inspec-core 4.22.22 → 4.24.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: feb9a92b579da111caf36845c7ba22e6d0831233d59c5f6f5de0212aa8ef529c
-  data.tar.gz: 945341a0aa073b969ce15e35d058246af5584d3ddfb94a5b7ffbd86cb8162254
+  metadata.gz: 40b226d810bf523c7b914a00d3e3e0556d23eb78b944f12fe7af7fac35a279f4
+  data.tar.gz: ff6cafe82a9e7234814575a3723098ccb1238fb88754cb4891288547e9c3a47b
 SHA512:
-  metadata.gz: 148281428e3b5d2855a2c89eccb3a29e4b159933b025049d9852eab4336b9ffb0f267bb48701b208c06fc71ce2c173fe175466622b3ec535ddb4a2692d3d927f
-  data.tar.gz: ac2e46f5dc21b7359b76df729d6b47c0f51f1f8bd272872121477204f3422d49028982a39a01df60a4ae796f03ccb41f6a448a994e22e2feb7e4d946b574cc27
+  metadata.gz: c663121d4e9dba5764ba321d391b4779f3b9236b827fc7dca58aa2a6a3b9d76a5749205635c38ca6a28f614364f19fef1c7c790321067fef2ae1e1eb9a1dbd74
+  data.tar.gz: da255c1b0637e48aa1f83ea42607829767450bd03fd5f970e527afa81898ba215b7ac4ec66c508d23ef2de74ebb9e3dc26893427c76ab4176e67ffaf5df42c54

data/Gemfile

@@ -11,6 +11,11 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0"
 
+if Gem.ruby_version.to_s.start_with?("2.5")
+  # 16.7.23 required ruby 2.6+
+  gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
+end
+
 group :omnibus do
   gem "rb-readline"
   gem "appbundler"
@@ -20,44 +25,31 @@ end
 
 group :test do
   gem "chefstyle", "~> 1.2.1"
-  gem "minitest", "~> 5.5"
-  gem "minitest-sprint", "~> 1.0"
-  gem "rake", ">= 10"
-  gem "simplecov", ["~> 0.10", "<=0.18.2"]
   gem "concurrent-ruby", "~> 1.0"
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  gem "json_schemer", ">= 0.2.1", "< 0.2.12"
+  gem "m"
+  gem "minitest-sprint", "~> 1.0"
+  gem "minitest", "~> 5.5"
   gem "mocha", "~> 1.1"
+  gem "nokogiri", "~> 1.9"
+  gem "pry-byebug"
+  gem "pry", "~> 0.10"
+  gem "rake", ">= 10"
   gem "ruby-progressbar", "~> 1.8"
+  gem "simplecov", ["~> 0.10", "<=0.18.2"]
   gem "webmock", "~> 3.0"
-  gem "m"
-  gem "pry", "~> 0.10"
-  gem "pry-byebug"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
 end
 
 group :integration do
   gem "berkshelf"
-  gem "test-kitchen"
-  gem "kitchen-vagrant"
-  gem "chef", "< 15"
-  gem "chef-zero", "< 15"
-  gem "kitchen-inspec"
-  gem "kitchen-ec2"
-  gem "kitchen-dokken"
+  gem "test-kitchen", ">= 2.8"
+  gem "kitchen-vagrant", ">= 1.7"
+  gem "kitchen-inspec", ">= 2.0"
+  gem "kitchen-dokken", ">= 2.11"
   gem "git"
 end
 
-# gems for Maintainers.md generation
-group :maintenance do
-  gem "tomlrb"
-
-  # To sync maintainers with github
-  gem "octokit"
-  gem "netrc"
-end
-
 group :deploy do
   gem "inquirer"
-end
-
-# add these additional dependencies into Gemfile.local
-eval_gemfile(__FILE__ + ".local") if File.exist?(__FILE__ + ".local")
+end

data/inspec-core.gemspec

@@ -24,19 +24,18 @@ Gem::Specification.new do |spec|
 
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",     "~> 1.0"
-  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 2.0"
+  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
-  spec.add_dependency "json_schemer",       ">= 0.2.1", "< 0.2.12"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            "~> 1.2", ">= 1.2.2"
-  spec.add_dependency "rspec",              "~> 3.9"
+  spec.add_dependency "rspec",              "~> 3.9.0"
   spec.add_dependency "rspec-its",          "~> 1.2"
   spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             "~> 3.4"
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"
   spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0"
+  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.1"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"
   spec.add_dependency "tomlrb",             "~> 1.2.0"

data/lib/inspec/base_cli.rb

@@ -158,6 +158,16 @@ module Inspec
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
         desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+      option :diff, type: :boolean, default: true,
+        desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
+      option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
+        desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
+    end
+
+    def self.help(*args)
+      super(*args)
+      puts "\nAbout #{Inspec::Dist::PRODUCT_NAME}:"
+      puts "  Patents: chef.io/patents\n\n"
     end
 
     def self.format_platform_info(params: {}, indent: 0, color: 39)

data/lib/inspec/cli.rb

@@ -48,7 +48,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Allow or disable user interaction"
 
   class_option :disable_core_plugins, type: :string, banner: "", # Actually a boolean, but this suppresses the creation of a --no-disable...
-    desc: "Disable loading all plugins that are shipped in the lib/plugins directory of InSpec. Useful in development."
+    desc: "Disable loading all plugins that are shipped in the lib/plugins directory of InSpec. Useful in development.",
+    hide: true
 
   class_option :disable_user_plugins, type: :string, banner: "",
     desc: "Disable loading all plugins that the user installed."
@@ -194,7 +195,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", <<~EOT
+  desc "exec LOCATIONS", "Run all tests at LOCATIONS."
+  long_desc <<~EOT
     Run all test files at the specified LOCATIONS.
 
     Loads the given profile(s) and fetches their dependencies if needed. Then

data/lib/inspec/config.rb

@@ -405,6 +405,18 @@ module Inspec
       @plugin_cfg = data
     end
 
+    def validate_sort_results_by!(option_value)
+      expected = %w{
+        none
+        control
+        file
+        random
+      }
+      return if expected.include? option_value
+
+      raise Inspec::ConfigError::Invalid, "--sort-results-by must be one of #{expected.join(", ")}"
+    end
+
     #-----------------------------------------------------------------------#
     #                         Merging Options
     #-----------------------------------------------------------------------#
@@ -435,6 +447,7 @@ module Inspec
       finalize_parse_reporters(options)
       finalize_handle_sudo(options)
       finalize_compliance_login(options)
+      finalize_sort_results(options)
 
       Thor::CoreExt::HashWithIndifferentAccess.new(options)
     end
@@ -509,6 +522,12 @@ module Inspec
       end
     end
 
+    def finalize_sort_results(options)
+      if options.key?("sort_results_by")
+        validate_sort_results_by!(options["sort_results_by"])
+      end
+    end
+
     class Defaults
       DEFAULTS = {
         exec: {

data/lib/inspec/formatters/base.rb

@@ -159,6 +159,14 @@ module Inspec::Formatters
         resource_title: example.metadata[:described_class] || example.metadata[:example_group][:description],
         expectation_message: format_expectation_message(example),
         waiver_data: example.metadata[:waiver_data],
+        # This enforces the resource name as expected based off of the class
+        # name. However, if we wanted the `name` attribute against the class
+        # to be canonical for this case (consider edge cases!) we would use
+        # example.metadata[:described_class].instance_variable_get(:@__resource_name__)&.to_s
+        resource_class: example.metadata[:described_class].class.superclass.name,
+        # This is a raw grep of the text passed to the resource in any format,
+        # and is used to enforce near-uniqueness against the resource.
+        resource_params: find_resource_params(example.metadata[:described_class]),
       }
 
       unless (pid = example.metadata[:profile_id]).nil?
@@ -174,6 +182,14 @@ module Inspec::Formatters
       res
     end
 
+    def find_resource_params(example)
+      if example.class.ancestors.include?(Inspec::Resource)
+        example.instance_variable_get(:@resource_params)
+      else
+        []
+      end
+    end
+
     def format_expectation_message(example)
       if (example.metadata[:example_group][:description_args].first == example.metadata[:example_group][:described_class]) ||
           example.metadata[:example_group][:described_class].nil?

data/lib/inspec/globals.rb

@@ -1,15 +1,21 @@
 require_relative "utils/install_context"
 
 module Inspec
-
   extend Inspec::InstallContextHelpers
 
   def self.config_dir
-    ENV["INSPEC_CONFIG_DIR"] ? ENV["INSPEC_CONFIG_DIR"] : File.join(Dir.home, ".inspec")
+    ENV["INSPEC_CONFIG_DIR"] || File.join(home_path, ".inspec")
   end
 
   def self.src_root
     @src_root ||= File.expand_path(File.join(__FILE__, "../../.."))
   end
 
+  def self.home_path
+    Dir.home
+  rescue ArgumentError, NoMethodError
+    # If ENV['HOME'] is not set, Dir.home will fail due to expanding the ~. Fallback to Etc.
+    require "etc" unless defined?(Etc)
+    Etc.getpwuid.dir
+  end
 end

data/lib/inspec/input.rb

@@ -171,7 +171,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
 
     def initialize(name, options = {})
       @name = name
@@ -264,6 +264,7 @@ module Inspec
       @required = options[:required] if options.key?(:required)
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
+      @sensitive = options[:sensitive] if options.key?(:sensitive)
     end
 
     def make_creation_event(options)
@@ -320,7 +321,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value sensitive}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -334,7 +335,7 @@ module Inspec
     #--------------------------------------------------------------------------#
 
     def to_s
-      "Input #{name} with #{current_value}"
+      "Input #{name} with value " + (sensitive ? "*** (senstive)" : "#{current_value}")
     end
 
     #--------------------------------------------------------------------------#

data/lib/inspec/input_registry.rb

@@ -29,6 +29,8 @@ module Inspec
     def_delegator :inputs_by_profile, :select
     def_delegator :profile_aliases, :key?, :profile_alias?
 
+    attr_accessor :cache_inputs
+
     def initialize
       # Keyed on String profile_name => Hash of String input_name => Input object
       @inputs_by_profile = {}
@@ -43,6 +45,9 @@ module Inspec
         activator.activate!
         activator.implementation_class.new
       end
+
+      # Activate caching for inputs by default
+      @cache_inputs = true
     end
 
     #-------------------------------------------------------------#
@@ -84,7 +89,7 @@ module Inspec
 
       # Find or create the input
       inputs_by_profile[profile_name] ||= {}
-      if inputs_by_profile[profile_name].key?(input_name)
+      if inputs_by_profile[profile_name].key?(input_name) && cache_inputs
         inputs_by_profile[profile_name][input_name].update(options)
       else
         inputs_by_profile[profile_name][input_name] = Inspec::Input.new(input_name, options)
@@ -316,6 +321,7 @@ module Inspec
         profile_name,
         type: input_options[:type],
         required: input_options[:required],
+        sensitive: input_options[:sensitive],
         event: evt
       )
     end

data/lib/inspec/plugin/v2/loader.rb

@@ -50,6 +50,11 @@ module Inspec::Plugin::V2
       # we want to allow "sidecar loading", in which case a plugin may add an entry to the registry.
       registry.plugin_names.dup.each do |plugin_name|
         plugin_details = registry[plugin_name]
+
+        # Under some conditions (kitchen-inspec with multiple test suites, for example), this may be
+        # called multple times. Don't reload anything.
+        next if plugin_details.loaded
+
         # We want to capture literally any possible exception here, since we are storing them.
         # rubocop: disable Lint/RescueException
         begin

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -1,18 +1,20 @@
 require_relative "../../../run_data"
+require_relative "../../../utils/run_data_filters"
 
 module Inspec::Plugin::V2::PluginType
   class Reporter < Inspec::Plugin::V2::PluginBase
     register_plugin_type(:reporter)
+    include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
 
     def initialize(config)
       @config = config
 
-      # Trim the run_data while still a Hash; if it is huge, this
+      # Filter the run_data while still a Hash; if it is huge, this
       # saves on conversion time
       @run_data = config[:run_data] || {}
-      apply_report_resize_options
+      apply_run_data_filters_to_hash
 
       unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
         # Best we can do is warn here, the InSpec run has finished
@@ -24,26 +26,6 @@ module Inspec::Plugin::V2::PluginType
       @output = ""
     end
 
-    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
-    # To be DRY'd up once the core reporters become plugins...
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
-
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            process_message_truncation(r)
-          end
-        end
-      end
-    end
-
     def output(str, newline = true)
       @output << str
       @output << "\n" if newline
@@ -61,14 +43,5 @@ module Inspec::Plugin::V2::PluginType
     def self.run_data_schema_constraints
       raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
     end
-
-    private
-
-    def process_message_truncation(result)
-      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
-        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
-      end
-      result
-    end
   end
 end

data/lib/inspec/reporters/base.rb

@@ -1,30 +1,17 @@
+require_relative "../utils/run_data_filters"
+
 module Inspec::Reporters
   class Base
+    include Inspec::Utils::RunDataFilters
+
     attr_reader :run_data
 
     def initialize(config)
       @config = config
-      @run_data = config[:run_data]
-      apply_report_resize_options unless @run_data.nil?
-      @output = ""
-    end
-
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+      @run_data = config[:run_data] || {}
+      apply_run_data_filters_to_hash
 
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            process_message_truncation(r)
-          end
-        end
-      end
+      @output = ""
     end
 
     def output(str, newline = true)
@@ -40,14 +27,5 @@ module Inspec::Reporters
     def render
       raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
     end
-
-    private
-
-    def process_message_truncation(result)
-      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
-        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
-      end
-      result
-    end
   end
 end

data/lib/inspec/reporters/json.rb

@@ -40,6 +40,8 @@ module Inspec::Reporters
           message:      r[:message],
           exception:    r[:exception],
           backtrace:    r[:backtrace],
+          resource_class: r[:resource_class],
+          resource_params: r[:resource_params].to_s,
         }.reject { |_k, v| v.nil? }
       }
     end

data/lib/inspec/resource.rb

@@ -108,6 +108,7 @@ module Inspec
     # Infrastructure / Bookkeeping
 
     def self.__register(name, resource_klass)
+      # This has bitten us and should be a great candidate to remove in InSpec5
       cl = Class.new(resource_klass) do # TODO: remove
         # As best I can figure out, this anonymous class only exists
         # because we're trying to avoid having resources with
@@ -116,6 +117,7 @@ module Inspec
         # documentation.
         def initialize(backend, name, *args)
           supersuper_initialize(backend, name) do
+            @resource_params = args
             super(*args)
           end
         end

data/lib/inspec/resources/apt.rb

@@ -87,13 +87,13 @@ module Inspec::Resources
         active = raw_line == line
 
         # formats:
-        # deb               "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
-        # deb               http://archive.ubuntu.com/ubuntu/ wily main restricted ...
-        # deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb                          "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
+        # deb                          http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb [trusted=yes]            http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb [arch=amd64 trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
         # deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
 
-        words = line.split
-        words.delete_at 1 if words[1] && words[1].start_with?("[")
+        words = line.sub(/^(deb|deb-src)\s+\[.+?\]/, '\1').split
         type, url, distro, *components = words
         url = url.delete('"') if url
 

data/lib/inspec/resources/grub_conf.rb

@@ -29,7 +29,7 @@ module Inspec::Resources
       @content = read_file(@conf_path)
       @kernel = kernel || "default"
     rescue UnknownGrubConfig
-      skip_resource "The `grub_config` resource is not supported on your OS yet."
+      skip_resource "The `grub_conf` resource is not yet supported on the target OS #{inspec.os[:name]}."
     end
 
     def config_for_platform(path)
@@ -77,6 +77,7 @@ module Inspec::Resources
 
     def grub2_parse_kernel_lines(content, conf)
       menu_entries = extract_menu_entries(content)
+      return {} if menu_entries.empty?
 
       if @kernel == "default"
         default_menu_entry(menu_entries, conf["GRUB_DEFAULT"])

data/lib/inspec/resources/package.rb

@@ -314,7 +314,7 @@ module Inspec::Resources
       # Find the package
       cmd = inspec.command <<-EOF.gsub(/^\s*/, "")
         Get-ItemProperty (@("#{search_paths.join('", "')}") | Where-Object { Test-Path $_ }) |
-        Where-Object { $_.DisplayName -match "^\s*#{package_name.shellescape}\.*" -or $_.PSChildName -match "^\s*#{package_name.shellescape}\.*" } |
+        Where-Object { $_.DisplayName -like "#{package_name}" -or $_.PSChildName -like "#{package_name}" } |
         Select-Object -Property DisplayName,DisplayVersion | ConvertTo-Json
       EOF
 

data/lib/inspec/resources/platform.rb

@@ -81,7 +81,7 @@ module Inspec::Resources
           when :os, :platform then
             platform?(v)
           when :os_name, :platform_name then
-            name == v
+            check_name(v)
           when :release then
             check_release(v)
           end
@@ -99,6 +99,16 @@ module Inspec::Resources
 
     private
 
+    def check_name(value)
+      # allow wild card matching
+      if value.include?("*")
+        cleaned = Regexp.escape(value).gsub('\*', ".*?")
+        name =~ /#{cleaned}/
+      else
+        name == value
+      end
+    end
+
     def check_release(value)
       # allow wild card matching
       if value.include?("*")

data/lib/inspec/resources/postgres_session.rb

@@ -26,12 +26,13 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database."
     example <<~EXAMPLE
-      sql = postgres_session('username', 'password', 'host')
+      sql = postgres_session('username', 'password', 'host', 'port')
       query('sql_query', ['database_name'])` contains the query and (optional) database to execute
 
       # default values:
       # username: 'postgres'
       # host: 'localhost'
+      # port: 5432
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
@@ -39,10 +40,11 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil)
+    def initialize(user, pass, host = nil, port = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
+      @port = port || 5432
     end
 
     def query(query, db = [])
@@ -64,7 +66,7 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "-d #{x}" }.join(" ")
-      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}"
     end
   end
 end

data/lib/inspec/resources/processes.rb

@@ -138,7 +138,7 @@ module Inspec::Resources
           command: 8,
         }
       else
-        command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
+        command = "ps wwaxo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
         regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           label: 1,

data/lib/inspec/resources/wmi.rb

@@ -16,7 +16,10 @@ module Inspec::Resources
         namespace: 'root\\rsop\\computer',
         filter: 'KeyName = \'MinimumPasswordAge\' And precedence=1'
       }) do
-         its('Setting') { should eq true }
+         its('Setting') { should cmp true }
+      end
+      describe wmi({namespace: "root\\cimv2", query: "SELECT installstate FROM win32_optionalfeature"}) do
+        its("installstate") { should include 2 }
       end
     EXAMPLE
 
@@ -66,13 +69,18 @@ module Inspec::Resources
 
       # run wmi command and filter empty wmi
       script = <<-EOH
-      Filter Aggregate
-      {
-          $arr = @{}
-          $_.properties | % {
-              $arr.Add($_.name, $_.value)
+      Function Aggregate {
+        $propsHash = @{}
+        ForEach ($wmiObj in $Input) {
+          ForEach ($wmiProp in $wmiObj.properties) {
+            If($propsHash.ContainsKey($wmiProp.name)) {
+              $propsHash[$wmiProp.name].add($wmiProp.value) | Out-Null
+            } Else {
+              $propsHash[$wmiProp.name] = [System.Collections.ArrayList]@($wmiProp.value)
+            }
           }
-          $arr
+        }
+        $propsHash
       }
       Get-WmiObject #{params} | Aggregate | ConvertTo-Json
       EOH

data/lib/inspec/rule.rb

@@ -343,14 +343,8 @@ module Inspec
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""
 
-      # Waivers should have a hash value with keys possibly including "run" and
-      # expiration_date. We only care here if it has a "run" key and it
-      # is false-like, since all non-skipped waiver operations are handled
-      # during reporting phase.
-      return unless __waiver_data.key?("run") && !__waiver_data["run"]
-
-      # OK, the intent is to skip. Does it have an expiration date, and
-      # if so, is it in the future?
+      # Does it have an expiration date, and if so, is it in the future?
+      # This sets a waiver message before checking `run: true`
       expiry = __waiver_data["expiration_date"]
       if expiry
         # YAML will automagically give us a Date or a Time.
@@ -370,6 +364,12 @@ module Inspec
         end
       end
 
+      # Waivers should have a hash value with keys possibly including "run" and
+      # expiration_date. We only care here if it has a "run" key and it
+      # is false-like, since all non-skipped waiver operations are handled
+      # during reporting phase.
+      return unless __waiver_data.key?("run") && !__waiver_data["run"]
+
       # OK, apply a skip.
       @__skip_rule[:result] = true
       @__skip_rule[:type] = :waiver

data/lib/inspec/run_data.rb

@@ -47,7 +47,7 @@ module Inspec
     # core reporters have been migrated to plugins. It is probable that new data elements
     # and new Hash compatibility behavior will be added during the core reporter plugin
     # conversion process.
-    SCHEMA_VERSION = "0.2.0".freeze
+    SCHEMA_VERSION = "0.3.0".freeze
 
     def self.compatible_schema?(constraints)
       reqs = Gem::Requirement.create(constraints)

data/lib/inspec/run_data/profile.rb

@@ -96,11 +96,12 @@ module Inspec
           # There are probably others
           :value,
           :type,
-          :required
+          :required,
+          :sensitive
         ) do
           include HashLikeStruct
           def initialize(raw_opts_data)
-            %i{value type required}.each { |f| self[f] = raw_opts_data[f] }
+            %i{value type required sensitive}.each { |f| self[f] = raw_opts_data[f] }
           end
         end
       end

data/lib/inspec/run_data/result.rb

@@ -8,6 +8,7 @@ module Inspec
       :run_time,            # Float seconds execution time
       :skip_message,        # String
       :start_time,          # DateTime
+      :resource_params,     # What is passed to the resource as a raw grep
       :status, # String
       :resource_title, # Ugly internals
       # :waiver_data,       # Undocumented tramp data / not exposed in this API
@@ -34,6 +35,7 @@ module Inspec
         end
 
         self.resource_name = raw_res_data[:resource_title].instance_variable_get(:@__resource_name__)&.to_s
+        self.resource_params = raw_res_data[:resource_title].instance_variable_get(:@grep)&.to_s
       end
     end
   end

data/lib/inspec/schema.rb

@@ -56,6 +56,7 @@ module Inspec
         "code_desc" => { "type" => "string" },
         "run_time" => { "type" => "number" },
         "start_time" => { "type" => "string" },
+        "resource_class" => { "type" => "string", "optional" => true },
         "skip_message" => { "type" => "string", "optional" => true },
         "resource" => { "type" => "string", "optional" => true },
         "message" => { "type" => "string", "optional" => true },
@@ -194,6 +195,7 @@ module Inspec
         "profile_sha256" => { "type" => "string" },
         "status" => { "type" => "string" },
         "code_desc" => { "type" => "string" },
+        "resource_class" => { "type" => "string", "optional" => true },
         "skip_message" => { "type" => "string", "optional" => true },
         "resource" => { "type" => "string", "optional" => true },
         "message" => { "type" => "string", "optional" => true },

data/lib/inspec/schema/exec_json.rb

@@ -74,7 +74,7 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT])
 
-      # Based loosely on https://www.inspec.io/docs/reference/profiles/ as of July 3, 2019
+      # Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
       # However, concessions were made to the reality of current reporters, specifically
       # with how description is omitted and version/inspec_version aren't as advertised online
       PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {

data/lib/inspec/shell.rb

@@ -1,4 +1,4 @@
-require "pry"
+autoload :Pry, "pry"
 
 module Inspec
   # A pry based shell for inspec. Given a runner (with a configured backend and
@@ -137,7 +137,7 @@ module Inspec
         end
 
         info += "#{mark "Web Reference:"}\n\n"
-        info += "https://www.inspec.io/docs/reference/resources/#{topic}\n\n"
+        info += "https://docs.chef.io/inspec/resources/#{topic}\n\n"
         puts info
       else
         begin
@@ -208,7 +208,7 @@ module Inspec
 
           its('content') { should_not match /^MyKey:\\s+some value/ }
 
-        For more examples, see: https://www.inspec.io/docs/reference/matchers/
+        For more examples, see: https://docs.chef.io/inspec/matchers/
 
       EOL
     end

data/lib/inspec/utils/run_data_filters.rb

@@ -0,0 +1,104 @@
+module Inspec
+  module Utils
+    #   RunDataFilters is a mixin for core Reporters and plugin reporters.
+    # The methods operate on the run_data Hash (prior to any conversion to a
+    # full RunData object).
+    #   All methods here operate using the run_data accessor and modify
+    # its contents in place (if needed).
+    module RunDataFilters
+
+      # Long name, but we want to be clear this operates on the Hash
+      # This is the only method that client libraries need to call; any future
+      # feature growth should be handled internally here.
+      def apply_run_data_filters_to_hash
+        @config[:runtime_config] = Inspec::Config.cached || {}
+        apply_report_resize_options
+        redact_sensitive_inputs
+        suppress_diff_output
+        sort_controls
+      end
+
+      # Apply options such as message truncation and removal of backtraces
+      def apply_report_resize_options
+        runtime_config = @config[:runtime_config]
+
+        message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+        @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+        include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls].each do |c|
+            c[:results]&.map! do |r|
+              r.delete(:backtrace) unless include_backtrace
+              process_message_truncation(r)
+            end
+          end
+        end
+      end
+
+      # Find any inputs with :sensitive = true and replace their values with "***"
+      def redact_sensitive_inputs
+        @run_data[:profiles]&.each do |p|
+          p[:inputs]&.each do |i|
+            next unless i[:options][:sensitive]
+
+            i[:options][:value] = "***"
+          end
+        end
+      end
+
+      # Optionally suppress diff output in the message field
+      def suppress_diff_output
+        return if @config[:runtime_config][:diff]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls]&.each do |c|
+            c[:results]&.each do |r|
+              next unless r[:message] # :message only set on failure
+
+              pos = r[:message].index("\n\nDiff:")
+              next unless pos # Only textual tests get Diffs
+
+              r[:message] = r[:message].slice(0, pos)
+            end
+          end
+        end
+      end
+
+      # Optionally sort controls within each profile in report
+      def sort_controls
+        sort_type = @config[:runtime_config][:sort_results_by]
+        return unless sort_type
+        return if sort_type == "none"
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls] ||= []
+          p[:groups] ||= []
+
+          case sort_type
+          when "control"
+            p[:controls].sort_by! { |c| c[:id] }
+          when "random"
+            p[:controls].shuffle!
+          when "file"
+            # Sort the controls by file, but preserve order within the file.
+            # Files are called "groups" in the run_data, and the filename is in the id.
+            sorted_control_ids = p[:groups].sort_by { |g| g[:id] }.map { |g| g[:controls] }.flatten
+            controls_by_id = {}
+            p[:controls].each { |c| controls_by_id[c[:id]] = c }
+            p[:controls] = sorted_control_ids.map { |cid| controls_by_id[cid] }
+          end
+        end
+      end
+
+      private
+
+      def process_message_truncation(result)
+        if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
+          result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
+        end
+        result
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.22.22".freeze
+  VERSION = "4.24.8".freeze
 end

data/lib/plugins/inspec-init/templates/profiles/aws/README.md

@@ -26,7 +26,7 @@ Creating new profile at /Users/spaterson/my-profile
 aws_vpc_id: 'custom-vpc-id'
 ```
 
-The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://www.inspec.io/docs/reference/dsl_inspec/) for more details on conditional execution using `only_if`.
+The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://docs.chef.io/inspec/dsl_inspec/) for more details on conditional execution using `only_if`.
 
 ## Run the tests
 

data/lib/plugins/inspec-reporter-html2/README.md

@@ -24,7 +24,7 @@ Note the `2` in the reporter name. If you omit it and run `--reporter html` inst
 
 ## Configuring the Plugin
 
-The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://www.inspec.io/docs/reference/config/).
+The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://docs.chef.io/inspec/config/).
 
 For example:
 

data/lib/plugins/inspec-reporter-junit/README.md

@@ -1,15 +1,17 @@
-# junit reporter
+# junit and junit2 reporters
 
-This is the implementation of the junit XML reporter.
+This is the implementation of the junit and junit2 XML reporters.
 
-## To Install This Plugin
+## Installation
 
-This plugin is included with inspec. There is no need to install it separately.
+This plugin ships with Chef InSpec and requires no additional installation.
 
-## What This Plugin Does
+## What These Plugins Do
 
-This reporter generates an XML report in Apache Ant JUnit format.
+`junit` is the legacy Chef InSpec JUnit reporter, which is retained for backwards compatibility. It generates an XML report in Apache Ant JUnit format. The output format is considered nonstandard in several ways. New users are advised to use `junit2`.
+
+`junit2` is an updated reporter that provides JUnit output according to the schema published by [Windy Road](https://github.com/windyroad/JUnit-Schema).
 
 ## Implementation Note
 
-This reporter uses the REXML XML generator, but may use more advanced XML systems for testing. This is to keep packaging requirements for CHef InSpec lightweight and free of compiled dependencies.
+This reporter uses the REXML XML generator at runtime, but uses Nokogiri, a more heavyweight XML library, for testing. This design keeps packaging requirements lightweight and free of compiled dependencies.

data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb

@@ -3,10 +3,19 @@ module InspecPlugins
   module JUnitReporter
     class Plugin < ::Inspec.plugin(2)
       plugin_name :'inspec-reporter-junit'
+
+      # Legacy JUnit reporter, which generates subtly incorrect XML.
       reporter :junit do
         require_relative "inspec-reporter-junit/reporter"
-        InspecPlugins::JUnitReporter::Reporter
+        InspecPlugins::JUnitReporter::ReporterV1
       end
+
+      # v2 reporter, which generates valid JUnit XML.
+      reporter :junit2 do
+        require_relative "inspec-reporter-junit/reporter"
+        InspecPlugins::JUnitReporter::ReporterV2
+      end
+
     end
   end
 end

data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb

@@ -12,8 +12,8 @@ module InspecPlugins::JUnitReporter
       testsuites = REXML::Element.new("testsuites")
       xml_output.add(testsuites)
 
-      run_data.profiles.each do |profile|
-        testsuites.add(build_profile_xml(profile))
+      run_data.profiles.each_with_index do |profile, idx|
+        testsuites.add(build_profile_xml(profile, idx))
       end
 
       formatter = REXML::Formatters::Pretty.new
@@ -22,7 +22,42 @@ module InspecPlugins::JUnitReporter
       output(formatter.write(xml_output.root, ""))
     end
 
-    def build_profile_xml(profile)
+    def count_profile_tests(profile)
+      profile.controls.reduce(0) do |acc, elem|
+        acc + elem.results.count
+      end
+    end
+
+    def count_profile_failed_tests(profile)
+      profile.controls.reduce(0) do |acc, elem|
+        acc + elem.results.reduce(0) do |fail_test_total, test_case|
+          test_case.status == "failed" ? fail_test_total + 1 : fail_test_total
+        end
+      end
+    end
+
+    def count_profile_skipped_tests(profile)
+      profile.controls.reduce(0) do |acc, elem|
+        acc + elem.results.reduce(0) do |skip_test_total, test_case|
+          test_case.status == "skipped" ? skip_test_total + 1 : skip_test_total
+        end
+      end
+    end
+
+    def count_profile_errored_tests(profile)
+      profile.controls.reduce(0) do |acc, elem|
+        acc + elem.results.reduce(0) do |err_test_total, test_case|
+          test_case.backtrace.nil? ? err_test_total : err_test_total + 1
+        end
+      end
+    end
+  end
+
+  # This is the "Legacy" JUnit reporter. It produces XML which is not
+  # correct according to the JUnit standard. It is retained for backwards
+  # compatibility.
+  class ReporterV1 < Reporter
+    def build_profile_xml(profile, _idx)
       profile_xml = REXML::Element.new("testsuite")
       profile_xml.add_attribute("name", profile.name)
       profile_xml.add_attribute("tests", count_profile_tests(profile))
@@ -55,19 +90,66 @@ module InspecPlugins::JUnitReporter
 
       result_xml
     end
+  end
 
-    def count_profile_tests(profile)
-      profile.controls.reduce(0) do |acc, elem|
-        acc + elem.results.count
+  # This is the "Corrected" JUnit reporter. It produces XML which is intended
+  # to be valid. It should be used whenever possible.
+  class ReporterV2 < Reporter
+    def build_profile_xml(profile, idx)
+      profile_xml = REXML::Element.new("testsuite")
+      profile_xml.add_attribute("name", profile.name)
+      profile_xml.add_attribute("tests", count_profile_tests(profile))
+      profile_xml.add_attribute("id", idx + 1)
+
+      # junit2 counts failures and errors separately
+      errors = count_profile_errored_tests(profile)
+      profile_xml.add_attribute("errors", errors)
+      profile_xml.add_attribute("failures", count_profile_failed_tests(profile) - errors)
+      profile_xml.add_attribute("skipped", count_profile_skipped_tests(profile))
+
+      profile_xml.add_attribute("hostname", run_data.platform.target.nil? ? "" : run_data.platform.target.to_s)
+      # Author of the schema specified 8601, then went on to add
+      # a regex that requires no TZ
+      profile_xml.add_attribute("timestamp", Time.now.iso8601.slice(0, 19))
+
+      # These are empty but are just here to satisfy the schema
+      profile_xml.add_attribute("package", "")
+      profile_xml.add(REXML::Element.new("properties"))
+
+      profile_time = 0.0
+      profile.controls.each do |control|
+        control.results.each do |result|
+          profile_time += result.run_time
+          profile_xml.add(build_result_xml(profile.name, control, result))
+        end
       end
+      profile_xml.add_attribute("time", "%.6f" % profile_time)
+
+      profile_xml.add(REXML::Element.new("system-out"))
+      profile_xml.add(REXML::Element.new("system-err"))
+
+      profile_xml
     end
 
-    def count_profile_failed_tests(profile)
-      profile.controls.reduce(0) do |acc, elem|
-        acc + elem.results.reduce(0) do |fail_test_total, test_case|
-          test_case.status == "failed" ? fail_test_total + 1 : fail_test_total
-        end
+    def build_result_xml(profile_name, control, result)
+      result_xml = REXML::Element.new("testcase")
+      result_xml.add_attribute("name", result.code_desc)
+      result_xml.add_attribute("classname", control.title.nil? ? "#{profile_name}.Anonymous" : "#{profile_name}.#{control.id}")
+
+      # <Nokogiri::XML::SyntaxError: 20:0: ERROR: Element 'testcase', attribute 'time': '4.9e-05' is not a valid value of the atomic type 'xs:decimal'.
+      # So, we format it.
+      result_xml.add_attribute("time", "%.6f" % result.run_time)
+
+      if result.status == "failed"
+        failure_element = REXML::Element.new("failure")
+        failure_element.add_attribute("message", result.message)
+        failure_element.add_attribute("type", result.resource_title&.to_s || "")
+        result_xml.add(failure_element)
+      elsif result.status == "skipped"
+        result_xml.add_element("skipped")
       end
+
+      result_xml
     end
   end
 end

data/lib/plugins/shared/core_plugin_test_helper.rb

@@ -50,22 +50,6 @@ module CorePluginFunctionalHelper
   include CorePluginBaseHelper
   include FunctionalHelper
 
-  # TODO: so much duplication! Remove everything we can!
-  require "train"
-  TRAIN_CONNECTION = Train.create("local", command_runner: :generic).connection
-
-  # TODO: remove me! it's in test/functional/helper.rb
-  def run_inspec_process(command_line, opts = {})
-    prefix = ""
-    if opts.key?(:prefix)
-      prefix = opts[:prefix]
-    elsif opts.key?(:env)
-      prefix = assemble_env_prefix opts[:env]
-    end
-
-    TRAIN_CONNECTION.run_command("#{prefix} #{exec_inspec} #{command_line}")
-  end
-
   # This helper does some fancy footwork to make InSpec think a plugin
   # under development is temporarily installed.
   # @param String command_line Invocation, without the word 'inspec'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.22.22
+  version: 4.24.8
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-26 00:00:00.000000000 Z
+date: 2020-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -33,7 +33,7 @@ dependencies:
         version: 0.2.13
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -43,7 +43,7 @@ dependencies:
         version: 0.2.13
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -64,26 +64,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: json_schemer
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.2.1
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.2.12
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.2.1
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.2.12
 - !ruby/object:Gem::Dependency
   name: method_source
   requirement: !ruby/object:Gem::Requirement
@@ -130,14 +110,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.9'
+        version: 3.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.9'
+        version: 3.9.0
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -229,6 +209,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.9.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -236,6 +219,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.9.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: tty-table
   requirement: !ruby/object:Gem::Requirement
@@ -638,6 +624,7 @@ files:
 - lib/inspec/utils/object_traversal.rb
 - lib/inspec/utils/parser.rb
 - lib/inspec/utils/pkey_reader.rb
+- lib/inspec/utils/run_data_filters.rb
 - lib/inspec/utils/simpleconfig.rb
 - lib/inspec/utils/spdx.rb
 - lib/inspec/utils/spdx.txt