inspec-core 4.22.8 → 4.23.15
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +2 -1
- data/inspec-core.gemspec +3 -5
- data/lib/bundles/inspec-supermarket/cli.rb +1 -1
- data/lib/inspec/base_cli.rb +11 -1
- data/lib/inspec/cli.rb +4 -2
- data/lib/inspec/config.rb +19 -1
- data/lib/inspec/input.rb +4 -3
- data/lib/inspec/input_registry.rb +7 -1
- data/lib/inspec/plugin/v2/plugin_types/reporter.rb +4 -31
- data/lib/inspec/reporters.rb +0 -3
- data/lib/inspec/reporters/automate.rb +3 -3
- data/lib/inspec/reporters/base.rb +7 -29
- data/lib/inspec/resources/apt.rb +5 -5
- data/lib/inspec/resources/bridge.rb +1 -1
- data/lib/inspec/resources/host.rb +1 -1
- data/lib/inspec/resources/mysql_session.rb +9 -5
- data/lib/inspec/resources/postgres.rb +1 -1
- data/lib/inspec/resources/postgres_session.rb +5 -3
- data/lib/inspec/resources/processes.rb +1 -1
- data/lib/inspec/resources/windows_firewall.rb +110 -0
- data/lib/inspec/resources/windows_firewall_rule.rb +137 -0
- data/lib/inspec/rule.rb +8 -8
- data/lib/inspec/run_data/profile.rb +3 -2
- data/lib/inspec/schema/exec_json.rb +1 -1
- data/lib/inspec/shell.rb +3 -3
- data/lib/inspec/utils/parser.rb +1 -1
- data/lib/inspec/utils/run_data_filters.rb +104 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +4 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +1 -1
- data/lib/plugins/inspec-reporter-html2/README.md +1 -1
- data/lib/plugins/inspec-reporter-junit/README.md +17 -0
- data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb +21 -0
- data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb +155 -0
- data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/version.rb +5 -0
- data/lib/plugins/shared/core_plugin_test_helper.rb +0 -16
- metadata +17 -34
- data/README.md +0 -474
- data/lib/inspec/reporters/junit.rb +0 -77
data/lib/inspec/version.rb
CHANGED
@@ -22,7 +22,7 @@ module InspecPlugins
|
|
22
22
|
# return all compliance profiles available for the user
|
23
23
|
# the user is either specified in the options hash or by default
|
24
24
|
# the username of the account is used that is logged in
|
25
|
-
def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
|
25
|
+
def self.profiles(config, profile_filter = nil) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
|
26
26
|
owner = config["owner"] || config["user"]
|
27
27
|
|
28
28
|
# Chef Compliance
|
@@ -81,13 +81,13 @@ module InspecPlugins
|
|
81
81
|
mapped_profiles.select! do |p|
|
82
82
|
(!ver || p["version"] == ver) && (!id || p["name"] == id)
|
83
83
|
end
|
84
|
-
|
84
|
+
[msg, mapped_profiles]
|
85
85
|
when "401"
|
86
86
|
msg = "401 Unauthorized. Please check your token."
|
87
|
-
|
87
|
+
[msg, []]
|
88
88
|
else
|
89
89
|
msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
|
90
|
-
|
90
|
+
[msg, []]
|
91
91
|
end
|
92
92
|
end
|
93
93
|
|
@@ -126,7 +126,7 @@ module InspecPlugins
|
|
126
126
|
desc: "Overwrite existing profile on Server."
|
127
127
|
option :owner, type: :string, required: false,
|
128
128
|
desc: "Owner that should own the profile"
|
129
|
-
def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
|
129
|
+
def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
|
130
130
|
config = InspecPlugins::Compliance::Configuration.new
|
131
131
|
return unless loggedin(config)
|
132
132
|
|
@@ -26,7 +26,7 @@ Creating new profile at /Users/spaterson/my-profile
|
|
26
26
|
aws_vpc_id: 'custom-vpc-id'
|
27
27
|
```
|
28
28
|
|
29
|
-
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://
|
29
|
+
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://docs.chef.io/inspec/dsl_inspec/) for more details on conditional execution using `only_if`.
|
30
30
|
|
31
31
|
## Run the tests
|
32
32
|
|
@@ -24,7 +24,7 @@ Note the `2` in the reporter name. If you omit it and run `--reporter html` inst
|
|
24
24
|
|
25
25
|
## Configuring the Plugin
|
26
26
|
|
27
|
-
The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://
|
27
|
+
The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://docs.chef.io/inspec/config/).
|
28
28
|
|
29
29
|
For example:
|
30
30
|
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# junit and junit2 reporters
|
2
|
+
|
3
|
+
This is the implementation of the junit and junit2 XML reporters.
|
4
|
+
|
5
|
+
## Installation
|
6
|
+
|
7
|
+
This plugin ships with Chef InSpec and requires no additional installation.
|
8
|
+
|
9
|
+
## What These Plugins Do
|
10
|
+
|
11
|
+
`junit` is the legacy Chef InSpec JUnit reporter, which is retained for backwards compatibility. It generates an XML report in Apache Ant JUnit format. The output format is considered nonstandard in several ways. New users are advised to use `junit2`.
|
12
|
+
|
13
|
+
`junit2` is an updated reporter that provides JUnit output according to the schema published by [Windy Road](https://github.com/windyroad/JUnit-Schema).
|
14
|
+
|
15
|
+
## Implementation Note
|
16
|
+
|
17
|
+
This reporter uses the REXML XML generator at runtime, but uses Nokogiri, a more heavyweight XML library, for testing. This design keeps packaging requirements lightweight and free of compiled dependencies.
|
@@ -0,0 +1,21 @@
|
|
1
|
+
require_relative "inspec-reporter-junit/version"
|
2
|
+
module InspecPlugins
|
3
|
+
module JUnitReporter
|
4
|
+
class Plugin < ::Inspec.plugin(2)
|
5
|
+
plugin_name :'inspec-reporter-junit'
|
6
|
+
|
7
|
+
# Legacy JUnit reporter, which generates subtly incorrect XML.
|
8
|
+
reporter :junit do
|
9
|
+
require_relative "inspec-reporter-junit/reporter"
|
10
|
+
InspecPlugins::JUnitReporter::ReporterV1
|
11
|
+
end
|
12
|
+
|
13
|
+
# v2 reporter, which generates valid JUnit XML.
|
14
|
+
reporter :junit2 do
|
15
|
+
require_relative "inspec-reporter-junit/reporter"
|
16
|
+
InspecPlugins::JUnitReporter::ReporterV2
|
17
|
+
end
|
18
|
+
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
@@ -0,0 +1,155 @@
|
|
1
|
+
module InspecPlugins::JUnitReporter
|
2
|
+
class Reporter < Inspec.plugin(2, :reporter)
|
3
|
+
def self.run_data_schema_constraints
|
4
|
+
"~> 0.0"
|
5
|
+
end
|
6
|
+
|
7
|
+
def render
|
8
|
+
require "rexml/document"
|
9
|
+
xml_output = REXML::Document.new
|
10
|
+
xml_output.add(REXML::XMLDecl.new)
|
11
|
+
|
12
|
+
testsuites = REXML::Element.new("testsuites")
|
13
|
+
xml_output.add(testsuites)
|
14
|
+
|
15
|
+
run_data.profiles.each_with_index do |profile, idx|
|
16
|
+
testsuites.add(build_profile_xml(profile, idx))
|
17
|
+
end
|
18
|
+
|
19
|
+
formatter = REXML::Formatters::Pretty.new
|
20
|
+
formatter.compact = true
|
21
|
+
output(formatter.write(xml_output.xml_decl, ""))
|
22
|
+
output(formatter.write(xml_output.root, ""))
|
23
|
+
end
|
24
|
+
|
25
|
+
def count_profile_tests(profile)
|
26
|
+
profile.controls.reduce(0) do |acc, elem|
|
27
|
+
acc + elem.results.count
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
def count_profile_failed_tests(profile)
|
32
|
+
profile.controls.reduce(0) do |acc, elem|
|
33
|
+
acc + elem.results.reduce(0) do |fail_test_total, test_case|
|
34
|
+
test_case.status == "failed" ? fail_test_total + 1 : fail_test_total
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
def count_profile_skipped_tests(profile)
|
40
|
+
profile.controls.reduce(0) do |acc, elem|
|
41
|
+
acc + elem.results.reduce(0) do |skip_test_total, test_case|
|
42
|
+
test_case.status == "skipped" ? skip_test_total + 1 : skip_test_total
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
def count_profile_errored_tests(profile)
|
48
|
+
profile.controls.reduce(0) do |acc, elem|
|
49
|
+
acc + elem.results.reduce(0) do |err_test_total, test_case|
|
50
|
+
test_case.backtrace.nil? ? err_test_total : err_test_total + 1
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
# This is the "Legacy" JUnit reporter. It produces XML which is not
|
57
|
+
# correct according to the JUnit standard. It is retained for backwards
|
58
|
+
# compatibility.
|
59
|
+
class ReporterV1 < Reporter
|
60
|
+
def build_profile_xml(profile, _idx)
|
61
|
+
profile_xml = REXML::Element.new("testsuite")
|
62
|
+
profile_xml.add_attribute("name", profile.name)
|
63
|
+
profile_xml.add_attribute("tests", count_profile_tests(profile))
|
64
|
+
profile_xml.add_attribute("failed", count_profile_failed_tests(profile))
|
65
|
+
profile_xml.add_attribute("failures", count_profile_failed_tests(profile))
|
66
|
+
|
67
|
+
profile.controls.each do |control|
|
68
|
+
control.results.each do |result|
|
69
|
+
profile_xml.add(build_result_xml(profile.name, control, result))
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
profile_xml
|
74
|
+
end
|
75
|
+
|
76
|
+
def build_result_xml(profile_name, control, result)
|
77
|
+
result_xml = REXML::Element.new("testcase")
|
78
|
+
result_xml.add_attribute("name", result.code_desc)
|
79
|
+
result_xml.add_attribute("classname", control.title.nil? ? "#{profile_name}.Anonymous" : "#{profile_name}.#{control.id}")
|
80
|
+
result_xml.add_attribute("target", run_data.platform.target.nil? ? "" : run_data.platform.target.to_s)
|
81
|
+
result_xml.add_attribute("time", result.run_time)
|
82
|
+
|
83
|
+
if result.status == "failed"
|
84
|
+
failure_element = REXML::Element.new("failure")
|
85
|
+
failure_element.add_attribute("message", result[:message])
|
86
|
+
result_xml.add(failure_element)
|
87
|
+
elsif result.status == "skipped"
|
88
|
+
result_xml.add_element("skipped")
|
89
|
+
end
|
90
|
+
|
91
|
+
result_xml
|
92
|
+
end
|
93
|
+
end
|
94
|
+
|
95
|
+
# This is the "Corrected" JUnit reporter. It produces XML which is intended
|
96
|
+
# to be valid. It should be used whenever possible.
|
97
|
+
class ReporterV2 < Reporter
|
98
|
+
def build_profile_xml(profile, idx)
|
99
|
+
profile_xml = REXML::Element.new("testsuite")
|
100
|
+
profile_xml.add_attribute("name", profile.name)
|
101
|
+
profile_xml.add_attribute("tests", count_profile_tests(profile))
|
102
|
+
profile_xml.add_attribute("id", idx + 1)
|
103
|
+
|
104
|
+
# junit2 counts failures and errors separately
|
105
|
+
errors = count_profile_errored_tests(profile)
|
106
|
+
profile_xml.add_attribute("errors", errors)
|
107
|
+
profile_xml.add_attribute("failures", count_profile_failed_tests(profile) - errors)
|
108
|
+
profile_xml.add_attribute("skipped", count_profile_skipped_tests(profile))
|
109
|
+
|
110
|
+
profile_xml.add_attribute("hostname", run_data.platform.target.nil? ? "" : run_data.platform.target.to_s)
|
111
|
+
# Author of the schema specified 8601, then went on to add
|
112
|
+
# a regex that requires no TZ
|
113
|
+
profile_xml.add_attribute("timestamp", Time.now.iso8601.slice(0, 19))
|
114
|
+
|
115
|
+
# These are empty but are just here to satisfy the schema
|
116
|
+
profile_xml.add_attribute("package", "")
|
117
|
+
profile_xml.add(REXML::Element.new("properties"))
|
118
|
+
|
119
|
+
profile_time = 0.0
|
120
|
+
profile.controls.each do |control|
|
121
|
+
control.results.each do |result|
|
122
|
+
profile_time += result.run_time
|
123
|
+
profile_xml.add(build_result_xml(profile.name, control, result))
|
124
|
+
end
|
125
|
+
end
|
126
|
+
profile_xml.add_attribute("time", "%.6f" % profile_time)
|
127
|
+
|
128
|
+
profile_xml.add(REXML::Element.new("system-out"))
|
129
|
+
profile_xml.add(REXML::Element.new("system-err"))
|
130
|
+
|
131
|
+
profile_xml
|
132
|
+
end
|
133
|
+
|
134
|
+
def build_result_xml(profile_name, control, result)
|
135
|
+
result_xml = REXML::Element.new("testcase")
|
136
|
+
result_xml.add_attribute("name", result.code_desc)
|
137
|
+
result_xml.add_attribute("classname", control.title.nil? ? "#{profile_name}.Anonymous" : "#{profile_name}.#{control.id}")
|
138
|
+
|
139
|
+
# <Nokogiri::XML::SyntaxError: 20:0: ERROR: Element 'testcase', attribute 'time': '4.9e-05' is not a valid value of the atomic type 'xs:decimal'.
|
140
|
+
# So, we format it.
|
141
|
+
result_xml.add_attribute("time", "%.6f" % result.run_time)
|
142
|
+
|
143
|
+
if result.status == "failed"
|
144
|
+
failure_element = REXML::Element.new("failure")
|
145
|
+
failure_element.add_attribute("message", result.message)
|
146
|
+
failure_element.add_attribute("type", result.resource_title&.to_s || "")
|
147
|
+
result_xml.add(failure_element)
|
148
|
+
elsif result.status == "skipped"
|
149
|
+
result_xml.add_element("skipped")
|
150
|
+
end
|
151
|
+
|
152
|
+
result_xml
|
153
|
+
end
|
154
|
+
end
|
155
|
+
end
|
@@ -50,22 +50,6 @@ module CorePluginFunctionalHelper
|
|
50
50
|
include CorePluginBaseHelper
|
51
51
|
include FunctionalHelper
|
52
52
|
|
53
|
-
# TODO: so much duplication! Remove everything we can!
|
54
|
-
require "train"
|
55
|
-
TRAIN_CONNECTION = Train.create("local", command_runner: :generic).connection
|
56
|
-
|
57
|
-
# TODO: remove me! it's in test/functional/helper.rb
|
58
|
-
def run_inspec_process(command_line, opts = {})
|
59
|
-
prefix = ""
|
60
|
-
if opts.key?(:prefix)
|
61
|
-
prefix = opts[:prefix]
|
62
|
-
elsif opts.key?(:env)
|
63
|
-
prefix = assemble_env_prefix opts[:env]
|
64
|
-
end
|
65
|
-
|
66
|
-
TRAIN_CONNECTION.run_command("#{prefix} #{exec_inspec} #{command_line}")
|
67
|
-
end
|
68
|
-
|
69
53
|
# This helper does some fancy footwork to make InSpec think a plugin
|
70
54
|
# under development is temporarily installed.
|
71
55
|
# @param String command_line Invocation, without the word 'inspec'
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.23.15
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-10-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -33,7 +33,7 @@ dependencies:
|
|
33
33
|
version: 0.2.13
|
34
34
|
- - "<"
|
35
35
|
- !ruby/object:Gem::Version
|
36
|
-
version: '
|
36
|
+
version: '3.0'
|
37
37
|
type: :runtime
|
38
38
|
prerelease: false
|
39
39
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -43,7 +43,7 @@ dependencies:
|
|
43
43
|
version: 0.2.13
|
44
44
|
- - "<"
|
45
45
|
- !ruby/object:Gem::Version
|
46
|
-
version: '
|
46
|
+
version: '3.0'
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
name: thor
|
49
49
|
requirement: !ruby/object:Gem::Requirement
|
@@ -229,6 +229,9 @@ dependencies:
|
|
229
229
|
- - ">="
|
230
230
|
- !ruby/object:Gem::Version
|
231
231
|
version: 0.9.0
|
232
|
+
- - "<"
|
233
|
+
- !ruby/object:Gem::Version
|
234
|
+
version: '1.1'
|
232
235
|
type: :runtime
|
233
236
|
prerelease: false
|
234
237
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -236,6 +239,9 @@ dependencies:
|
|
236
239
|
- - ">="
|
237
240
|
- !ruby/object:Gem::Version
|
238
241
|
version: 0.9.0
|
242
|
+
- - "<"
|
243
|
+
- !ruby/object:Gem::Version
|
244
|
+
version: '1.1'
|
239
245
|
- !ruby/object:Gem::Dependency
|
240
246
|
name: tty-table
|
241
247
|
requirement: !ruby/object:Gem::Requirement
|
@@ -320,20 +326,6 @@ dependencies:
|
|
320
326
|
- - "~>"
|
321
327
|
- !ruby/object:Gem::Version
|
322
328
|
version: '3.0'
|
323
|
-
- !ruby/object:Gem::Dependency
|
324
|
-
name: htmlentities
|
325
|
-
requirement: !ruby/object:Gem::Requirement
|
326
|
-
requirements:
|
327
|
-
- - "~>"
|
328
|
-
- !ruby/object:Gem::Version
|
329
|
-
version: '4.3'
|
330
|
-
type: :runtime
|
331
|
-
prerelease: false
|
332
|
-
version_requirements: !ruby/object:Gem::Requirement
|
333
|
-
requirements:
|
334
|
-
- - "~>"
|
335
|
-
- !ruby/object:Gem::Version
|
336
|
-
version: '4.3'
|
337
329
|
- !ruby/object:Gem::Dependency
|
338
330
|
name: multipart-post
|
339
331
|
requirement: !ruby/object:Gem::Requirement
|
@@ -348,20 +340,6 @@ dependencies:
|
|
348
340
|
- - "~>"
|
349
341
|
- !ruby/object:Gem::Version
|
350
342
|
version: '2.0'
|
351
|
-
- !ruby/object:Gem::Dependency
|
352
|
-
name: term-ansicolor
|
353
|
-
requirement: !ruby/object:Gem::Requirement
|
354
|
-
requirements:
|
355
|
-
- - "~>"
|
356
|
-
- !ruby/object:Gem::Version
|
357
|
-
version: '1.7'
|
358
|
-
type: :runtime
|
359
|
-
prerelease: false
|
360
|
-
version_requirements: !ruby/object:Gem::Requirement
|
361
|
-
requirements:
|
362
|
-
- - "~>"
|
363
|
-
- !ruby/object:Gem::Version
|
364
|
-
version: '1.7'
|
365
343
|
- !ruby/object:Gem::Dependency
|
366
344
|
name: train-core
|
367
345
|
requirement: !ruby/object:Gem::Requirement
|
@@ -389,7 +367,6 @@ extra_rdoc_files: []
|
|
389
367
|
files:
|
390
368
|
- Gemfile
|
391
369
|
- LICENSE
|
392
|
-
- README.md
|
393
370
|
- etc/deprecations.json
|
394
371
|
- etc/plugin_filters.json
|
395
372
|
- inspec-core.gemspec
|
@@ -489,7 +466,6 @@ files:
|
|
489
466
|
- lib/inspec/reporters/cli.rb
|
490
467
|
- lib/inspec/reporters/json.rb
|
491
468
|
- lib/inspec/reporters/json_automate.rb
|
492
|
-
- lib/inspec/reporters/junit.rb
|
493
469
|
- lib/inspec/reporters/yaml.rb
|
494
470
|
- lib/inspec/require_loader.rb
|
495
471
|
- lib/inspec/resource.rb
|
@@ -607,6 +583,8 @@ files:
|
|
607
583
|
- lib/inspec/resources/vbscript.rb
|
608
584
|
- lib/inspec/resources/virtualization.rb
|
609
585
|
- lib/inspec/resources/windows_feature.rb
|
586
|
+
- lib/inspec/resources/windows_firewall.rb
|
587
|
+
- lib/inspec/resources/windows_firewall_rule.rb
|
610
588
|
- lib/inspec/resources/windows_hotfix.rb
|
611
589
|
- lib/inspec/resources/windows_registry_key.rb
|
612
590
|
- lib/inspec/resources/windows_task.rb
|
@@ -666,6 +644,7 @@ files:
|
|
666
644
|
- lib/inspec/utils/object_traversal.rb
|
667
645
|
- lib/inspec/utils/parser.rb
|
668
646
|
- lib/inspec/utils/pkey_reader.rb
|
647
|
+
- lib/inspec/utils/run_data_filters.rb
|
669
648
|
- lib/inspec/utils/simpleconfig.rb
|
670
649
|
- lib/inspec/utils/spdx.rb
|
671
650
|
- lib/inspec/utils/spdx.txt
|
@@ -746,6 +725,10 @@ files:
|
|
746
725
|
- lib/plugins/inspec-reporter-json-min/lib/inspec-reporter-json-min.rb
|
747
726
|
- lib/plugins/inspec-reporter-json-min/lib/inspec-reporter-json-min/reporter.rb
|
748
727
|
- lib/plugins/inspec-reporter-json-min/lib/inspec-reporter-json-min/version.rb
|
728
|
+
- lib/plugins/inspec-reporter-junit/README.md
|
729
|
+
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb
|
730
|
+
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb
|
731
|
+
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/version.rb
|
749
732
|
- lib/plugins/shared/core_plugin_test_helper.rb
|
750
733
|
- lib/plugins/things-for-train-integration.rb
|
751
734
|
- lib/source_readers/flat.rb
|
data/README.md
DELETED
@@ -1,474 +0,0 @@
|
|
1
|
-
# Chef InSpec: Inspect Your Infrastructure
|
2
|
-
|
3
|
-
* **Project State: Active**
|
4
|
-
* **Issues Response SLA: 14 business days**
|
5
|
-
* **Pull Request Response SLA: 14 business days**
|
6
|
-
|
7
|
-
For more information on project states and SLAs, see [this documentation](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md).
|
8
|
-
|
9
|
-
[![Slack](https://community-slack.chef.io/badge.svg)](https://community-slack.chef.io/)
|
10
|
-
[![Build status](https://badge.buildkite.com/bf4c5fdc3858cc9f8c8bab8376e8e40d625ad046df9d4d8619.svg?branch=master)](https://buildkite.com/chef-oss/inspec-inspec-master-verify)
|
11
|
-
[![Coverage Status](https://coveralls.io/repos/github/inspec/inspec/badge.svg?branch=master)](https://coveralls.io/github/inspec/inspec?branch=master)
|
12
|
-
|
13
|
-
Chef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
|
14
|
-
|
15
|
-
```ruby
|
16
|
-
# Disallow insecure protocols by testing
|
17
|
-
|
18
|
-
describe package('telnetd') do
|
19
|
-
it { should_not be_installed }
|
20
|
-
end
|
21
|
-
|
22
|
-
describe inetd_conf do
|
23
|
-
its("telnet") { should eq nil }
|
24
|
-
end
|
25
|
-
```
|
26
|
-
|
27
|
-
Chef InSpec makes it easy to run your tests wherever you need. More options are found in our [CLI docs](https://www.inspec.io/docs/reference/cli/).
|
28
|
-
|
29
|
-
```bash
|
30
|
-
# run test locally
|
31
|
-
inspec exec test.rb
|
32
|
-
|
33
|
-
# run test on remote host via SSH
|
34
|
-
inspec exec test.rb -t ssh://user@hostname -i /path/to/key
|
35
|
-
|
36
|
-
# run test on remote host using SSH agent private key authentication. Requires Chef InSpec 1.7.1
|
37
|
-
inspec exec test.rb -t ssh://user@hostname
|
38
|
-
|
39
|
-
# run test on remote windows host via WinRM
|
40
|
-
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
|
41
|
-
|
42
|
-
# run test on remote windows host via WinRM as a domain user
|
43
|
-
inspec exec test.rb -t winrm://windowshost --user 'UserName@domain' --password 'your-password'
|
44
|
-
|
45
|
-
# run test on docker container
|
46
|
-
inspec exec test.rb -t docker://container_id
|
47
|
-
```
|
48
|
-
|
49
|
-
# Features
|
50
|
-
|
51
|
-
- Built-in Compliance: Compliance no longer occurs at the end of the release cycle
|
52
|
-
- Targeted Tests: Chef InSpec writes tests that specifically target compliance issues
|
53
|
-
- Metadata: Includes the metadata required by security and compliance pros
|
54
|
-
- Easy Testing: Includes a command-line interface to run tests quickly
|
55
|
-
|
56
|
-
## Installation
|
57
|
-
|
58
|
-
Chef InSpec requires Ruby ( >= 2.4 ).
|
59
|
-
|
60
|
-
Note: Versions of Chef InSpec 4.0 and later require accepting the EULA to use. Please visit the [license acceptance page](https://docs.chef.io/chef_license_accept.html) on the Chef docs site for more information.
|
61
|
-
|
62
|
-
### Install as package
|
63
|
-
|
64
|
-
The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [Chef InSpec Downloads](https://downloads.chef.io/inspec) or install Chef InSpec via script:
|
65
|
-
|
66
|
-
```
|
67
|
-
# RedHat, Ubuntu, and macOS
|
68
|
-
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
|
69
|
-
|
70
|
-
# Windows
|
71
|
-
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec
|
72
|
-
```
|
73
|
-
|
74
|
-
### Install it via rubygems.org
|
75
|
-
|
76
|
-
When installing from source, gem dependencies may require ruby build tools to be installed.
|
77
|
-
|
78
|
-
For CentOS/RedHat/Fedora:
|
79
|
-
|
80
|
-
```bash
|
81
|
-
yum -y install ruby ruby-devel make gcc gcc-c++
|
82
|
-
```
|
83
|
-
|
84
|
-
For Ubuntu:
|
85
|
-
|
86
|
-
```bash
|
87
|
-
apt-get -y install ruby ruby-dev gcc g++ make
|
88
|
-
```
|
89
|
-
|
90
|
-
To install the `inspec` executable, which requires accepting the [Chef License](https://docs.chef.io/chef_license_accept.html), run:
|
91
|
-
|
92
|
-
```bash
|
93
|
-
gem install inspec-bin
|
94
|
-
```
|
95
|
-
|
96
|
-
You may also use `inspec` as a library, with no executable. This does not require accepting the license. To install the library as a gem, run:
|
97
|
-
|
98
|
-
```bash
|
99
|
-
gem install inspec
|
100
|
-
```
|
101
|
-
|
102
|
-
|
103
|
-
### Usage via Docker
|
104
|
-
|
105
|
-
Download the image and define a function for convenience:
|
106
|
-
|
107
|
-
For Linux:
|
108
|
-
|
109
|
-
```
|
110
|
-
docker pull chef/inspec
|
111
|
-
function inspec { docker run -it --rm -v $(pwd):/share chef/inspec "$@"; }
|
112
|
-
```
|
113
|
-
|
114
|
-
For Windows (PowerShell):
|
115
|
-
|
116
|
-
```
|
117
|
-
docker pull chef/inspec
|
118
|
-
function inspec { docker run -it --rm -v "$(pwd):/share" chef/inspec $args; }
|
119
|
-
```
|
120
|
-
|
121
|
-
If you call `inspec` from your shell, it automatically mounts the current directory into the Docker container. Therefore you can easily use local tests and key files. Note: Only files in the current directory and sub-directories are available within the container.
|
122
|
-
|
123
|
-
```
|
124
|
-
$ ls -1
|
125
|
-
vagrant
|
126
|
-
test.rb
|
127
|
-
|
128
|
-
$ inspec exec test.rb -t ssh://root@192.168.64.2:11022 -i vagrant
|
129
|
-
..
|
130
|
-
|
131
|
-
Finished in 0.04321 seconds (files took 0.54917 seconds to load)
|
132
|
-
2 examples, 0 failures
|
133
|
-
```
|
134
|
-
|
135
|
-
|
136
|
-
### Install it from source
|
137
|
-
|
138
|
-
Note that installing from OS packages from [the download page](https://downloads.chef.io) is the preferred method.
|
139
|
-
|
140
|
-
That requires [bundler](http://bundler.io/):
|
141
|
-
|
142
|
-
```bash
|
143
|
-
bundle install
|
144
|
-
bundle exec inspec help
|
145
|
-
```
|
146
|
-
|
147
|
-
To install it as a gem locally, run:
|
148
|
-
|
149
|
-
```bash
|
150
|
-
gem build inspec.gemspec
|
151
|
-
gem install inspec-*.gem
|
152
|
-
```
|
153
|
-
|
154
|
-
On Windows, you need to install [Ruby](http://rubyinstaller.org/downloads/) with [Ruby Development Kit](https://github.com/oneclick/rubyinstaller/wiki/Development-Kit) to build dependencies with its native extensions.
|
155
|
-
|
156
|
-
### Install via Chef Habitat
|
157
|
-
|
158
|
-
Currently, this method of installation only supports Linux. See the [Chef Habitat site](https://www.habitat.sh/) for more information.
|
159
|
-
|
160
|
-
Download the `hab` binary from the [Chef Habitat](https://www.habitat.sh/docs/get-habitat/) site.
|
161
|
-
|
162
|
-
```bash
|
163
|
-
hab pkg install chef/inspec --binlink
|
164
|
-
|
165
|
-
inspec
|
166
|
-
```
|
167
|
-
|
168
|
-
### Run Chef InSpec
|
169
|
-
|
170
|
-
You should now be able to run:
|
171
|
-
|
172
|
-
```bash
|
173
|
-
$ inspec --help
|
174
|
-
Commands:
|
175
|
-
inspec archive PATH # archive a profile to tar.gz (default) ...
|
176
|
-
inspec check PATH # verify all tests at the specified PATH
|
177
|
-
inspec compliance SUBCOMMAND ... # Chef Compliance commands
|
178
|
-
inspec detect # detect the target OS
|
179
|
-
inspec exec PATH(S) # run all test files at the specified PATH.
|
180
|
-
inspec help [COMMAND] # Describe available commands or one spe...
|
181
|
-
inspec init TEMPLATE ... # Scaffolds a new project
|
182
|
-
inspec json PATH # read all tests in PATH and generate a ...
|
183
|
-
inspec shell # open an interactive debugging shell
|
184
|
-
inspec supermarket SUBCOMMAND ... # Supermarket commands
|
185
|
-
inspec version # prints the version of this tool
|
186
|
-
|
187
|
-
Options:
|
188
|
-
[--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations)
|
189
|
-
```
|
190
|
-
|
191
|
-
# Examples
|
192
|
-
|
193
|
-
* Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.
|
194
|
-
|
195
|
-
```ruby
|
196
|
-
describe port(80) do
|
197
|
-
it { should_not be_listening }
|
198
|
-
end
|
199
|
-
|
200
|
-
describe port(443) do
|
201
|
-
it { should be_listening }
|
202
|
-
its('protocols') {should include 'tcp'}
|
203
|
-
end
|
204
|
-
```
|
205
|
-
|
206
|
-
* Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
|
207
|
-
|
208
|
-
```ruby
|
209
|
-
describe sshd_config do
|
210
|
-
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
|
211
|
-
end
|
212
|
-
```
|
213
|
-
|
214
|
-
* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver. The %w() formatting will
|
215
|
-
pass rubocop linting and allow you to access nested mappings.
|
216
|
-
|
217
|
-
```ruby
|
218
|
-
describe yaml('.kitchen.yml') do
|
219
|
-
its(%w(driver name)) { should eq('vagrant') }
|
220
|
-
end
|
221
|
-
```
|
222
|
-
|
223
|
-
Also have a look at our examples for:
|
224
|
-
- [Using Chef InSpec with Test Kitchen & Chef Infra](https://github.com/chef/inspec/tree/master/examples/kitchen-chef)
|
225
|
-
- [Using Chef InSpec with Test Kitchen & Puppet](https://github.com/chef/inspec/tree/master/examples/kitchen-puppet)
|
226
|
-
- [Using Chef InSpec with Test Kitchen & Ansible](https://github.com/chef/inspec/tree/master/examples/kitchen-ansible)
|
227
|
-
- [Implementing an Chef InSpec profile](https://github.com/chef/inspec/tree/master/examples/profile)
|
228
|
-
|
229
|
-
## Or tests: Testing for a OR b
|
230
|
-
|
231
|
-
* Using describe.one, you can test for a or b. The control will be marked as passing if EITHER condition is met.
|
232
|
-
|
233
|
-
```ruby
|
234
|
-
control 'or-test' do
|
235
|
-
impact 1.0
|
236
|
-
title 'This is a OR test'
|
237
|
-
describe.one do
|
238
|
-
describe ssh_config do
|
239
|
-
its('Protocol') { should eq('3') }
|
240
|
-
end
|
241
|
-
describe ssh_config do
|
242
|
-
its('Protocol') { should eq('2') }
|
243
|
-
end
|
244
|
-
end
|
245
|
-
end
|
246
|
-
```
|
247
|
-
|
248
|
-
## Command Line Usage
|
249
|
-
|
250
|
-
### exec
|
251
|
-
|
252
|
-
Run tests against different targets:
|
253
|
-
|
254
|
-
```bash
|
255
|
-
# run test locally
|
256
|
-
inspec exec test.rb
|
257
|
-
|
258
|
-
# run test on remote host on SSH
|
259
|
-
inspec exec test.rb -t ssh://user@hostname
|
260
|
-
|
261
|
-
# run test on remote windows host on WinRM
|
262
|
-
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
|
263
|
-
|
264
|
-
# run test on docker container
|
265
|
-
inspec exec test.rb -t docker://container_id
|
266
|
-
|
267
|
-
# run with sudo
|
268
|
-
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...] [--sudo_command ...]
|
269
|
-
|
270
|
-
# run in a subshell
|
271
|
-
inspec exec test.rb --shell [--shell-options ...] [--shell-command ...]
|
272
|
-
|
273
|
-
# run a profile targeting AWS using env vars
|
274
|
-
inspec exec test.rb -t aws://
|
275
|
-
|
276
|
-
# or store your AWS credentials in your ~/.aws/credentials profiles file
|
277
|
-
inspec exec test.rb -t aws://us-east-2/my-profile
|
278
|
-
|
279
|
-
# run a profile targeting Azure using env vars
|
280
|
-
inspec exec test.rb -t azure://
|
281
|
-
|
282
|
-
# or store your Azure credentials in your ~/.azure/credentials profiles file
|
283
|
-
inspec exec test.rb -t azure://subscription_id
|
284
|
-
```
|
285
|
-
|
286
|
-
### detect
|
287
|
-
|
288
|
-
Verify your configuration and detect
|
289
|
-
|
290
|
-
```bash
|
291
|
-
id=$( docker run -dti ubuntu:14.04 /bin/bash )
|
292
|
-
inspec detect -t docker://$id
|
293
|
-
```
|
294
|
-
|
295
|
-
Which will provide you with:
|
296
|
-
|
297
|
-
```
|
298
|
-
{"family":"ubuntu","release":"14.04","arch":null}
|
299
|
-
```
|
300
|
-
|
301
|
-
## Supported OS
|
302
|
-
|
303
|
-
Remote Targets
|
304
|
-
|
305
|
-
| Platform | Versions | Architectures |
|
306
|
-
| ---------------------------- | ------------------------------------------------ | ------------- |
|
307
|
-
| AIX | 6.1, 7.1, 7.2 | ppc64 |
|
308
|
-
| CentOS | 5, 6, 7 | i386, x86_64 |
|
309
|
-
| Debian | 7, 8, 9 | i386, x86_64 |
|
310
|
-
| FreeBSD | 9, 10, 11 | i386, amd64 |
|
311
|
-
| Mac OS X | 10.9, 10.10, 10.11, 10.12, 10.13, 10.14 | x86_64 |
|
312
|
-
| Oracle Enterprise Linux | 5, 6, 7 | i386, x86_64 |
|
313
|
-
| Red Hat Enterprise Linux | 5, 6, 7 | i386, x86_64 |
|
314
|
-
| Solaris | 10, 11 | sparc, x86 |
|
315
|
-
| Windows\* | 8, 8.1, 10, 2012, 2012R2, 2016 | x86, x86_64 |
|
316
|
-
| Ubuntu Linux | | x86, x86_64 |
|
317
|
-
| SUSE Linux Enterprise Server | 11, 12 | x86_64 |
|
318
|
-
| Scientific Linux | 5.x, 6.x and 7.x | i386, x86_64 |
|
319
|
-
| Fedora | | x86_64 |
|
320
|
-
| OpenSUSE | 13, 42 | x86_64 |
|
321
|
-
| OmniOS | | x86_64 |
|
322
|
-
| Gentoo Linux | | x86_64 |
|
323
|
-
| Arch Linux | | x86_64 |
|
324
|
-
| HP-UX | 11.31 | ia64 |
|
325
|
-
|
326
|
-
\**For Windows, PowerShell 5.0 or above is required.*
|
327
|
-
|
328
|
-
In addition, runtime support is provided for:
|
329
|
-
|
330
|
-
| Platform | Versions | Arch |
|
331
|
-
| -------- | -------- | ------ |
|
332
|
-
| Debian | 8, 9 | x86_64 |
|
333
|
-
| RHEL | 6, 7 | x86_64 |
|
334
|
-
| Ubuntu | 12.04+ | x86_64 |
|
335
|
-
| Windows | 8+ | x86_64 |
|
336
|
-
| Windows | 2012+ | x86_64 |
|
337
|
-
|
338
|
-
## Documentation
|
339
|
-
|
340
|
-
Documentation
|
341
|
-
|
342
|
-
* https://www.inspec.io/docs/
|
343
|
-
* https://www.inspec.io/docs/reference/resources/
|
344
|
-
* https://github.com/chef/inspec/tree/master/docs
|
345
|
-
|
346
|
-
Tutorials/Blogs/Podcasts:
|
347
|
-
|
348
|
-
* https://www.inspec.io/tutorials/
|
349
|
-
|
350
|
-
Relationship to other tools (RSpec, Serverspec):
|
351
|
-
|
352
|
-
* https://www.inspec.io/docs/reference/inspec_and_friends/
|
353
|
-
|
354
|
-
## Share your Profiles
|
355
|
-
|
356
|
-
You may share your Chef InSpec Profiles in the [Tools & Plugins section](https://supermarket.chef.io/tools-directory) of the [Chef Supermarket](https://supermarket.chef.io/). [Sign in](https://supermarket.chef.io/sign-in) and [add the details of your profile](https://supermarket.chef.io/tools/new).
|
357
|
-
|
358
|
-
You may also [browse the Supermarket for shared Compliance Profiles](https://supermarket.chef.io/tools?type=compliance_profile).
|
359
|
-
|
360
|
-
## Kudos
|
361
|
-
|
362
|
-
Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)!
|
363
|
-
|
364
|
-
The AWS resources were inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian).
|
365
|
-
|
366
|
-
## Contribute
|
367
|
-
|
368
|
-
1. Fork it
|
369
|
-
1. Create your feature branch (git checkout -b my-new-feature)
|
370
|
-
1. Commit your changes (git commit -am 'Add some feature')
|
371
|
-
1. Push to the branch (git push origin my-new-feature)
|
372
|
-
1. Create new Pull Request
|
373
|
-
|
374
|
-
The Chef InSpec community and maintainers are very active and helpful. This project benefits greatly from this activity.
|
375
|
-
|
376
|
-
If you'd like to chat with the community and maintainers directly join us in the `#inspec` channel on the [Chef Community Slack](http://community-slack.chef.io/).
|
377
|
-
|
378
|
-
As a reminder, all participants are expected to follow the [Code of Conduct](https://github.com/inspec/inspec/blob/master/CODE_OF_CONDUCT.md).
|
379
|
-
|
380
|
-
[![Slack](https://community-slack.chef.io/badge.svg)](https://community-slack.chef.io/)
|
381
|
-
|
382
|
-
## Testing Chef InSpec
|
383
|
-
|
384
|
-
We offer `unit`, `integration`, and `aws` tests.
|
385
|
-
|
386
|
-
- `unit` tests ensure the intended behaviour of the implementation
|
387
|
-
- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
|
388
|
-
- `aws` tests exercise the AWS resources against real AWS accounts
|
389
|
-
|
390
|
-
### Unit tests
|
391
|
-
|
392
|
-
```bash
|
393
|
-
bundle exec rake test
|
394
|
-
```
|
395
|
-
|
396
|
-
If you like to run only one test file:
|
397
|
-
|
398
|
-
```bash
|
399
|
-
bundle exec m test/unit/resources/user_test.rb
|
400
|
-
```
|
401
|
-
|
402
|
-
You may also run a single test within a file by line number:
|
403
|
-
|
404
|
-
```bash
|
405
|
-
bundle exec m test/unit/resources/user_test.rb -l 123
|
406
|
-
```
|
407
|
-
|
408
|
-
### Integration tests
|
409
|
-
|
410
|
-
These tests download various virtual machines, to ensure Chef InSpec is working as expected across different operating systems.
|
411
|
-
|
412
|
-
These tests require the following gems:
|
413
|
-
|
414
|
-
- test-kitchen
|
415
|
-
- kitchen-dokken
|
416
|
-
- kitchen-inspec
|
417
|
-
|
418
|
-
These gems are provided via the `integration` group in the project's Gemfile.
|
419
|
-
|
420
|
-
In addition, these test require Docker to be available on your machine or a remote Docker machine configured via the standard Docker environment variables.
|
421
|
-
|
422
|
-
#### Running Integration tests
|
423
|
-
|
424
|
-
List the various test instances available:
|
425
|
-
|
426
|
-
```bash
|
427
|
-
bundle exec kitchen list
|
428
|
-
```
|
429
|
-
|
430
|
-
The platforms and test suites are configured in the `.kitchen.yml` file. Once you know which instance you wish to test, test that instance:
|
431
|
-
|
432
|
-
```bash
|
433
|
-
bundle exec kitchen test <INSTANCE_NAME>
|
434
|
-
```
|
435
|
-
|
436
|
-
You may test all instances in parallel with:
|
437
|
-
|
438
|
-
```bash
|
439
|
-
bundle exec kitchen test -c
|
440
|
-
```
|
441
|
-
|
442
|
-
### AWS Tests
|
443
|
-
|
444
|
-
Use the rake task `bundle exec rake test:aws` to test the AWS resources against a pair of real AWS accounts.
|
445
|
-
|
446
|
-
Please see [TESTING_AGAINST_AWS.md](./test/integration/aws/TESTING_AGAINST_AWS.md) for details on how to setup the needed AWS accounts to perform testing.
|
447
|
-
|
448
|
-
### Azure Tests
|
449
|
-
|
450
|
-
Use the rake task `bundle exec rake test:azure` to test the Azure resources against an Azure account.
|
451
|
-
|
452
|
-
Please see [TESTING_AGAINST_AZURE.md](./test/integration/azure/TESTING_AGAINST_AZURE.md) for details on how to setup the needed Azure accounts to perform testing.
|
453
|
-
|
454
|
-
## License
|
455
|
-
|
456
|
-
| | |
|
457
|
-
| -------------- | ----------------------------------------- |
|
458
|
-
| **Author:** | Dominik Richter (<drichter@chef.io>) |
|
459
|
-
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
|
460
|
-
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
|
461
|
-
| **Copyright:** | Copyright (c) 2017-2018 Chef Software Inc.|
|
462
|
-
| **License:** | Apache License, Version 2.0 |
|
463
|
-
|
464
|
-
Licensed under the Apache License, Version 2.0 (the "License");
|
465
|
-
you may not use this file except in compliance with the License.
|
466
|
-
You may obtain a copy of the License at
|
467
|
-
|
468
|
-
http://www.apache.org/licenses/LICENSE-2.0
|
469
|
-
|
470
|
-
Unless required by applicable law or agreed to in writing, software
|
471
|
-
distributed under the License is distributed on an "AS IS" BASIS,
|
472
|
-
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
473
|
-
See the License for the specific language governing permissions and
|
474
|
-
limitations under the License.
|