inspec-core 4.20.10 → 4.22.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef611d3b2bb1d1c8ddca64adb1ed3eab50fcbec55a45cb49334ed2084c45e7da
-  data.tar.gz: 96664cb6183b137db4f84cd26aed2b19496475045bbb458ea9d9004e92aad3f7
+  metadata.gz: b909b05a8f7510d2833aee0e464f0ed9cec64409fe5825fc05078c67b01e4a43
+  data.tar.gz: ee56167e3ab21f7eed5fd938e5728c3f48a7621fe71d1f3294cb4f2991298a79
 SHA512:
-  metadata.gz: f1d44fc61e4663862a0628a0fcc4c4e3538bdb35d50cee94f1130c47fed5a982297da9c559128b0dddc2a7375658252924959020f24f518202b25939357340de
-  data.tar.gz: e33e28b5863ce15a54c8f2f76dd3a458762c24fb7d365ba145ae06b6b0be14134b90da5f2610d834ae71a170e5f6b180c78a8ac8763f484b3bbcfa808eec8565
+  metadata.gz: 116d85fb0ef947cda4beb31c825cb02e134e2c9130338e062cc4e82d2d58a59e6f7fbdc8df4908759c0d508692efc00dac40550d0ce6ae9da72e904336f1fed6
+  data.tar.gz: e6208c479f04da18199aec2b1c8dc4c8e101bb08609b32fb9d026f485f69d7e848d62a68a6087171fa38a3486f44777d0ad56c64fe2743195b4cc1abb58f8ad9

data/Gemfile

@@ -31,6 +31,7 @@ group :test do
   gem "m"
   gem "pry", "~> 0.10"
   gem "pry-byebug"
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
 end
 
 group :integration do

data/inspec-core.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "chef-telemetry",     "~> 1.0"
   spec.add_dependency "license-acceptance", ">= 0.2.13", "< 2.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
-  spec.add_dependency "json_schemer",       "~> 0.2.1"
+  spec.add_dependency "json_schemer",       ">= 0.2.1", "< 0.2.12"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            "~> 1.2", ">= 1.2.2"
   spec.add_dependency "rspec",              "~> 3.9"

data/lib/inspec/base_cli.rb

@@ -231,7 +231,7 @@ module Inspec
 
     private
 
-    ALL_OF_OUR_REPORTERS = %w{json json-min json-rspec json-automate junit html yaml documentation progress}.freeze # BUT WHY?!?!
+    ALL_OF_OUR_REPORTERS = %w{json json-min json-rspec json-automate junit html html2 yaml documentation progress}.freeze # BUT WHY?!?!
 
     def suppress_log_output?(opts)
       return false if opts["reporter"].nil?

data/lib/inspec/exceptions.rb

@@ -4,6 +4,7 @@ module Inspec
   module Exceptions
     class InputsFileDoesNotExist < ArgumentError; end
     class InputsFileNotReadable < ArgumentError; end
+    class ProfileLoadFailed < StandardError; end
     class ResourceFailed < StandardError; end
     class ResourceSkipped < StandardError; end
     class SecretsBackendNotFound < ArgumentError; end

data/lib/inspec/input_registry.rb

@@ -165,7 +165,8 @@ module Inspec
             raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
           end
         end
-        input_name, input_value = pair.split("=")
+        pair = pair.match(/(.*?)=(.*)/)
+        input_name, input_value = pair[1], pair[2]
         input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(
           value: input_value,

data/lib/inspec/metadata.rb

@@ -9,7 +9,12 @@ require "inspec/version"
 require "inspec/utils/spdx"
 
 module Inspec
-  # Extract metadata.rb information
+  # The Metadata class represents a profile's metadata.
+  # This includes the metadata stored in the profile's metadata.rb file, as well as inferred
+  # metadata like if this profile supports the current runtime and the intended target.
+  # This class does NOT represent the runtime state of a profile during execution.
+  # See lib/inspec/profile.rb for the runtime representation of a profile.
+  #
   # A Metadata object may be created and finalized with invalid data.
   # This allows the check CLI command to analyse the issues.
   # Use valid? to determine if the metadata is coherent.

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -31,17 +31,14 @@ module Inspec::Plugin::V2::PluginType
       runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
 
       message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
       include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
 
       @run_data[:profiles]&.each do |p|
         p[:controls].each do |c|
           c[:results]&.map! do |r|
             r.delete(:backtrace) unless include_backtrace
-            if r.key?(:message) && r[:message] != "" && trunc > -1
-              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
-            end
-            r
+            process_message_truncation(r)
           end
         end
       end
@@ -64,5 +61,14 @@ module Inspec::Plugin::V2::PluginType
     def self.run_data_schema_constraints
       raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
     end
+
+    private
+
+    def process_message_truncation(result)
+      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
+        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
+      end
+      result
+    end
   end
 end

data/lib/inspec/profile.rb

@@ -94,6 +94,7 @@ module Inspec
       @input_values = options[:inputs]
       @tests_collected = false
       @libraries_loaded = false
+      @state = :loaded
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
       @legacy_profile_path = options[:profiles_path] || false
@@ -146,7 +147,12 @@ module Inspec
         options[:profile_context] ||
         Inspec::ProfileContext.for_profile(self, @backend)
 
-      @supports_platform = metadata.supports_platform?(@backend)
+      if metadata.supports_platform?(@backend)
+        @supports_platform = true
+      else
+        @supports_platform = false
+        @state = :skipped
+      end
       @supports_runtime = metadata.supports_runtime?
     end
 
@@ -162,6 +168,10 @@ module Inspec
       @writable
     end
 
+    def failed?
+      @state == :failed
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.
@@ -197,7 +207,7 @@ module Inspec
     end
 
     def collect_tests(include_list = @controls)
-      unless @tests_collected
+      unless @tests_collected || failed?
         return unless supports_platform?
 
         locked_dependencies.each(&:collect_tests)
@@ -206,7 +216,12 @@ module Inspec
           next if content.nil? || content.empty?
 
           abs_path = source_reader.target.abs_path(path)
-          @runner_context.load_control_file(content, abs_path, nil)
+          begin
+            @runner_context.load_control_file(content, abs_path, nil)
+          rescue => e
+            @state = :failed
+            raise Inspec::Exceptions::ProfileLoadFailed, "Failed to load source for #{path}: #{e}"
+          end
         end
         @tests_collected = true
       end
@@ -249,12 +264,13 @@ module Inspec
         d = dep.profile
         # this will force a dependent profile load so we are only going to add
         # this metadata if the parent profile is supported.
-        if supports_platform? && !d.supports_platform?
+        if @supports_platform && !d.supports_platform?
           # since ruby 1.9 hashes are ordered so we can just use index values here
           # TODO: NO! this is a violation of encapsulation to an extreme
           metadata.dependencies[i][:status] = "skipped"
           msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
-          metadata.dependencies[i][:skip_message] = msg
+          metadata.dependencies[i][:status_message] = msg
+          metadata.dependencies[i][:skip_message] = msg # Repeat as skip_message for backward compatibility
           next
         elsif metadata.dependencies[i]
           # Currently wrapper profiles will load all dependencies, and then we
@@ -324,12 +340,13 @@ module Inspec
       res[:sha256] = sha256
       res[:parent_profile] = parent_profile unless parent_profile.nil?
 
-      if !supports_platform?
+      if @supports_platform
+        res[:status_message] = @status_message || ""
+        res[:status] = failed? ? "failed" : "loaded"
+      else
         res[:status] = "skipped"
         msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
-        res[:skip_message] = msg
-      else
-        res[:status] = "loaded"
+        res[:status_message] = msg
       end
 
       # convert legacy os-* supports to their platform counterpart
@@ -455,6 +472,10 @@ module Inspec
       params[:controls].values.length
     end
 
+    def set_status_message(msg)
+      @status_message = msg.to_s
+    end
+
     # generates a archive of a folder profile
     # assumes that the profile was checked before
     def archive(opts)

data/lib/inspec/reporters/base.rb

@@ -14,17 +14,14 @@ module Inspec::Reporters
       runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
 
       message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
       include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
 
       @run_data[:profiles]&.each do |p|
         p[:controls].each do |c|
           c[:results]&.map! do |r|
             r.delete(:backtrace) unless include_backtrace
-            if r.key?(:message) && r[:message] != "" && trunc > -1
-              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
-            end
-            r
+            process_message_truncation(r)
           end
         end
       end
@@ -43,5 +40,14 @@ module Inspec::Reporters
     def render
       raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
     end
+
+    private
+
+    def process_message_truncation(result)
+      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
+        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
+      end
+      result
+    end
   end
 end

data/lib/inspec/reporters/cli.rb

@@ -72,6 +72,7 @@ module Inspec::Reporters
         "Profile" => format_profile_name(profile),
         "Version" => profile[:version] || "(not specified)",
       }
+      header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
       header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
       header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
 

data/lib/inspec/reporters/json.rb

@@ -45,8 +45,8 @@ module Inspec::Reporters
     end
 
     def profiles
-      run_data[:profiles].map { |p|
-        {
+      run_data[:profiles].map do |p|
+        res = {
           name:            p[:name],
           version:         p[:version],
           sha256:          p[:sha256],
@@ -64,10 +64,15 @@ module Inspec::Reporters
           groups:          profile_groups(p),
           controls:        profile_controls(p),
           status:          p[:status],
-          skip_message:    p[:skip_message],
+          status_message:  p[:status_message],
           waiver_data:     p[:waiver_data],
         }.reject { |_k, v| v.nil? }
-      }
+
+        # For backwards compatibility
+        res[:skip_message] = res[:status_message] if res[:status] == "skipped"
+
+        res
+      end
     end
 
     def profile_groups(profile)

data/lib/inspec/resources/apt.rb

@@ -90,12 +90,14 @@ module Inspec::Resources
         # deb               "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
         # deb               http://archive.ubuntu.com/ubuntu/ wily main restricted ...
         # deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
 
         words = line.split
         words.delete_at 1 if words[1] && words[1].start_with?("[")
         type, url, distro, *components = words
         url = url.delete('"') if url
 
+        next if words[1] && words[1].start_with?("cdrom:") # skip unsupported apt-cdrom repos
         next if components.empty?
         next unless URI::HTTP === URI.parse(url)
         next unless %w{deb deb-src}.include? type

data/lib/inspec/resources/interface.rb

@@ -47,10 +47,18 @@ module Inspec::Resources
       ipv6_addresses && !ipv6_addresses.empty?
     end
 
+    def ipv4_address
+      ipv4_addresses.first
+    end
+
     def ipv4_addresses
       ipv4_cidrs.map { |i| i.split("/")[0] }
     end
 
+    def ipv6_address
+      ipv6_addresses.first
+    end
+
     def ipv6_addresses
       ipv6_cidrs.map { |i| i.split("/")[0] }
     end
@@ -85,6 +93,7 @@ module Inspec::Resources
       @cache ||= begin
                    provider = LinuxInterface.new(inspec) if inspec.os.linux?
                    provider = WindowsInterface.new(inspec) if inspec.os.windows?
+                   provider = BsdInterface.new(inspec) if inspec.os.bsd? # includes macOS
                    Hash(provider && provider.interface_info(@iface))
                  end
     end
@@ -98,6 +107,52 @@ module Inspec::Resources
     end
   end
 
+  class BsdInterface < InterfaceInfo
+    def interface_info(iface)
+      cmd = inspec.command("ifconfig #{iface}")
+      return nil if cmd.exit_status.to_i != 0
+
+      lines = cmd.stdout.split("\n")
+      iface_info = {
+        name: iface,
+        ipv4_addresses: [], # Actually CIDRs
+        ipv6_addresses: [], # are expected to go here
+      }
+
+      iface_info[:up] = lines[0].include?("UP")
+      lines.each do |line|
+        # IPv4 case
+        m = line.match(/^\s+inet\s+((?:\d{1,3}\.){3}\d{1,3})\s+netmask\s+(0x[a-f0-9]{8})/)
+        if m
+          ip = m[1]
+          hex_mask = m[2]
+          cidr = hex_mask.to_i(16).to_s(2).count("1")
+          iface_info[:ipv4_addresses] << "#{ip}/#{cidr}"
+          next
+        end
+
+        # IPv6 case
+        m = line.match(/^\s+inet6\s+([a-f0-9:]+)%#{iface}\s+prefixlen\s+(\d+)/)
+        if m
+          ip = m[1]
+          cidr = m[2]
+          iface_info[:ipv6_addresses] << "#{ip}/#{cidr}"
+          next
+        end
+
+        # Speed detect, crummy - can't detect wifi, finds any number in the string
+        # Ethernet autoselect (1000baseT <full-duplex>)
+        m = line.match(/^\s+media:\D+(\d+)/)
+        if m
+          iface_info[:speed] = m[1].to_i
+          next
+        end
+      end
+
+      iface_info
+    end
+  end
+
   class LinuxInterface < InterfaceInfo
     def interface_info(iface)
       # will return "[mtu]\n1500\n[type]\n1"

data/lib/inspec/resources/interfaces.rb

@@ -0,0 +1,119 @@
+require "inspec/utils/filter"
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class Interfaces < Inspec.resource(1)
+    name "interfaces"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the interfaces InSpec audit resource to test properties for multiple network interfaces installed on the system"
+    example <<~EXAMPLE
+      describe interfaces do
+        its('names') { should include 'eth0' }
+      end
+    EXAMPLE
+
+    attr_reader :iface_data
+
+    def to_s
+      "Interfaces"
+    end
+
+    filter = FilterTable.create
+    filter.register_column(:names, field: "name")
+      .install_filter_methods_on_resource(self, :scan_interfaces)
+
+    def ipv4_address
+      require "ipaddr"
+
+      # Loop over interface names
+      # Select those that are up and have an ipv4 address
+      interfaces = names.map { |n| inspec.interface(n) }.select do |i|
+        i.ipv4_address? && i.up?
+      end
+
+      addrs = interfaces.map(&:ipv4_addresses).flatten.map { |a| IPAddr.new(a) }
+
+      # Look for progressively "better" IP addresses
+      [
+        # Loopback and private IP ranges
+        IPAddr.new("127.0.0.0/8"),
+        IPAddr.new("192.168.0.0/16"),
+        IPAddr.new("172.16.0.0/12"),
+        IPAddr.new("10.0.0.0/8"),
+      ].each do |private_range|
+        filtered_addrs = addrs.reject { |a| private_range.include?(a) }
+        if filtered_addrs.empty?
+          # Everything we had was a private or loopback IP. Return the "best" thing we were left with.
+          return addrs.first.to_s
+        end
+
+        addrs = filtered_addrs
+      end
+      addrs.first.to_s
+    end
+
+    private
+
+    def scan_interfaces
+      @iface_data ||= begin
+                    provider = LinuxInterfaceLister.new(inspec) if inspec.os.linux?
+                    provider = WindowsInterfaceLister.new(inspec) if inspec.os.windows?
+                    provider = BsdInterfaceLister.new(inspec) if inspec.os.bsd? # includes macOS
+                    Array(provider && provider.scan_interfaces)
+                  end
+    end
+
+    class InterfaceLister
+      attr_reader :inspec
+      def initialize(inspec)
+        @inspec = inspec
+      end
+    end
+
+    class BsdInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("ifconfig -a")
+        cmd.stdout.split("\n").each do |line|
+          # lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
+          m = line.match(/^(\S+):/)
+          if m
+            iface_data << { "name" => m[1] }
+          end
+        end
+        iface_data
+      end
+    end
+
+    class LinuxInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("ls /sys/class/net")
+        cmd.stdout.split("\n").each do |iface|
+          iface_data << { "name" => iface }
+        end
+        iface_data
+      end
+    end
+
+    class WindowsInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("Get-NetAdapter | Select-Object -Property Name | ConvertTo-Json")
+        begin
+          adapter_info = JSON.parse(cmd.stdout)
+          # May be a Hash if only one, or Array if multiple - normalize to Array
+          adapter_info = [ adapter_info ] if adapter_info.is_a? Hash
+        rescue JSON::ParserError => _e
+          return nil
+        end
+        adapter_info.each do |info|
+          iface_data << { "name" => info["Name"] }
+        end
+        iface_data
+      end
+    end
+
+  end
+end