inspec-core 4.18.108 → 4.20.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07ce3c9c460909bfb27d25c98f2911d44d3319e287e1befb072b0a8d09e22f3d
-  data.tar.gz: 7158a199c122637211d0a4b9e2e2795b4ec100709a16a1a38be6195d904eaf7d
+  metadata.gz: 2395ce22d38edca9eaac2fad00c1fc61f3fb95a154618540d23bc2a1e6ce0fcd
+  data.tar.gz: 4ebdbe5526025408e729b52e0614b43fe89f70b0faae5eeecc8c23db8f0f1ff9
 SHA512:
-  metadata.gz: e51b5023ca17e20878508e7bb9b7f1abcd8c603676bba0f0a38644d7bd33165700f6fbe251ee61e15beff9c93304b55888bf346ec4228275d57f2201f2dbdcac
-  data.tar.gz: 473ce96487948f10e81af956690fcb7ef1ca6d0924809d15099ff0919a01a2cc15b0c87ca470a0fb277e8d4086384c281ab4f3b86a6fb61d7b2923be4def5d3f
+  metadata.gz: f2b21bfbc96b4830edf20f1d48493257845bfbeb52137141269371066c47359092d3ed280cc64e9358b3587d0ddb0c54a643cafd730d57ad2d7ba2331d35b33a
+  data.tar.gz: 84bc11b59621836d20c045efcdee955cc97c605e5902fafaa79c8756dd44f66334731256c6ba4273484d645484f374b1ec2daf471a6dc56805ea819ab2685f38

data/Gemfile

@@ -9,7 +9,7 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-gem "ffi", ">= 1.9.14"
+gem "ffi", [">= 1.9.14", "< 1.13"] # 1.13 does not work on Windows: https://github.com/ffi/ffi/issues/784
 
 group :omnibus do
   gem "rb-readline"

data/README.md

@@ -141,7 +141,7 @@ That requires [bundler](http://bundler.io/):
 
 ```bash
 bundle install
-bundle exec bin/inspec help
+bundle exec inspec help
 ```
 
 To install it as a gem locally, run:

data/lib/inspec/base_cli.rb

@@ -135,8 +135,12 @@ module Inspec
       option :reporter, type: :array,
         banner: "one two:/output/file/path",
         desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
+      option :reporter_message_truncation, type: :string,
+        desc: "Number of characters to truncate failure messages in report data to (default: no truncation)"
+      option :reporter_backtrace_inclusion, type: :boolean,
+        desc: "Include a code backtrace in report data (default: true)"
       option :input, type: :array, banner: "name1=value1 name2=value2",
-        desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE"
+        desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
       option :input_file, type: :array,
         desc: "Load one or more input files, a YAML file with values for the profile to use"
       option :waiver_file, type: :array,
@@ -151,6 +155,9 @@ module Inspec
         desc: "Show progress while executing tests."
       option :distinct_exit, type: :boolean, default: true,
         desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
+      option :silence_deprecations, type: :array,
+        banner: "[all]|[GROUP GROUP...]",
+        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
     end
 
     def self.format_platform_info(params: {}, indent: 0, color: 39)

data/lib/inspec/cli.rb

@@ -4,6 +4,7 @@ require "inspec/utils/deprecation/deprecator"
 require "inspec/dist"
 require "inspec/backend"
 require "inspec/dependencies/cache"
+require "inspec/utils/json_profile_summary"
 
 module Inspec # TODO: move this somewhere "better"?
   autoload :BaseCLI,       "inspec/base_cli"
@@ -77,24 +78,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     profile = Inspec::Profile.for_target(target, o)
-    info = profile.info
-    # add in inspec version
-    info[:generator] = {
-      name: "inspec",
-      version: Inspec::VERSION,
-    }
     dst = o[:output].to_s
-    if dst.empty?
-      puts JSON.dump(info)
-    else
-      if File.exist? dst
-        puts "----> updating #{dst}"
-      else
-        puts "----> creating #{dst}"
-      end
-      fdst = File.expand_path(dst)
-      File.write(fdst, JSON.dump(info))
-    end
+
+    # Write JSON
+    Inspec::Utils::JsonProfileSummary.produce_json(
+      info: profile.info,
+      write_path: dst
+    )
   rescue StandardError => e
     pretty_handle_exception(e)
   end

data/lib/inspec/config.rb

@@ -328,21 +328,36 @@ module Inspec
     def validate_reporters!(reporters)
       return if reporters.nil?
 
-      # TODO: move this into a reporter plugin type system
-      valid_types = %w{
-        automate
-        cli
+      # These "reporters" are actually RSpec Formatters.
+      # json-rspec is our alias for RSpec's json formatter.
+      rspec_built_in_formatters = %w{
         documentation
         html
+        json-rspec
+        progress
+      }
+
+      # These are true reporters, but have not been migrated to be plugins yet.
+      # Tracked on https://github.com/inspec/inspec/issues/3667
+      inspec_reporters_that_are_not_yet_plugins = %w{
+        automate
+        cli
         json
         json-automate
         json-min
-        json-rspec
         junit
-        progress
         yaml
       }
 
+      # Additional reporters may be loaded via plugins. They will have already been detected at
+      # this point (see v2_loader.load_all in cli.rb) but they may not (and need not) be
+      # activated at this point. We only care about their existance and their name, for validation's sake.
+      plugin_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)
 
@@ -360,6 +375,13 @@ module Inspec
       end
 
       raise ArgumentError, "The option --reporter can only have a single report outputting to stdout." if stdout_reporters > 1
+
+      # reporter_message_truncation needs to either be the string "ALL", an Integer, or a string representing an integer
+      if (truncation = @merged_options["reporter_message_truncation"])
+        unless truncation == "ALL" || truncation.is_a?(Integer) || truncation.to_i.to_s == truncation
+          raise ArgumentError, "reporter_message_truncation is set to #{truncation}. It must be set to an integer value or ALL to indicate no truncation."
+        end
+      end
     end
 
     def validate_plugins!

data/lib/inspec/fetcher/git.rb

@@ -99,7 +99,7 @@ module Inspec::Fetcher
     def cache_key
       return resolved_ref unless @relative_path
 
-      OpenSSL::Digest::SHA256.hexdigest(resolved_ref + @relative_path)
+      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
     end
 
     def archive_path

data/lib/inspec/fetcher/local.rb

@@ -104,7 +104,7 @@ module Inspec::Fetcher
       return @archive_shasum if @archive_shasum
       raise(Inspec::FetcherFailure, "Profile dependency local path '#{target}' does not exist") unless File.exist?(target)
 
-      @archive_shasum = OpenSSL::Digest::SHA256.digest(File.read(target)).unpack("H*")[0]
+      @archive_shasum = OpenSSL::Digest.digest("SHA256", File.read(target)).unpack("H*")[0]
     end
 
     def resolved_source

data/lib/inspec/fetcher/url.rb

@@ -127,7 +127,7 @@ module Inspec::Fetcher
     end
 
     def sha256
-      @archive_shasum ||= OpenSSL::Digest::SHA256.digest(File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
+      @archive_shasum ||= OpenSSL::Digest.digest("SHA256", File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
     end
 
     def file_type_from_remote(remote)

data/lib/inspec/input.rb

@@ -98,15 +98,15 @@ module Inspec
     # not been assigned a value. This allows a user to explicitly assign nil
     # to an input.
     class NO_VALUE_SET # rubocop: disable Naming/ClassAndModuleCamelCase
-      def initialize(name)
+      def initialize(name, warn_on_create = true)
         @name = name
 
         # output warn message if we are in a exec call
-        if Inspec::BaseCLI.inspec_cli_command == :exec
+        if warn_on_create && Inspec::BaseCLI.inspec_cli_command == :exec
           Inspec::Log.warn(
             "Input '#{@name}' does not have a value. "\
-            "Use --input-file to provide a value for '#{@name}' or specify a  "\
-            "value with `attribute('#{@name}', value: 'somevalue', ...)`."
+            "Use --input-file or --input to provide a value for '#{@name}' or specify a  "\
+            "value with `input('#{@name}', value: 'somevalue', ...)`."
           )
         end
       end
@@ -277,7 +277,7 @@ module Inspec
     end
 
     # Determine the current winning value, but don't validate it
-    def current_value
+    def current_value(warn_on_missing = true)
       # Examine the events to determine highest-priority value. Tie-break
       # by using the last one set.
       events_that_set_a_value = events.select(&:value_has_been_set?)
@@ -287,7 +287,7 @@ module Inspec
 
       if winning_event.nil?
         # No value has been set - return special no value object
-        NO_VALUE_SET.new(name)
+        NO_VALUE_SET.new(name, warn_on_missing)
       else
         winning_event.value # May still be nil
       end
@@ -315,7 +315,7 @@ module Inspec
     end
 
     def has_value?
-      !current_value.is_a? NO_VALUE_SET
+      !current_value(false).is_a? NO_VALUE_SET
     end
 
     def to_hash
@@ -348,7 +348,7 @@ module Inspec
       # skip if we are not doing an exec call (archive/vendor/check)
       return unless Inspec::BaseCLI.inspec_cli_command == :exec
 
-      proposed_value = current_value
+      proposed_value = current_value(false)
       if proposed_value.nil? || proposed_value.is_a?(NO_VALUE_SET)
         error = Inspec::Input::RequiredError.new
         error.input_name = name
@@ -363,7 +363,7 @@ module Inspec
       type_req = type
       return if type_req == "Any"
 
-      proposed_value = current_value
+      proposed_value = current_value(false)
 
       invalid_type = false
       if type_req == "Regexp"

data/lib/inspec/input_registry.rb

@@ -166,8 +166,9 @@ module Inspec
           end
         end
         input_name, input_value = pair.split("=")
+        input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(
-          value: input_value.chomp(","), # Trim trailing comma if any
+          value: input_value,
           provider: :cli,
           priority: 50
         )
@@ -175,6 +176,37 @@ module Inspec
       end
     end
 
+    # Remove trailing commas, resolve type.
+    def parse_cli_input_value(input_name, given_value)
+      value = given_value.chomp(",") # Trim trailing comma if any
+      case value
+      when /^true|false$/i
+        value = !!(value =~ /true/i)
+      when /^-?\d+$/
+        value = value.to_i
+      when /^-?\d+\.\d+$/
+        value = value.to_f
+      when /^(\[|\{).*(\]|\})$/
+        # Look for complex values and try to parse them.
+        require "yaml"
+        begin
+          value = YAML.load(value)
+        rescue Psych::SyntaxError => yaml_error
+          # It could be that we just tried to run JSON through the YAML parser.
+          require "json"
+          begin
+            value = JSON.parse(value)
+          rescue JSON::ParserError => json_error
+            msg = "Unparseable value '#{value}' for --input #{input_name}.\n"
+            msg += "When treated as YAML, error: #{yaml_error.message}\n"
+            msg += "When treated as JSON, error: #{json_error.message}"
+            Inspec::Log.warn msg
+          end
+        end
+      end
+      value
+    end
+
     def bind_inputs_from_runner_api(profile_name, input_hash)
       # TODO: move this into a core plugin
 

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -0,0 +1,68 @@
+require_relative "../../../run_data"
+
+module Inspec::Plugin::V2::PluginType
+  class Reporter < Inspec::Plugin::V2::PluginBase
+    register_plugin_type(:reporter)
+
+    attr_reader :run_data
+
+    def initialize(config)
+      @config = config
+
+      # Trim the run_data while still a Hash; if it is huge, this
+      # saves on conversion time
+      @run_data = config[:run_data] || {}
+      apply_report_resize_options
+
+      unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
+        # Best we can do is warn here, the InSpec run has finished
+        # TODO: one day, perhaps switch RunData implementations to try to satisfy constraints?
+        Inspec::Log.warn "Reporter does not support RunData API (#{Inspec::RunData::SCHEMA_VERSION}), Reporter constraints: '#{self.class.run_data_schema_constraints}'"
+      end
+      # Convert to RunData object for consumption by Reporter
+      @run_data = Inspec::RunData.new(@run_data)
+      @output = ""
+    end
+
+    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
+    # To be DRY'd up once the core reporters become plugins...
+    # Apply options such as message truncation and removal of backtraces
+    def apply_report_resize_options
+      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+
+      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+      @run_data[:profiles]&.each do |p|
+        p[:controls].each do |c|
+          c[:results]&.map! do |r|
+            r.delete(:backtrace) unless include_backtrace
+            if r.key?(:message) && r[:message] != "" && trunc > -1
+              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
+            end
+            r
+          end
+        end
+      end
+    end
+
+    def output(str, newline = true)
+      @output << str
+      @output << "\n" if newline
+    end
+
+    def rendered_output
+      @output
+    end
+
+    # each reporter must implement #render
+    def render
+      raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
+    end
+
+    def self.run_data_schema_constraints
+      raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
+    end
+  end
+end

data/lib/inspec/profile.rb

@@ -12,6 +12,7 @@ require "inspec/method_source"
 require "inspec/dependencies/cache"
 require "inspec/dependencies/lockfile"
 require "inspec/dependencies/dependency_set"
+require "inspec/utils/json_profile_summary"
 
 module Inspec
   class Profile
@@ -465,28 +466,39 @@ module Inspec
       end
 
       # remove existing archive
-      File.delete(dst) if dst.exist?
+      FileUtils.rm_f(dst) if dst.exist?
       @logger.info "Generate archive #{dst}."
 
       # filter files that should not be part of the profile
       # TODO ignore all .files, but add the files to debug output
 
+      # Generate temporary inspec.json for archive
+      Inspec::Utils::JsonProfileSummary.produce_json(
+        info: info,
+        write_path: "#{root_path}inspec.json",
+        suppress_output: true
+      )
+
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
+      @logger.debug "    inspec.json"
 
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files, dst)
+        zag.archive(root_path, files.push("inspec.json"), dst)
       else
         # generate tar archive
         require "inspec/archive/tar"
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files, dst)
+        tag.archive(root_path, files.push("inspec.json"), dst)
       end
 
+      # Cleanup
+      FileUtils.rm_f("#{root_path}inspec.json")
+
       @logger.info "Finished archive generation."
       true
     end
@@ -559,7 +571,7 @@ module Inspec
       # get all dependency checksums
       deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]
 
-      res = OpenSSL::Digest::SHA256.new
+      res = OpenSSL::Digest.new("SHA256")
       files = source_reader.tests.to_a + source_reader.libraries.to_a +
         source_reader.data_files.to_a +
         [["inspec.yml", source_reader.metadata.content]] +

data/lib/inspec/reporters.rb

@@ -30,7 +30,10 @@ module Inspec::Reporters
     when "yaml"
       reporter = Inspec::Reporters::Yaml.new(config)
     else
-      raise NotImplementedError, "'#{name}' is not a valid reporter type."
+      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+      activator.activate!
+      reporter = activator.implementation_class.new(config)
     end
 
     # optional send_report method on reporter

data/lib/inspec/reporters/base.rb

@@ -5,9 +5,31 @@ module Inspec::Reporters
     def initialize(config)
       @config = config
       @run_data = config[:run_data]
+      apply_report_resize_options unless @run_data.nil?
       @output = ""
     end
 
+    # Apply options such as message truncation and removal of backtraces
+    def apply_report_resize_options
+      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+
+      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+      @run_data[:profiles]&.each do |p|
+        p[:controls].each do |c|
+          c[:results]&.map! do |r|
+            r.delete(:backtrace) unless include_backtrace
+            if r.key?(:message) && r[:message] != "" && trunc > -1
+              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
+            end
+            r
+          end
+        end
+      end
+    end
+
     def output(str, newline = true)
       @output << str
       @output << "\n" if newline

data/lib/inspec/resources/x509_certificate.rb

@@ -59,7 +59,7 @@ module Inspec::Resources
     def fingerprint
       return if @cert.nil?
 
-      OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
+      OpenSSL::Digest.new("SHA1", @cert.to_der).to_s
     end
 
     def serial

data/lib/inspec/rule.rb

@@ -332,7 +332,7 @@ module Inspec
       input_name = @__rule_id # TODO: control ID slugging
       registry = Inspec::InputRegistry.instance
       input = registry.inputs_by_profile.dig(__profile_id, input_name)
-      return unless input
+      return unless input && input.has_value? && input.value.is_a?(Hash)
 
       # An InSpec Input is a datastructure that tracks a profile parameter
       # over time. Its value can be set by many sources, and it keeps a
@@ -353,9 +353,13 @@ module Inspec
       # if so, is it in the future?
       expiry = __waiver_data["expiration_date"]
       if expiry
-        if expiry.is_a?(Date)
-          # It appears that yaml.rb automagically parses dates for us
-          if expiry < Date.today # If the waiver expired, return - no skip applied
+        # YAML will automagically give us a Date or a Time.
+        # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
+        # A string that does not represent a valid time results in the date 0000-01-01.
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+          expiry = expiry.to_time if expiry.is_a? Date
+          expiry = Time.new(expiry) if expiry.is_a? String
+          if expiry < Time.now # If the waiver expired, return - no skip applied
             __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
             return
           end

data/lib/inspec/run_data.rb

@@ -0,0 +1,64 @@
+
+module Inspec
+  module HashLikeStruct
+    def keys
+      members
+    end
+
+    def key?(item)
+      members.include?(item)
+    end
+  end
+
+  RunData = Struct.new(
+    :controls,     # Array of Inspec::RunData::Control (flattened)
+    :other_checks,
+    :profiles,     # Array of Inspec::RunData::Profile
+    :platform,     # Inspec::RunData::Platform
+    :statistics,   # Inspec::RunData::Statistics
+    :version       # String
+  ) do
+    include HashLikeStruct
+    def initialize(raw_run_data)
+      self.controls   = raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
+      self.profiles   = raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
+      self.statistics = Inspec::RunData::Statistics.new(raw_run_data[:statistics])
+      self.platform   = Inspec::RunData::Platform.new(raw_run_data[:platform])
+      self.version    = raw_run_data[:version]
+    end
+  end
+
+  class RunData
+
+    # This is the data layout version of RunData.
+    # We plan to follow a data-oriented version of semver:
+    #  patch: fixing a bug in the provenance or description of a data element, no key changes
+    #  minor: adding new data elements
+    #  major: deleting or renaming data elements
+    # Less than major version 1.0.0, the API is considered unstable.
+    # The current plan is to bump the major version to 1.0.0 when all of the existing
+    # core reporters have been migrated to plugins. It is probable that new data elements
+    # and new Hash compatibility behavior will be added during the core reporter plugin
+    # conversion process.
+    SCHEMA_VERSION = "0.1.0".freeze
+
+    def self.compatible_schema?(constraints)
+      reqs = Gem::Requirement.create(constraints)
+      reqs.satisfied_by?(Gem::Version.new(SCHEMA_VERSION))
+    end
+
+    Platform = Struct.new(
+      :name, :release, :target
+    ) do
+      include HashLikeStruct
+      def initialize(raw_plat_data)
+        %i{name release target}.each { |f| self[f] = raw_plat_data[f] || "" }
+      end
+    end
+  end
+end
+
+require_relative "run_data/result"
+require_relative "run_data/control"
+require_relative "run_data/profile"
+require_relative "run_data/statistics"

data/lib/inspec/run_data/control.rb

@@ -0,0 +1,83 @@
+module Inspec
+  class RunData
+    Control = Struct.new(
+      :code,            # String
+      :desc,            # String
+      :descriptions,    # Hash with custom keys
+      :id,              # String
+      :impact,          # Float
+      :refs,            # Complex local
+      :results,         # complex standalone
+      :source_location, # Complex local
+      :tags,            # Hash with custom keys
+      :title,           # String
+      :waiver_data      # Complex local
+    ) do
+      include HashLikeStruct
+      def initialize(raw_ctl_data)
+        self.refs = (raw_ctl_data[:refs] || []).map { |r| Inspec::RunData::Control::Ref.new(r) }
+        self.results = (raw_ctl_data[:results] || []).map { |r| Inspec::RunData::Result.new(r) }
+        self.source_location = Inspec::RunData::Control::SourceLocation.new(raw_ctl_data[:source_location] || {})
+        self.waiver_data = Inspec::RunData::Control::WaiverData.new(raw_ctl_data[:waiver_data] || {})
+
+        [
+          :code,            # String
+          :desc,            # String
+          :descriptions,    # Hash with custom keys
+          :id,              # String
+          :impact,          # Float
+          :tags,            # Hash with custom keys
+          :title,           # String
+        ].each do |field|
+          self[field] = raw_ctl_data[field]
+        end
+      end
+    end
+
+    class Control
+      Ref = Struct.new(
+        :url, :ref
+      ) do
+        include HashLikeStruct
+        def initialize(raw_ref_data)
+          %i{url ref}.each { |f| self[f] = raw_ref_data[f] }
+        end
+      end
+
+      SourceLocation = Struct.new(
+        :line, :ref
+      ) do
+        include HashLikeStruct
+        def initialize(raw_sl_data)
+          %i{line ref}.each { |f| self[f] = raw_sl_data[f] }
+        end
+      end
+
+      # {
+      #   "expiration_date"=>#<Date: 2077-06-01 ((2479821j,0s,0n),+0s,2299161j)>,
+      #   "justification"=>"Lack of imagination",
+      #   "run"=>false,
+      #   "skipped_due_to_waiver"=>true,
+      #   "message"=>""}
+      WaiverData = Struct.new(
+        :expiration_date,
+        :justification,
+        :run,
+        :skipped_due_to_waiver,
+        :message
+      ) do
+        include HashLikeStruct
+        def initialize(raw_wv_data)
+          # These have string keys in the raw data!
+          %i{
+            expiration_date
+            justification
+            run
+            skipped_due_to_waiver
+            message
+          }.each { |f| self[f] = raw_wv_data[f.to_s] }
+        end
+      end
+    end
+  end
+end

data/lib/inspec/run_data/profile.rb

@@ -0,0 +1,109 @@
+module Inspec
+  class RunData
+    Profile = Struct.new(
+      :controls,         # complex standalone
+      :copyright,
+      :copyright_email,
+      :depends,          # complex local
+      :groups,           # complex local
+      :inputs,           # complex local
+      :license,
+      :maintainer,
+      :name,
+      :sha256,
+      :status,
+      :summary,
+      :supports,         # complex local
+      :parent_profile,
+      :skip_message,
+      :waiver_data,      # Undocumented but used in JSON reporter - should not be?
+      :title,
+      :version
+    ) do
+      include HashLikeStruct
+      def initialize(raw_prof_data)
+        self.controls = (raw_prof_data[:controls] || []).map { |c| Inspec::RunData::Control.new(c) }
+        self.depends  = (raw_prof_data[:depends]  || []).map { |d| Inspec::RunData::Profile::Dependency.new(d) }
+        self.groups   = (raw_prof_data[:groups]   || []).map { |g| Inspec::RunData::Profile::Group.new(g) }
+        self.inputs   = (raw_prof_data[:inputs]   || []).map { |i| Inspec::RunData::Profile::Input.new(i) }
+        self.supports = (raw_prof_data[:supports] || []).map { |s| Inspec::RunData::Profile::Support.new(s) }
+
+        %i{
+          copyright
+          copyright_email
+          license
+          maintainer
+          name
+          sha256
+          status
+          summary
+          title
+          version
+          parent_profile
+          skip_message
+          waiver_data
+        }.each do |field|
+          self[field] = raw_prof_data[field]
+        end
+      end
+    end
+
+    class Profile
+      # Good candidate for keyword_init, but that is not in 2.4
+      Dependency = Struct.new(
+        :name, :path, :status, :skip_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
+      ) do
+        include HashLikeStruct
+        def initialize(raw_dep_data)
+          %i{name path status skip_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
+        end
+      end
+
+      Support = Struct.new(
+        #  snake case
+        :platform_family, :platform_name, :release, :platform
+      ) do
+        include HashLikeStruct
+        def initialize(raw_sup_data)
+          %i{release platform}.each { |f| self[f] = raw_sup_data[f] }
+          self.platform_family = raw_sup_data[:"platform-family"]
+          self.platform_name = raw_sup_data[:"platform-name"]
+        end
+      end
+
+      # Good candidate for keyword_init, but that is not in 2.4
+      Group = Struct.new(
+        :title, :controls, :id
+      ) do
+        include HashLikeStruct
+        def initialize(raw_grp_data)
+          %i{title id}.each { |f| self[f] = raw_grp_data[f] }
+          [:controls].each { |f| self[f] = raw_grp_data[f] || [] }
+        end
+      end
+
+      Input = Struct.new(
+        :name, :options
+      ) do
+        include HashLikeStruct
+        def initialize(raw_input_data)
+          self.name = raw_input_data[:name]
+          self.options = Inspec::RunData::Profile::Input::Options.new(raw_input_data[:options])
+        end
+      end
+      class Input
+        Options = Struct.new(
+          # There are probably others
+          :value,
+          :type,
+          :required
+        ) do
+          include HashLikeStruct
+          def initialize(raw_opts_data)
+            %i{value type required}.each { |f| self[f] = raw_opts_data[f] }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/inspec/run_data/result.rb

@@ -0,0 +1,40 @@
+module Inspec
+  class RunData
+    Result = Struct.new(
+      :message,             # Human-friendly test failure message
+      :code_desc,           # Generated test description
+      :expectation_message, # a substring of code_desc
+      :resource_name,       # We try to determine this
+      :run_time,            # Float seconds execution time
+      :skip_message,        # String
+      :start_time,          # DateTime
+      :status, # String
+      :resource_title, # Ugly internals
+      # :waiver_data,       # Undocumented tramp data / not exposed in this API
+      :resource, # Undocumented, what is this
+      :exception,
+      :backtrace
+    ) do
+      include HashLikeStruct
+      def initialize(raw_res_data)
+        [
+          :status,              # String
+          :code_desc,           # Generated test description
+          :expectation_message, # a substring of code_desc
+          :skip_message,        # String
+          :run_time,
+          :start_time,
+          :resource_title,
+          :resource,
+          :exception,
+          :backtrace,
+          :message,
+        ].each do |field|
+          self[field] = raw_res_data[field]
+        end
+
+        self.resource_name = raw_res_data[:resource_title].instance_variable_get(:@__resource_name__)&.to_s
+      end
+    end
+  end
+end

data/lib/inspec/run_data/statistics.rb

@@ -0,0 +1,36 @@
+module Inspec
+  class RunData
+    # {:duration=>0.018407, :controls=>{:total=>3, :passed=>{:total=>3}, :skipped=>{:total=>0}, :failed=>{:total=>0}}}
+    Statistics = Struct.new(
+      :duration,
+      :controls
+    ) do
+      include HashLikeStruct
+      def initialize(raw_stat_data)
+        self.controls = Inspec::RunData::Statistics::Controls.new(raw_stat_data[:controls])
+        self.duration = raw_stat_data[:duration]
+      end
+    end
+    class Statistics
+      Controls = Struct.new(
+        :total,
+        :passed,
+        :skipped,
+        :failed
+      ) do
+        include HashLikeStruct
+        def initialize(raw_stat_ctl_data)
+          self.total = raw_stat_ctl_data[:total]
+          self.passed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:passed][:total])
+          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total])
+          self.failed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:failed][:total])
+        end
+      end
+      class Controls
+        Total = Struct.new(:total) do
+          include HashLikeStruct
+        end
+      end
+    end
+  end
+end

data/lib/inspec/utils/deprecation/config_file.rb

@@ -1,6 +1,7 @@
 require "stringio"
 require "json"
 require "inspec/globals"
+require "inspec/config"
 
 module Inspec
   module Deprecation
@@ -32,6 +33,7 @@ module Inspec
         @groups = {}
         @unknown_group_action = :warn
         validate!
+        silence_deprecations_from_cli
       end
 
       private
@@ -45,6 +47,25 @@ module Inspec
         File.open(default_path)
       end
 
+      def silence_deprecations_from_cli
+        # Read --silence-deprecations CLI option
+        cfg = Inspec::Config.cached
+        return unless cfg[:silence_deprecations]
+
+        groups_to_silence = cfg[:silence_deprecations]
+        silence_all = groups_to_silence.include?("all")
+
+        groups.each do |group_name, group|
+          # Only silence things that warn. Don't silence things that exit;
+          # those harsher measures are usually protecting removed code and ignoring
+          # and continuing regardless would be perilous and lead to errors.
+          if %i{warn fail_control}.include?(group.action) &&
+              (silence_all || groups_to_silence.include?(group_name.to_s))
+            group.action = :ignore
+          end
+        end
+      end
+
       #====================================================================================================#
       #                                          Validation
       #====================================================================================================#

data/lib/inspec/utils/json_profile_summary.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Inspec
+  module Utils
+    #
+    # Inspec::Utils::JsonProfileSummary takes in certain information to identify a
+    # profile and then produces a JSON-formatted summary of that profile. It can
+    # return the results to STDOUT or a file. It is currently used in several
+    # places in the CLI such as `json`, `archive` and `artifact`.
+    #
+    #
+    module JsonProfileSummary
+      def self.produce_json(info:, write_path: "", suppress_output: false)
+        # add in inspec version
+        info[:generator] = {
+          name: "inspec",
+          version: Inspec::VERSION,
+        }
+        if write_path.empty?
+          puts JSON.dump(info)
+        else
+          unless suppress_output
+            if File.exist? write_path
+              Inspec::Log.info "----> updating #{write_path}"
+            else
+              Inspec::Log.info "----> creating #{write_path}"
+            end
+          end
+          full_write_path = File.expand_path(write_path)
+          File.write(full_write_path, JSON.dump(info))
+        end
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.18.108".freeze
+  VERSION = "4.20.2".freeze
 end

data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb

@@ -5,6 +5,7 @@ require "set"
 require "tempfile"
 require "yaml"
 require "inspec/dist"
+require "inspec/utils/json_profile_summary"
 
 module InspecPlugins
   module Artifact
@@ -40,9 +41,13 @@ module InspecPlugins
 
       def self.profile_sign(options)
         artifact = new
+        path_to_profile = options["profile"]
+
+        # Write inspec.json file within artifact
+        write_inspec_json(path_to_profile, options)
+
         Dir.mktmpdir do |workdir|
           puts "Signing #{options["profile"]} with key #{options["keyname"]}"
-          path_to_profile = options["profile"]
           profile_md = artifact.read_profile_metadata(path_to_profile)
           artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
           tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
@@ -63,6 +68,9 @@ module InspecPlugins
           end
           puts "Successfully generated #{artifact_filename}"
         end
+
+        # Cleanup
+        File.delete("#{path_to_profile}/inspec.json")
       end
 
       def self.profile_verify(options)
@@ -165,6 +173,15 @@ module InspecPlugins
           raise "Artifact is invalid"
         end
       end
+
+      def self.write_inspec_json(root_path, opts)
+        profile = Inspec::Profile.for_path(root_path, opts)
+        Inspec::Utils::JsonProfileSummary.produce_json(
+          info: profile.info,
+          write_path: "#{root_path}/inspec.json",
+          suppress_output: true
+        )
+      end
     end
   end
 end

data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb

@@ -41,8 +41,9 @@ module InspecPlugins
           templates_path: TEMPLATES_PATH,
           overwrite: options[:overwrite],
           file_rename_map: make_rename_map(plugin_type, plugin_name, snake_case),
-          skip_files: make_skip_list,
+          skip_files: make_skip_list(template_vars["hooks"].keys),
         }
+
         renderer = InspecPlugins::Init::Renderer.new(ui, render_opts)
 
         renderer.render_with_values(template_path, plugin_type + " plugin", template_vars)
@@ -72,6 +73,7 @@ module InspecPlugins
           File.join("lib", "inspec-plugin-template") => File.join("lib", plugin_name),
           File.join("lib", "inspec-plugin-template.rb") => File.join("lib", plugin_name + ".rb"),
           File.join("lib", "inspec-plugin-template", "cli_command.rb") => File.join("lib", plugin_name, "cli_command.rb"),
+          File.join("lib", "inspec-plugin-template", "reporter.rb") => File.join("lib", plugin_name, "reporter.rb"),
           File.join("lib", "inspec-plugin-template", "plugin.rb") => File.join("lib", plugin_name, "plugin.rb"),
           File.join("lib", "inspec-plugin-template", "version.rb") => File.join("lib", plugin_name, "version.rb"),
           File.join("test", "functional", "inspec_plugin_template_test.rb") => File.join("test", "functional", snake_case + "_test.rb"),
@@ -168,6 +170,9 @@ module InspecPlugins
         if hooks_by_type.key?(:cli_command)
           vars[:command_name_dashes] = hooks_by_type[:cli_command].tr("_", "-")
           vars[:command_name_snake] = hooks_by_type[:cli_command].tr("-", "_")
+        elsif hooks_by_type.key?(:reporter)
+          vars[:reporter_name_dashes] = hooks_by_type[:reporter].tr("_", "-")
+          vars[:reporter_name_snake] = hooks_by_type[:reporter].tr("-", "_")
         end
         vars
       end
@@ -205,19 +210,20 @@ module InspecPlugins
         end
       end
 
-      def make_skip_list
+      def make_skip_list(requested_hooks)
+        skips = []
         case options[:detail]
-        when "full"
-          []
+        when "full" # rubocop: disable Lint/EmptyWhen
+          # Do nothing but allow this case for validation
         when "core"
-          [
+          skips += [
             "Gemfile",
             "inspec-plugin-template.gemspec",
             "LICENSE",
             "Rakefile",
           ]
         when "test-fixture"
-          [
+          skips += [
             "Gemfile",
             "inspec-plugin-template.gemspec",
             "LICENSE",
@@ -237,6 +243,22 @@ module InspecPlugins
           ui.error "Unrecognized value for 'detail': #{options[:detail]} - expected one of full, core, test-fixture"
           ui.exit(:usage_error)
         end
+
+        # Remove hook-specific files
+        unless requested_hooks.include?(:cli_command)
+          skips += [
+            File.join("lib", "inspec-plugin-template", "cli_command.rb"),
+            File.join("test", "unit", "cli_args_test.rb"),
+            File.join("test", "functional", "inspec_plugin_template_test.rb"),
+          ]
+        end
+        unless requested_hooks.include?(:reporter)
+          skips += [
+            File.join("lib", "inspec-plugin-template", "reporter.rb"),
+          ]
+        end
+
+        skips.uniq
       end
     end
   end

data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb

@@ -28,6 +28,7 @@ module InspecPlugins
       # Internal machine name of the plugin. InSpec will use this in errors, etc.
       plugin_name :'<%= plugin_name %>'
 
+      <% if hooks[:cli_command] %>
       # Define a new CLI subcommand.
       # The argument here will be used to match against the command line args,
       # and if the user said `inspec list-resources`, this hook will get called.
@@ -48,6 +49,23 @@ module InspecPlugins
         # CLI engine tap into it.
         InspecPlugins::<%= module_name %>::CliCommand
       end
+      <% end %>
+
+      <% if hooks[:reporter] %>
+      # Define a new Reporter.
+      # The argument here will be used to match against the CLI --reporter option.
+      # `--reporter <%= reporter_name_snake %>` will load your reporter and call its renderer.
+      reporter :<%= reporter_name_snake %> do
+        # Calling this hook doesn't mean the reporter is being executed - just
+        # that we should be ready to do so. So, load the file that defines the
+        # functionality.
+        require '<%= plugin_name %>/reporter'
+
+        # Having loaded our functionality, return a class that will let the
+        # reporting engine tap into it.
+        InspecPlugins::<%= module_name %>::Reporter
+      end
+      <% end %>
     end
   end
 end

data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb

@@ -0,0 +1,27 @@
+module InspecPlugins::<%= module_name %>
+  # This class will provide the actual Reporter implementation.
+  # Its superclass is provided by another call to Inspec.plugin,
+  # this time with two args.  The first arg specifies we are requesting
+  # version 2 of the Plugins API.  The second says we are making a
+  # Reporter plugin component, so please make available any DSL needed
+  # for that.
+
+  class Reporter < Inspec.plugin(2, :reporter)
+
+    # All a Reporter *must* do is define a render() method that calls
+    # output(). You should access the run_data accessor to read off the
+    # results of the run.
+    def render
+      # There is much more to explore in the run_data structure!
+      run_data[:profiles].each do |profile|
+        output(profile[:title])
+        profile[:controls].each do |control|
+          output(control[:title])
+          control[:results].each do |test|
+            output(test[:status])
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.18.108
+  version: 4.20.2
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-23 00:00:00.000000000 Z
+date: 2020-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -471,6 +471,7 @@ files:
 - lib/inspec/plugin/v2/plugin_types/dsl.rb
 - lib/inspec/plugin/v2/plugin_types/input.rb
 - lib/inspec/plugin/v2/plugin_types/mock.rb
+- lib/inspec/plugin/v2/plugin_types/reporter.rb
 - lib/inspec/plugin/v2/registry.rb
 - lib/inspec/plugin/v2/status.rb
 - lib/inspec/profile.rb
@@ -613,6 +614,11 @@ files:
 - lib/inspec/resources/zfs_pool.rb
 - lib/inspec/rspec_extensions.rb
 - lib/inspec/rule.rb
+- lib/inspec/run_data.rb
+- lib/inspec/run_data/control.rb
+- lib/inspec/run_data/profile.rb
+- lib/inspec/run_data/result.rb
+- lib/inspec/run_data/statistics.rb
 - lib/inspec/runner.rb
 - lib/inspec/runner_mock.rb
 - lib/inspec/runner_rspec.rb
@@ -648,6 +654,7 @@ files:
 - lib/inspec/utils/hash.rb
 - lib/inspec/utils/install_context.rb
 - lib/inspec/utils/json_log.rb
+- lib/inspec/utils/json_profile_summary.rb
 - lib/inspec/utils/modulator.rb
 - lib/inspec/utils/nginx_parser.rb
 - lib/inspec/utils/object_traversal.rb
@@ -697,6 +704,7 @@ files:
 - lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb
 - lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb
 - lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb
+- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb
 - lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb
 - lib/plugins/inspec-init/templates/profiles/aws/README.md
 - lib/plugins/inspec-init/templates/profiles/aws/attributes.yml