macos/freebsd portability

CMakeLists.txt

@@ -26,7 +26,7 @@ endif()
 set(LT_CURRENT 34)
 
 ## increment any time the source changes; set 0 to if you increment CURRENT
-set(LT_REVISION 2)
+set(LT_REVISION 3)
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -108,6 +108,13 @@ find_package(Ldap)
 find_package(OpenDbx)
 find_package(PCRE2 REQUIRED)
 
+foreach(_perl_cache_var IN ITEMS PERL_INCLUDE_PATH PERL_LIBRARY)
+	if(DEFINED ${_perl_cache_var} AND NOT "${${_perl_cache_var}}" STREQUAL "" AND NOT EXISTS "${${_perl_cache_var}}")
+		message(STATUS "Resetting stale ${_perl_cache_var} cache entry: ${${_perl_cache_var}}")
+		unset(${_perl_cache_var} CACHE)
+	endif()
+endforeach()
+
 find_package(PerlLibs)
 find_package(Popt)
 find_package(Systemd)
@@ -226,7 +233,7 @@ endif()
 mark_as_advanced(ENV_PRESENT VALGRIND_PRESENT)
 find_program(ENV_PRESENT env)
 find_program(VALGRIND_PRESENT valgrind)
-find_program(ASCIIDOC_EXECUTABLE asciidoc)
+find_program(ASCIIDOC_EXECUTABLE NAMES asciidoc asciidoctor)
 find_program(SED_EXECUTABLE sed)
 find_program(GIT_EXECUTABLE git)
 
@@ -529,8 +536,16 @@ if (MSVC)
 endif()
 
 if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU" OR ${CMAKE_C_COMPILER_ID} STREQUAL "Clang")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -D_GNU_SOURCE -DRBT_IMPLICIT_LOCKING=1 -std=c99")
-	add_link_options(-Wl,-z,now)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -DRBT_IMPLICIT_LOCKING=1 -std=c99")
+	# -D_GNU_SOURCE exposes GNU extensions but changes function signatures on non-glibc
+	# platforms (e.g. strerror_r on macOS becomes XSI). Only set it on glibc systems.
+	if(NOT APPLE AND NOT CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_GNU_SOURCE")
+	endif()
+	# -Wl,-z,now is a Linux/ELF linker flag; not supported on macOS (uses -bind_at_load)
+	if(NOT APPLE)
+		add_link_options(-Wl,-z,now)
+	endif()
 endif()
 if(${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")
 	add_link_options(-lkvm -lm -lprocstat)

NEWS

@@ -1,3 +1,18 @@
+openscap-1.4.4                                                  03-04-2026
+- New features
+  - List rules and variables in a profile by "oscap info"
+- Maintenance, bug fix
+  - Add null check for ns_uri in cpe_dict_detect_version_priv
+  - Fix autotailor json bugs
+  - Use stable _init_completion API in bash completion
+  - Add PanFS to the list of remote filesystems
+  - Move to localtime_r
+  - Fix Non-constant format string issues
+  - Fix schema ordering when adding tailoring to ARF files
+  - Fix null ptr deref in xccdf_benchmark_parse
+  - Fix name space nulls in OVAL
+  - Fix segfault in error handling for cpe_item_parse
+  - Always check the current lists before inserting on blueprints
 openscap-1.4.3                                                  23-11-2025
 - New features
   - Show rule details in output
@@ -1099,7 +1114,7 @@ openscap-0.6.3                                                  14-09-2010
 - optimizing memory consumption
 - proper result for unsupported OVAL objects
 - many improvements in XSLT transformations
-- supporting  OVAL incomplete objects 
+- supporting  OVAL incomplete objects
 - fixes in directories traversal (findfiles)
 - python API improvements
 - Fedora SCAP content improvements
@@ -1128,7 +1143,7 @@ openscap-0.6.0							14-07-2010
 openscap-0.5.12                                                 30-06-2010
 - OVAL high level API
 - OVAL split system querying and evaluation
-- OVAL variables rebind functionality 
+- OVAL variables rebind functionality
 - XCCDF_POLICY - OVAL integration
 - XCCDF_POLICY - scanner implementation
 - XCCDF - implementation resolve(),
@@ -1188,7 +1203,7 @@ openscap-0.5.8							24-03-2010
 openscap-0.5.7							21-02-2010
 - Debian dpkginfo probe is available now
 - RHEL5 support
-- new command line tool - OVAL scanner 
+- new command line tool - OVAL scanner
 - Fedora 12 OVAL content available
 - documentation is heavy updated (with class diagrams)
 - new tests in make check
@@ -1200,7 +1215,7 @@ openscap-0.5.6							04-01-2010
 - OVAL doxygen documentation is available
 - migration to new checking mechanism is completed
 - new logging and error propagating mechanism
-- many many bugfixes + defensive code 
+- many many bugfixes + defensive code
 
 openscap-0.5.5							12-11-2009
 - many fixes in OVAL
@@ -1213,26 +1228,26 @@ openscap-0.5.4							23-10-2009
 - new CPE model
 - evaluation of set objects and system characteristic output
 - bindings clean up
-- probes tune up, memory leaks fixes 
+- probes tune up, memory leaks fixes
 
 openscap-0.5.3							29-09-2009
 - OVAL results part is code complete
 - improved memory management of definition and system characteristic model (OVAL)
 - improved memory management of S-expressions
 - new probe API
-- refactoring 
+- refactoring
 
 openscap-0.5.2							19-08-2009
 - new family probe
 - simple objects in OVAL content can be processed
 - initial implementation of conversion of S-Expressions to System Characteristic
-- bugfixes 
+- bugfixes
 
 openscap-0.5.1							03-08-2009
 - all code except oval is after refactoring
 - populating of system-characteristics model from xml is available
 - implementation of probes: rpminfo, runlevel, textfilecontent54,xmlfilecontent is done
-- perl and python bindings are up2date 
+- perl and python bindings are up2date
 
 openscap-0.3.2							24-04-2009
 - perl bindings are available

docs/contribute/testing.adoc

@@ -25,6 +25,23 @@ library and then install additional packages required for testing. See the
 *Building OpenSCAP on Linux* section in the link:../developer/developer.adoc[OpenSCAP Developer Manual]
 for more details.
 
+For platform-focused validation, prefer CTest labels over ad-hoc test lists.
+For example, after a successful non-Linux build you can run:
+
+----
+$ ctest -L macos
+$ ctest -L freebsd
+----
+
+For a containerized Linux full-suite run, make sure a local SMTP listener and a
+session D-Bus are available before invoking CTest, otherwise MITRE, `fwupd`,
+and `systemd` coverage may be skipped or fail for environmental reasons:
+
+----
+$ postfix start
+$ dbus-run-session -- ctest --output-on-failure
+----
+
 
 == Writing a new test
 In this guide we will use an example to describe the process of writing a test

docs/developer/developer.adoc

@@ -97,6 +97,12 @@ $ cmake ../
 $ make
 ----
 
+If you reuse an existing build tree after a Perl upgrade or package-manager
+change, CMake may retain stale `PERL_INCLUDE_PATH` or `PERL_LIBRARY` cache
+entries. The top-level build now clears cached Perl paths that no longer exist,
+so rerunning `cmake ../` in the same build directory is usually sufficient.
+If Perl detection still looks wrong, remove `CMakeCache.txt` and reconfigure.
+
 On Ubuntu 18.04 and potentially other distro, the python3 dist-packages path is wrong.
 If the following command:
 
@@ -168,6 +174,43 @@ Now you can execute the following command to run library self-checks:
 $ ctest
 ----
 
+For containerized Linux validation, start a local MTA and provide a session
+D-Bus before invoking the full suite so MITRE, `fwupd`, and `systemd`-related
+coverage stays active:
+
+----
+$ postfix start
+$ dbus-run-session -- ctest --output-on-failure
+----
+
+The test suite supports filtering by labels. This is useful for platform-specific
+or subsystem-specific runs:
+
+----
+$ ctest -L probes
+$ ctest -L api
+$ ctest -L unix
+$ ctest -L independent
+$ ctest -L linux_only
+$ ctest -L macos
+$ ctest -L freebsd
+----
+
+Labels are assigned in `tests/CMakeLists.txt` by helper functions:
+
+* `add_oscap_test(script.sh [LABELS ...])`:
+** registers shell-based tests,
+** always adds `shell`,
+** automatically adds a suite label based on the top-level test path
+  (`api`, `probes`, `report`, `sources`, etc.),
+** appends optional explicit labels (for example `unix`, `linux_only`, `macos`).
+
+* `add_oscap_ctest(name COMMAND ... [LABELS ...])`:
+** registers direct CTest commands (for example Python/pytest tests),
+** always adds `ctest`,
+** automatically adds the same top-level suite label,
+** appends optional explicit labels.
+
 Note that using the `--jobs/-j` flag is currently not supported.
 It will cause unexpected test failures.
 See link:https://github.com/OpenSCAP/openscap/issues/2057[#2057] for more details.
@@ -208,6 +251,55 @@ $ docker build --tag openscap_mitre_tests:latest -f Dockerfiles/mitre_tests . &&
 
 --
 
+== Building on macOS and FreeBSD
+
+OpenSCAP can be built on macOS and FreeBSD with a reduced feature set depending
+on available libraries and enabled probes.
+
+Typical configuration starts with:
+
+----
+$ mkdir -p build && cd build
+$ cmake .. -DENABLE_TESTS=ON -DENABLE_PROBES_LINUX=OFF
+$ make
+----
+
+Notes:
+
+* Linux-specific probes (`ENABLE_PROBES_LINUX`) should be disabled on non-Linux
+  systems unless you are explicitly cross-compiling for Linux.
+* Some tests are intentionally labeled `linux_only` and should be filtered out
+  using CTest labels.
+* After a successful non-Linux build, `ctest -L macos` or `ctest -L freebsd`
+  provides a quick portability smoke test without pulling in Linux-only cases.
+* On macOS, `SCE` is disabled by default in the main CMake configuration.
+
+=== Recent portability updates
+
+The codebase contains recent portability work for macOS/FreeBSD, including:
+
+* `sysctl` probe support for macOS (`/usr/sbin/sysctl -ae`) and FreeBSD/macOS
+  branching, including parsing of multiline BSD `sysctl -ae` values by treating
+  only valid `name=value` headers as new items,
+* `memusage` support on macOS via Mach APIs,
+* `XCCDF` target MAC collection on macOS via `AF_LINK`,
+* fallback parser for password probe offline mode on systems without
+  `fgetpwent(3)`,
+* shadow probe offline mode explicitly marked unsupported on platforms where
+  the Linux-style shadow path does not apply,
+* runlevel probe behavior explicitly marked unsupported on macOS/FreeBSD
+  (SysV runlevels are Linux/Solaris specific).
+
+Targeted regression tests for these portability areas are located in:
+
+* `tests/API/XCCDF/unittests/test_xccdf_result_sysinfo_platform.sh`
+* `tests/API/probes/test_memusage_platform.sh`
+* `tests/probes/password/test_probes_password_offline_fallback.sh`
+* `tests/probes/runlevel/test_probes_runlevel_unsupported.sh`
+* `tests/probes/shadow/test_probes_shadow_offline_unsupported.sh`
+* `tests/probes/sysctl/test_sysctl_probe.sh`
+* `tests/probes/sysctl/test_sysctl_probe_all.sh`
+
 . *Install*
 +
 --
@@ -369,4 +461,3 @@ For more information about OpenSCAP library, you can refer to this online
 reference manual: http://static.open-scap.org/openscap-1.2/[OpenSCAP
 reference manual]. This manual is included in a release tarball and can be
 regenerated from project sources by Doxygen documentation system.
-

schemas/oval/5.11.2/oval-common-schema.xsd

@@ -607,6 +607,16 @@ at_least_one_exists ||  0   |  0+  |  1+  |  0+  ||  Error
                     <xsd:annotation>
                          <xsd:documentation>The windows value describes the Microsoft Windows operating system.</xsd:documentation>
                     </xsd:annotation>
+               </xsd:enumeration> 
+               <xsd:enumeration value="nxos">
+                    <xsd:annotation>
+                         <xsd:documentation>The NX-OS value describes the Cisco NX-OS operating system.</xsd:documentation>
+                    </xsd:annotation>
+               </xsd:enumeration> 
+               <xsd:enumeration value="panos">
+                    <xsd:annotation>
+                         <xsd:documentation>The PAN-OS value describes the Palo Alto Networks PAN-OS operating system.</xsd:documentation>
+                    </xsd:annotation>
                </xsd:enumeration>               
           </xsd:restriction>
      </xsd:simpleType>

schemas/oval/5.11.2/oval-definitions-schema.xsd

@@ -29,6 +29,8 @@
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#solaris" schemaLocation="solaris-definitions-schema.xsd"/>
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" schemaLocation="unix-definitions-schema.xsd"/>
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" schemaLocation="windows-definitions-schema.xsd"/>
+    <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#panos" schemaLocation="panos-definitions-schema.xsd"/>
+    <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#nxos" schemaLocation="x-nxos-definitions-schema.xsd"/>
     <xsd:annotation>
         <xsd:documentation>The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Definitions. Some of the objects defined here are extended and enhanced by individual component schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core Definition Schema are described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.</xsd:documentation>
         <xsd:documentation>The OVAL Schema is maintained by OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.</xsd:documentation>

schemas/oval/5.11.2/oval-system-characteristics-schema.xsd

@@ -30,6 +30,7 @@
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#solaris" schemaLocation="solaris-system-characteristics-schema.xsd"/>
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix" schemaLocation="unix-system-characteristics-schema.xsd"/>
     <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" schemaLocation="windows-system-characteristics-schema.xsd"/>
+    <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#panos" schemaLocation="panos-system-characteristics-schema.xsd"/>
     <xsd:annotation>
         <xsd:documentation>The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) System Characteristics. The Core System Characteristics Schema defines all operating system independent objects. These objects are extended and enhanced by individual family schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core System Characteristics Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.</xsd:documentation>
         <xsd:documentation>The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.</xsd:documentation>