inspec-core 4.23.4 → 4.24.26
- checksums.yaml +4 -4
- data/Gemfile +16 -33
- data/inspec-core.gemspec +8 -9
- data/lib/bundles/inspec-supermarket/api.rb +2 -2
- data/lib/bundles/inspec-supermarket/target.rb +1 -1
- data/lib/inspec/archive/tar.rb +1 -1
- data/lib/inspec/archive/zip.rb +3 -3
- data/lib/inspec/base_cli.rb +7 -1
- data/lib/inspec/cached_fetcher.rb +1 -1
- data/lib/inspec/cli.rb +5 -3
- data/lib/inspec/config.rb +5 -5
- data/lib/inspec/dependencies/cache.rb +1 -1
- data/lib/inspec/env_printer.rb +2 -2
- data/lib/inspec/fetcher/git.rb +3 -3
- data/lib/inspec/fetcher/local.rb +1 -1
- data/lib/inspec/fetcher/url.rb +4 -4
- data/lib/inspec/file_provider.rb +4 -4
- data/lib/inspec/formatters/base.rb +16 -0
- data/lib/inspec/globals.rb +8 -2
- data/lib/inspec/input.rb +3 -0
- data/lib/inspec/input_registry.rb +5 -3
- data/lib/inspec/metadata.rb +1 -1
- data/lib/inspec/plugin/v1/plugins.rb +2 -2
- data/lib/inspec/plugin/v2.rb +5 -0
- data/lib/inspec/plugin/v2/config_file.rb +1 -1
- data/lib/inspec/plugin/v2/filter.rb +2 -2
- data/lib/inspec/plugin/v2/installer.rb +5 -5
- data/lib/inspec/plugin/v2/loader.rb +6 -1
- data/lib/inspec/plugin/v2/registry.rb +2 -2
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/profile_context.rb +1 -1
- data/lib/inspec/reporters/automate.rb +2 -2
- data/lib/inspec/reporters/json.rb +3 -1
- data/lib/inspec/reporters/json_automate.rb +1 -1
- data/lib/inspec/resource.rb +2 -0
- data/lib/inspec/resources.rb +5 -5
- data/lib/inspec/resources/apt.rb +6 -6
- data/lib/inspec/resources/auditd.rb +1 -1
- data/lib/inspec/resources/csv.rb +1 -1
- data/lib/inspec/resources/dh_params.rb +1 -1
- data/lib/inspec/resources/file.rb +1 -1
- data/lib/inspec/resources/grub_conf.rb +2 -1
- data/lib/inspec/resources/http.rb +1 -1
- data/lib/inspec/resources/iis_website.rb +1 -1
- data/lib/inspec/resources/interfaces.rb +1 -1
- data/lib/inspec/resources/json.rb +2 -2
- data/lib/inspec/resources/key_rsa.rb +1 -1
- data/lib/inspec/resources/mssql_session.rb +5 -1
- data/lib/inspec/resources/mysql_session.rb +1 -1
- data/lib/inspec/resources/nginx.rb +1 -1
- data/lib/inspec/resources/nginx_conf.rb +1 -1
- data/lib/inspec/resources/npm.rb +1 -1
- data/lib/inspec/resources/oracledb_session.rb +1 -1
- data/lib/inspec/resources/package.rb +1 -1
- data/lib/inspec/resources/parse_config.rb +5 -2
- data/lib/inspec/resources/platform.rb +11 -1
- data/lib/inspec/resources/port.rb +1 -1
- data/lib/inspec/resources/postgres_session.rb +1 -1
- data/lib/inspec/resources/ppa.rb +1 -1
- data/lib/inspec/resources/processes.rb +1 -1
- data/lib/inspec/resources/rabbitmq_conf.rb +1 -1
- data/lib/inspec/resources/registry_key.rb +1 -1
- data/lib/inspec/resources/sshd_config.rb +1 -1
- data/lib/inspec/resources/ssl.rb +2 -2
- data/lib/inspec/resources/toml.rb +1 -1
- data/lib/inspec/resources/vbscript.rb +1 -1
- data/lib/inspec/resources/windows_registry_key.rb +1 -1
- data/lib/inspec/resources/wmi.rb +16 -8
- data/lib/inspec/resources/x509_certificate.rb +1 -1
- data/lib/inspec/resources/xml.rb +1 -1
- data/lib/inspec/rule.rb +8 -8
- data/lib/inspec/run_data.rb +1 -1
- data/lib/inspec/run_data/result.rb +2 -0
- data/lib/inspec/runner.rb +2 -2
- data/lib/inspec/schema.rb +3 -1
- data/lib/inspec/schema/exec_json.rb +1 -1
- data/lib/inspec/schema/output_schema.rb +1 -1
- data/lib/inspec/schema/primitives.rb +1 -1
- data/lib/inspec/shell.rb +3 -3
- data/lib/inspec/shell_detector.rb +2 -2
- data/lib/inspec/utils/command_wrapper.rb +1 -1
- data/lib/inspec/utils/deprecation/config_file.rb +2 -2
- data/lib/inspec/utils/json_log.rb +1 -1
- data/lib/inspec/utils/telemetry/collector.rb +1 -1
- data/lib/inspec/utils/telemetry/data_series.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +5 -5
- data/lib/plugins/inspec-compliance/README.md +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +3 -3
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +2 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +3 -3
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +2 -2
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +1 -1
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +3 -3
- data/lib/plugins/inspec-reporter-html2/README.md +1 -1
- data/lib/plugins/inspec-reporter-html2/lib/inspec-reporter-html2/reporter.rb +1 -1
- data/lib/plugins/inspec-reporter-json-min/lib/inspec-reporter-json-min/reporter.rb +1 -1
- data/lib/plugins/inspec-reporter-junit/README.md +9 -7
- data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb +10 -1
- data/lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb +94 -12
- data/lib/plugins/shared/core_plugin_test_helper.rb +6 -22
- metadata +44 -40
@@ -1,2 +1,2 @@
|
|
1
1
|
# This is just here to make the dynamic loader happy.
|
2
|
-
require "inspec/resources/registry_key
|
2
|
+
require "inspec/resources/registry_key"
|
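--- a/data/lib/inspec/resources/wmi.rb
+++ b/data/lib/inspec/resources/wmi.rb
@@ -16,7 +16,10 @@ module Inspec::Resources
 namespace: 'root\\rsop\\computer',
 filter: 'KeyName = \'MinimumPasswordAge\' And precedence=1'
 }) do
-its('Setting') { should
+its('Setting') { should cmp true }
+end
+describe wmi({namespace: "root\\cimv2", query: "SELECT installstate FROM win32_optionalfeature"}) do
+its("installstate") { should include 2 }
 end
 EXAMPLE
 
@@ -36,7 +39,7 @@ module Inspec::Resources
 # returns nil, if not existant or value
 def method_missing(*keys)
 # catch behavior of rspec its implementation
-# @see https://github.com/rspec/rspec-its/blob/
+# @see https://github.com/rspec/rspec-its/blob/v1.2.0/lib/rspec/its.rb#L110
 keys.shift if keys.is_a?(Array) && keys[0] == :[]
 
 # map all symbols to strings
@@ -66,13 +69,18 @@ module Inspec::Resources
 
 # run wmi command and filter empty wmi
 script = <<-EOH
-
-
-
-$
-
+Function Aggregate {
+$propsHash = @{}
+ForEach ($wmiObj in $Input) {
+ForEach ($wmiProp in $wmiObj.properties) {
+If($propsHash.ContainsKey($wmiProp.name)) {
+$propsHash[$wmiProp.name].add($wmiProp.value) | Out-Null
+} Else {
+$propsHash[$wmiProp.name] = [System.Collections.ArrayList]@($wmiProp.value)
+}
 }
-
+}
+$propsHash
 }
 Get-WmiObject #{params} | Aggregate | ConvertTo-Json
 EOH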
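Review bot: The rewritten `Aggregate` function in the `script` heredoc stores every property value inside a `[System.Collections.ArrayList]`, which adds a nesting level before `ConvertTo-Json` runs at its default depth of 2, so WMI properties that are themselves arrays or embedded objects may be serialized as flattened strings. An explicit depth on the last pipeline line would make the output predictable: `Get-WmiObject #{params} | Aggregate | ConvertTo-Json -Depth 3`. A Ruby comment above the heredoc, such as `# Aggregate collects each property's value from every returned object, so results arrive as lists even for a single row`, would explain the changed result shape to resource authors. `#{params}` is interpolated into the PowerShell text on an unchanged line and is built outside this hunk, so its quoting could not be checked here.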
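--- a/data/lib/inspec/resources/xml.rb
+++ b/data/lib/inspec/resources/xml.rb
@@ -13,7 +13,7 @@ module Inspec::Resources
 EXAMPLE
 
 def parse(content)
-require "rexml/document"
+require "rexml/document" unless defined?(REXML::Document)
 REXML::Document.new(content)
 rescue => e
 raise Inspec::Exceptions::ResourceFailed, "Unable to parse XML: #{e.message}"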
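--- a/data/lib/inspec/rule.rb
+++ b/data/lib/inspec/rule.rb
@@ -343,14 +343,8 @@ module Inspec
 __waiver_data["skipped_due_to_waiver"] = false
 __waiver_data["message"] = ""
 
-#
-#
-# is false-like, since all non-skipped waiver operations are handled
-# during reporting phase.
-return unless __waiver_data.key?("run") && !__waiver_data["run"]
-
-# OK, the intent is to skip. Does it have an expiration date, and
-# if so, is it in the future?
+# Does it have an expiration date, and if so, is it in the future?
+# This sets a waiver message before checking `run: true`
 expiry = __waiver_data["expiration_date"]
 if expiry
 # YAML will automagically give us a Date or a Time.
@@ -370,6 +364,12 @@ module Inspec
 end
 end
 
+# Waivers should have a hash value with keys possibly including "run" and
+# expiration_date. We only care here if it has a "run" key and it
+# is false-like, since all non-skipped waiver operations are handled
+# during reporting phase.
+return unless __waiver_data.key?("run") && !__waiver_data["run"]
+
 # OK, apply a skip.
 @__skip_rule[:result] = true
 @__skip_rule[:type] = :waiver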
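Review bot: The expiration block now runs for every waiver rather than only for `run: false` ones, because the `return unless __waiver_data.key?("run") && !__waiver_data["run"]` guard moved below it in the second hunk; whether a control is skipped therefore depends on what that block (new lines 351–363, outside both hunks) does for an expired waiver. If it does not return early, a lapsed `run: false` waiver would still reach `@__skip_rule[:result] = true` and suppress the control, so that path deserves a test with an expired date and `run: false`. The new comment `# This sets a waiver message before checking \`run: true\`` is hard to follow; if the intent is as it appears, something like `# Evaluate expiration first so the waiver message is set even when the control still runs; the run/skip decision follows below.` states it directly. The enclosing method starts and ends outside the hunks.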
data/lib/inspec/run_data.rb
CHANGED
@@ -47,7 +47,7 @@ module Inspec
|
|
47
47
|
# core reporters have been migrated to plugins. It is probable that new data elements
|
48
48
|
# and new Hash compatibility behavior will be added during the core reporter plugin
|
49
49
|
# conversion process.
|
50
|
-
SCHEMA_VERSION = "0.
|
50
|
+
SCHEMA_VERSION = "0.3.0".freeze
|
51
51
|
|
52
52
|
def self.compatible_schema?(constraints)
|
53
53
|
reqs = Gem::Requirement.create(constraints)
|
@@ -8,6 +8,7 @@ module Inspec
|
|
8
8
|
:run_time, # Float seconds execution time
|
9
9
|
:skip_message, # String
|
10
10
|
:start_time, # DateTime
|
11
|
+
:resource_params, # What is passed to the resource as a raw grep
|
11
12
|
:status, # String
|
12
13
|
:resource_title, # Ugly internals
|
13
14
|
# :waiver_data, # Undocumented tramp data / not exposed in this API
|
@@ -34,6 +35,7 @@ module Inspec
|
|
34
35
|
end
|
35
36
|
|
36
37
|
self.resource_name = raw_res_data[:resource_title].instance_variable_get(:@__resource_name__)&.to_s
|
38
|
+
self.resource_params = raw_res_data[:resource_title].instance_variable_get(:@grep)&.to_s
|
37
39
|
end
|
38
40
|
end
|
39
41
|
end
|
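Review bot: `self.resource_params = raw_res_data[:resource_title].instance_variable_get(:@grep)&.to_s` copies the raw arguments given to a resource into run data that reporter plugins presumably consume, so a secret passed as a resource argument (a session password, for instance, if a profile does that) could end up in report output. The field comment in the first hunk could say so, e.g. `:resource_params, # String; raw resource arguments, may contain sensitive values`, and reporters that export it should redact where the project has a way to mark values as sensitive. Reading `@grep` through `instance_variable_get` also couples this code to a private variable name of the resource object, which is worth a short why-comment next to the existing `@__resource_name__` lookup. The enclosing method starts outside the hunk.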
data/lib/inspec/runner.rb
CHANGED
data/lib/inspec/schema.rb
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
require "json"
|
1
|
+
require "json" unless defined?(JSON)
|
2
2
|
|
3
3
|
module Inspec
|
4
4
|
class Schema
|
@@ -56,6 +56,7 @@ module Inspec
|
|
56
56
|
"code_desc" => { "type" => "string" },
|
57
57
|
"run_time" => { "type" => "number" },
|
58
58
|
"start_time" => { "type" => "string" },
|
59
|
+
"resource_class" => { "type" => "string", "optional" => true },
|
59
60
|
"skip_message" => { "type" => "string", "optional" => true },
|
60
61
|
"resource" => { "type" => "string", "optional" => true },
|
61
62
|
"message" => { "type" => "string", "optional" => true },
|
@@ -194,6 +195,7 @@ module Inspec
|
|
194
195
|
"profile_sha256" => { "type" => "string" },
|
195
196
|
"status" => { "type" => "string" },
|
196
197
|
"code_desc" => { "type" => "string" },
|
198
|
+
"resource_class" => { "type" => "string", "optional" => true },
|
197
199
|
"skip_message" => { "type" => "string", "optional" => true },
|
198
200
|
"resource" => { "type" => "string", "optional" => true },
|
199
201
|
"message" => { "type" => "string", "optional" => true },
|
@@ -74,7 +74,7 @@ module Inspec
|
|
74
74
|
},
|
75
75
|
}, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT])
|
76
76
|
|
77
|
-
# Based loosely on https://
|
77
|
+
# Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
|
78
78
|
# However, concessions were made to the reality of current reporters, specifically
|
79
79
|
# with how description is omitted and version/inspec_version aren't as advertised online
|
80
80
|
PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {
|
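--- a/data/lib/inspec/shell.rb
+++ b/data/lib/inspec/shell.rb
@@ -1,4 +1,4 @@
-
+autoload :Pry, "pry"
 
 module Inspec
 # A pry based shell for inspec. Given a runner (with a configured backend and
@@ -137,7 +137,7 @@ module Inspec
 end
 
 info += "#{mark "Web Reference:"}\n\n"
-info += "https://
+info += "https://docs.chef.io/inspec/resources/#{topic}\n\n"
 puts info
 else
 begin
@@ -208,7 +208,7 @@ module Inspec
 
 its('content') { should_not match /^MyKey:\\s+some value/ }
 
-For more examples, see: https://
+For more examples, see: https://docs.chef.io/inspec/matchers/
 
 EOL
 end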
data/lib/inspec/version.rb
CHANGED
@@ -1,8 +1,8 @@
|
|
1
|
-
require "base64"
|
2
|
-
require "openssl"
|
3
|
-
require "pathname"
|
4
|
-
require "set"
|
5
|
-
require "tempfile"
|
1
|
+
require "base64" unless defined?(Base64)
|
2
|
+
require "openssl" unless defined?(OpenSSL)
|
3
|
+
require "pathname" unless defined?(Pathname)
|
4
|
+
require "set" unless defined?(Set)
|
5
|
+
require "tempfile" unless defined?(Tempfile)
|
6
6
|
require "yaml"
|
7
7
|
require "inspec/dist"
|
8
8
|
require "inspec/utils/json_profile_summary"
|
@@ -71,7 +71,7 @@ $ inspec compliance login https://automate.compliance.test --insecure --user 'ad
|
|
71
71
|
|
72
72
|
You will need an access token for authentication. You can retrieve one via:
|
73
73
|
|
74
|
-
![Chef Compliance Token](images/cc-token.png)
|
74
|
+
![Chef Compliance Token](lib/inspec-compliance/images/cc-token.png)
|
75
75
|
|
76
76
|
You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
|
77
77
|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require "uri"
|
1
|
+
require "uri" unless defined?(URI)
|
2
2
|
require "inspec/fetcher"
|
3
3
|
require "inspec/errors"
|
4
4
|
require "inspec/dist"
|
@@ -85,7 +85,7 @@ module InspecPlugins
|
|
85
85
|
# If version was specified, it will be the first and only result.
|
86
86
|
# Note we are calling the sha256 as a string, not a symbol since
|
87
87
|
# it was returned as json from the Compliance API.
|
88
|
-
profile_info = profile_result.
|
88
|
+
profile_info = profile_result.min_by { |x| Gem::Version.new(x["version"]) }
|
89
89
|
profile_checksum = profile_info.key?("sha256") ? profile_info["sha256"] : ""
|
90
90
|
end
|
91
91
|
end
|
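Review bot: `profile_result.min_by { |x| Gem::Version.new(x["version"]) }` returns nil for an empty result list, so the next line's `profile_info.key?("sha256")` would raise NoMethodError, and `Gem::Version.new` raises ArgumentError on a version string it cannot parse; both inputs come from the Compliance API response. A guard right after the assignment, such as `raise "no matching profile returned" if profile_info.nil?` (using the project's own error class), would turn this into a clear failure; the enclosing method starts outside the hunk. `min_by` selects the lowest version, which reads oddly for the case where no version was specified, and the removed line is truncated on this page, so confirm it matches the previous selection. The unchanged fallback to `""` when `sha256` is missing leaves that profile without a checksum to compare against, which deserves a comment or a logged warning. The `.max_by(&:version).version` chain in the plugin-manager hunk further down has the same nil-on-empty shape.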
@@ -1,7 +1,7 @@
|
|
1
1
|
require "inspec/profile_vendor"
|
2
|
-
require "mixlib/shellout"
|
3
|
-
require "tomlrb"
|
4
|
-
require "ostruct"
|
2
|
+
require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
|
3
|
+
require "tomlrb" unless defined?(Tomlrb)
|
4
|
+
require "ostruct" unless defined?(OpenStruct)
|
5
5
|
require "inspec/dist"
|
6
6
|
|
7
7
|
module InspecPlugins
|
@@ -26,7 +26,7 @@ Creating new profile at /Users/spaterson/my-profile
|
|
26
26
|
aws_vpc_id: 'custom-vpc-id'
|
27
27
|
```
|
28
28
|
|
29
|
-
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://
|
29
|
+
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://docs.chef.io/inspec/dsl_inspec/) for more details on conditional execution using `only_if`.
|
30
30
|
|
31
31
|
## Run the tests
|
32
32
|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require "pathname"
|
1
|
+
require "pathname" unless defined?(Pathname)
|
2
2
|
require "inspec/plugin/v2"
|
3
3
|
require "inspec/plugin/v2/installer"
|
4
4
|
require "inspec/dist"
|
@@ -505,8 +505,8 @@ module InspecPlugins
|
|
505
505
|
plugin_name = status.name.to_s
|
506
506
|
Inspec::Plugin::V2::Loader.list_installed_plugin_gems
|
507
507
|
.select { |spec| spec.name == plugin_name }
|
508
|
-
.
|
509
|
-
.
|
508
|
+
.max_by(&:version)
|
509
|
+
.version
|
510
510
|
end
|
511
511
|
when :path
|
512
512
|
"src"
|
@@ -24,7 +24,7 @@ Note the `2` in the reporter name. If you omit it and run `--reporter html` inst
|
|
24
24
|
|
25
25
|
## Configuring the Plugin
|
26
26
|
|
27
|
-
The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://
|
27
|
+
The `html2` reporter requires no configuration to function. However, two options--`alternate_css_file` and `alternate_js_file`--are available for customization. The options are set in the JSON-formatted configuration file that Chef InSpec consumes. For details, see [our configuration file documentation](https://docs.chef.io/inspec/config/).
|
28
28
|
|
29
29
|
For example:
|
30
30
|
|
@@ -1,15 +1,17 @@
|
|
1
|
-
# junit
|
1
|
+
# junit and junit2 reporters
|
2
2
|
|
3
|
-
This is the implementation of the junit XML
|
3
|
+
This is the implementation of the junit and junit2 XML reporters.
|
4
4
|
|
5
|
-
##
|
5
|
+
## Installation
|
6
6
|
|
7
|
-
This plugin
|
7
|
+
This plugin ships with Chef InSpec and requires no additional installation.
|
8
8
|
|
9
|
-
## What
|
9
|
+
## What These Plugins Do
|
10
10
|
|
11
|
-
|
11
|
+
`junit` is the legacy Chef InSpec JUnit reporter, which is retained for backwards compatibility. It generates an XML report in Apache Ant JUnit format. The output format is considered nonstandard in several ways. New users are advised to use `junit2`.
|
12
|
+
|
13
|
+
`junit2` is an updated reporter that provides JUnit output according to the schema published by [Windy Road](https://github.com/windyroad/JUnit-Schema).
|
12
14
|
|
13
15
|
## Implementation Note
|
14
16
|
|
15
|
-
This reporter uses the REXML XML generator, but
|
17
|
+
This reporter uses the REXML XML generator at runtime, but uses Nokogiri, a more heavyweight XML library, for testing. This design keeps packaging requirements lightweight and free of compiled dependencies.
|
@@ -3,10 +3,19 @@ module InspecPlugins
|
|
3
3
|
module JUnitReporter
|
4
4
|
class Plugin < ::Inspec.plugin(2)
|
5
5
|
plugin_name :'inspec-reporter-junit'
|
6
|
+
|
7
|
+
# Legacy JUnit reporter, which generates subtly incorrect XML.
|
6
8
|
reporter :junit do
|
7
9
|
require_relative "inspec-reporter-junit/reporter"
|
8
|
-
InspecPlugins::JUnitReporter::
|
10
|
+
InspecPlugins::JUnitReporter::ReporterV1
|
9
11
|
end
|
12
|
+
|
13
|
+
# v2 reporter, which generates valid JUnit XML.
|
14
|
+
reporter :junit2 do
|
15
|
+
require_relative "inspec-reporter-junit/reporter"
|
16
|
+
InspecPlugins::JUnitReporter::ReporterV2
|
17
|
+
end
|
18
|
+
|
10
19
|
end
|
11
20
|
end
|
12
21
|
end
|