inspec-core 4.18.100 → 4.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 699f8109813626e556c8f56fe2324ac80e444b62265808cbe37619d3ae5a46b2
-  data.tar.gz: 45f7ade4fe0020e8bec0f7f21bd9819807df1ed48666e65e7ab994e24fe97cb5
+  metadata.gz: 0c6037004db1c4ef1ba337ea6ef710938a2ce1d02c45e56b0bdfe7349b146a92
+  data.tar.gz: 926e31bc929c5e5c76e3a5e89ed686218000a2ad5374c6b7901ac006ee2536a7
 SHA512:
-  metadata.gz: b85550dd9d166506cbcda16e776db29edff56cf2f174c91dee528498d6224232dcd8c5d8b11ec8a56252cf40c03ed43205de56d802ea36f6ad8a03740c368826
-  data.tar.gz: a5b46d86ecf6762dd6f2643e67a0dc3274a36c71da4acd81950211ba19ac5f388f7eff2c7b860b65f168299df96d76727a083a0e8d9c50fa1184fb39a221c0a3
+  metadata.gz: 36c0d1cf39247500f0bc33a633279c08bdaeab0c2dc848fc14f54405cb8c3b3fb1d86ae0ef0afc0ce1394c73b6de978fc61e4ff523b2dfc56d58536920caae47
+  data.tar.gz: c385ff9ee77aca4689dc4a83c8bef4984a3b509e6a7f459655e44a5f1a1944792c2ac1f78b0626cde72697c2b6fee1d4c2eb05ae566d928596e447d5d08f2e34

data/README.md

@@ -141,7 +141,7 @@ That requires [bundler](http://bundler.io/):
 
 ```bash
 bundle install
-bundle exec bin/inspec help
+bundle exec inspec help
 ```
 
 To install it as a gem locally, run:

data/inspec-core.gemspec

@@ -27,11 +27,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "license-acceptance", ">= 0.2.13", "< 2.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "json_schemer",       "~> 0.2.1"
-  spec.add_dependency "method_source",      "~> 0.8"
+  spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            "~> 1.2", ">= 1.2.2"
   spec.add_dependency "rspec",              "~> 3.9"
   spec.add_dependency "rspec-its",          "~> 1.2"
-  spec.add_dependency "pry",                "~> 0"
+  spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             "~> 3.4"
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"

data/lib/inspec/base_cli.rb

@@ -135,6 +135,10 @@ module Inspec
       option :reporter, type: :array,
         banner: "one two:/output/file/path",
         desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
+      option :reporter_message_truncation, type: :string,
+        desc: "Number of characters to truncate failure messages in report data to (default: no truncation)"
+      option :reporter_backtrace_inclusion, type: :boolean,
+        desc: "Include a code backtrace in report data (default: true)"
       option :input, type: :array, banner: "name1=value1 name2=value2",
         desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE"
       option :input_file, type: :array,

data/lib/inspec/cli.rb

@@ -4,6 +4,7 @@ require "inspec/utils/deprecation/deprecator"
 require "inspec/dist"
 require "inspec/backend"
 require "inspec/dependencies/cache"
+require "inspec/utils/json_profile_summary"
 
 module Inspec # TODO: move this somewhere "better"?
   autoload :BaseCLI,       "inspec/base_cli"
@@ -77,24 +78,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     profile = Inspec::Profile.for_target(target, o)
-    info = profile.info
-    # add in inspec version
-    info[:generator] = {
-      name: "inspec",
-      version: Inspec::VERSION,
-    }
     dst = o[:output].to_s
-    if dst.empty?
-      puts JSON.dump(info)
-    else
-      if File.exist? dst
-        puts "----> updating #{dst}"
-      else
-        puts "----> creating #{dst}"
-      end
-      fdst = File.expand_path(dst)
-      File.write(fdst, JSON.dump(info))
-    end
+
+    # Write JSON
+    Inspec::Utils::JsonProfileSummary.produce_json(
+      info: profile.info,
+      write_path: dst
+    )
   rescue StandardError => e
     pretty_handle_exception(e)
   end

data/lib/inspec/config.rb

@@ -328,21 +328,36 @@ module Inspec
     def validate_reporters!(reporters)
       return if reporters.nil?
 
-      # TODO: move this into a reporter plugin type system
-      valid_types = %w{
-        automate
-        cli
+      # These "reporters" are actually RSpec Formatters.
+      # json-rspec is our alias for RSpec's json formatter.
+      rspec_built_in_formatters = %w{
         documentation
         html
+        json-rspec
+        progress
+      }
+
+      # These are true reporters, but have not been migrated to be plugins yet.
+      # Tracked on https://github.com/inspec/inspec/issues/3667
+      inspec_reporters_that_are_not_yet_plugins = %w{
+        automate
+        cli
         json
         json-automate
         json-min
-        json-rspec
         junit
-        progress
         yaml
       }
 
+      # Additional reporters may be loaded via plugins. They will have already been detected at
+      # this point (see v2_loader.load_all in cli.rb) but they may not (and need not) be
+      # activated at this point. We only care about their existance and their name, for validation's sake.
+      plugin_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)
 
@@ -360,6 +375,13 @@ module Inspec
       end
 
       raise ArgumentError, "The option --reporter can only have a single report outputting to stdout." if stdout_reporters > 1
+
+      # reporter_message_truncation needs to either be the string "ALL", an Integer, or a string representing an integer
+      if (truncation = @merged_options["reporter_message_truncation"])
+        unless truncation == "ALL" || truncation.is_a?(Integer) || truncation.to_i.to_s == truncation
+          raise ArgumentError, "reporter_message_truncation is set to #{truncation}. It must be set to an integer value or ALL to indicate no truncation."
+        end
+      end
     end
 
     def validate_plugins!

data/lib/inspec/fetcher/git.rb

@@ -99,7 +99,7 @@ module Inspec::Fetcher
     def cache_key
       return resolved_ref unless @relative_path
 
-      OpenSSL::Digest::SHA256.hexdigest(resolved_ref + @relative_path)
+      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
     end
 
     def archive_path

data/lib/inspec/fetcher/local.rb

@@ -104,7 +104,7 @@ module Inspec::Fetcher
       return @archive_shasum if @archive_shasum
       raise(Inspec::FetcherFailure, "Profile dependency local path '#{target}' does not exist") unless File.exist?(target)
 
-      @archive_shasum = OpenSSL::Digest::SHA256.digest(File.read(target)).unpack("H*")[0]
+      @archive_shasum = OpenSSL::Digest.digest("SHA256", File.read(target)).unpack("H*")[0]
     end
 
     def resolved_source

data/lib/inspec/fetcher/url.rb

@@ -127,7 +127,7 @@ module Inspec::Fetcher
     end
 
     def sha256
-      @archive_shasum ||= OpenSSL::Digest::SHA256.digest(File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
+      @archive_shasum ||= OpenSSL::Digest.digest("SHA256", File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
     end
 
     def file_type_from_remote(remote)

data/lib/inspec/input.rb

@@ -98,15 +98,15 @@ module Inspec
     # not been assigned a value. This allows a user to explicitly assign nil
     # to an input.
     class NO_VALUE_SET # rubocop: disable Naming/ClassAndModuleCamelCase
-      def initialize(name)
+      def initialize(name, warn_on_create = true)
         @name = name
 
         # output warn message if we are in a exec call
-        if Inspec::BaseCLI.inspec_cli_command == :exec
+        if warn_on_create && Inspec::BaseCLI.inspec_cli_command == :exec
           Inspec::Log.warn(
             "Input '#{@name}' does not have a value. "\
-            "Use --input-file to provide a value for '#{@name}' or specify a  "\
-            "value with `attribute('#{@name}', value: 'somevalue', ...)`."
+            "Use --input-file or --input to provide a value for '#{@name}' or specify a  "\
+            "value with `input('#{@name}', value: 'somevalue', ...)`."
           )
         end
       end
@@ -277,7 +277,7 @@ module Inspec
     end
 
     # Determine the current winning value, but don't validate it
-    def current_value
+    def current_value(warn_on_missing = true)
       # Examine the events to determine highest-priority value. Tie-break
       # by using the last one set.
       events_that_set_a_value = events.select(&:value_has_been_set?)
@@ -287,7 +287,7 @@ module Inspec
 
       if winning_event.nil?
         # No value has been set - return special no value object
-        NO_VALUE_SET.new(name)
+        NO_VALUE_SET.new(name, warn_on_missing)
       else
         winning_event.value # May still be nil
       end
@@ -315,7 +315,7 @@ module Inspec
     end
 
     def has_value?
-      !current_value.is_a? NO_VALUE_SET
+      !current_value(false).is_a? NO_VALUE_SET
     end
 
     def to_hash
@@ -348,7 +348,7 @@ module Inspec
       # skip if we are not doing an exec call (archive/vendor/check)
       return unless Inspec::BaseCLI.inspec_cli_command == :exec
 
-      proposed_value = current_value
+      proposed_value = current_value(false)
       if proposed_value.nil? || proposed_value.is_a?(NO_VALUE_SET)
         error = Inspec::Input::RequiredError.new
         error.input_name = name
@@ -363,7 +363,7 @@ module Inspec
       type_req = type
       return if type_req == "Any"
 
-      proposed_value = current_value
+      proposed_value = current_value(false)
 
       invalid_type = false
       if type_req == "Regexp"

data/lib/inspec/plugin/v2/installer.rb

@@ -3,6 +3,7 @@
 require "singleton"
 require "forwardable"
 require "fileutils"
+require "uri"
 
 # Gem extensions for doing unusual things - not loaded by Gem default
 require "rubygems/package"
@@ -56,6 +57,7 @@ module Inspec::Plugin::V2
     # @option opts [String] :gem_file Path to a local gem file to install from
     # @option opts [String] :path Path to a file to be used as the entry point for a path-based plugin
     # @option opts [String] :version Version constraint for remote gem installs
+    # @option opts [String] :source Alternate URL to use instead of rubygems.org
     def install(plugin_name, opts = {})
       # TODO: - check plugins.json for validity before trying anything that needs to modify it.
       validate_installation_opts(plugin_name, opts)
@@ -127,6 +129,11 @@ module Inspec::Plugin::V2
       validate_search_opts(plugin_query, opts)
 
       fetcher = Gem::SpecFetcher.fetcher
+      if opts[:source]
+        source_list = Gem::SourceList.from([opts[:source]])
+        fetcher = Gem::SpecFetcher.new(source_list)
+      end
+
       matched_tuples = []
       if opts[:exact]
         matched_tuples = fetcher.detect(opts[:scope]) { |tuple| tuple.name == plugin_query }
@@ -284,8 +291,22 @@ module Inspec::Plugin::V2
 
     def install_from_remote_gems(requested_plugin_name, opts)
       plugin_dependency = Gem::Dependency.new(requested_plugin_name, opts[:version] || "> 0")
-      # BestSet is rubygems.org API + indexing
-      install_gem_to_plugins_dir(plugin_dependency, [Gem::Resolver::BestSet.new], opts[:update_mode])
+
+      # BestSet is rubygems.org API + indexing, APISet is for custom sources
+      sources = if opts[:source]
+                  Gem::Resolver::APISet.new(URI.join(opts[:source] + "/api/v1/dependencies"))
+                else
+                  Gem::Resolver::BestSet.new
+                end
+
+      begin
+        install_gem_to_plugins_dir(plugin_dependency, [sources], opts[:update_mode])
+      rescue Gem::RemoteFetcher::FetchError => gem_ex
+        # TODO: Give a hint if the host was not resolvable or a 404 occured
+        ex = Inspec::Plugin::V2::InstallError.new(gem_ex.message)
+        ex.plugin_name = requested_plugin_name
+        raise ex
+      end
     end
 
     def install_gem_to_plugins_dir(new_plugin_dependency, # rubocop: disable Metrics/AbcSize

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -0,0 +1,68 @@
+require_relative "../../../run_data"
+
+module Inspec::Plugin::V2::PluginType
+  class Reporter < Inspec::Plugin::V2::PluginBase
+    register_plugin_type(:reporter)
+
+    attr_reader :run_data
+
+    def initialize(config)
+      @config = config
+
+      # Trim the run_data while still a Hash; if it is huge, this
+      # saves on conversion time
+      @run_data = config[:run_data] || {}
+      apply_report_resize_options
+
+      unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
+        # Best we can do is warn here, the InSpec run has finished
+        # TODO: one day, perhaps switch RunData implementations to try to satisfy constraints?
+        Inspec::Log.warn "Reporter does not support RunData API (#{Inspec::RunData::SCHEMA_VERSION}), Reporter constraints: '#{self.class.run_data_schema_constraints}'"
+      end
+      # Convert to RunData object for consumption by Reporter
+      @run_data = Inspec::RunData.new(@run_data)
+      @output = ""
+    end
+
+    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
+    # To be DRY'd up once the core reporters become plugins...
+    # Apply options such as message truncation and removal of backtraces
+    def apply_report_resize_options
+      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+
+      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+      @run_data[:profiles]&.each do |p|
+        p[:controls].each do |c|
+          c[:results]&.map! do |r|
+            r.delete(:backtrace) unless include_backtrace
+            if r.key?(:message) && r[:message] != "" && trunc > -1
+              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
+            end
+            r
+          end
+        end
+      end
+    end
+
+    def output(str, newline = true)
+      @output << str
+      @output << "\n" if newline
+    end
+
+    def rendered_output
+      @output
+    end
+
+    # each reporter must implement #render
+    def render
+      raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
+    end
+
+    def self.run_data_schema_constraints
+      raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
+    end
+  end
+end

data/lib/inspec/profile.rb

@@ -12,6 +12,7 @@ require "inspec/method_source"
 require "inspec/dependencies/cache"
 require "inspec/dependencies/lockfile"
 require "inspec/dependencies/dependency_set"
+require "inspec/utils/json_profile_summary"
 
 module Inspec
   class Profile
@@ -465,28 +466,39 @@ module Inspec
       end
 
       # remove existing archive
-      File.delete(dst) if dst.exist?
+      FileUtils.rm_f(dst) if dst.exist?
       @logger.info "Generate archive #{dst}."
 
       # filter files that should not be part of the profile
       # TODO ignore all .files, but add the files to debug output
 
+      # Generate temporary inspec.json for archive
+      Inspec::Utils::JsonProfileSummary.produce_json(
+        info: info,
+        write_path: "#{root_path}inspec.json",
+        suppress_output: true
+      )
+
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
+      @logger.debug "    inspec.json"
 
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files, dst)
+        zag.archive(root_path, files.push("inspec.json"), dst)
       else
         # generate tar archive
         require "inspec/archive/tar"
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files, dst)
+        tag.archive(root_path, files.push("inspec.json"), dst)
       end
 
+      # Cleanup
+      FileUtils.rm_f("#{root_path}inspec.json")
+
       @logger.info "Finished archive generation."
       true
     end
@@ -559,7 +571,7 @@ module Inspec
       # get all dependency checksums
       deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]
 
-      res = OpenSSL::Digest::SHA256.new
+      res = OpenSSL::Digest.new("SHA256")
       files = source_reader.tests.to_a + source_reader.libraries.to_a +
         source_reader.data_files.to_a +
         [["inspec.yml", source_reader.metadata.content]] +

data/lib/inspec/reporters.rb

@@ -30,7 +30,10 @@ module Inspec::Reporters
     when "yaml"
       reporter = Inspec::Reporters::Yaml.new(config)
     else
-      raise NotImplementedError, "'#{name}' is not a valid reporter type."
+      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+      activator.activate!
+      reporter = activator.implementation_class.new(config)
     end
 
     # optional send_report method on reporter

data/lib/inspec/reporters/base.rb

@@ -5,9 +5,31 @@ module Inspec::Reporters
     def initialize(config)
       @config = config
       @run_data = config[:run_data]
+      apply_report_resize_options unless @run_data.nil?
       @output = ""
     end
 
+    # Apply options such as message truncation and removal of backtraces
+    def apply_report_resize_options
+      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+
+      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+      @run_data[:profiles]&.each do |p|
+        p[:controls].each do |c|
+          c[:results]&.map! do |r|
+            r.delete(:backtrace) unless include_backtrace
+            if r.key?(:message) && r[:message] != "" && trunc > -1
+              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
+            end
+            r
+          end
+        end
+      end
+    end
+
     def output(str, newline = true)
       @output << str
       @output << "\n" if newline