HTML report
    • Rule IDs are shown in HTML guide (#1293)
    • Added block_size in Linux partition_state defined in OVAL 5.11.2
    • Added oscap_wrapper that can be used to comfortably execute custom
      compiled oscap tool
  • Maintenance, bug fixes
    • Remote filesystems mounted using autofs direct maps are not
      recognized as local filesystems (rhbz#1655943)
    • SCAP source datastreams containing remote components can be
      evaluated without downloading remote data (rhbz#1709423)
    • Fixed duplicated variables in generated Ansible Playbooks
    • Fixed trailing whitespace characters in Ansible Playbooks
    • Correctly handle multiline profile titles and profile descriptions
      in generated Ansible Playbooks (#1112)
    • Fixed STIG Viewer output (--stig-viewer) to handle multiple rules
      that have the same STIG ID
    • Fixed incorrect displaying of OVAL test results in HTML report
    • Fixed segmentation fault in offline mode caused by usage of chroot
      file descriptor after closing (rhbz#1636431)
    • Fixed textfilecontent54 probe to not ignore max_depth, recurse,
      recurse_direction and recurse_file_system attributes of
      behaviors element when filepath element is given (rhbz#1655943)
    • Added CMake policies (CMP0078 and CMP0086) related to UseSWIG
    • Added RHEL 8 CPE, Fedora 31 CPE, Oracle Linux 8 CPE
    • Fedora CPEs fixed to work also on Fedora >= 30
    • Fixed segmentation fault in CVRF module (rhbz#1642283)
    • Fixed unresolved symbols in
    • Fixed memory leaks in Windows registry probe (#1269)
    • Fixed many GCC compiler warnings
    • Removed dead code from fsdev module
    • Many new test cases in upstream test suite
    • Refactoring
    • Updated Developer Guide
    • Updated manual pages


Choose a tag to compare
  • New features
    • Introduced a virtual '(all)' profile selecting all rules
    • Verbose mode is a global option in all modules
    • Added Microsoft Windows CPEs
    • oscap-ssh can supply SSH options into an environment variable
  • Maintenance
    • Removed SEXP parser
    • Added Fedora 30 CPE
    • Fixed many Coverity defects (memory leaks etc.)
    • SCE builds are enabled by default
    • Moved many low-level functions out of public API
    • Removed unused and dead code
    • Updated manual pages
    • Numerous small fixes


Choose a tag to compare
1.3.0_alpha2 Pre-release
  • Maintenance
    • Removed '--probe-root' option
    • Removed '--show' option from 'oscap xccdf generate report'
    • Removed CCE API
    • Removed deprecated option '--sce-results'
    • Removed 'oscap oval list-probes' submodule
    • Removed 'validate-xml' submodule from CPE, OVAL, XCCDF modules
    • Moved OVAL probe handler to private headers
    • Added tests for filehash58 offline mode
    • Fixed broken SCE
    • Fixed problematic versioning in CMake and pkgconfig file
    • Removed many unused code
    • Rewritten test tests/API/XCCDF/default_cpe
    • Started to use asciidoc instead of asciidoctor
    • Fixed many compiler warnings
    • Fixed MinGW builds
    • Documentation updates
    • Small fixes


Choose a tag to compare
1.3.0_alpha1 Pre-release
  • New features
    • Microsoft Windows support (issue #195)
    • new probes:
      • Windows registry probe
      • Windows accesstoken probe
      • Windows wmi57 probe
    • CMake is used as build system (issue #542)
    • CTest is used as test suite driver
  • Maintenance
    • probes are not separate processes, they are threads within oscap
    • OpenSCAP can be compiled using Visual Studio 2017
    • Dropped 53 deprecated API symbols (issue #1088)
    • Removed GNU Automake
    • Removed Python 2 support (issue #1034)
    • Ninja build is supported
    • Public API symbols are marked by OSCAP_API macro
    • Removed variable length arrays
    • Removed custom memory allocation functions (issue #1077)
    • Improved OS X build support
    • Fixed crash when deallocating red-black-tree node in Windows
    • Several large tests are splitted into smaller test cases
    • User manual is splitted in User and Developer manual
    • Many documentation updates (issue #1069, #1066)
    • Stopped using '\r' characters on stdout (issue #579, #1023)
    • Updated release tools to reflect CMake (issue #1036)
    • Dropped Cygwin support from User Manual (issue #1011)
    • source tarball does not contain build artifacts
    • Many small fixes


Choose a tag to compare
  • New features
    • HTML Guide user experience improvements
    • New options in HTML report "Group By" menu
    • oscap-ssh supports --oval-results (issue #863)
  • Maintenance
    • Support comparing state record elements with item
    • Updated Bash completion
    • Make Bash role headers consistent with --help output
    • Fixed problems reported by Coverity (issue #909)
    • Fixed CVE schema to support 4 to 7 digits CVEs
    • Fix output of generated bash role missing fix message
    • Fix oscap-docker to clean up temporary image (RHBZ #1454637)
    • Fix Ansible remediations generation
    • Add a newline between ids in xccdf info (issue #968)
    • Fix unknown subtype handling in oval_subtype_parse (issue #986)
    • Outsourced the pthreads feature check and setup
    • Speed up in debug mode
    • Refactored the Python handling in build scripts
    • Prevent reading from host in offline mode (issue #1001)
    • Many probes use OWN offline mode
    • Improve offline mode logic in OVAL probes
    • Do not use chroot in system_info probe
    • Prevent a segfault in oscap_seterr on Solaris
    • Out of tree build is possible
    • Use chroot for RPM probes in offline mode
    • PEP8 accepts lines up to 99 characters
    • New configure parameter --with-oscap-temp-dir (issue #1016)
    • Fixed OVAL record elements namespace and SEXP conversion
    • Removed '\r' characters from help output (issue #1023)
    • Full Python 3 compatibility
    • Removed basic Python implementation of oval_probes.c
    • Added support for Travis CI and Sonar Cloud
    • Minor fixes inspired by Sonar Cloud
    • Added Fedora 29 CPE
    • New tests in upstream test suite (offline mode, Ansible, etc.)