inspec-core 4.18.114 → 4.20.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bee754e41f53d26552da0d2972a28cf55127effcad8c93df678227e99061e676
-  data.tar.gz: 60bd7f57517db8c4e1848ded6ac1fd580b61c29a9b2d24168480b3d62e37557f
+  metadata.gz: ef611d3b2bb1d1c8ddca64adb1ed3eab50fcbec55a45cb49334ed2084c45e7da
+  data.tar.gz: 96664cb6183b137db4f84cd26aed2b19496475045bbb458ea9d9004e92aad3f7
 SHA512:
-  metadata.gz: 7c9b443a572925dd12dc846c094256aff3f9fabcc4508ee51ab813f0ec6221088c500ce9a1c77cca693258b48a94212043d2ffd4eb8c49052dbb15bc8d93cc00
-  data.tar.gz: 55c2e45a2ef2e8c9da30a24eb4b09e213320e1d33d2c50e30856754038d75f59576dd76f084a59ee2028920baa37674c0683b426dce6bb3dc06bc5a8c879566b
+  metadata.gz: f1d44fc61e4663862a0628a0fcc4c4e3538bdb35d50cee94f1130c47fed5a982297da9c559128b0dddc2a7375658252924959020f24f518202b25939357340de
+  data.tar.gz: e33e28b5863ce15a54c8f2f76dd3a458762c24fb7d365ba145ae06b6b0be14134b90da5f2610d834ae71a170e5f6b180c78a8ac8763f484b3bbcfa808eec8565

data/Gemfile

@@ -9,7 +9,7 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-gem "ffi", ">= 1.9.14"
+gem "ffi", ">= 1.9.14", "!= 1.13.0"
 
 group :omnibus do
   gem "rb-readline"

data/inspec-core.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "faraday",            ">= 0.9.0"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"
-  spec.add_dependency "tomlrb",             "~> 1.2"
+  spec.add_dependency "tomlrb",             "~> 1.2.0"
   spec.add_dependency "addressable",        "~> 2.4"
   spec.add_dependency "parslet",            "~> 1.5"
   spec.add_dependency "semverse",           "~> 3.0"

data/lib/inspec/base_cli.rb

@@ -140,7 +140,7 @@ module Inspec
       option :reporter_backtrace_inclusion, type: :boolean,
         desc: "Include a code backtrace in report data (default: true)"
       option :input, type: :array, banner: "name1=value1 name2=value2",
-        desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE"
+        desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
       option :input_file, type: :array,
         desc: "Load one or more input files, a YAML file with values for the profile to use"
       option :waiver_file, type: :array,
@@ -155,6 +155,9 @@ module Inspec
         desc: "Show progress while executing tests."
       option :distinct_exit, type: :boolean, default: true,
         desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
+      option :silence_deprecations, type: :array,
+        banner: "[all]|[GROUP GROUP...]",
+        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
     end
 
     def self.format_platform_info(params: {}, indent: 0, color: 39)

data/lib/inspec/cli.rb

@@ -4,6 +4,7 @@ require "inspec/utils/deprecation/deprecator"
 require "inspec/dist"
 require "inspec/backend"
 require "inspec/dependencies/cache"
+require "inspec/utils/json_profile_summary"
 
 module Inspec # TODO: move this somewhere "better"?
   autoload :BaseCLI,       "inspec/base_cli"
@@ -77,24 +78,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     profile = Inspec::Profile.for_target(target, o)
-    info = profile.info
-    # add in inspec version
-    info[:generator] = {
-      name: "inspec",
-      version: Inspec::VERSION,
-    }
     dst = o[:output].to_s
-    if dst.empty?
-      puts JSON.dump(info)
-    else
-      if File.exist? dst
-        puts "----> updating #{dst}"
-      else
-        puts "----> creating #{dst}"
-      end
-      fdst = File.expand_path(dst)
-      File.write(fdst, JSON.dump(info))
-    end
+
+    # Write JSON
+    Inspec::Utils::JsonProfileSummary.produce_json(
+      info: profile.info,
+      write_path: dst
+    )
   rescue StandardError => e
     pretty_handle_exception(e)
   end
@@ -385,6 +375,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     puts "Valid schemas are #{Inspec::Schema::OutputSchema.names.join(", ")}"
   end
 
+  desc "run_context", "used to test run-context detection", hide: true
+  def run_context
+    require "inspec/utils/telemetry/run_context_probe"
+    puts Inspec::Telemetry::RunContextProbe.guess_run_context
+  end
+
   desc "version", "prints the version of this tool"
   option :format, type: :string
   def version
@@ -397,11 +393,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
   map %w{-v --version} => :version
 
-  desc "nothing", "does nothing"
-  def nothing
-    puts "you did nothing"
-  end
-
   private
 
   def run_command(opts)

data/lib/inspec/config.rb

@@ -328,21 +328,35 @@ module Inspec
     def validate_reporters!(reporters)
       return if reporters.nil?
 
-      # TODO: move this into a reporter plugin type system
-      valid_types = %w{
-        automate
-        cli
+      # These "reporters" are actually RSpec Formatters.
+      # json-rspec is our alias for RSpec's json formatter.
+      rspec_built_in_formatters = %w{
         documentation
         html
+        json-rspec
+        progress
+      }
+
+      # These are true reporters, but have not been migrated to be plugins yet.
+      # Tracked on https://github.com/inspec/inspec/issues/3667
+      inspec_reporters_that_are_not_yet_plugins = %w{
+        automate
+        cli
         json
         json-automate
-        json-min
-        json-rspec
         junit
-        progress
         yaml
       }
 
+      # Additional reporters may be loaded via plugins. They will have already been detected at
+      # this point (see v2_loader.load_all in cli.rb) but they may not (and need not) be
+      # activated at this point. We only care about their existance and their name, for validation's sake.
+      plugin_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)
 

data/lib/inspec/fetcher/git.rb

@@ -99,7 +99,7 @@ module Inspec::Fetcher
     def cache_key
       return resolved_ref unless @relative_path
 
-      OpenSSL::Digest::SHA256.hexdigest(resolved_ref + @relative_path)
+      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
     end
 
     def archive_path

data/lib/inspec/fetcher/local.rb

@@ -104,7 +104,7 @@ module Inspec::Fetcher
       return @archive_shasum if @archive_shasum
       raise(Inspec::FetcherFailure, "Profile dependency local path '#{target}' does not exist") unless File.exist?(target)
 
-      @archive_shasum = OpenSSL::Digest::SHA256.digest(File.read(target)).unpack("H*")[0]
+      @archive_shasum = OpenSSL::Digest.digest("SHA256", File.read(target)).unpack("H*")[0]
     end
 
     def resolved_source

data/lib/inspec/fetcher/url.rb

@@ -127,7 +127,7 @@ module Inspec::Fetcher
     end
 
     def sha256
-      @archive_shasum ||= OpenSSL::Digest::SHA256.digest(File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
+      @archive_shasum ||= OpenSSL::Digest.digest("SHA256", File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
     end
 
     def file_type_from_remote(remote)

data/lib/inspec/input_registry.rb

@@ -166,8 +166,9 @@ module Inspec
           end
         end
         input_name, input_value = pair.split("=")
+        input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(
-          value: input_value.chomp(","), # Trim trailing comma if any
+          value: input_value,
           provider: :cli,
           priority: 50
         )
@@ -175,6 +176,37 @@ module Inspec
       end
     end
 
+    # Remove trailing commas, resolve type.
+    def parse_cli_input_value(input_name, given_value)
+      value = given_value.chomp(",") # Trim trailing comma if any
+      case value
+      when /^true|false$/i
+        value = !!(value =~ /true/i)
+      when /^-?\d+$/
+        value = value.to_i
+      when /^-?\d+\.\d+$/
+        value = value.to_f
+      when /^(\[|\{).*(\]|\})$/
+        # Look for complex values and try to parse them.
+        require "yaml"
+        begin
+          value = YAML.load(value)
+        rescue Psych::SyntaxError => yaml_error
+          # It could be that we just tried to run JSON through the YAML parser.
+          require "json"
+          begin
+            value = JSON.parse(value)
+          rescue JSON::ParserError => json_error
+            msg = "Unparseable value '#{value}' for --input #{input_name}.\n"
+            msg += "When treated as YAML, error: #{yaml_error.message}\n"
+            msg += "When treated as JSON, error: #{json_error.message}"
+            Inspec::Log.warn msg
+          end
+        end
+      end
+      value
+    end
+
     def bind_inputs_from_runner_api(profile_name, input_hash)
       # TODO: move this into a core plugin
 

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -0,0 +1,68 @@
+require_relative "../../../run_data"
+
+module Inspec::Plugin::V2::PluginType
+  class Reporter < Inspec::Plugin::V2::PluginBase
+    register_plugin_type(:reporter)
+
+    attr_reader :run_data
+
+    def initialize(config)
+      @config = config
+
+      # Trim the run_data while still a Hash; if it is huge, this
+      # saves on conversion time
+      @run_data = config[:run_data] || {}
+      apply_report_resize_options
+
+      unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
+        # Best we can do is warn here, the InSpec run has finished
+        # TODO: one day, perhaps switch RunData implementations to try to satisfy constraints?
+        Inspec::Log.warn "Reporter does not support RunData API (#{Inspec::RunData::SCHEMA_VERSION}), Reporter constraints: '#{self.class.run_data_schema_constraints}'"
+      end
+      # Convert to RunData object for consumption by Reporter
+      @run_data = Inspec::RunData.new(@run_data)
+      @output = ""
+    end
+
+    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
+    # To be DRY'd up once the core reporters become plugins...
+    # Apply options such as message truncation and removal of backtraces
+    def apply_report_resize_options
+      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+
+      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+      @run_data[:profiles]&.each do |p|
+        p[:controls].each do |c|
+          c[:results]&.map! do |r|
+            r.delete(:backtrace) unless include_backtrace
+            if r.key?(:message) && r[:message] != "" && trunc > -1
+              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
+            end
+            r
+          end
+        end
+      end
+    end
+
+    def output(str, newline = true)
+      @output << str
+      @output << "\n" if newline
+    end
+
+    def rendered_output
+      @output
+    end
+
+    # each reporter must implement #render
+    def render
+      raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
+    end
+
+    def self.run_data_schema_constraints
+      raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
+    end
+  end
+end

data/lib/inspec/profile.rb

@@ -12,6 +12,7 @@ require "inspec/method_source"
 require "inspec/dependencies/cache"
 require "inspec/dependencies/lockfile"
 require "inspec/dependencies/dependency_set"
+require "inspec/utils/json_profile_summary"
 
 module Inspec
   class Profile
@@ -465,28 +466,39 @@ module Inspec
       end
 
       # remove existing archive
-      File.delete(dst) if dst.exist?
+      FileUtils.rm_f(dst) if dst.exist?
       @logger.info "Generate archive #{dst}."
 
       # filter files that should not be part of the profile
       # TODO ignore all .files, but add the files to debug output
 
+      # Generate temporary inspec.json for archive
+      Inspec::Utils::JsonProfileSummary.produce_json(
+        info: info,
+        write_path: "#{root_path}inspec.json",
+        suppress_output: true
+      )
+
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
+      @logger.debug "    inspec.json"
 
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files, dst)
+        zag.archive(root_path, files.push("inspec.json"), dst)
       else
         # generate tar archive
         require "inspec/archive/tar"
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files, dst)
+        tag.archive(root_path, files.push("inspec.json"), dst)
       end
 
+      # Cleanup
+      FileUtils.rm_f("#{root_path}inspec.json")
+
       @logger.info "Finished archive generation."
       true
     end
@@ -559,7 +571,7 @@ module Inspec
       # get all dependency checksums
       deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]
 
-      res = OpenSSL::Digest::SHA256.new
+      res = OpenSSL::Digest.new("SHA256")
       files = source_reader.tests.to_a + source_reader.libraries.to_a +
         source_reader.data_files.to_a +
         [["inspec.yml", source_reader.metadata.content]] +

data/lib/inspec/reporters.rb

@@ -2,7 +2,6 @@ require "inspec/reporters/base"
 require "inspec/reporters/cli"
 require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
-require "inspec/reporters/json_min"
 require "inspec/reporters/junit"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
@@ -21,8 +20,6 @@ module Inspec::Reporters
     # right to introduce breaking changes to this reporter at any time.
     when "json-automate"
       reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "json-min"
-      reporter = Inspec::Reporters::JsonMin.new(config)
     when "junit"
       reporter = Inspec::Reporters::Junit.new(config)
     when "automate"
@@ -30,7 +27,10 @@ module Inspec::Reporters
     when "yaml"
       reporter = Inspec::Reporters::Yaml.new(config)
     else
-      raise NotImplementedError, "'#{name}' is not a valid reporter type."
+      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+      activator.activate!
+      reporter = activator.implementation_class.new(config)
     end
 
     # optional send_report method on reporter
@@ -57,15 +57,23 @@ module Inspec::Reporters
     case name
     when "json"
       reporter = Inspec::Reporters::Json.new(config)
-    when "json-min"
-      reporter = Inspec::Reporters::JsonMin.new(config)
     when "json-automate"
       reporter = Inspec::Reporters::JsonAutomate.new(config)
     when "yaml"
       reporter = Inspec::Reporters::Yaml.new(config)
     else
-      # use base run_data hash for any other report
-      return run_data
+      # If we made it here, it might be a plugin
+      begin
+        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+        activator.activate!
+        reporter = activator.implementation_class.new(config)
+        unless reporter.respond_to(:report?)
+          return run_data
+        end
+      rescue Inspec::Plugin::V2::LoadError
+        # Must not have been a plugin - just return the run_data
+        return run_data
+      end
     end
 
     reporter.report

data/lib/inspec/resources/x509_certificate.rb

@@ -59,7 +59,7 @@ module Inspec::Resources
     def fingerprint
       return if @cert.nil?
 
-      OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
+      OpenSSL::Digest.new("SHA1", @cert.to_der).to_s
     end
 
     def serial

data/lib/inspec/rule.rb

@@ -353,9 +353,13 @@ module Inspec
       # if so, is it in the future?
       expiry = __waiver_data["expiration_date"]
       if expiry
-        if expiry.is_a?(Date)
-          # It appears that yaml.rb automagically parses dates for us
-          if expiry < Date.today # If the waiver expired, return - no skip applied
+        # YAML will automagically give us a Date or a Time.
+        # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
+        # A string that does not represent a valid time results in the date 0000-01-01.
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+          expiry = expiry.to_time if expiry.is_a? Date
+          expiry = Time.new(expiry) if expiry.is_a? String
+          if expiry < Time.now # If the waiver expired, return - no skip applied
             __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
             return
           end