inspec-core 4.41.2 → 4.50.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ccadabfe4c0ecceecb305842e1874255ce4797a8df92e9d1d940bfe52f4b2dbb
-  data.tar.gz: 8bed2e86c15c05fcd6ee5974e1167aab1f2ab6c2d321a6f802af738594fafe5b
+  metadata.gz: 506be4d9918c8af46f6b3784e8a18550cee990ad73c7c731bb1afea7197c5370
+  data.tar.gz: b48fa274325e96ac07185653b2eeb997ed5ea6fa39f570b0400706331a3b4d52
 SHA512:
-  metadata.gz: ac9a9e7a80179eaa6f1a77ff4fd4aa4505a39ce389a655bdf853caeece477c58ea7ef46db749cf54a11c2e5dff5e62b09fdd950caac396ffbab4640183549924
-  data.tar.gz: 613c20973b4b10202fe0d0aac0e53b65cb0cb201150b93665304f0a5f7d4341981768cc799865bb3d7b9ad6b9afa93f782a9651d88001001b899d85b4521e1b6
+  metadata.gz: 4eb19bed92e35c49395e513e263f3afdb3f59abcf873b88f0c7dc07775a64c4e6aea3db57f069b19be73e9aa92de106db95ecb4b60fc3fc4c5b080f4fc97df6c
+  data.tar.gz: e8eac56320e4c0e36078bdcef95dde1b6ec710d7bfdba1bbd4f8301ee0f5799c5a913f96edc5c31ba78c2dcc3647e671454b30ac430729943a0dca071191aa63

data/Gemfile

@@ -30,7 +30,11 @@ end
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  if Gem.ruby_version.to_s.start_with?("2.5")
+    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
+  else
+    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  end
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"

data/etc/deprecations.json

@@ -4,7 +4,7 @@
   "groups": {
     "attrs_value_replaces_default": {
       "action": "warn",
-      "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
+      "prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
     },
     "attrs_dsl": {
       "action": "ignore",

data/lib/inspec/base_cli.rb

@@ -43,11 +43,15 @@ module Inspec
       begin
         if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
             !ARGV.empty? # Did they supply at least one command?
-          LicenseAcceptance::Acceptor.check_and_persist(
+          license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
             Inspec::Dist::EXEC_NAME,
             Inspec::VERSION,
             logger: Inspec::Log
           )
+          if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
+            Inspec::UI.new.exit
+          end
+          license_acceptor_output
         end
       rescue LicenseAcceptance::LicenseNotAcceptedError
         Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
@@ -170,6 +174,10 @@ module Inspec
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
+      option :filter_waived_controls, type: :boolean,
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+      option :retain_waiver_data, type: :boolean,
+        desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,
         desc: "Maximum seconds to allow commands to run during execution.",
         long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."

data/lib/inspec/cached_fetcher.rb

@@ -6,9 +6,9 @@ module Inspec
     extend Forwardable
 
     attr_reader :cache, :target, :fetcher
-    def initialize(target, cache)
+    def initialize(target, cache, opts = {})
       @target = target
-      @fetcher = Inspec::Fetcher::Registry.resolve(target)
+      @fetcher = Inspec::Fetcher::Registry.resolve(target, opts)
 
       if @fetcher.nil?
         raise("Could not fetch inspec profile in #{target.inspect}.")

data/lib/inspec/cli.rb

@@ -93,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc "check PATH", "verify all tests at the specified PATH"
-  option :format, type: :string
+  option :format, type: :string,
+    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config
@@ -121,8 +122,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       end
       puts
 
-      if result[:errors].empty? && result[:warnings].empty?
-        ui.plain_line("No errors or warnings")
+      enable_offenses = !Inspec.locally_windows? # See 5723
+      if result[:errors].empty? && result[:warnings].empty? && result[:offenses].empty?
+        if enable_offenses
+          ui.plain_line("No errors, warnings, or offenses")
+        else
+          ui.plain_line("No errors or warnings")
+        end
       else
         item_msg = lambda { |item|
           pos = [item[:file], item[:line], item[:column]].compact.join(":")
@@ -134,11 +140,22 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
         puts
 
+        if enable_offenses && !result[:offenses].empty?
+          puts "Offenses:\n"
+          result[:offenses].each { |item| ui.cyan(" #{Inspec::UI::GLYPHS[:script_x]} #{item_msg.call(item)}\n\n") }
+        end
+
+        offenses = ui.cyan("#{result[:offenses].length} offenses", print: false)
         errors = ui.red("#{result[:errors].length} errors", print: false)
         warnings = ui.yellow("#{result[:warnings].length} warnings", print: false)
-        ui.plain_line("Summary:     #{errors}, #{warnings}")
+        if enable_offenses
+          ui.plain_line("Summary:     #{errors}, #{warnings}, #{offenses}")
+        else
+          ui.plain_line("Summary:     #{errors}, #{warnings}")
+        end
       end
     end
+
     ui.exit Inspec::UI::EXIT_USAGE_ERROR unless result[:summary][:valid]
   rescue StandardError => e
     pretty_handle_exception(e)

data/lib/inspec/control_eval_context.rb

@@ -18,6 +18,7 @@ module Inspec
     attr_accessor :skip_file
     attr_accessor :profile_context
     attr_accessor :resources_dsl
+    attr_accessor :conf
 
     def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
       @profile_context = profile_context
@@ -53,19 +54,26 @@ module Inspec
 
     def control(id, opts = {}, &block)
       opts[:skip_only_if_eval] = @skip_only_if_eval
-      tag_ids = control_tags(&block)
-      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids)
+      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id)
         register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
+      elsif !tags_list_empty?
+        # Inside elsif rule is initialised before registering it because it enables fetching of control tags
+        # This condition is only true when --tags option is used
+        inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)
+        tag_ids = control_tags(inspec_rule)
+        register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids)
       end
     end
 
     alias rule control
 
-    def control_tags(&block)
-      tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") }
-      tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.sub(/([^:]*):/, "") } }.flatten
-      output = tag_source.map { |src| src.sub(/\[|\]/, "") }.map { |src| instance_eval(src) }
-      output.compact.uniq
+    def control_tags(inspec_rule)
+      all_tags = []
+      inspec_rule.tag.each do |key, value|
+        all_tags.push(key)
+        all_tags.push(value) unless value.nil?
+      end
+      all_tags.flatten.compact.uniq.map(&:to_s)
     rescue
       []
     end
@@ -182,29 +190,24 @@ module Inspec
       @skip_file = true
     end
 
-    private
-
-    def block_location(block, alternate_caller)
-      if block.nil?
-        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
-      else
-        path, line = block.source_location
-        "#{File.basename(path)}:#{line}"
+    # Check if the given control exist in the --tags option
+    def tag_exist_in_control_tags?(tag_ids)
+      tag_option_matches_with_list = false
+      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
+        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
+        unless tag_option_matches_with_list
+          @conf["profile"].include_tags_list.any? do |inclusion|
+            # Try to see if the inclusion is a regex, and if it matches
+            if inclusion.is_a?(Regexp)
+              tag_ids.each do |id|
+                tag_option_matches_with_list = (inclusion =~ id)
+                break if tag_option_matches_with_list
+              end
+            end
+          end
+        end
       end
-    end
-
-    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
-    def profile_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
-    end
-
-    def profile_tag_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
-    end
-
-    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
-    def controls_list_empty?
-      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+      tag_option_matches_with_list
     end
 
     def tags_list_empty?
@@ -223,24 +226,29 @@ module Inspec
       id_exist_in_list
     end
 
-    # Check if the given control exist in the --tags option
-    def tag_exist_in_control_tags?(tag_ids)
-      tag_option_matches_with_list = false
-      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
-        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
-        unless tag_option_matches_with_list
-          @conf["profile"].include_tags_list.any? do |inclusion|
-            # Try to see if the inclusion is a regex, and if it matches
-            if inclusion.is_a?(Regexp)
-              tag_ids.each do |id|
-                tag_option_matches_with_list = (inclusion =~ id)
-                break if tag_option_matches_with_list
-              end
-            end
-          end
-        end
+    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
+    def controls_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+    end
+
+    private
+
+    def block_location(block, alternate_caller)
+      if block.nil?
+        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
+      else
+        path, line = block.source_location
+        "#{File.basename(path)}:#{line}"
       end
-      tag_option_matches_with_list
+    end
+
+    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
+    def profile_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
+    end
+
+    def profile_tag_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
     end
   end
 end

data/lib/inspec/dsl.rb

@@ -93,23 +93,38 @@ module Inspec::DSL
     context = dep_entry.profile.runner_context
     # if we don't want all the rules, then just make 1 pass to get all rule_IDs
     # that we want to keep from the original
-    filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
+    if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
+      filter_included_controls(context, dep_entry.profile, opts, &block)
+    end
     # interpret the block and skip/modify as required
     context.load(block) if block_given?
     bind_context.add_subcontext(context)
   end
 
-  def self.filter_included_controls(context, profile, &block)
+  def self.filter_included_controls(context, profile, opts, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
     include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
+    include_ctx.control_eval_context.conf = opts[:conf]
+    control_eval_ctx = include_ctx.control_eval_context
     # remove all rules that were not registered
     context.all_rules.each do |r|
       id = Inspec::Rule.rule_id(r)
       fid = Inspec::Rule.profile_id(r) + "/" + id
-      unless include_ctx.rules[id] || include_ctx.rules[fid]
+      if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
         context.remove_rule(fid)
       end
+
+      unless control_eval_ctx.controls_list_empty?
+        # filter the dependent profile controls which are not in the --controls options list
+        context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
+      end
+
+      unless control_eval_ctx.tags_list_empty?
+        # filter included controls using --tags
+        tag_ids = control_eval_ctx.control_tags(r)
+        context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
+      end
     end
   end
 end

data/lib/inspec/fetcher/url.rb

@@ -44,11 +44,17 @@ module Inspec::Fetcher
     #  - Branch URL
     #  - Commit URL
     #
-    # master url:
+    # master url(default branch master):
     # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
     # https://github.com/nathenharvey/tmp_compliance_profile/archive/master.tar.gz
     # https://bitbucket.org/username/repo is transformed to
     # https://bitbucket.org/username/repo/get/master.tar.gz
+
+    # main url(default branch main):
+    # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
+    # https://github.com/nathenharvey/tmp_compliance_profile/archive/main.tar.gz
+    # https://bitbucket.org/username/repo is transformed to
+    # https://bitbucket.org/username/repo/get/main.tar.gz
     #
     # branch:
     # https://github.com/hardening-io/tests-os-hardening/tree/2.0 is transformed to
@@ -68,14 +74,18 @@ module Inspec::Fetcher
     BITBUCKET_URL_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}.freeze
     BITBUCKET_URL_BRANCH_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/branch/(?<branch>[\w\.]+)(/)?$}.freeze
     BITBUCKET_URL_COMMIT_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/commits/(?<commit>[\w\.]+)(/)?$}.freeze
+    GITHUB_URL = "https://github.com".freeze
+    BITBUCKET_URL = "https://bitbucket.org".freeze
 
     def self.transform(target)
       transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
+                             default_branch = default_ref(m, GITHUB_URL)
+                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{default_branch}.tar.gz"
                            elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz"
                            elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/master.tar.gz"
+                             default_branch = default_ref(m, BITBUCKET_URL)
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{default_branch}.tar.gz"
                            elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz"
                            elsif m = BITBUCKET_URL_COMMIT_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
@@ -120,6 +130,38 @@ module Inspec::Fetcher
 
     private
 
+    class << self
+      def default_ref(match_data, repo_url)
+        remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git"
+        command_string = "git remote show #{remote_url}"
+        cmd = shellout(command_string)
+        unless cmd.exitstatus == 0
+          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}")
+        else
+          ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+          unless ref
+            raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference")
+          end
+
+          ref
+        end
+      end
+
+      def shellout(cmd, opts = {})
+        Inspec::Log.debug("Running external command: #{cmd} (#{opts})")
+        cmd = Mixlib::ShellOut.new(cmd, opts)
+        cmd.run_command
+        Inspec::Log.debug("External command: completed with exit status: #{cmd.exitstatus}")
+        Inspec::Log.debug("External command: STDOUT BEGIN")
+        Inspec::Log.debug(cmd.stdout)
+        Inspec::Log.debug("External command: STDOUT END")
+        Inspec::Log.debug("External command: STDERR BEGIN")
+        Inspec::Log.debug(cmd.stderr)
+        Inspec::Log.debug("External command: STDERR END")
+        cmd
+      end
+    end
+
     def parse_uri(target)
       return URI.parse(target) if target.is_a?(String)
 

data/lib/inspec/fetcher.rb

@@ -2,12 +2,12 @@ require "inspec/plugin/v1"
 
 module Inspec
   class FetcherRegistry < PluginRegistry
-    def resolve(target)
+    def resolve(target, opts = {})
       if fetcher_specified?(target)
-        super(target)
+        super(target, opts)
       else
         Inspec::Log.debug("Assuming default supermarket source for #{target}")
-        super(with_default_fetcher(target))
+        super(with_default_fetcher(target), opts)
       end
     end
 

data/lib/inspec/globals.rb

@@ -18,4 +18,9 @@ module Inspec
     require "etc" unless defined?(Etc)
     Etc.getpwuid.dir
   end
+
+  def self.locally_windows?
+    require "rbconfig" unless defined?(RbConfig)
+    RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
+  end
 end

data/lib/inspec/plugin/v1/registry.rb

@@ -9,9 +9,13 @@ class PluginRegistry
   #
   # @param [String] target to resolve
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
-  def resolve(target)
+  def resolve(target, opts = {})
     modules.each do |m|
-      res = m.resolve(target)
+      res = if Inspec::Fetcher::Url == m
+              m.resolve(target, opts)
+            else
+              m.resolve(target)
+            end
       return res unless res.nil?
     end
     nil

data/lib/inspec/profile.rb

@@ -18,9 +18,9 @@ module Inspec
   class Profile
     extend Forwardable
 
-    def self.resolve_target(target, cache)
+    def self.resolve_target(target, cache, opts = {})
       Inspec::Log.debug "Resolve #{target} into cache #{cache.path}"
-      Inspec::CachedFetcher.new(target, cache)
+      Inspec::CachedFetcher.new(target, cache, opts)
     end
 
     # Check if the profile contains a vendored cache, move content into global cache
@@ -70,7 +70,11 @@ module Inspec
 
     def self.for_target(target, opts = {})
       opts[:vendor_cache] ||= Cache.new
-      fetcher = resolve_target(target, opts[:vendor_cache])
+      config = {}
+      unless opts[:runner_conf].nil?
+        config = opts[:runner_conf].respond_to?(:final_options) ? opts[:runner_conf].final_options : opts[:runner_conf]
+      end
+      fetcher = resolve_target(target, opts[:vendor_cache], config)
       for_fetcher(fetcher, opts)
     end
 
@@ -213,6 +217,9 @@ module Inspec
 
         locked_dependencies.each(&:collect_tests)
 
+        tests = filter_waived_controls
+
+        # Collect tests
         tests.each do |path, content|
           next if content.nil? || content.empty?
 
@@ -229,6 +236,65 @@ module Inspec
       @runner_context.all_rules
     end
 
+    # Wipe out waived controls
+    def filter_waived_controls
+      cfg = Inspec::Config.cached
+      return tests unless cfg["filter_waived_controls"]
+
+      ## Find the waivers file
+      # - TODO: cli_opts and instance_variable_get could be exposed
+      waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
+      if waiver_paths.blank?
+        Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      # # Pull together waiver
+      waived_control_ids = []
+      waiver_paths.each do |waiver_path|
+        waiver_content = YAML.load_file(waiver_path)
+        unless waiver_content
+          # Note that we will have already issued a detailed warning
+          Inspec::Log.error "YAML parsing error in #{waiver_path}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+        waived_control_ids << waiver_content.keys
+      end
+      waived_control_id_regex = "(#{waived_control_ids.join("|")})"
+
+      ## Purge tests (this could be doone in next block for performance)
+      ## TODO: implement earlier with pure AST and pure autocorrect AST
+      filtered_tests = {}
+      if cfg["retain_waiver_data"]
+        # VERY EXPERIMENTAL, but an empty describe block at the top level
+        # of the control blocks evaluation of ruby code until later-term
+        # waivers (behind the scenes this tells RSpec to hold on and use its internals to lazy load the code). This allows current waiver-data (e.g. skips) to still
+        # be processed and rendered
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
+            next if element.blank?
+
+            if element&.match?(waived_control_id_regex)
+              splitlines = element.split("\n")
+              splitlines[0] + "\ndescribe '---' do\n" + splitlines[1..-1].join("\n") + "\nend\n"
+            else
+              element
+            end
+          end.join("")
+          filtered_tests[control_filename] = cleared_tests
+        end
+      else
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).select do |control_code|
+            !control_code.match?(waived_control_id_regex)
+          end.join("")
+
+          filtered_tests[control_filename] = cleared_tests
+        end
+      end
+      filtered_tests
+    end
+
     # This creates the list of controls provided in the --controls options which need to be include
     # for evaluation.
     def include_controls_list
@@ -382,6 +448,45 @@ module Inspec
       res
     end
 
+    def cookstyle_linting_check
+      msgs = []
+      return msgs if Inspec.locally_windows? # See #5723
+
+      output = cookstyle_rake_output.split("Offenses:").last
+      msgs = output.split("\n").select { |x| x =~ /[A-Z]:/ } unless output.nil?
+      msgs
+    end
+
+    # Cookstyle linting rake run output
+    def cookstyle_rake_output
+      require "cookstyle"
+      require "rubocop/rake_task"
+      begin
+        RuboCop::RakeTask.new(:cookstyle_lint) do |spec|
+          spec.options += [
+            "--display-cop-names",
+            "--parallel",
+            "--only=InSpec/Deprecations",
+          ]
+          spec.patterns += Dir.glob("#{@target}/**/*.rb").reject { |f| File.directory?(f) }
+          spec.fail_on_error = false
+        end
+      rescue LoadError
+        puts "Rubocop is not available. Install the rubocop gem to run the lint tests."
+      end
+      begin
+        stdout = StringIO.new
+        $stdout = stdout
+        Rake::Task["cookstyle_lint"].invoke
+        $stdout = STDOUT
+        Rake.application["cookstyle_lint"].reenable
+        stdout.string
+      rescue => e
+        puts "Cookstyle lint checks could not be performed. Error while running cookstyle - #{e}"
+        ""
+      end
+    end
+
     # Check if the profile is internally well-structured. The logger will be
     # used to print information on errors and warnings which are found.
     #
@@ -398,6 +503,7 @@ module Inspec
         },
         errors: [],
         warnings: [],
+        offenses: [],
       }
 
       entry = lambda { |file, line, column, control, msg|
@@ -420,6 +526,10 @@ module Inspec
         result[:errors].push(entry.call(file, line, column, control, msg))
       }
 
+      offense = lambda { |file, line, column, control, msg|
+        result[:offenses].push(entry.call(file, line, column, control, msg))
+      }
+
       @logger.info "Checking profile in #{@target}"
       meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)
 
@@ -482,8 +592,15 @@ module Inspec
         warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? || control[:checks].empty?
       end
 
-      # profile is valid if we could not find any error
-      result[:summary][:valid] = result[:errors].empty?
+      # Running cookstyle to check for code offenses
+      cookstyle_linting_check.each do |lint_output|
+        data = lint_output.split(":")
+        msg = "#{data[-2]}:#{data[-1]}"
+        offense.call(data[0], data[1], data[2], nil, msg)
+      end
+
+      # profile is valid if we could not find any error & offenses
+      result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 
       @logger.info "Control definitions OK." if result[:warnings].empty?
       result

data/lib/inspec/resources/apache_conf.rb

@@ -82,7 +82,7 @@ module Inspec::Resources
           end
         end
 
-        @params.merge!(params)
+        @params.merge!(params) { |key, current_val, new_val| [*current_val].to_a + [*new_val].to_a }
 
         to_read = to_read.drop(1)
         to_read += include_files(params).find_all do |fp|
@@ -101,12 +101,14 @@ module Inspec::Resources
       include_files_optional = params["IncludeOptional"] || []
 
       includes = []
-      (include_files + include_files_optional).each do |f|
-        id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
-        files = find_files(id, depth: 1, type: "file")
-        files += find_files(id, depth: 1, type: "link")
+      unless conf_dir.nil?
+        (include_files + include_files_optional).each do |f|
+          id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
+          files = find_files(id, depth: 1, type: "file")
+          files += find_files(id, depth: 1, type: "link")
 
-        includes.push(files) if files
+          includes.push(files) if files
+        end
       end
 
       # [].flatten! == nil