chef 16.7.61 → 16.8.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45d0c49c6265534a875b8044449678109b0c11a22b83027f28826e3ea14ee792
-  data.tar.gz: a6375a107a0ece5bbd866f42c0d415e582135d24512d8815b894786e64c685b9
+  metadata.gz: c13a95870faf2ddc93377295ea1821d3ee962c422af54147a9a5852266ef9abc
+  data.tar.gz: 06d9ed38997dd63cef3a9d54cf7ffb064c5ca13b668cbea8ee42173ba757d880
 SHA512:
-  metadata.gz: 8cf6a1c8dd0316944eaa700f6c788e2ff6843dc9bd9252b2710e2465498041e1eb8a6990ace8bbef2bb265e3254e1460a56e9f85489d133a0dffbc03b140c928
-  data.tar.gz: e57ee2f117d322936e53b384202691b7d9be946b4be9b4cc697d162163f3b65885109ef5977448861fa6f8db3cafbe364294ab2e30d78b61f7e51d8fc7eed16a
+  metadata.gz: ed8ed48612596fdd94dfab56edda9b66ba3adff6bcca4475bf4d4a9b5ab9dc51f59b3db9d54aa6f468ab33aa4a8f2821a5ab9942379c0d70f641a04f8bfb48d0
+  data.tar.gz: 8f1ebbbdbfe60ed00c66edab06a41821f5d8e9f62ab74d4c322b187b75e4f894e0f59cdf90c61b034a8496ece30e0a6eb71c3c91336a40e966fb6f9001e26d9a

data/Gemfile

@@ -27,8 +27,7 @@ gem "chef-telemetry", ">=1.0.8" # 1.0.8 removes the http dep
 group(:omnibus_package) do
   gem "appbundler"
   gem "rb-readline"
-  gem "inspec-core", "~> 4.18"
-  gem "inspec-core-bin", "~> 4.18" # need to provide the binaries for inspec
+  gem "inspec-core-bin", "~> 4.24" # need to provide the binaries for inspec
   gem "chef-vault"
 end
 

data/README.md

@@ -2,7 +2,7 @@
 [![Code Climate](https://codeclimate.com/github/chef/chef.svg)](https://codeclimate.com/github/chef/chef)
 [![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=master)](https://buildkite.com/chef-oss/chef-chef-master-verify)
 [![Gem Version](https://badge.fury.io/rb/chef.svg)](https://badge.fury.io/rb/chef)
-[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/v15.2.21/docs/dev/design_documents/client_release_cadence.md)
+[![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/master/docs/dev/design_documents/client_release_cadence.md)
 
 **Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/master/projects/chef-infra.md)
 

data/chef.gemspec

@@ -27,10 +27,11 @@ Gem::Specification.new do |s|
   s.add_dependency "mixlib-shellout", ">= 3.1.1", "< 4.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
   s.add_dependency "ohai", "~> 16.0"
+  s.add_dependency "inspec-core", "~> 4.23"
 
   s.add_dependency "ffi", ">= 1.9.25"
   s.add_dependency "ffi-yajl", "~> 2.2"
-  s.add_dependency "net-ssh", ">= 4.2", "< 7"
+  s.add_dependency "net-ssh", ">= 5.1", "< 7"
   s.add_dependency "net-ssh-multi", "~> 1.2", ">= 1.2.1"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 4.0"
   s.add_dependency "ed25519", "~> 1.2" # ed25519 ssh key support

data/lib/chef/application/base.rb

@@ -366,7 +366,7 @@ class Chef::Application::Base < Chef::Application
     Chef::Log.trace("Download recipes tarball from #{url} to #{path}")
     if File.exist?(url)
       FileUtils.cp(url, path)
-    elsif URI.regexp.match?(url)
+    elsif URI::DEFAULT_PARSER.make_regexp.match?(url)
       File.open(path, "wb") do |f|
         open(url) do |r|
           f.write(r.read)

data/lib/chef/client.rb

@@ -57,6 +57,8 @@ require "ohai" unless defined?(Ohai::System)
 require "rbconfig" unless defined?(RbConfig)
 require "forwardable" unless defined?(Forwardable)
 
+require_relative "compliance/runner"
+
 class Chef
   # == Chef::Client
   # The main object in a Chef run. Preps a Chef::Node and Chef::RunContext,
@@ -235,6 +237,7 @@ class Chef
 
         events.register(Chef::DataCollector::Reporter.new(events))
         events.register(Chef::ActionCollection.new(events))
+        events.register(Chef::Compliance::Runner.new)
 
         run_status.run_id = request_id = Chef::RequestID.instance.request_id
 

data/lib/chef/compliance/default_attributes.rb

@@ -0,0 +1,89 @@
+# Author:: Stephan Renatus <srenatus@chef.io>
+# Copyright:: (c) 2016-2019, Chef Software Inc. <legal@chef.io>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "chef/node/attribute_collections" # for VividMash
+require "chef/util/path_helper"
+
+class Chef
+  module Compliance
+    DEFAULT_ATTRIBUTES = Chef::Node::VividMash.new(
+      # If enabled, a cache is built for all backend calls. This should only be
+      # disabled if you are expecting unique results from the same backend call.
+      # Under the covers, this controls :command and :file caching on Chef InSpec's
+      # Train connection.
+      "inspec_backend_cache" => true,
+
+      # Controls what is done with the resulting report after the Chef InSpec run.
+      # Accepts a single string value or an array of multiple values.
+      # Accepted values: 'chef-server-automate', 'chef-automate', 'json-file', 'audit-enforcer'
+      "reporter" => "json-file",
+
+      # Controls if Chef InSpec profiles should be fetched from Chef Automate or Chef Infra Server
+      # in addition to the default fetch locations provided by Chef Inspec.
+      # Accepted values: nil, 'chef-server', 'chef-automate'
+      "fetcher" => nil,
+
+      # Allow for connections to HTTPS endpoints using self-signed ssl certificates.
+      "insecure" => nil,
+
+      # Controls verbosity of Chef InSpec runner.
+      "quiet" => true,
+
+      # Chef Inspec Compliance profiles to be used for scan of node.
+      # See README.md for details
+      "profiles" => {},
+
+      # Extra inputs passed to Chef InSpec to allow finer-grained control over behavior.
+      # These are mapped to Chef InSpec's inputs, but are named attributes here for legacy reasons.
+      # See Chef Inspec's documentation for more information: https://docs.chef.io/inspec/inputs/
+      "attributes" => {},
+
+      # A string path or an array of paths to Chef InSpec waiver files.
+      # See Chef Inspec's documentation for more information: https://docs.chef.io/inspec/waivers/
+      "waiver_file" => nil,
+
+      "json_file" => {
+        # The location on disk that Chef InSpec's json reports are saved to when using the
+        # 'json-file' reporter. Defaults to:
+        # <chef_cache_path>/compliance_reports/compliance-<timestamp>.json
+        "location" => Chef::Util::PathHelper.join(
+          Chef::Config[:cache_path],
+          "compliance_reports",
+          Time.now.utc.strftime("compliance-%Y%m%d%H%M%S.json")
+        ),
+      },
+
+      # Control results that have a `run_time` below this limit will
+      # be stripped of the `start_time` and `run_time` fields to
+      # reduce the size of the reports being sent to Chef Automate.
+      "run_time_limit" => 1.0,
+
+      # A control result message that exceeds this character limit will be truncated.
+      # This helps keep reports to a reasonable size. On rare occasions, we've seen messages exceeding 9 MB in size,
+      # causing the report to not be ingested in the backend because of the 4 MB report size rpc limitation.
+      # Chef InSpec will append this text at the end of any truncated messages: `[Truncated to 10000 characters]`
+      "result_message_limit" => 10000,
+
+      # When a Chef InSpec resource throws an exception, results will contain a short error message and a
+      # detailed ruby stacktrace of the error. This attribute instructs Chef InSpec not to include the detailed stacktrace in order
+      # to keep the overall report to a manageable size.
+      "result_include_backtrace" => false,
+
+      # The array of results per control will be truncated at this limit to avoid large reports that cannot be
+      # processed by Chef Automate. A summary of removed results will be sent with each impacted control.
+      "control_results_limit" => 50
+    )
+  end
+end

data/lib/chef/compliance/fetcher/automate.rb

@@ -0,0 +1,69 @@
+require "uri" unless defined?(URI)
+require "plugins/inspec-compliance/lib/inspec-compliance"
+
+class Chef
+  module Compliance
+    module Fetcher
+      class Automate < ::InspecPlugins::Compliance::Fetcher
+        name "chef-automate"
+
+        # it positions itself before `compliance` fetcher
+        # only load it, if you want to use audit cookbook in Chef Solo with Chef Automate
+        priority 502
+
+        CONFIG = {
+          "insecure" => true,
+          "token" => nil,
+          "server_type" => "automate",
+          "automate" => {
+            "ent" => "default",
+            "token_type" => "dctoken",
+          },
+        }.freeze
+
+        def self.resolve(target)
+          uri = get_target_uri(target)
+          return nil if uri.nil?
+
+          config = CONFIG.dup
+
+          # we have detailed information available in our lockfile, no need to ask the server
+          if target.respond_to?(:key?) && target.key?(:url)
+            profile_fetch_url = target[:url]
+          else
+            # verifies that the target e.g base/ssh exists
+            base_path = "/compliance/profiles/#{uri.host}#{uri.path}"
+
+            profile_path = if target.respond_to?(:key?) && target.key?(:version)
+                             "#{base_path}/version/#{target[:version]}/tar"
+                           else
+                             "#{base_path}/tar"
+                           end
+
+            url = URI(Chef::Config[:data_collector][:server_url])
+            url.path = profile_path
+            profile_fetch_url = url.to_s
+
+            config["token"] = Chef::Config[:data_collector][:token]
+
+            if config["token"].nil?
+              raise Inspec::FetcherFailure,
+                "No data-collector token set, which is required by the chef-automate fetcher. " \
+                "Set the `data_collector.token` configuration parameter in your client.rb " \
+                'or use the "chef-server-automate" reporter which does not require any ' \
+                "data-collector settings and uses #{ChefUtils::Dist::Server::PRODUCT} to fetch profiles."
+            end
+          end
+
+          new(profile_fetch_url, config)
+        rescue URI::Error => _e
+          nil
+        end
+
+        def to_s
+          "#{ChefUtils::Dist::Automate::PRODUCT} for #{ChefUtils::Dist::Solo::PRODUCT} Fetcher"
+        end
+      end
+    end
+  end
+end

data/lib/chef/compliance/fetcher/chef_server.rb

@@ -0,0 +1,134 @@
+require "uri" unless defined?(URI)
+require "plugins/inspec-compliance/lib/inspec-compliance"
+
+# This class implements an InSpec fetcher for Chef Server. The implementation
+# is based on the Chef Compliance fetcher and only adapts the calls to redirect
+# the requests via Chef Server.
+#
+# This implementation depends on chef-client runtime, therefore it is only executable
+# inside of a chef-client run
+
+class Chef
+  module Compliance
+    module Fetcher
+      class ChefServer < ::InspecPlugins::Compliance::Fetcher
+        name "chef-server"
+
+        # it positions itself before `compliance` fetcher
+        # only load it, if the Chef Server is integrated with Chef Compliance
+        priority 501
+
+        CONFIG = { "insecure" => true }.freeze
+
+        # Accepts URLs to compliance profiles in one of two forms:
+        # * a String URL with a compliance scheme, like "compliance://namespace/profile_name"
+        # * a Hash with a key of `compliance` and a value like "compliance/profile_name" and optionally a `version` key with a String value
+        def self.resolve(target)
+          profile_uri = get_target_uri(target)
+          return nil if profile_uri.nil?
+
+          organization = Chef::Config[:chef_server_url].split("/").last
+          owner = profile_uri.user ? "#{profile_uri.user}@#{profile_uri.host}" : profile_uri.host
+          version = target[:version] if target.respond_to?(:key?)
+
+          path_parts = [""]
+          path_parts << "compliance" if chef_server_reporter? || chef_server_fetcher?
+          path_parts << "organizations"
+          path_parts << organization
+          path_parts << "owners"
+          path_parts << owner
+          path_parts << "compliance"
+          path_parts << profile_uri.path
+          path_parts << "version/#{version}" if version
+          path_parts << "tar"
+
+          target_url = URI(Chef::Config[:chef_server_url])
+          target_url.path = File.join(path_parts)
+          Chef::Log.info("Fetching profile from: #{target_url}")
+
+          new(target_url, CONFIG)
+        rescue URI::Error => _e
+          nil
+        end
+
+        #
+        # We want to save compliance: in the lockfile rather than url: to
+        # make sure we go back through the ComplianceAPI handling.
+        #
+        def resolved_source
+          { compliance: chef_server_url }
+        end
+
+        # Downloads archive to temporary file using a Chef::ServerAPI
+        # client so that Chef Server's header-based authentication can be
+        # used.
+        def download_archive_to_temp
+          return @temp_archive_path unless @temp_archive_path.nil?
+
+          rest = Chef::ServerAPI.new(@target, Chef::Config.merge(ssl_verify_mode: :verify_none))
+          archive = with_http_rescue do
+            rest.streaming_request(@target)
+          end
+          @archive_type = ".tar.gz"
+
+          if archive.nil?
+            path = @target.respond_to?(:path) ? @target.path : path
+            raise Inspec::FetcherFailure, "Unable to find requested profile on path: '#{path}' on the #{ChefUtils::Dist::Automate::PRODUCT} system."
+          end
+
+          Inspec::Log.debug("Archive stored at temporary location: #{archive.path}")
+          @temp_archive_path = archive.path
+        end
+
+        def with_http_rescue
+          response = yield
+          if response.respond_to?(:code)
+            # handle non 200 error codes, they are not raised as Net::HTTPClientException
+            handle_http_error_code(response.code) if response.code.to_i >= 300
+          end
+          response
+        rescue Net::HTTPClientException => e
+          Chef::Log.error e
+          handle_http_error_code(e.response.code)
+        end
+
+        def handle_http_error_code(code)
+          case code
+          when /401|403/
+            Chef::Log.error "Auth issue: see audit cookbook TROUBLESHOOTING.md"
+          when /404/
+            Chef::Log.error "Object does not exist on remote server."
+          when /413/
+            Chef::Log.error "You most likely hit the erchef request size in #{ChefUtils::Dist::Server::PRODUCT} that defaults to ~2MB. To increase this limit see audit cookbook TROUBLESHOOTING.md OR https://docs.chef.io/config_rb_server.html"
+          when /429/
+            Chef::Log.error "This error typically means the data sent was larger than #{ChefUtils::Dist::Automate::PRODUCT}'s limit (4 MB). Run InSpec locally to identify any controls producing large diffs."
+          end
+          msg = "Received HTTP error #{code}"
+          Chef::Log.error msg
+          raise Inspec::FetcherFailure, msg
+        end
+
+        def to_s
+          "#{ChefUtils::Dist::Server::PRODUCT}/Compliance Profile Loader"
+        end
+
+        CHEF_SERVER_REPORTERS = %w{chef-server chef-server-compliance chef-server-visibility chef-server-automate}.freeze
+        def self.chef_server_reporter?
+          (Array(Chef.node.attributes["audit"]["reporter"]) & CHEF_SERVER_REPORTERS).any?
+        end
+
+        CHEF_SERVER_FETCHERS = %w{chef-server chef-server-compliance chef-server-visibility chef-server-automate}.freeze
+        def self.chef_server_fetcher?
+          CHEF_SERVER_FETCHERS.include?(Chef.node.attributes["audit"]["fetcher"])
+        end
+
+        private
+
+        def chef_server_url
+          m = %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}.match(@target)
+          "#{m[:owner]}/#{m[:id]}"
+        end
+      end
+    end
+  end
+end

data/lib/chef/compliance/reporter/automate.rb

@@ -0,0 +1,202 @@
+class Chef
+  module Compliance
+    module Reporter
+      #
+      # Used to send inspec reports to Chef Automate via the data_collector service
+      #
+      class Automate
+        def initialize(opts)
+          @entity_uuid           = opts[:entity_uuid]
+          @run_id                = opts[:run_id]
+          @node_name             = opts[:node_info][:node]
+          @environment           = opts[:node_info][:environment]
+          @roles                 = opts[:node_info][:roles]
+          @recipes               = opts[:node_info][:recipes]
+          @insecure              = opts[:insecure]
+          @chef_tags             = opts[:node_info][:chef_tags]
+          @policy_group          = opts[:node_info][:policy_group]
+          @policy_name           = opts[:node_info][:policy_name]
+          @source_fqdn           = opts[:node_info][:source_fqdn]
+          @organization_name     = opts[:node_info][:organization_name]
+          @ipaddress             = opts[:node_info][:ipaddress]
+          @fqdn                  = opts[:node_info][:fqdn]
+          @run_time_limit        = opts[:run_time_limit]
+          @control_results_limit = opts[:control_results_limit]
+          @timestamp             = opts.fetch(:timestamp) { Time.now }
+
+          @url = Chef::Config[:data_collector][:server_url]
+          @token = Chef::Config[:data_collector][:token]
+        end
+
+        # Method used in order to send the inspec report to the data_collector server
+        def send_report(report)
+          unless @entity_uuid && @run_id
+            Chef::Log.error "entity_uuid(#{@entity_uuid}) or run_id(#{@run_id}) can't be nil, not sending report to #{ChefUtils::Dist::Automate::PRODUCT}"
+            return false
+          end
+
+          unless @url && @token
+            Chef::Log.warn "data_collector.token and data_collector.server_url must be defined in client.rb!"
+            Chef::Log.warn "Further information: https://github.com/chef-cookbooks/audit#direct-reporting-to-chef-automate"
+            return false
+          end
+
+          headers = {
+            "Content-Type" => "application/json",
+            "x-data-collector-auth" => "version=1.0",
+            "x-data-collector-token" => @token,
+          }
+
+          all_report_shas = report[:profiles].map { |p| p[:sha256] }
+          missing_report_shas = missing_automate_profiles(headers, all_report_shas)
+
+          full_report = truncate_controls_results(enriched_report(report), @control_results_limit)
+          full_report = strip_profiles_meta(full_report, missing_report_shas, @run_time_limit)
+          json_report = Chef::JSONCompat.to_json(full_report, validate_utf8: false)
+
+          # Automate GRPC currently has a message limit of ~4MB
+          # https://github.com/chef/automate/issues/1417#issuecomment-541908157
+          if json_report.bytesize > 4 * 1024 * 1024
+            Chef::Log.warn "Generated report size is #{(json_report.bytesize / (1024 * 1024.0)).round(2)} MB. #{ChefUtils::Dist::Automate::PRODUCT} has an internal 4MB limit that is not currently configurable."
+          end
+
+          unless json_report
+            Chef::Log.warn "Something went wrong, report can't be nil"
+            return false
+          end
+
+          begin
+            Chef::Log.info "Report to #{ChefUtils::Dist::Automate::PRODUCT}: #{@url}"
+            Chef::Log.debug "Compliance Report: #{json_report}"
+            http_client.post(nil, json_report, headers)
+            true
+          rescue => e
+            Chef::Log.error "send_report: POST to #{@url} returned: #{e.message}"
+            false
+          end
+        end
+
+        def http_client(url = @url)
+          if @insecure
+            Chef::HTTP.new(url, ssl_verify_mode: :verify_none)
+          else
+            Chef::HTTP.new(url)
+          end
+        end
+
+        def enriched_report(final_report)
+          final_report[:profiles].compact!
+
+          # Label this content as an inspec_report
+          final_report[:type] = "inspec_report"
+
+          final_report[:node_name]         = @node_name
+          final_report[:end_time]          = @timestamp.utc.strftime("%FT%TZ")
+          final_report[:node_uuid]         = @entity_uuid
+          final_report[:environment]       = @environment
+          final_report[:roles]             = @roles
+          final_report[:recipes]           = @recipes
+          final_report[:report_uuid]       = @run_id
+          final_report[:source_fqdn]       = @source_fqdn
+          final_report[:organization_name] = @organization_name
+          final_report[:policy_group]      = @policy_group
+          final_report[:policy_name]       = @policy_name
+          final_report[:chef_tags]         = @chef_tags
+          final_report[:ipaddress]         = @ipaddress
+          final_report[:fqdn]              = @fqdn
+
+          final_report
+        end
+
+        CONTROL_RESULT_SORT_ORDER = %w{ failed skipped passed }.freeze
+
+        # Truncates the number of results per control in the report when they exceed max_results.
+        # The truncation prioritizes failed and skipped results over passed ones.
+        # Controls where results have been truncated will get a new object 'removed_results_counts'
+        # with the status counts of the truncated results
+        def truncate_controls_results(report, max_results)
+          return report unless max_results.is_a?(Integer) && max_results > 0
+
+          report.fetch(:profiles, []).each do |profile|
+            profile.fetch(:controls, []).each do |control|
+              # Only bother with truncation if the number of results exceed max_results
+              next unless control[:results].length > max_results
+
+              res = control[:results]
+              res.sort_by! { |r| CONTROL_RESULT_SORT_ORDER.index(r[:status]) }
+
+              # Count the results that will be truncated
+              truncated = { failed: 0, skipped: 0, passed: 0 }
+              (max_results..res.length - 1).each do |i|
+                case res[i][:status]
+                when "failed"
+                  truncated[:failed] += 1
+                when "skipped"
+                  truncated[:skipped] += 1
+                when "passed"
+                  truncated[:passed] += 1
+                end
+              end
+              # Truncate the results array now
+              control[:results] = res[0..max_results - 1]
+              control[:removed_results_counts] = truncated
+            end
+          end
+          report
+        end
+
+        # Contacts the metasearch Automate API to check which of the inspec profile sha256 ids
+        # passed in via `report_shas` are missing from the Automate profiles metadata database.
+        def missing_automate_profiles(headers, report_shas)
+          Chef::Log.debug "Checking the #{ChefUtils::Dist::Automate::PRODUCT} profiles metadata for: #{report_shas}"
+          meta_url = URI(@url)
+          meta_url.path = "/compliance/profiles/metasearch"
+          response_str = http_client(meta_url.to_s).post(nil, "{\"sha256\": #{report_shas}}", headers)
+          missing_shas = Chef::JSONCompat.parse(response_str)["missing_sha256"]
+          unless missing_shas.empty?
+            Chef::Log.info "#{ChefUtils::Dist::Automate::PRODUCT} is missing metadata for the following profile ids: #{missing_shas}"
+          end
+          missing_shas
+        rescue => e
+          Chef::Log.error "missing_automate_profiles error: #{e.message}"
+          # If we get an error it's safer to assume none of the profile shas exist in Automate
+          report_shas
+        end
+
+        # Profile 'name' is a required property.
+        # By not sending it in the report, we make it clear to the ingestion backend that the profile metadata has been stripped from this profile in the report.
+        # Profile 'title' and 'version' are still kept for troubleshooting purposes in the backend.
+        SEEN_PROFILE_UNNECESSARY_FIELDS = %i{ copyright copyright_email groups license maintainer name summary supports}.freeze
+
+        SEEN_PROFILE_UNNECESSARY_CONTROL_FIELDS = %i{ code desc descriptions impact refs source_location tags title }.freeze
+
+        # TODO: This mutates the report and probably doesn't need to.
+        def strip_profiles_meta(report, missing_report_shas, run_time_limit)
+          report[:profiles].each do |p|
+            next if missing_report_shas.include?(p[:sha256])
+
+            p.delete_if { |f| SEEN_PROFILE_UNNECESSARY_FIELDS.include?(f) }
+
+            next unless p[:controls].is_a?(Array)
+
+            p[:controls].each do |c|
+              c.delete_if { |f| SEEN_PROFILE_UNNECESSARY_CONTROL_FIELDS.include?(f) }
+              c.delete(:waiver_data) if c[:waiver_data] == {}
+
+              next unless c[:results].is_a?(Array)
+
+              c[:results].each do |r|
+                if r[:run_time].is_a?(Float) && r[:run_time] < run_time_limit
+                  r.delete(:start_time)
+                  r.delete(:run_time)
+                end
+              end
+            end
+          end
+          report[:run_time_limit] = run_time_limit
+          report
+        end
+      end
+    end
+  end
+end