inspec-core 4.20.10 → 4.22.8

data/lib/inspec/resources/mount.rb

@@ -61,7 +61,7 @@ module Inspec::Resources
       os = inspec.os
       if os.linux?
         LinuxMounts.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif os.bsd?
         BsdMounts.new(inspec)
       end
     end

data/lib/inspec/resources/mysql_session.rb

@@ -4,6 +4,23 @@ require "inspec/resources/command"
 require "shellwords"
 
 module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def lines
+      output.split("\n")
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
   class MysqlSession < Inspec.resource(1)
     name "mysql_session"
     supports platform: "unix"
@@ -28,15 +45,17 @@ module Inspec::Resources
 
     def query(q, db = "")
       mysql_cmd = create_mysql_cmd(q, db)
-      cmd = inspec.command(mysql_cmd)
+      cmd = if !@pass.nil?
+              inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
+            else
+              inspec.command(mysql_cmd)
+            end
       out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error /
-        # skip this test if the server can't run the query
-        warn("Can't connect to MySQL instance for SQL checks.")
+      if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
+        Lines.new(out, "MySQL query with errors: #{q}")
+      else
+        Lines.new(cmd.stdout.strip, "MySQL query: #{q}")
       end
-
-      # return the raw command output
-      cmd
     end
 
     def to_s

data/lib/inspec/resources/postgres_session.rb

@@ -47,7 +47,7 @@ module Inspec::Resources
 
     def query(query, db = [])
       psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd)
+      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         Lines.new(out, "PostgreSQL query with errors: #{query}")

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||
@@ -154,7 +154,7 @@ module Inspec::Resources
         end
       when "wrlinux"
         SysV.new(inspec, service_ctl)
-      when "mac_os_x"
+      when "mac_os_x", "darwin"
         LaunchCtl.new(inspec, service_ctl)
       when "freebsd"
         BSDInit.new(inspec, service_ctl)

data/lib/inspec/resources/users.rb

@@ -20,7 +20,7 @@ module Inspec::Resources
         WindowsUser.new(inspec)
       elsif ["darwin"].include?(os[:family])
         DarwinUser.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif ["bsd"].include?(os[:family])
         FreeBSDUser.new(inspec)
       elsif ["aix"].include?(os[:family])
         AixUser.new(inspec)

data/lib/inspec/run_data.rb

@@ -47,7 +47,7 @@ module Inspec
     # core reporters have been migrated to plugins. It is probable that new data elements
     # and new Hash compatibility behavior will be added during the core reporter plugin
     # conversion process.
-    SCHEMA_VERSION = "0.1.0".freeze
+    SCHEMA_VERSION = "0.2.0".freeze
 
     def self.compatible_schema?(constraints)
       reqs = Gem::Requirement.create(constraints)

data/lib/inspec/run_data/profile.rb

@@ -15,7 +15,7 @@ module Inspec
       :summary,
       :supports,         # complex local
       :parent_profile,
-      :skip_message,
+      :status_message,
       :waiver_data,      # Undocumented but used in JSON reporter - should not be?
       :title,
       :version
@@ -40,7 +40,7 @@ module Inspec
           title
           version
           parent_profile
-          skip_message
+          status_message
           waiver_data
         }.each do |field|
           self[field] = raw_prof_data[field]
@@ -51,11 +51,11 @@ module Inspec
     class Profile
       # Good candidate for keyword_init, but that is not in 2.4
       Dependency = Struct.new(
-        :name, :path, :status, :skip_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
+        :name, :path, :status, :status_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
       ) do
         include HashLikeStruct
         def initialize(raw_dep_data)
-          %i{name path status skip_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
+          %i{name path status status_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
         end
       end
 

data/lib/inspec/runner.rb

@@ -115,8 +115,14 @@ module Inspec
           @test_collector.add_profile(requirement.profile)
         end
 
-        tests = profile.collect_tests
-        all_controls += tests unless tests.nil?
+        begin
+          tests = profile.collect_tests
+          all_controls += tests unless tests.nil?
+        rescue Inspec::Exceptions::ProfileLoadFailed => e
+          Inspec::Log.error "Failed to load profile #{profile.name}: #{e}"
+          profile.set_status_message e.to_s
+          next
+        end
       end
 
       all_controls.each do |rule|

data/lib/inspec/runner_rspec.rb

@@ -90,9 +90,12 @@ module Inspec
       return @rspec_exit_code if @formatter.results.empty?
 
       stats = @formatter.results[:statistics][:controls]
+      load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
       skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
-      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped
+      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
         0
+      elsif load_failures
+        @conf["distinct_exit"] ? 102 : 1
       elsif stats[:failed][:total] > 0
         @conf["distinct_exit"] ? 100 : 1
       elsif stats[:skipped][:total] > 0 || skipped

data/lib/inspec/schema.rb

@@ -147,6 +147,8 @@ module Inspec
         "license" => { "type" => "string", "optional" => true },
         "summary" => { "type" => "string", "optional" => true },
         "status" => { "type" => "string", "optional" => false },
+        "status_message" => { "type" => "string", "optional" => true },
+        # skip_message is deprecated, status_message should be used to store the reason for skipping
         "skip_message" => { "type" => "string", "optional" => true },
 
         "supports" => {

data/lib/inspec/schema/exec_json.rb

@@ -83,7 +83,7 @@ module Inspec
         "required" => %w{name sha256 supports attributes groups controls},
         # Name is mandatory in inspec.yml.
         # supports, controls, groups, and attributes are always present, even if empty
-        # sha256, status, skip_message
+        # sha256, status, status_message
         "properties" => {
           # These are provided in inspec.yml
           "name" => Primitives::STRING,
@@ -100,10 +100,11 @@ module Inspec
           "description" => Primitives::STRING,
           "inspec_version" => Primitives::STRING,
 
-          # These are generated at runtime, and all except skip_message are guaranteed
+          # These are generated at runtime, and all except status_message and skip_message are guaranteed
           "sha256" => Primitives::STRING,
           "status" => Primitives::STRING,
-          "skip_message" => Primitives::STRING, # If skipped, why
+          "status_message" => Primitives::STRING, # If skipped or failed to load, why
+          "skip_message" => Primitives::STRING,   # Deprecated field storing reason for skipping. status_message should be used instead.
           "controls" => Primitives.array(CONTROL.ref),
           "groups" => Primitives.array(Primitives::CONTROL_GROUP.ref),
           "attributes" => Primitives.array(Primitives::INPUT),

data/lib/inspec/schema/primitives.rb

@@ -160,7 +160,7 @@ module Inspec
           "url" => URL,
           "branch" => STRING,
           "path" => STRING,
-          "skip_message" => STRING,
+          "status_message" => STRING,
           "status" => STRING,
           "git" => URL,
           "supermarket" => STRING,

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.20.10".freeze
+  VERSION = "4.22.8".freeze
 end

data/lib/plugins/inspec-reporter-html2/README.md

@@ -0,0 +1,53 @@
+# inspec-reporter-html2 Plugin
+
+An "improved" HTML output reporter specifically for Chef InSpec. Unlike the default `html` reporter, which is RSpec-based, this reporter knows about Chef InSpec structures like Controls and Profiles, and includes full metadata such as control tags, etc.
+
+## To Install This Plugin
+
+This plugin ships with Chef InSpec and requires no installation.
+
+It should appear when you run:
+
+```
+you@machine $ inspec plugin list
+```
+
+## How to use this plugin
+
+To generate an HTML report using this plugin and save the output to a file named `report.html`, run:
+
+```
+you@machine $ inspec exec some_profile --reporter html2:report.html
+```
+
+Note the `2` in the reporter name. If you omit it and run `--reporter html` instead, you will run the legacy RSpec HTML reporter.
+
+## Configuring the Plugin
+
+The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://www.inspec.io/docs/reference/config/).
+
+For example:
+
+```json
+{
+  "version": "1.2",
+  "plugins": {
+    "inspec-reporter-html2": {
+      "alternate_js_file":"/var/www/js/my-javascript.js",
+      "alternate_css_file":"/var/www/css/my-style.css"
+    }
+  }
+}
+```
+
+### alternate\_css\_file
+
+Specifies the full path to the location of a CSS file that will be read and inlined into the HTML report. The default CSS will not be included.
+
+### alternate\_js\_file
+
+Specifies the full path to the location of a JavaScript file that will be read and inlined into the HTML report. The default JavaScript will not be included. The JavaScript file should implement at least a `pageLoaded()` function, which will be called by the `onload` event of the HTML `body` element.
+
+## Developing This Plugin
+
+This plugin is part of the Chef InSpec source code. While it has its own tests, the general contribution policy is dictated by the Chef InSpec project at https://github.com/inspec/inspec/blob/master/CONTRIBUTING.md

data/lib/plugins/inspec-reporter-html2/lib/inspec-reporter-html2.rb

@@ -0,0 +1,18 @@
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "inspec-reporter-html2/version"
+module InspecPlugins
+  module Html2Reporter
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :'inspec-reporter-html2'
+
+      # Define a new Reporter.
+      reporter :html2 do
+        require "inspec-reporter-html2/reporter"
+        InspecPlugins::Html2Reporter::Reporter
+      end
+    end
+  end
+end

data/lib/plugins/inspec-reporter-html2/lib/inspec-reporter-html2/reporter.rb

@@ -0,0 +1,24 @@
+require "erb"
+require "inspec/config"
+
+module InspecPlugins::Html2Reporter
+  class Reporter < Inspec.plugin(2, :reporter)
+    def render
+      template_path = File.expand_path(__FILE__ + "../../../../templates")
+
+      # Read config data from the user's config file. Supports two settings, both of which are absolute filesystem paths:
+      #  alternate_css_file - contents will be used instead of default CSS
+      #  alternate_js_file - contents will be used instead of default JavaScript
+      cfg = Inspec::Config.cached.fetch_plugin_config("inspec-reporter-html2")
+      js_path = cfg[:alternate_js_file] || (template_path + "/default.js")
+      css_path = cfg[:alternate_css_file] || (template_path + "/default.css")
+
+      template = ERB.new(File.read(template_path + "/body.html.erb"))
+      output(template.result(binding))
+    end
+
+    def self.run_data_schema_constraints
+      "~> 0.0"
+    end
+  end
+end

data/lib/plugins/inspec-reporter-html2/lib/inspec-reporter-html2/version.rb

@@ -0,0 +1,8 @@
+# This file simply makes it easier for CI engines to update
+# the version stamp, and provide a clean way for the gemspec
+# to learn the current version.
+module InspecPlugins
+  module Html2Reporter
+    VERSION = "0.1.0".freeze
+  end
+end

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<!-- saved from url=(0014)about:internet -->
+<!-- prior comment allows JS to execute on IE when saved as a local file, "MOTW" -->
+<html lang="en">
+  <head>
+    <title><%= Inspec::Dist::PRODUCT_NAME %> Results</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style type="text/css">
+    /* Must inline all CSS files, this is a single-file output that may be airgapped */
+    <%= ERB.new(File.read(css_path), nil, nil, "_css").result(binding)  %>
+    </style>
+    <script type="text/javascript">
+    // <![CDATA[
+    /* Must inline all JavaScript files, this is a single-file output that may be airgapped */
+    <%= ERB.new(File.read(js_path), nil, nil, "_js").result(binding)  %>
+    // ]]>
+    </script>
+  </head>
+  <body onload="pageLoaded()">
+    <%= ERB.new(File.read(template_path + "/selector.html.erb"), nil, nil, "_select").result(binding)  %>
+    <div class="inspec-report">
+    <h1><%= Inspec::Dist::PRODUCT_NAME %> Report</h1>
+    <% run_data.profiles.each do |profile| %>
+      <%= ERB.new(File.read(template_path + "/profile.html.erb"), nil, nil, "_prof").result(binding)  %>
+    <% end %>
+
+    <div class="inspec-summary">
+      <table id="platform" class="info">
+        <tr><th colspan=2><h4 id="platform-label">Platform Information</h4></th></tr>
+        <tr class= "name"><th>Name:</th><td><%= run_data.platform.name %></td></tr>
+        <tr class= "release"><th>Release:</th><td><%= run_data.platform.release %></td></tr>
+        <tr class= "target"><th>Target:</th><td><%= run_data.platform.target %></td></tr>
+      </table>
+      <table id="statistics" class="info">
+        <tr><th colspan="2"><h4 id="statistics-label">Control Statistics</h4></th></tr>
+        <tr class= "passed"><th>Passed:</th><td><%= run_data.statistics.controls.passed.total %></td></tr>
+        <tr class= "skipped"><th>Skipped:</th><td><%= run_data.statistics.controls.skipped.total %></td></tr>
+        <tr class= "failed"><th>Failed:</th><td><%= run_data.statistics.controls.failed.total %></td></tr>
+        <tr class= "duration"><th>Duration:</th><td><%= run_data.statistics.duration %> seconds</td></tr>
+        <tr class= "date"><th>Time Finished:</th><td><%= Time.now %></td></tr>
+      </table>
+      <span id="inspec-version"><%= Inspec::Dist::PRODUCT_NAME %> version <%= run_data.version %></span>
+    </div>
+    </div>
+  </body>
+</html>

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -0,0 +1,77 @@
+<% slugged_id = control.id.tr(" ", "_") %>
+<%
+    # Determine status of control
+    status = "passed"
+    if control.results.any? { |r| r.status == "failed" }
+      status = "failed"
+    elsif control.results.any? { |r| r.status == "skipped" }
+      status = "skipped"
+    end
+%>
+
+<div class="control control-status-<%= status %>" id="control-<%= slugged_id %>">
+
+  <%
+    # Determine range of impact
+    i = control.impact || 0.0
+    impact_level = "none"
+    if i < 0.3
+      impact_level = "low"
+    elsif i < 0.7
+      impact_level = "medium"
+    else
+      impact_level = "high"
+    end
+  %>
+
+  <h3 class="control-title">Control <code><%= control.id %></code></h3>
+  <table class="control-metadata info" id="control-metadata-<%= slugged_id %>">
+    <tr class="status status-<%= status %>"><th>Status:</th><td><div><%= status.capitalize %></div></td></tr>
+    <% if control.title %><tr class="title"><th>Title:</th><td><%= control.title %></td></tr> <% end %>
+    <% if control.desc %><tr class="desc"><th>Description:</th><td><%= control.desc %></td></tr> <% end %>
+    <% if control.impact %><tr class="impact impact-<%= impact_level %>"><th>Impact:</th><td><%= control.impact %></td></tr> <% end %>
+    <% unless control.tags.empty? %>
+      <tr class="tags">
+        <th>Tags:</th>
+        <td>
+          <table class="tags">
+            <% control.tags.each do |tag_name, tag_text| %>
+              <tr><td><%= tag_name %></td><td><%= tag_text %></td></tr>
+            <% end %>
+          </table>
+        </td>
+      </tr>
+    <% end %>
+    <% unless control.refs.empty? %>
+      <tr class="refs">
+        <th>References:</th>
+        <td>
+          <ul>
+          <% control.refs.each do |r| %>
+            <li><a href="<%= r.url %>"><%= r.ref %></a></li>
+          <% end %>
+          </ul>
+        </td>
+      </tr>
+    <% end %>
+    <tr class="code">
+      <th>Source Code:</th>
+      <td>
+        <input type="button" class="show-source-code" id="show-code-<%= slugged_id %>" value="Show Source"/>
+        <input type="button" class="hide-source-code hidden" id="hide-code-<%= slugged_id %>" value="Hide Source"/>
+        <pre class="source-code hidden" id="source-code-<%= slugged_id %>">
+          <code>
+<%= control.code %>
+          </code>
+        </pre>
+      </td>
+    </tr>
+  <!-- TODO waiver data -->
+
+  </table>
+
+  <% control.results.each do |result| %>
+    <%= ERB.new(File.read(template_path + "/result.html.erb"), nil, nil, "_rslt").result(binding)  %>
+  <% end %>
+
+</div>