diff --git a/CMakeLists.txt b/CMakeLists.txt
index f501673366..e5785f5674 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -347,6 +347,7 @@ option(ENABLE_MITRE "enables MITRE tests -- requires specific environment suppor
 # ---------- LANGUAGE BINDINGS
 cmake_dependent_option(ENABLE_PYTHON3 "if enabled, the python3 swig bindings will be built" ON "PYTHONINTERP_FOUND;SWIG_FOUND;PYTHONLIBS_FOUND" OFF)
 cmake_dependent_option(ENABLE_PERL "if enabled, the perl swig bindings will be built" ON "PERLLIBS_FOUND;SWIG_FOUND" OFF)
+option(ENABLE_ASAN "if enabled, the build using asan" FALSE)
 # ---------- NO IDEA WHAT THIS IS FOR
 set(WANT_BASE64 TRUE CACHE BOOL "wants builtin Base64")
@@ -535,6 +536,12 @@ if(APPLE)
 add_definitions(-D_DARWIN_C_SOURCE)
 endif()
+if(ENABLE_ASAN)
+ add_compile_options(-fno-common -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined)
+ add_link_options(-fno-common -fno-omit-frame-pointer -fsanitize=address -static-libasan -fsanitize-address-use-after-scope -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined)
+endif()
+
+
 include_directories(
 "compat/"
 "src/"
diff --git a/openscap.spec b/openscap.spec
index 2638811025..304843be55 100644
--- a/openscap.spec
+++ b/openscap.spec
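Review bot: The help string on the new `ENABLE_ASAN` option does not say everything the option switches on: the second hunk in this file also passes `-fsanitize=undefined`, so it enables UBSan as well as ASan. I would word it as `option(ENABLE_ASAN "build with AddressSanitizer and UndefinedBehaviorSanitizer instrumentation (test builds only)" OFF)`, using `OFF` to match the `cmake_dependent_option` lines just above it.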
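Review bot: The `if(ENABLE_ASAN)` block applies a GCC-flavoured flag set without checking the compiler: `-static-libasan` is the GCC spelling (Clang uses `-static-libsan`), so `-DENABLE_ASAN=ON` under Clang or MSVC will not behave as intended. A guard ahead of the block makes that explicit at configure time, e.g. `if(ENABLE_ASAN AND NOT CMAKE_C_COMPILER_ID STREQUAL "GNU")` followed by `message(FATAL_ERROR "ENABLE_ASAN currently supports GCC only")`. `-fno-common` and `-fno-omit-frame-pointer` are compile-time flags and can be dropped from `add_link_options`. Linking the runtime statically into shared objects that are later loaded by an uninstrumented interpreter may also be behind the binding failures the spec comment mentions; that is worth confirming before settling on `-static-libasan`.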
@@ -1,50 +1,96 @@ +# build with asan +# - bindings/sce fail to work because of some asan linkage issues presumed +%bcond_with asan + +# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon +# as gconf is no longer part of the installation medium +%bcond_with gconf + +# By default do not build perl swig bindings +%bcond_with perl + # This spec file is not synchronized to the Fedora downstream. # It serves as Fedora CI configuration and as support for downstream updates. Name: openscap +Version: 1.3.6 Release: 0%{?dist} -Version: 1.3.0 Epoch: 1 Summary: Set of open source libraries enabling integration of the SCAP line of standards License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/OpenSCAP/yaml-filter/archive/refs/tags/v0.2.0.tar.gz BuildRequires: make -BuildRequires: cmake >= 2.6 +BuildRequires: cmake >= 2.8 +BuildRequires: ninja-build +BuildRequires: pkg-config +BuildRequires: systemd-rpm-macros BuildRequires: gcc BuildRequires: gcc-c++ -BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser -BuildRequires: rpm-devel -BuildRequires: libgcrypt-devel -BuildRequires: pcre-devel -BuildRequires: libacl-devel -BuildRequires: libselinux-devel -BuildRequires: libcap-devel -BuildRequires: libblkid-devel -BuildRequires: bzip2-devel +%if %{with asan} +BuildRequires: libasan +BuildRequires: libasan-static +BuildRequires: libubsan +%endif + +# Try to follow CMakeLists.txt order +BuildRequires: pkgconfig(libacl) +BuildRequires: pkgconfig(blkid) +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(dbus-1) +BuildRequires: doxygen +%if %{with gconf} +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(gobject-2.0) +BuildRequires: pkgconfig(gconf-2.0) +%endif +BuildRequires: pkgconfig(ldap) +BuildRequires: pkgconfig(opendbx) +BuildRequires: 
pkgconfig(libpcre) +%if %{with perl} +BuildRequires: perl-devel +# BuildRequires: perl-generators +%endif +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libprocps) +BuildRequires: pkgconfig(python3) +BuildRequires: pkgconfig(rpm) +BuildRequires: pkgconfig(libselinux) +BuildRequires: swig +BuildRequires: pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(libxslt) +BuildRequires: pkgconfig(xmlsec1) +BuildRequires: pkgconfig(xmlsec1-openssl) +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(bzip2) +BuildRequires: pkgconfig(libgcrypt) +BuildRequires: pkgconfig(yaml-0.1) BuildRequires: asciidoc -BuildRequires: openldap-devel -BuildRequires: glib2-devel -BuildRequires: dbus-devel -BuildRequires: libyaml-devel -BuildRequires: xmlsec1-devel xmlsec1-openssl-devel +BuildRequires: git +BuildRequires: sed BuildRequires: systemd -%if %{?_with_check:1}%{!?_with_check:0} -BuildRequires: perl-XML-XPath + +%if %{with check} BuildRequires: bzip2 +BuildRequires: chkconfig +BuildRequires: diffutils +BuildRequires: findutils +BuildRequires: gawk +BuildRequires: hostname +BuildRequires: ipcalc +BuildRequires: iproute +BuildRequires: libselinux-utils +BuildRequires: lua +BuildRequires: openssl +BuildRequires: perl(XML::Parser) +BuildRequires: perl(XML::XPath) +BuildRequires: procps +BuildRequires: rpm-build +BuildRequires: tar +BuildRequires: tcpdump %endif -Requires: bash -Requires: bzip2-libs -Requires: dbus -Requires: glib2 -Requires: libacl -Requires: libblkid -Requires: libcap -Requires: libselinux -Requires: openldap -Requires: popt -# Fedora has procps-ng, which provides procps -Requires: procps -Requires: xmlsec1 xmlsec1-openssl %description OpenSCAP is a set of open source libraries providing an easier path 
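Review bot: `%if %{with check}` now guards the test BuildRequires, but the bcond block at the top of this hunk declares only `asan`, `gconf` and `perl`. `%{with check}` tests the `with_check` macro, which `--with check` only defines when a `%bcond_with check` line exists. Unless that line is declared in a part of the spec not shown, the condition is always false and the `%check` section changed in a later hunk, including the ASan test run, never executes. Adding `%bcond_with check` next to the other three restores the previous `--with check` behaviour.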
@@ -55,9 +101,6 @@ for the expression of Computer Network Defense related information. %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -Requires: libxml2-devel -Requires: pkgconfig -BuildRequires: doxygen %description devel The %{name}-devel package contains libraries and header files for @@ -66,7 +109,6 @@ developing applications that use %{name}. %package python3 Summary: Python 3 bindings for %{name} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -BuildRequires: python3-devel %description python3 The %{name}-python3 package contains the bindings so that %{name} @@ -75,8 +117,6 @@ libraries can be used by python3. %package scanner Summary: OpenSCAP Scanner Tool (oscap) Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -Requires: libcurl >= 7.12.0 -BuildRequires: libcurl-devel >= 7.12.0 %description scanner The %{name}-scanner package contains oscap command-line tool. The oscap @@ -86,6 +126,7 @@ compliance checking using SCAP content. %package utils Summary: OpenSCAP Utilities Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} +# These not probed from: scap-as-rpm Requires: rpmdevtools rpm-build Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release} @@ -94,6 +135,7 @@ The %{name}-utils package contains command-line tools build on top of OpenSCAP library. Historically, openscap-utils included oscap tool which is now separated to %{name}-scanner sub-package. +%if ! %{with asan} %package engine-sce Summary: Script Check Engine plug-in for OpenSCAP Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} 
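Review bot: With `--with asan` the new `%if ! %{with asan}` drops the engine-sce subpackages, but the remaining RPMs keep the same name, version and release as a regular build, because `Release: 0%{?dist}` in the first hunk carries no asan marker. A sanitizer-instrumented build is a test artefact whose runtime takes its configuration from the `ASAN_OPTIONS` environment variable (see the `%check` hunk), so it should not be mistakable for the production package. Making it visible in the NVR, e.g. `Release: 0%{?with_asan:.asan}%{?dist}`, lets repositories and inventories tell the two apart. The matching `%endif` is added in the next hunk.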
@@ -107,16 +149,16 @@ commands using a scripting language (Bash, Perl, Python, Ruby, ...). Summary: Development files for %{name}-engine-sce Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release} -Requires: pkgconfig %description engine-sce-devel The %{name}-engine-sce-devel package contains libraries and header files for developing applications that use %{name}-engine-sce. +%endif %package containers Summary: Utils for scanning containers Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: %{name}-scanner +Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release} BuildArch: noarch %description containers 
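Review bot: The new `Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}` sits in the containers subpackage, which the next context line declares `BuildArch: noarch`. `%{?_isa}` expands to the architecture of the build host, so the noarch package would carry an arch-specific dependency and fail to install on other architectures; the plain `%{name}` requirement one line above avoids this. I would keep the version lock but drop the ISA: `Requires: %{name}-scanner = %{epoch}:%{version}-%{release}`.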
@@ -124,27 +166,45 @@ Tool for scanning Atomic containers. %prep %autosetup -p1 +tar xvzf %{SOURCE1} --directory=yaml-filter --strip-components=1 %build %undefine __cmake_in_source_build -# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon -# as gconf is no longer part of the installation medium -%cmake \ - -DENABLE_PERL=OFF \ +%cmake -G Ninja \ -DENABLE_DOCS=ON \ +%if %{with asan} + -DENABLE_ASAN=TRUE \ + -DENABLE_PERL=OFF \ + -DENABLE_PYTHON=OFF \ + -DENABLE_SCE=OFF \ +%endif +%if ! %{with gconf} -DOPENSCAP_PROBE_UNIX_GCONF=OFF \ - -DGCONF_LIBRARY= + -DGCONF_LIBRARY= \ +%endif +%if ! %{with perl} + -DENABLE_PERL=OFF \ +%endif + %cmake_build make docs %check -%if %{?_with_check:1}%{!?_with_check:0} -ctest -V %{?_smp_mflags} +%if %{with check} +# Tests use common files. Running tests parallel causes failed tests because of that. +%undefine _smp_mflags +%if %{with asan} +# https://github.com/google/sanitizers/wiki/AddressSanitizer +# - but do not detect leaks, program is not long running, also numerous leaks so fix these completely would require some effort +export ASAN_OPTIONS=detect_leaks=0:strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:detect_invalid_pointer_pairs=2 +%endif +%ctest %endif %install %cmake_install +%if "0%{?!fedora:1}" find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' # fix python shebangs @@ -157,6 +217,7 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm # https://bugzilla.redhat.com/show_bug.cgi?id=1833176 mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service +%endif %files %doc AUTHORS NEWS README.md 
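Review bot: In the asan branch of the `%cmake` call, `-DENABLE_PYTHON=OFF` does not match the option name visible in the CMakeLists.txt part of this commit, which is `ENABLE_PYTHON3`. Unless an `ENABLE_PYTHON` option exists elsewhere, the flag is ignored and the python3 bindings are still built with sanitizer instrumentation, which is the combination the comment at the top of the spec says does not work. The line should read `-DENABLE_PYTHON3=OFF \`.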
@@ -179,40 +240,51 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w %{_libdir}/libopenscap.so %{_libdir}/pkgconfig/*.pc %{_includedir}/openscap +%if ! %{with asan} %exclude %{_includedir}/openscap/sce_engine_api.h - -%files engine-sce-devel -%{_libdir}/libopenscap_sce.so -%{_includedir}/openscap/sce_engine_api.h +%endif %files scanner -%{_mandir}/man8/oscap.8* %{_bindir}/oscap %{_bindir}/oscap-chroot +%{_mandir}/man8/oscap.8* +%{_mandir}/man8/oscap-chroot.8* %{_sysconfdir}/bash_completion.d %{_libexecdir}/oscap-remediate %{_unitdir}/oscap-remediate.service +%if "0%{?!fedora:1}" %{_unitdir}/system-update.target.wants/ +%endif %files utils %doc docs/oscap-scan.cron -%{_mandir}/man8/* -%exclude %{_mandir}/man8/oscap.8* -%exclude %{_mandir}/man8/oscap-docker.8* -%{_bindir}/* -%exclude %{_bindir}/oscap -%exclude %{_bindir}/oscap-docker -%exclude %{_bindir}/oscap-chroot - +%{_bindir}/autotailor +%{_bindir}/oscap-remediate-offline +%{_bindir}/oscap-ssh +%{_bindir}/oscap-vm +%{_bindir}/scap-as-rpm +%{_mandir}/man8/autotailor.8* +%{_mandir}/man8/oscap-remediate-offline.8* +%{_mandir}/man8/oscap-ssh.8* +%{_mandir}/man8/oscap-vm.8* +%{_mandir}/man8/scap-as-rpm.8* + +%if ! %{with asan} %files engine-sce +%{_bindir}/oscap-run-sce-script %{_libdir}/libopenscap_sce.so.* +%files engine-sce-devel +%{_libdir}/libopenscap_sce.so +%{_includedir}/openscap/sce_engine_api.h +%endif + %files containers %{_bindir}/oscap-docker %{_mandir}/man8/oscap-docker.8* -%{python3_sitelib}/oscap_docker_python/* %{_bindir}/oscap-podman %{_mandir}/man8/oscap-podman.8* +%{python3_sitelib}/oscap_docker_python/* %changelog %autochangelog diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt index 93ce1f2a9d..e23ba0ec03 100644 --- a/utils/CMakeLists.txt +++ b/utils/CMakeLists.txt 
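Review bot: `%if "0%{?!fedora:1}"` around `%{_unitdir}/system-update.target.wants/` is a quoted string, and as far as rpm's expression rules go a non-empty string is true, so the guard holds whether or not `%fedora` is defined. The same expression wraps the `%install` steps in the preceding spec hunks, so the two stay consistent, but the conditional has no effect. If the intent is "non-Fedora only", the integer form `%if 0%{!?fedora:1}` expresses it. The intent is not stated in the spec, so a one-line comment above each `%if` would help.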
@@ -1,6 +1,8 @@
-install(PROGRAMS "oscap-run-sce-script"
- DESTINATION ${CMAKE_INSTALL_BINDIR}
-)
+if(ENABLE_SCE)
+ install(PROGRAMS "oscap-run-sce-script"
+ DESTINATION ${CMAKE_INSTALL_BINDIR}
+ )
+endif()
 if(ENABLE_OSCAP_UTIL)
 file(GLOB UTILS_SOURCES "*.c")