inspec-core 4.22.1 → 4.23.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b4f096b34b4707a39ac4392118bdeadf0ab3b15b2ebea8faf8661902dbf8409
-  data.tar.gz: 60ed138d131e605f8257a541a655757bf819c6e72b169a2c1034a1626db7c4d1
+  metadata.gz: 6a065b3ed549e1beaaa211fc87e50e1f66be56a12c51c942884972d70a55fe6c
+  data.tar.gz: bef9a2f8e84aea96c3917119906bdd251468e4a54a69044f1122c0fbb1b340fe
 SHA512:
-  metadata.gz: 910a8739e4f375d3d573a734f46350e3e609a72b2376d8d9e04757e06e2274da1f728b612ab11312b08f90fafd5baf68f90a179fc90edaac9366ca49701680eb
-  data.tar.gz: 25320c374c74ee45a8ebdcfce19c7fd481a1888c7d7f3250c5a091a3e556096dd42191b570e58572ae382dea7f99661c901ae3822438c52268b76ccef286572f
+  metadata.gz: d985c4562718e2bbd57585f6c6b496970aeaca0aabb0d2101b5b89b22c465d99c5ce5fead723bf4478799331d9a6d3be8d9fcd1786434ebd47bdf4392af19b6e
+  data.tar.gz: bd144e5f250215c64aad78f41ad60804fefe093b7cf234aa09b0ace4c866b5d254ac7ce639405ff33af743f08a4376f1a41cb2f61c2faa0b5ffab4221add290a

data/Gemfile

@@ -19,12 +19,13 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 0.13.0"
+  gem "chefstyle", "~> 1.2.1"
   gem "minitest", "~> 5.5"
   gem "minitest-sprint", "~> 1.0"
   gem "rake", ">= 10"
   gem "simplecov", ["~> 0.10", "<=0.18.2"]
   gem "concurrent-ruby", "~> 1.0"
+  gem "nokogiri", "~> 1.9"
   gem "mocha", "~> 1.1"
   gem "ruby-progressbar", "~> 1.8"
   gem "webmock", "~> 3.0"

data/inspec-core.gemspec

@@ -17,14 +17,14 @@ Gem::Specification.new do |spec|
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
-    Dir.glob("{{lib,etc}/**/*,README.md,LICENSE,Gemfile,inspec-core.gemspec}")
+    Dir.glob("{{lib,etc}/**/*,LICENSE,Gemfile,inspec-core.gemspec}")
       .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp)})
       .grep_v(%r{lib/plugins/.*/test/})
       .reject { |f| File.directory?(f) }
 
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",     "~> 1.0"
-  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 2.0"
+  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "json_schemer",       ">= 0.2.1", "< 0.2.12"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
@@ -36,16 +36,14 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"
   spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0"
+  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.1"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"
   spec.add_dependency "tomlrb",             "~> 1.2.0"
   spec.add_dependency "addressable",        "~> 2.4"
   spec.add_dependency "parslet",            "~> 1.5"
   spec.add_dependency "semverse",           "~> 3.0"
-  spec.add_dependency "htmlentities",       "~> 4.3" # TODO: remove when #4853 fixed
   spec.add_dependency "multipart-post",     "~> 2.0"
-  spec.add_dependency "term-ansicolor",     "~> 1.7"
 
   spec.add_dependency "train-core", "~> 3.0"
 end

data/lib/bundles/inspec-supermarket/cli.rb

@@ -5,7 +5,7 @@ module Supermarket
   class SupermarketCLI < Inspec::BaseCLI
     namespace "supermarket"
 
-    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed.
     def self.banner(command, _namespace = nil, _subcommand = false)
       "#{basename} #{subcommand_prefix} #{command.usage}"
     end

data/lib/inspec/base_cli.rb

@@ -60,7 +60,7 @@ module Inspec
       true
     end
 
-    def self.target_options # rubocop:disable MethodLength
+    def self.target_options # rubocop:disable Metrics/MethodLength
       option :target, aliases: :t, type: :string,
         desc: "Simple targeting option using URIs, e.g. ssh://user:pass@host:port"
       option :backend, aliases: :b, type: :string,
@@ -158,6 +158,16 @@ module Inspec
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
         desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+      option :diff, type: :boolean, default: true,
+        desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
+      option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
+        desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
+    end
+
+    def self.help(*args)
+      super(*args)
+      puts "\nAbout #{Inspec::Dist::PRODUCT_NAME}:"
+      puts "  Patents: chef.io/patents\n\n"
     end
 
     def self.format_platform_info(params: {}, indent: 0, color: 39)

data/lib/inspec/cli.rb

@@ -48,7 +48,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Allow or disable user interaction"
 
   class_option :disable_core_plugins, type: :string, banner: "", # Actually a boolean, but this suppresses the creation of a --no-disable...
-    desc: "Disable loading all plugins that are shipped in the lib/plugins directory of InSpec. Useful in development."
+    desc: "Disable loading all plugins that are shipped in the lib/plugins directory of InSpec. Useful in development.",
+    hide: true
 
   class_option :disable_user_plugins, type: :string, banner: "",
     desc: "Disable loading all plugins that the user installed."
@@ -194,7 +195,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", <<~EOT
+  desc "exec LOCATIONS", "Run all tests at LOCATIONS."
+  long_desc <<~EOT
     Run all test files at the specified LOCATIONS.
 
     Loads the given profile(s) and fetches their dependencies if needed. Then

data/lib/inspec/config.rb

@@ -344,7 +344,6 @@ module Inspec
         cli
         json
         json-automate
-        junit
         yaml
       }
 
@@ -406,6 +405,18 @@ module Inspec
       @plugin_cfg = data
     end
 
+    def validate_sort_results_by!(option_value)
+      expected = %w{
+        none
+        control
+        file
+        random
+      }
+      return if expected.include? option_value
+
+      raise Inspec::ConfigError::Invalid, "--sort-results-by must be one of #{expected.join(", ")}"
+    end
+
     #-----------------------------------------------------------------------#
     #                         Merging Options
     #-----------------------------------------------------------------------#
@@ -436,6 +447,7 @@ module Inspec
       finalize_parse_reporters(options)
       finalize_handle_sudo(options)
       finalize_compliance_login(options)
+      finalize_sort_results(options)
 
       Thor::CoreExt::HashWithIndifferentAccess.new(options)
     end
@@ -510,6 +522,12 @@ module Inspec
       end
     end
 
+    def finalize_sort_results(options)
+      if options.key?("sort_results_by")
+        validate_sort_results_by!(options["sort_results_by"])
+      end
+    end
+
     class Defaults
       DEFAULTS = {
         exec: {

data/lib/inspec/input.rb

@@ -171,7 +171,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
 
     def initialize(name, options = {})
       @name = name
@@ -264,6 +264,7 @@ module Inspec
       @required = options[:required] if options.key?(:required)
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
+      @sensitive = options[:sensitive] if options.key?(:sensitive)
     end
 
     def make_creation_event(options)
@@ -320,7 +321,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value sensitive}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -334,7 +335,7 @@ module Inspec
     #--------------------------------------------------------------------------#
 
     def to_s
-      "Input #{name} with #{current_value}"
+      "Input #{name} with value " + (sensitive ? "*** (senstive)" : "#{current_value}")
     end
 
     #--------------------------------------------------------------------------#

data/lib/inspec/input_registry.rb

@@ -29,6 +29,8 @@ module Inspec
     def_delegator :inputs_by_profile, :select
     def_delegator :profile_aliases, :key?, :profile_alias?
 
+    attr_accessor :cache_inputs
+
     def initialize
       # Keyed on String profile_name => Hash of String input_name => Input object
       @inputs_by_profile = {}
@@ -43,6 +45,9 @@ module Inspec
         activator.activate!
         activator.implementation_class.new
       end
+
+      # Activate caching for inputs by default
+      @cache_inputs = true
     end
 
     #-------------------------------------------------------------#
@@ -84,7 +89,7 @@ module Inspec
 
       # Find or create the input
       inputs_by_profile[profile_name] ||= {}
-      if inputs_by_profile[profile_name].key?(input_name)
+      if inputs_by_profile[profile_name].key?(input_name) && cache_inputs
         inputs_by_profile[profile_name][input_name].update(options)
       else
         inputs_by_profile[profile_name][input_name] = Inspec::Input.new(input_name, options)
@@ -316,6 +321,7 @@ module Inspec
         profile_name,
         type: input_options[:type],
         required: input_options[:required],
+        sensitive: input_options[:sensitive],
         event: evt
       )
     end

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -1,18 +1,20 @@
 require_relative "../../../run_data"
+require_relative "../../../utils/run_data_filters"
 
 module Inspec::Plugin::V2::PluginType
   class Reporter < Inspec::Plugin::V2::PluginBase
     register_plugin_type(:reporter)
+    include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
 
     def initialize(config)
       @config = config
 
-      # Trim the run_data while still a Hash; if it is huge, this
+      # Filter the run_data while still a Hash; if it is huge, this
       # saves on conversion time
       @run_data = config[:run_data] || {}
-      apply_report_resize_options
+      apply_run_data_filters_to_hash
 
       unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
         # Best we can do is warn here, the InSpec run has finished
@@ -24,29 +26,6 @@ module Inspec::Plugin::V2::PluginType
       @output = ""
     end
 
-    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
-    # To be DRY'd up once the core reporters become plugins...
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
-
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            if r.key?(:message) && r[:message] != "" && trunc > -1
-              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
-            end
-            r
-          end
-        end
-      end
-    end
-
     def output(str, newline = true)
       @output << str
       @output << "\n" if newline

data/lib/inspec/reporters.rb

@@ -2,7 +2,6 @@ require "inspec/reporters/base"
 require "inspec/reporters/cli"
 require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
-require "inspec/reporters/junit"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
 
@@ -20,8 +19,6 @@ module Inspec::Reporters
     # right to introduce breaking changes to this reporter at any time.
     when "json-automate"
       reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "junit"
-      reporter = Inspec::Reporters::Junit.new(config)
     when "automate"
       reporter = Inspec::Reporters::Automate.new(config)
     when "yaml"

data/lib/inspec/reporters/automate.rb

@@ -49,14 +49,14 @@ module Inspec::Reporters
 
         res = http.request(req)
         if res.is_a?(Net::HTTPSuccess)
-          return true
+          true
         else
           Inspec::Log.error "send_report: POST to #{uri.path} returned: #{res.body}"
-          return false
+          false
         end
       rescue => e
         Inspec::Log.error "send_report: POST to #{uri.path} returned: #{e.message}"
-        return false
+        false
       end
     end
 

data/lib/inspec/reporters/base.rb

@@ -1,33 +1,17 @@
+require_relative "../utils/run_data_filters"
+
 module Inspec::Reporters
   class Base
+    include Inspec::Utils::RunDataFilters
+
     attr_reader :run_data
 
     def initialize(config)
       @config = config
-      @run_data = config[:run_data]
-      apply_report_resize_options unless @run_data.nil?
-      @output = ""
-    end
+      @run_data = config[:run_data] || {}
+      apply_run_data_filters_to_hash
 
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
-
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            if r.key?(:message) && r[:message] != "" && trunc > -1
-              r[:message] = r[:message][0...trunc] + "[Truncated to #{trunc} characters]"
-            end
-            r
-          end
-        end
-      end
+      @output = ""
     end
 
     def output(str, newline = true)

data/lib/inspec/resources/apt.rb

@@ -87,13 +87,13 @@ module Inspec::Resources
         active = raw_line == line
 
         # formats:
-        # deb               "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
-        # deb               http://archive.ubuntu.com/ubuntu/ wily main restricted ...
-        # deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb                          "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
+        # deb                          http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb [trusted=yes]            http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb [arch=amd64 trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
         # deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
 
-        words = line.split
-        words.delete_at 1 if words[1] && words[1].start_with?("[")
+        words = line.sub(/^(deb|deb-src)\s+\[.+?\]/, '\1').split
         type, url, distro, *components = words
         url = url.delete('"') if url
 

data/lib/inspec/resources/bridge.rb

@@ -27,7 +27,7 @@ module Inspec::Resources
       elsif inspec.os.windows?
         @bridge_provider = WindowsBridge.new(inspec)
       else
-        return skip_resource "The `bridge` resource is not supported on your OS yet."
+        skip_resource "The `bridge` resource is not supported on your OS yet."
       end
     end
 

data/lib/inspec/resources/host.rb

@@ -71,7 +71,7 @@ module Inspec::Resources
 
       missing_requirements = @host_provider.missing_requirements(protocol)
       unless missing_requirements.empty?
-        return skip_resource "The following requirements are not met for this resource: " \
+        skip_resource "The following requirements are not met for this resource: " \
           "#{missing_requirements.join(", ")}"
       end
     end

data/lib/inspec/resources/mount.rb

@@ -61,7 +61,7 @@ module Inspec::Resources
       os = inspec.os
       if os.linux?
         LinuxMounts.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif os.bsd?
         BsdMounts.new(inspec)
       end
     end

data/lib/inspec/resources/mysql_session.rb

@@ -4,6 +4,27 @@ require "inspec/resources/command"
 require "shellwords"
 
 module Inspec::Resources
+  class Lines
+    attr_reader :output, :stdout, :stderr, :exit_status
+
+    def initialize(raw, desc, exit_status)
+      @output = raw
+      @desc = desc
+      @exit_status = exit_status
+      # backwards compatibility
+      @stdout = raw
+      @stderr = raw
+    end
+
+    def lines
+      output.split("\n")
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
   class MysqlSession < Inspec.resource(1)
     name "mysql_session"
     supports platform: "unix"
@@ -12,7 +33,7 @@ module Inspec::Resources
     example <<~EXAMPLE
       sql = mysql_session('my_user','password','host')
       describe sql.query('show databases like \'test\';') do
-        its('stdout') { should_not match(/test/) }
+        its('output') { should_not match(/test/) }
       end
     EXAMPLE
 
@@ -28,15 +49,17 @@ module Inspec::Resources
 
     def query(q, db = "")
       mysql_cmd = create_mysql_cmd(q, db)
-      cmd = inspec.command(mysql_cmd)
+      cmd = if !@pass.nil?
+              inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
+            else
+              inspec.command(mysql_cmd)
+            end
       out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error /
-        # skip this test if the server can't run the query
-        warn("Can't connect to MySQL instance for SQL checks.")
+      if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
+        Lines.new(out, "MySQL query with errors: #{q}", cmd.exit_status)
+      else
+        Lines.new(cmd.stdout.strip, "MySQL query: #{q}", cmd.exit_status)
       end
-
-      # return the raw command output
-      cmd
     end
 
     def to_s