inspec-core 4.20.2 → 4.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2395ce22d38edca9eaac2fad00c1fc61f3fb95a154618540d23bc2a1e6ce0fcd
-  data.tar.gz: 4ebdbe5526025408e729b52e0614b43fe89f70b0faae5eeecc8c23db8f0f1ff9
+  metadata.gz: 5517c996bd812fed2bb1190f2db0ae0f38ae3eddeab32494fb82dd843c9d9ef3
+  data.tar.gz: e293cd323bec3ac3da7300e52d49637a322f6a7a3ac156be4c45bfdc9b4a7440
 SHA512:
-  metadata.gz: f2b21bfbc96b4830edf20f1d48493257845bfbeb52137141269371066c47359092d3ed280cc64e9358b3587d0ddb0c54a643cafd730d57ad2d7ba2331d35b33a
-  data.tar.gz: 84bc11b59621836d20c045efcdee955cc97c605e5902fafaa79c8756dd44f66334731256c6ba4273484d645484f374b1ec2daf471a6dc56805ea819ab2685f38
+  metadata.gz: dbb3737b7b031b251d78fadc50e50d32612b5a8a8a183ef204e3abe3b005c5f937850206347ba350f1584145b124bf4ddbdeaf2e6f5c5bbe93a20e979c9883dc
+  data.tar.gz: d128dbec0edc3ef77481bf8cb2dd5d70f48189d7c53e1abe19e52480361edcfbbc865f84b2a085cf2b8ab0a27de5ee26c96921f4fba1dca9b688ea9147ac7c65

data/Gemfile

@@ -9,7 +9,7 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-gem "ffi", [">= 1.9.14", "< 1.13"] # 1.13 does not work on Windows: https://github.com/ffi/ffi/issues/784
+gem "ffi", ">= 1.9.14", "!= 1.13.0"
 
 group :omnibus do
   gem "rb-readline"
@@ -31,6 +31,7 @@ group :test do
   gem "m"
   gem "pry", "~> 0.10"
   gem "pry-byebug"
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
 end
 
 group :integration do

data/inspec-core.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "faraday",            ">= 0.9.0"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"
-  spec.add_dependency "tomlrb",             "~> 1.2"
+  spec.add_dependency "tomlrb",             "~> 1.2.0"
   spec.add_dependency "addressable",        "~> 2.4"
   spec.add_dependency "parslet",            "~> 1.5"
   spec.add_dependency "semverse",           "~> 3.0"

data/lib/inspec/base_cli.rb

@@ -231,7 +231,7 @@ module Inspec
 
     private
 
-    ALL_OF_OUR_REPORTERS = %w{json json-min json-rspec json-automate junit html yaml documentation progress}.freeze # BUT WHY?!?!
+    ALL_OF_OUR_REPORTERS = %w{json json-min json-rspec json-automate junit html html2 yaml documentation progress}.freeze # BUT WHY?!?!
 
     def suppress_log_output?(opts)
       return false if opts["reporter"].nil?

data/lib/inspec/cli.rb

@@ -375,6 +375,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     puts "Valid schemas are #{Inspec::Schema::OutputSchema.names.join(", ")}"
   end
 
+  desc "run_context", "used to test run-context detection", hide: true
+  def run_context
+    require "inspec/utils/telemetry/run_context_probe"
+    puts Inspec::Telemetry::RunContextProbe.guess_run_context
+  end
+
   desc "version", "prints the version of this tool"
   option :format, type: :string
   def version
@@ -387,11 +393,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
   map %w{-v --version} => :version
 
-  desc "nothing", "does nothing"
-  def nothing
-    puts "you did nothing"
-  end
-
   private
 
   def run_command(opts)

data/lib/inspec/config.rb

@@ -344,7 +344,6 @@ module Inspec
         cli
         json
         json-automate
-        json-min
         junit
         yaml
       }

data/lib/inspec/exceptions.rb

@@ -4,6 +4,7 @@ module Inspec
   module Exceptions
     class InputsFileDoesNotExist < ArgumentError; end
     class InputsFileNotReadable < ArgumentError; end
+    class ProfileLoadFailed < StandardError; end
     class ResourceFailed < StandardError; end
     class ResourceSkipped < StandardError; end
     class SecretsBackendNotFound < ArgumentError; end

data/lib/inspec/input_registry.rb

@@ -165,7 +165,8 @@ module Inspec
             raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
           end
         end
-        input_name, input_value = pair.split("=")
+        pair = pair.match(/(.*?)=(.*)/)
+        input_name, input_value = pair[1], pair[2]
         input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(
           value: input_value,

data/lib/inspec/metadata.rb

@@ -9,7 +9,12 @@ require "inspec/version"
 require "inspec/utils/spdx"
 
 module Inspec
-  # Extract metadata.rb information
+  # The Metadata class represents a profile's metadata.
+  # This includes the metadata stored in the profile's metadata.rb file, as well as inferred
+  # metadata like if this profile supports the current runtime and the intended target.
+  # This class does NOT represent the runtime state of a profile during execution.
+  # See lib/inspec/profile.rb for the runtime representation of a profile.
+  #
   # A Metadata object may be created and finalized with invalid data.
   # This allows the check CLI command to analyse the issues.
   # Use valid? to determine if the metadata is coherent.

data/lib/inspec/profile.rb

@@ -94,6 +94,7 @@ module Inspec
       @input_values = options[:inputs]
       @tests_collected = false
       @libraries_loaded = false
+      @state = :loaded
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
       @legacy_profile_path = options[:profiles_path] || false
@@ -146,7 +147,12 @@ module Inspec
         options[:profile_context] ||
         Inspec::ProfileContext.for_profile(self, @backend)
 
-      @supports_platform = metadata.supports_platform?(@backend)
+      if metadata.supports_platform?(@backend)
+        @supports_platform = true
+      else
+        @supports_platform = false
+        @state = :skipped
+      end
       @supports_runtime = metadata.supports_runtime?
     end
 
@@ -162,6 +168,10 @@ module Inspec
       @writable
     end
 
+    def failed?
+      @state == :failed
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.
@@ -197,7 +207,7 @@ module Inspec
     end
 
     def collect_tests(include_list = @controls)
-      unless @tests_collected
+      unless @tests_collected || failed?
         return unless supports_platform?
 
         locked_dependencies.each(&:collect_tests)
@@ -206,7 +216,12 @@ module Inspec
           next if content.nil? || content.empty?
 
           abs_path = source_reader.target.abs_path(path)
-          @runner_context.load_control_file(content, abs_path, nil)
+          begin
+            @runner_context.load_control_file(content, abs_path, nil)
+          rescue => e
+            @state = :failed
+            raise Inspec::Exceptions::ProfileLoadFailed, "Failed to load source for #{path}: #{e}"
+          end
         end
         @tests_collected = true
       end
@@ -249,12 +264,13 @@ module Inspec
         d = dep.profile
         # this will force a dependent profile load so we are only going to add
         # this metadata if the parent profile is supported.
-        if supports_platform? && !d.supports_platform?
+        if @supports_platform && !d.supports_platform?
           # since ruby 1.9 hashes are ordered so we can just use index values here
           # TODO: NO! this is a violation of encapsulation to an extreme
           metadata.dependencies[i][:status] = "skipped"
           msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
-          metadata.dependencies[i][:skip_message] = msg
+          metadata.dependencies[i][:status_message] = msg
+          metadata.dependencies[i][:skip_message] = msg # Repeat as skip_message for backward compatibility
           next
         elsif metadata.dependencies[i]
           # Currently wrapper profiles will load all dependencies, and then we
@@ -324,12 +340,13 @@ module Inspec
       res[:sha256] = sha256
       res[:parent_profile] = parent_profile unless parent_profile.nil?
 
-      if !supports_platform?
+      if @supports_platform
+        res[:status_message] = @status_message || ""
+        res[:status] = failed? ? "failed" : "loaded"
+      else
         res[:status] = "skipped"
         msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
-        res[:skip_message] = msg
-      else
-        res[:status] = "loaded"
+        res[:status_message] = msg
       end
 
       # convert legacy os-* supports to their platform counterpart
@@ -455,6 +472,10 @@ module Inspec
       params[:controls].values.length
     end
 
+    def set_status_message(msg)
+      @status_message = msg.to_s
+    end
+
     # generates a archive of a folder profile
     # assumes that the profile was checked before
     def archive(opts)

data/lib/inspec/reporters.rb

@@ -2,7 +2,6 @@ require "inspec/reporters/base"
 require "inspec/reporters/cli"
 require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
-require "inspec/reporters/json_min"
 require "inspec/reporters/junit"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
@@ -21,8 +20,6 @@ module Inspec::Reporters
     # right to introduce breaking changes to this reporter at any time.
     when "json-automate"
       reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "json-min"
-      reporter = Inspec::Reporters::JsonMin.new(config)
     when "junit"
       reporter = Inspec::Reporters::Junit.new(config)
     when "automate"
@@ -60,15 +57,23 @@ module Inspec::Reporters
     case name
     when "json"
       reporter = Inspec::Reporters::Json.new(config)
-    when "json-min"
-      reporter = Inspec::Reporters::JsonMin.new(config)
     when "json-automate"
       reporter = Inspec::Reporters::JsonAutomate.new(config)
     when "yaml"
       reporter = Inspec::Reporters::Yaml.new(config)
     else
-      # use base run_data hash for any other report
-      return run_data
+      # If we made it here, it might be a plugin
+      begin
+        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+        activator.activate!
+        reporter = activator.implementation_class.new(config)
+        unless reporter.respond_to(:report?)
+          return run_data
+        end
+      rescue Inspec::Plugin::V2::LoadError
+        # Must not have been a plugin - just return the run_data
+        return run_data
+      end
     end
 
     reporter.report

data/lib/inspec/reporters/cli.rb

@@ -72,6 +72,7 @@ module Inspec::Reporters
         "Profile" => format_profile_name(profile),
         "Version" => profile[:version] || "(not specified)",
       }
+      header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
       header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
       header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
 

data/lib/inspec/reporters/json.rb

@@ -45,8 +45,8 @@ module Inspec::Reporters
     end
 
     def profiles
-      run_data[:profiles].map { |p|
-        {
+      run_data[:profiles].map do |p|
+        res = {
           name:            p[:name],
           version:         p[:version],
           sha256:          p[:sha256],
@@ -64,10 +64,15 @@ module Inspec::Reporters
           groups:          profile_groups(p),
           controls:        profile_controls(p),
           status:          p[:status],
-          skip_message:    p[:skip_message],
+          status_message:  p[:status_message],
           waiver_data:     p[:waiver_data],
         }.reject { |_k, v| v.nil? }
-      }
+
+        # For backwards compatibility
+        res[:skip_message] = res[:status_message] if res[:status] == "skipped"
+
+        res
+      end
     end
 
     def profile_groups(profile)

data/lib/inspec/resources/apt.rb

@@ -90,12 +90,14 @@ module Inspec::Resources
         # deb               "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
         # deb               http://archive.ubuntu.com/ubuntu/ wily main restricted ...
         # deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
 
         words = line.split
         words.delete_at 1 if words[1] && words[1].start_with?("[")
         type, url, distro, *components = words
         url = url.delete('"') if url
 
+        next if words[1] && words[1].start_with?("cdrom:") # skip unsupported apt-cdrom repos
         next if components.empty?
         next unless URI::HTTP === URI.parse(url)
         next unless %w{deb deb-src}.include? type

data/lib/inspec/resources/interface.rb

@@ -47,10 +47,18 @@ module Inspec::Resources
       ipv6_addresses && !ipv6_addresses.empty?
     end
 
+    def ipv4_address
+      ipv4_addresses.first
+    end
+
     def ipv4_addresses
       ipv4_cidrs.map { |i| i.split("/")[0] }
     end
 
+    def ipv6_address
+      ipv6_addresses.first
+    end
+
     def ipv6_addresses
       ipv6_cidrs.map { |i| i.split("/")[0] }
     end
@@ -85,6 +93,7 @@ module Inspec::Resources
       @cache ||= begin
                    provider = LinuxInterface.new(inspec) if inspec.os.linux?
                    provider = WindowsInterface.new(inspec) if inspec.os.windows?
+                   provider = BsdInterface.new(inspec) if inspec.os.bsd? # includes macOS
                    Hash(provider && provider.interface_info(@iface))
                  end
     end
@@ -98,6 +107,52 @@ module Inspec::Resources
     end
   end
 
+  class BsdInterface < InterfaceInfo
+    def interface_info(iface)
+      cmd = inspec.command("ifconfig #{iface}")
+      return nil if cmd.exit_status.to_i != 0
+
+      lines = cmd.stdout.split("\n")
+      iface_info = {
+        name: iface,
+        ipv4_addresses: [], # Actually CIDRs
+        ipv6_addresses: [], # are expected to go here
+      }
+
+      iface_info[:up] = lines[0].include?("UP")
+      lines.each do |line|
+        # IPv4 case
+        m = line.match(/^\s+inet\s+((?:\d{1,3}\.){3}\d{1,3})\s+netmask\s+(0x[a-f0-9]{8})/)
+        if m
+          ip = m[1]
+          hex_mask = m[2]
+          cidr = hex_mask.to_i(16).to_s(2).count("1")
+          iface_info[:ipv4_addresses] << "#{ip}/#{cidr}"
+          next
+        end
+
+        # IPv6 case
+        m = line.match(/^\s+inet6\s+([a-f0-9:]+)%#{iface}\s+prefixlen\s+(\d+)/)
+        if m
+          ip = m[1]
+          cidr = m[2]
+          iface_info[:ipv6_addresses] << "#{ip}/#{cidr}"
+          next
+        end
+
+        # Speed detect, crummy - can't detect wifi, finds any number in the string
+        # Ethernet autoselect (1000baseT <full-duplex>)
+        m = line.match(/^\s+media:\D+(\d+)/)
+        if m
+          iface_info[:speed] = m[1].to_i
+          next
+        end
+      end
+
+      iface_info
+    end
+  end
+
   class LinuxInterface < InterfaceInfo
     def interface_info(iface)
       # will return "[mtu]\n1500\n[type]\n1"

data/lib/inspec/resources/interfaces.rb

@@ -0,0 +1,119 @@
+require "inspec/utils/filter"
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class Interfaces < Inspec.resource(1)
+    name "interfaces"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the interfaces InSpec audit resource to test properties for multiple network interfaces installed on the system"
+    example <<~EXAMPLE
+      describe interfaces do
+        its('names') { should include 'eth0' }
+      end
+    EXAMPLE
+
+    attr_reader :iface_data
+
+    def to_s
+      "Interfaces"
+    end
+
+    filter = FilterTable.create
+    filter.register_column(:names, field: "name")
+      .install_filter_methods_on_resource(self, :scan_interfaces)
+
+    def ipv4_address
+      require "ipaddr"
+
+      # Loop over interface names
+      # Select those that are up and have an ipv4 address
+      interfaces = names.map { |n| inspec.interface(n) }.select do |i|
+        i.ipv4_address? && i.up?
+      end
+
+      addrs = interfaces.map(&:ipv4_addresses).flatten.map { |a| IPAddr.new(a) }
+
+      # Look for progressively "better" IP addresses
+      [
+        # Loopback and private IP ranges
+        IPAddr.new("127.0.0.0/8"),
+        IPAddr.new("192.168.0.0/16"),
+        IPAddr.new("172.16.0.0/12"),
+        IPAddr.new("10.0.0.0/8"),
+      ].each do |private_range|
+        filtered_addrs = addrs.reject { |a| private_range.include?(a) }
+        if filtered_addrs.empty?
+          # Everything we had was a private or loopback IP. Return the "best" thing we were left with.
+          return addrs.first.to_s
+        end
+
+        addrs = filtered_addrs
+      end
+      addrs.first.to_s
+    end
+
+    private
+
+    def scan_interfaces
+      @iface_data ||= begin
+                    provider = LinuxInterfaceLister.new(inspec) if inspec.os.linux?
+                    provider = WindowsInterfaceLister.new(inspec) if inspec.os.windows?
+                    provider = BsdInterfaceLister.new(inspec) if inspec.os.bsd? # includes macOS
+                    Array(provider && provider.scan_interfaces)
+                  end
+    end
+
+    class InterfaceLister
+      attr_reader :inspec
+      def initialize(inspec)
+        @inspec = inspec
+      end
+    end
+
+    class BsdInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("ifconfig -a")
+        cmd.stdout.split("\n").each do |line|
+          # lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
+          m = line.match(/^(\S+):/)
+          if m
+            iface_data << { "name" => m[1] }
+          end
+        end
+        iface_data
+      end
+    end
+
+    class LinuxInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("ls /sys/class/net")
+        cmd.stdout.split("\n").each do |iface|
+          iface_data << { "name" => iface }
+        end
+        iface_data
+      end
+    end
+
+    class WindowsInterfaceLister < InterfaceLister
+      def scan_interfaces
+        iface_data = []
+        cmd = inspec.command("Get-NetAdapter | Select-Object -Property Name | ConvertTo-Json")
+        begin
+          adapter_info = JSON.parse(cmd.stdout)
+          # May be a Hash if only one, or Array if multiple - normalize to Array
+          adapter_info = [ adapter_info ] if adapter_info.is_a? Hash
+        rescue JSON::ParserError => _e
+          return nil
+        end
+        adapter_info.each do |info|
+          iface_data << { "name" => info["Name"] }
+        end
+        iface_data
+      end
+    end
+
+  end
+end