inspec-core 4.21.3 → 4.22.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/inspec/exceptions.rb +1 -0
- data/lib/inspec/input_registry.rb +2 -1
- data/lib/inspec/metadata.rb +6 -1
- data/lib/inspec/profile.rb +30 -9
- data/lib/inspec/reporters/cli.rb +1 -0
- data/lib/inspec/reporters/json.rb +9 -4
- data/lib/inspec/resources/apt.rb +2 -0
- data/lib/inspec/resources/service.rb +1 -1
- data/lib/inspec/run_data.rb +1 -1
- data/lib/inspec/run_data/profile.rb +4 -4
- data/lib/inspec/runner.rb +8 -2
- data/lib/inspec/runner_rspec.rb +4 -1
- data/lib/inspec/schema.rb +2 -0
- data/lib/inspec/schema/exec_json.rb +4 -3
- data/lib/inspec/schema/primitives.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb +5 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5517c996bd812fed2bb1190f2db0ae0f38ae3eddeab32494fb82dd843c9d9ef3
|
|
4
|
+
data.tar.gz: e293cd323bec3ac3da7300e52d49637a322f6a7a3ac156be4c45bfdc9b4a7440
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dbb3737b7b031b251d78fadc50e50d32612b5a8a8a183ef204e3abe3b005c5f937850206347ba350f1584145b124bf4ddbdeaf2e6f5c5bbe93a20e979c9883dc
|
|
7
|
+
data.tar.gz: d128dbec0edc3ef77481bf8cb2dd5d70f48189d7c53e1abe19e52480361edcfbbc865f84b2a085cf2b8ab0a27de5ee26c96921f4fba1dca9b688ea9147ac7c65
|
data/lib/inspec/exceptions.rb
CHANGED
|
@@ -4,6 +4,7 @@ module Inspec
|
|
|
4
4
|
module Exceptions
|
|
5
5
|
class InputsFileDoesNotExist < ArgumentError; end
|
|
6
6
|
class InputsFileNotReadable < ArgumentError; end
|
|
7
|
+
class ProfileLoadFailed < StandardError; end
|
|
7
8
|
class ResourceFailed < StandardError; end
|
|
8
9
|
class ResourceSkipped < StandardError; end
|
|
9
10
|
class SecretsBackendNotFound < ArgumentError; end
|
|
@@ -165,7 +165,8 @@ module Inspec
|
|
|
165
165
|
raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
|
|
166
166
|
end
|
|
167
167
|
end
|
|
168
|
-
|
|
168
|
+
pair = pair.match(/(.*?)=(.*)/)
|
|
169
|
+
input_name, input_value = pair[1], pair[2]
|
|
169
170
|
input_value = parse_cli_input_value(input_name, input_value)
|
|
170
171
|
evt = Inspec::Input::Event.new(
|
|
171
172
|
value: input_value,
|
data/lib/inspec/metadata.rb
CHANGED
|
@@ -9,7 +9,12 @@ require "inspec/version"
|
|
|
9
9
|
require "inspec/utils/spdx"
|
|
10
10
|
|
|
11
11
|
module Inspec
|
|
12
|
-
#
|
|
12
|
+
# The Metadata class represents a profile's metadata.
|
|
13
|
+
# This includes the metadata stored in the profile's metadata.rb file, as well as inferred
|
|
14
|
+
# metadata like if this profile supports the current runtime and the intended target.
|
|
15
|
+
# This class does NOT represent the runtime state of a profile during execution.
|
|
16
|
+
# See lib/inspec/profile.rb for the runtime representation of a profile.
|
|
17
|
+
#
|
|
13
18
|
# A Metadata object may be created and finalized with invalid data.
|
|
14
19
|
# This allows the check CLI command to analyse the issues.
|
|
15
20
|
# Use valid? to determine if the metadata is coherent.
|
data/lib/inspec/profile.rb
CHANGED
|
@@ -94,6 +94,7 @@ module Inspec
|
|
|
94
94
|
@input_values = options[:inputs]
|
|
95
95
|
@tests_collected = false
|
|
96
96
|
@libraries_loaded = false
|
|
97
|
+
@state = :loaded
|
|
97
98
|
@check_mode = options[:check_mode] || false
|
|
98
99
|
@parent_profile = options[:parent_profile]
|
|
99
100
|
@legacy_profile_path = options[:profiles_path] || false
|
|
@@ -146,7 +147,12 @@ module Inspec
|
|
|
146
147
|
options[:profile_context] ||
|
|
147
148
|
Inspec::ProfileContext.for_profile(self, @backend)
|
|
148
149
|
|
|
149
|
-
|
|
150
|
+
if metadata.supports_platform?(@backend)
|
|
151
|
+
@supports_platform = true
|
|
152
|
+
else
|
|
153
|
+
@supports_platform = false
|
|
154
|
+
@state = :skipped
|
|
155
|
+
end
|
|
150
156
|
@supports_runtime = metadata.supports_runtime?
|
|
151
157
|
end
|
|
152
158
|
|
|
@@ -162,6 +168,10 @@ module Inspec
|
|
|
162
168
|
@writable
|
|
163
169
|
end
|
|
164
170
|
|
|
171
|
+
def failed?
|
|
172
|
+
@state == :failed
|
|
173
|
+
end
|
|
174
|
+
|
|
165
175
|
#
|
|
166
176
|
# Is this profile is supported on the current platform of the
|
|
167
177
|
# backend machine and the current inspec version.
|
|
@@ -197,7 +207,7 @@ module Inspec
|
|
|
197
207
|
end
|
|
198
208
|
|
|
199
209
|
def collect_tests(include_list = @controls)
|
|
200
|
-
unless @tests_collected
|
|
210
|
+
unless @tests_collected || failed?
|
|
201
211
|
return unless supports_platform?
|
|
202
212
|
|
|
203
213
|
locked_dependencies.each(&:collect_tests)
|
|
@@ -206,7 +216,12 @@ module Inspec
|
|
|
206
216
|
next if content.nil? || content.empty?
|
|
207
217
|
|
|
208
218
|
abs_path = source_reader.target.abs_path(path)
|
|
209
|
-
|
|
219
|
+
begin
|
|
220
|
+
@runner_context.load_control_file(content, abs_path, nil)
|
|
221
|
+
rescue => e
|
|
222
|
+
@state = :failed
|
|
223
|
+
raise Inspec::Exceptions::ProfileLoadFailed, "Failed to load source for #{path}: #{e}"
|
|
224
|
+
end
|
|
210
225
|
end
|
|
211
226
|
@tests_collected = true
|
|
212
227
|
end
|
|
@@ -249,12 +264,13 @@ module Inspec
|
|
|
249
264
|
d = dep.profile
|
|
250
265
|
# this will force a dependent profile load so we are only going to add
|
|
251
266
|
# this metadata if the parent profile is supported.
|
|
252
|
-
if supports_platform
|
|
267
|
+
if @supports_platform && !d.supports_platform?
|
|
253
268
|
# since ruby 1.9 hashes are ordered so we can just use index values here
|
|
254
269
|
# TODO: NO! this is a violation of encapsulation to an extreme
|
|
255
270
|
metadata.dependencies[i][:status] = "skipped"
|
|
256
271
|
msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
|
|
257
|
-
metadata.dependencies[i][:
|
|
272
|
+
metadata.dependencies[i][:status_message] = msg
|
|
273
|
+
metadata.dependencies[i][:skip_message] = msg # Repeat as skip_message for backward compatibility
|
|
258
274
|
next
|
|
259
275
|
elsif metadata.dependencies[i]
|
|
260
276
|
# Currently wrapper profiles will load all dependencies, and then we
|
|
@@ -324,12 +340,13 @@ module Inspec
|
|
|
324
340
|
res[:sha256] = sha256
|
|
325
341
|
res[:parent_profile] = parent_profile unless parent_profile.nil?
|
|
326
342
|
|
|
327
|
-
if
|
|
343
|
+
if @supports_platform
|
|
344
|
+
res[:status_message] = @status_message || ""
|
|
345
|
+
res[:status] = failed? ? "failed" : "loaded"
|
|
346
|
+
else
|
|
328
347
|
res[:status] = "skipped"
|
|
329
348
|
msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
|
|
330
|
-
res[:
|
|
331
|
-
else
|
|
332
|
-
res[:status] = "loaded"
|
|
349
|
+
res[:status_message] = msg
|
|
333
350
|
end
|
|
334
351
|
|
|
335
352
|
# convert legacy os-* supports to their platform counterpart
|
|
@@ -455,6 +472,10 @@ module Inspec
|
|
|
455
472
|
params[:controls].values.length
|
|
456
473
|
end
|
|
457
474
|
|
|
475
|
+
def set_status_message(msg)
|
|
476
|
+
@status_message = msg.to_s
|
|
477
|
+
end
|
|
478
|
+
|
|
458
479
|
# generates a archive of a folder profile
|
|
459
480
|
# assumes that the profile was checked before
|
|
460
481
|
def archive(opts)
|
data/lib/inspec/reporters/cli.rb
CHANGED
|
@@ -72,6 +72,7 @@ module Inspec::Reporters
|
|
|
72
72
|
"Profile" => format_profile_name(profile),
|
|
73
73
|
"Version" => profile[:version] || "(not specified)",
|
|
74
74
|
}
|
|
75
|
+
header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
|
|
75
76
|
header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
|
|
76
77
|
header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
|
|
77
78
|
|
|
@@ -45,8 +45,8 @@ module Inspec::Reporters
|
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
def profiles
|
|
48
|
-
run_data[:profiles].map
|
|
49
|
-
{
|
|
48
|
+
run_data[:profiles].map do |p|
|
|
49
|
+
res = {
|
|
50
50
|
name: p[:name],
|
|
51
51
|
version: p[:version],
|
|
52
52
|
sha256: p[:sha256],
|
|
@@ -64,10 +64,15 @@ module Inspec::Reporters
|
|
|
64
64
|
groups: profile_groups(p),
|
|
65
65
|
controls: profile_controls(p),
|
|
66
66
|
status: p[:status],
|
|
67
|
-
|
|
67
|
+
status_message: p[:status_message],
|
|
68
68
|
waiver_data: p[:waiver_data],
|
|
69
69
|
}.reject { |_k, v| v.nil? }
|
|
70
|
-
|
|
70
|
+
|
|
71
|
+
# For backwards compatibility
|
|
72
|
+
res[:skip_message] = res[:status_message] if res[:status] == "skipped"
|
|
73
|
+
|
|
74
|
+
res
|
|
75
|
+
end
|
|
71
76
|
end
|
|
72
77
|
|
|
73
78
|
def profile_groups(profile)
|
data/lib/inspec/resources/apt.rb
CHANGED
|
@@ -90,12 +90,14 @@ module Inspec::Resources
|
|
|
90
90
|
# deb "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
|
|
91
91
|
# deb http://archive.ubuntu.com/ubuntu/ wily main restricted ...
|
|
92
92
|
# deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
|
|
93
|
+
# deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
|
|
93
94
|
|
|
94
95
|
words = line.split
|
|
95
96
|
words.delete_at 1 if words[1] && words[1].start_with?("[")
|
|
96
97
|
type, url, distro, *components = words
|
|
97
98
|
url = url.delete('"') if url
|
|
98
99
|
|
|
100
|
+
next if words[1] && words[1].start_with?("cdrom:") # skip unsupported apt-cdrom repos
|
|
99
101
|
next if components.empty?
|
|
100
102
|
next unless URI::HTTP === URI.parse(url)
|
|
101
103
|
next unless %w{deb deb-src}.include? type
|
data/lib/inspec/run_data.rb
CHANGED
|
@@ -47,7 +47,7 @@ module Inspec
|
|
|
47
47
|
# core reporters have been migrated to plugins. It is probable that new data elements
|
|
48
48
|
# and new Hash compatibility behavior will be added during the core reporter plugin
|
|
49
49
|
# conversion process.
|
|
50
|
-
SCHEMA_VERSION = "0.
|
|
50
|
+
SCHEMA_VERSION = "0.2.0".freeze
|
|
51
51
|
|
|
52
52
|
def self.compatible_schema?(constraints)
|
|
53
53
|
reqs = Gem::Requirement.create(constraints)
|
|
@@ -15,7 +15,7 @@ module Inspec
|
|
|
15
15
|
:summary,
|
|
16
16
|
:supports, # complex local
|
|
17
17
|
:parent_profile,
|
|
18
|
-
:
|
|
18
|
+
:status_message,
|
|
19
19
|
:waiver_data, # Undocumented but used in JSON reporter - should not be?
|
|
20
20
|
:title,
|
|
21
21
|
:version
|
|
@@ -40,7 +40,7 @@ module Inspec
|
|
|
40
40
|
title
|
|
41
41
|
version
|
|
42
42
|
parent_profile
|
|
43
|
-
|
|
43
|
+
status_message
|
|
44
44
|
waiver_data
|
|
45
45
|
}.each do |field|
|
|
46
46
|
self[field] = raw_prof_data[field]
|
|
@@ -51,11 +51,11 @@ module Inspec
|
|
|
51
51
|
class Profile
|
|
52
52
|
# Good candidate for keyword_init, but that is not in 2.4
|
|
53
53
|
Dependency = Struct.new(
|
|
54
|
-
:name, :path, :status, :
|
|
54
|
+
:name, :path, :status, :status_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
|
|
55
55
|
) do
|
|
56
56
|
include HashLikeStruct
|
|
57
57
|
def initialize(raw_dep_data)
|
|
58
|
-
%i{name path status
|
|
58
|
+
%i{name path status status_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
|
|
59
59
|
end
|
|
60
60
|
end
|
|
61
61
|
|
data/lib/inspec/runner.rb
CHANGED
|
@@ -115,8 +115,14 @@ module Inspec
|
|
|
115
115
|
@test_collector.add_profile(requirement.profile)
|
|
116
116
|
end
|
|
117
117
|
|
|
118
|
-
|
|
119
|
-
|
|
118
|
+
begin
|
|
119
|
+
tests = profile.collect_tests
|
|
120
|
+
all_controls += tests unless tests.nil?
|
|
121
|
+
rescue Inspec::Exceptions::ProfileLoadFailed => e
|
|
122
|
+
Inspec::Log.error "Failed to load profile #{profile.name}: #{e}"
|
|
123
|
+
profile.set_status_message e.to_s
|
|
124
|
+
next
|
|
125
|
+
end
|
|
120
126
|
end
|
|
121
127
|
|
|
122
128
|
all_controls.each do |rule|
|
data/lib/inspec/runner_rspec.rb
CHANGED
|
@@ -90,9 +90,12 @@ module Inspec
|
|
|
90
90
|
return @rspec_exit_code if @formatter.results.empty?
|
|
91
91
|
|
|
92
92
|
stats = @formatter.results[:statistics][:controls]
|
|
93
|
+
load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
|
|
93
94
|
skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
|
|
94
|
-
if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped
|
|
95
|
+
if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
|
|
95
96
|
0
|
|
97
|
+
elsif load_failures
|
|
98
|
+
@conf["distinct_exit"] ? 102 : 1
|
|
96
99
|
elsif stats[:failed][:total] > 0
|
|
97
100
|
@conf["distinct_exit"] ? 100 : 1
|
|
98
101
|
elsif stats[:skipped][:total] > 0 || skipped
|
data/lib/inspec/schema.rb
CHANGED
|
@@ -147,6 +147,8 @@ module Inspec
|
|
|
147
147
|
"license" => { "type" => "string", "optional" => true },
|
|
148
148
|
"summary" => { "type" => "string", "optional" => true },
|
|
149
149
|
"status" => { "type" => "string", "optional" => false },
|
|
150
|
+
"status_message" => { "type" => "string", "optional" => true },
|
|
151
|
+
# skip_message is deprecated, status_message should be used to store the reason for skipping
|
|
150
152
|
"skip_message" => { "type" => "string", "optional" => true },
|
|
151
153
|
|
|
152
154
|
"supports" => {
|
|
@@ -83,7 +83,7 @@ module Inspec
|
|
|
83
83
|
"required" => %w{name sha256 supports attributes groups controls},
|
|
84
84
|
# Name is mandatory in inspec.yml.
|
|
85
85
|
# supports, controls, groups, and attributes are always present, even if empty
|
|
86
|
-
# sha256, status,
|
|
86
|
+
# sha256, status, status_message
|
|
87
87
|
"properties" => {
|
|
88
88
|
# These are provided in inspec.yml
|
|
89
89
|
"name" => Primitives::STRING,
|
|
@@ -100,10 +100,11 @@ module Inspec
|
|
|
100
100
|
"description" => Primitives::STRING,
|
|
101
101
|
"inspec_version" => Primitives::STRING,
|
|
102
102
|
|
|
103
|
-
# These are generated at runtime, and all except skip_message are guaranteed
|
|
103
|
+
# These are generated at runtime, and all except status_message and skip_message are guaranteed
|
|
104
104
|
"sha256" => Primitives::STRING,
|
|
105
105
|
"status" => Primitives::STRING,
|
|
106
|
-
"
|
|
106
|
+
"status_message" => Primitives::STRING, # If skipped or failed to load, why
|
|
107
|
+
"skip_message" => Primitives::STRING, # Deprecated field storing reason for skipping. status_message should be used instead.
|
|
107
108
|
"controls" => Primitives.array(CONTROL.ref),
|
|
108
109
|
"groups" => Primitives.array(Primitives::CONTROL_GROUP.ref),
|
|
109
110
|
"attributes" => Primitives.array(Primitives::INPUT),
|
data/lib/inspec/version.rb
CHANGED
|
@@ -7,8 +7,11 @@
|
|
|
7
7
|
<% if profile.summary %>
|
|
8
8
|
<tr class="profile-summary"><th>Summary:</th><td><%= profile.summary %></td></tr>
|
|
9
9
|
<% end %>
|
|
10
|
-
<% if profile.
|
|
11
|
-
<tr class="profile-
|
|
10
|
+
<% if profile.status != "loaded" %>
|
|
11
|
+
<tr class="profile-status"><th>Status:</th><td><%= profile.status %></td></tr>
|
|
12
|
+
<% end %>
|
|
13
|
+
<% if profile.status_message && !profile.status_message.empty? %>
|
|
14
|
+
<tr class="profile-status-message"><th>Status Message:</th><td><%= profile.status_message %></td></tr>
|
|
12
15
|
<% end %>
|
|
13
16
|
</table>
|
|
14
17
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.22.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chef InSpec Team
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-07-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: chef-telemetry
|