inspec-core 4.50.3 → 4.56.19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 506be4d9918c8af46f6b3784e8a18550cee990ad73c7c731bb1afea7197c5370
-  data.tar.gz: b48fa274325e96ac07185653b2eeb997ed5ea6fa39f570b0400706331a3b4d52
+  metadata.gz: 58efdb5e3457dcb1bf97227b98e1f723c672c7eadc995ef3f07b1f2a910c47db
+  data.tar.gz: 0f789e778551423ccfdacc52dbcda63c597b3e8d83b00739aa36becc52502213
 SHA512:
-  metadata.gz: 4eb19bed92e35c49395e513e263f3afdb3f59abcf873b88f0c7dc07775a64c4e6aea3db57f069b19be73e9aa92de106db95ecb4b60fc3fc4c5b080f4fc97df6c
-  data.tar.gz: e8eac56320e4c0e36078bdcef95dde1b6ec710d7bfdba1bbd4f8301ee0f5799c5a913f96edc5c31ba78c2dcc3647e671454b30ac430729943a0dca071191aa63
+  metadata.gz: 96f3692d1e3dee025002b7e661a635a33cf8ae353e164e2931a6d139d2711c1c94162e69fdc9db52a28fe3a1eb85319f7b08ae27e0f68528603c0e9096a758e2
+  data.tar.gz: dc1ec6f7322e4cbac56cb1cfe6f6761f44b455c77d069b414c3ec759695ce9ff260deee62c9a0a3184f0a800d31e5fdad8c791bd04fc40bc4d0fafc1fe87f84e

data/Gemfile

@@ -11,11 +11,6 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
-if Gem.ruby_version.to_s.start_with?("2.5")
-  # 16.7.23 required ruby 2.6+
-  gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
-end
-
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
@@ -30,11 +25,7 @@ end
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  if Gem.ruby_version.to_s.start_with?("2.5")
-    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
-  else
-    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
-  end
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
@@ -45,7 +36,8 @@ group :test do
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
   gem "ruby-progressbar", "~> 1.8"
-  gem "simplecov", "~> 0.18"
+  gem "simplecov", "~> 0.21"
+  gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
 end
 
@@ -66,3 +58,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
     gem "git"
   end
 end
+
+if Gem.ruby_version < Gem::Version.new("2.7.0")
+  gem "activesupport", "6.1.4.4"
+end

data/inspec-core.gemspec

@@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
   spec.license       = "Apache-2.0"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.5"
+  spec.required_ruby_version = ">= 2.6"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "< 3.11"
+  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
   spec.add_dependency "rspec-its",          "~> 1.2"
   spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             ">= 3.4", "< 5.0"

data/lib/bundles/inspec-supermarket/README.md

@@ -8,8 +8,27 @@ To use the CLI, this InSpec add-on adds the following commands:
 
  Compliance profiles from Supermarket can be executed in two ways:
 
- - via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
- - via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+ - via supermarket exec:
+
+ **Public Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
+
+ - via supermarket scheme:
+
+ **Public Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
 
 ## Usage
 

data/lib/bundles/inspec-supermarket/cli.rb

@@ -15,10 +15,18 @@ module Supermarket
     end
 
     desc "profiles", "list all available profiles in Chef Supermarket"
+    supermarket_options
     def profiles
-      # display profiles in format user/profile
-      supermarket_profiles = Supermarket::API.profiles
+      o = config
+      diagnose(o)
+      configure_logger(o)
 
+      # display profiles in format user/profile
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       headline("Available profiles:")
       supermarket_profiles.each do |p|
         li("#{p["tool_name"]} #{mark_text(p["tool_owner"] + "/" + p["slug"])}")
@@ -45,9 +53,18 @@ module Supermarket
     end
 
     desc "info PROFILE", "display Supermarket profile details"
+    supermarket_options
     def info(profile)
+      o = config
+      diagnose(o)
+      configure_logger(o)
+
       # check that the profile is available
-      supermarket_profiles = Supermarket::API.profiles
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       found = supermarket_profiles.select do |p|
         profile == "#{p["tool_owner"]}/#{p["slug"]}"
       end

data/lib/bundles/inspec-supermarket/target.rb

@@ -9,10 +9,11 @@ module Supermarket
     priority 500
 
     def self.resolve(target, opts = {})
+      supermarket_url = opts["supermarket_url"] || Supermarket::API::SUPERMARKET_URL
       supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == "supermarket"
-                                              [target, Supermarket::API::SUPERMARKET_URL]
+                                              [target, supermarket_url]
                                             elsif target.respond_to?(:key?) && target.key?(:supermarket)
-                                              supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
+                                              supermarket_server = target[:supermarket_url] || supermarket_url
                                               ["supermarket://#{target[:supermarket]}", supermarket_server]
                                             end
       return nil unless supermarket_uri

data/lib/inspec/base_cli.rb

@@ -126,6 +126,8 @@ module Inspec
         desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
       option :docker_url, type: :string,
         desc: "Provides path to Docker API endpoint (Docker)"
+      option :ssh_config_file, type: :array,
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
     end
 
     def self.profile_options
@@ -135,9 +137,15 @@ module Inspec
         desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
     end
 
+    def self.supermarket_options
+      option :supermarket_url, type: :string,
+        desc: "Specify the URL of a private Chef Supermarket."
+    end
+
     def self.exec_options
       target_options
       profile_options
+      supermarket_options
       option :controls, type: :array,
         desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
       option :tags, type: :array,

data/lib/inspec/config.rb

@@ -367,7 +367,11 @@ module Inspec
         .find_activators(plugin_type: :reporter)\
         .map(&:activator_name).map(&:to_s)
 
-      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+      streaming_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :streaming_reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters + streaming_reporters
 
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)

data/lib/inspec/dependencies/requirement.rb

@@ -102,7 +102,8 @@ module Inspec
     end
 
     def fetcher
-      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
+      @runner_options ||= (Inspec::Config.cached || {})
+      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache, @runner_options)
     end
 
     # load dependencies of the dependency

data/lib/inspec/formatters/base.rb

@@ -70,6 +70,7 @@ module Inspec::Formatters
         name: platform(:name),
         release: platform(:release),
         target: backend_target,
+        target_id: platform(:uuid),
       }
     end
 
@@ -205,12 +206,13 @@ module Inspec::Formatters
     def platform(field)
       return nil if @backend.nil?
 
-      begin
-        @backend.platform[field]
-      rescue Train::Error => e
-        Inspec::Log.warn(e.message)
-        nil
-      end
+      @backend.platform[field]
+    rescue Train::PlatformUuidDetectionFailed
+      Inspec::Log.warn("Could not find platform target_id.")
+      nil
+    rescue Train::Error => e
+      Inspec::Log.warn(e.message)
+      nil
     end
 
     def backend_target

data/lib/inspec/library_eval_context.rb

@@ -30,6 +30,8 @@ module Inspec
 
       c3 = Class.new do
         include Inspec::DSL::RequireOverride
+        include Inspec::Resources
+
         def initialize(require_loader)
           @require_loader = require_loader
           @inspec_binding = nil

data/lib/inspec/plugin/v1/registry.rb

@@ -11,7 +11,7 @@ class PluginRegistry
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
   def resolve(target, opts = {})
     modules.each do |m|
-      res = if Inspec::Fetcher::Url == m
+      res = if ["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s
               m.resolve(target, opts)
             else
               m.resolve(target)

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -0,0 +1,10 @@
+module Inspec::Plugin::V2::PluginType
+  class StreamingReporter < Inspec::Plugin::V2::PluginBase # TBD Superclass may need to change
+    register_plugin_type(:streaming_reporter)
+
+    #====================================================================#
+    #                StreamingReporter plugin type API
+    #====================================================================#
+    # Implementation classes must implement these methods.
+  end
+end

data/lib/inspec/profile_context.rb

@@ -68,6 +68,7 @@ module Inspec
     end
 
     def reload_dsl
+      @resource_registry.merge!(Inspec::Resource.new_registry)
       @control_eval_context = nil
     end
 
@@ -263,9 +264,3 @@ module Inspec
     end # DomainSpecificLunacy
   end # ProfileContext
 end
-
-if RUBY_VERSION < "2.5"
-  class Module
-    public :define_method
-  end
-end

data/lib/inspec/reporters/automate.rb

@@ -21,7 +21,7 @@ module Inspec::Reporters
       final_report[:type] = "inspec_report"
 
       final_report[:end_time] = Time.now.utc.strftime("%FT%TZ")
-      final_report[:node_uuid] = @config["node_uuid"] || @config["target_id"]
+      final_report[:node_uuid] = report[:platform][:target_id] || @config["node_uuid"] || @config["target_id"]
       raise Inspec::ReporterError, "Cannot find a UUID for your node. Please specify one via json-config." if final_report[:node_uuid].nil?
 
       final_report[:report_uuid] = @config["report_uuid"] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])

data/lib/inspec/reporters/json.rb

@@ -29,7 +29,7 @@ module Inspec::Reporters
       {
         name:      run_data[:platform][:name],
         release:   run_data[:platform][:release],
-        target_id: @config["target_id"],
+        target_id: run_data[:platform][:target_id] || @config["target_id"],
       }.reject { |_k, v| v.nil? }
     end
 

data/lib/inspec/resources/auditd.rb

@@ -28,12 +28,13 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize
-      unless inspec.command("/sbin/auditctl").exist?
+      @auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
+      unless inspec.command(@auditctl_cmd_str).exist?
         raise Inspec::Exceptions::ResourceFailed,
-              "Command `/sbin/auditctl` does not exist"
+              "Command `#{@auditctl_cmd_str}` does not exist"
       end
 
-      auditctl_cmd = "/sbin/auditctl -l"
+      auditctl_cmd = "#{@auditctl_cmd_str} -l"
       result = inspec.command(auditctl_cmd)
 
       if result.exit_status != 0
@@ -68,7 +69,7 @@ module Inspec::Resources
     filter.install_filter_methods_on_resource(self, :params)
 
     def status(name = nil)
-      @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
+      @status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp
 
       # See: https://github.com/inspec/inspec/issues/3113
       if @status_content =~ /^AUDIT_STATUS/

data/lib/inspec/resources/bash.rb

@@ -5,6 +5,8 @@ module Inspec::Resources
   class Bash < Cmd
     name "bash"
     supports platform: "unix"
+    supports platform: "esx"
+
     desc "Run a command or script in BASH."
     example <<~EXAMPLE
       describe bash('ls -al /') do

data/lib/inspec/resources/file.rb

@@ -61,6 +61,24 @@ module Inspec::Resources
       res.force_encoding("utf-8")
     end
 
+    # returns hash containing list of users/groups and their file permissions.
+    def user_permissions
+      return {} unless exist?
+
+      return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.user_permissions(file)
+    end
+
+    # returns true if inheritance is enabled on file or folder
+    def inherited?
+      return false unless exist?
+
+      return skip_resource "`inherited?` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.inherited?(file)
+    end
+
     def contain(*_)
       raise "Contain is not supported. Please use standard RSpec matchers."
     end
@@ -244,6 +262,26 @@ module Inspec::Resources
   end
 
   class WindowsFilePermissions < FilePermissions
+
+    def user_permissions(file)
+      script = <<-EOH
+      $Acl = Get-Acl -Path #{file.path}
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference.Value  = $Access.FileSystemRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
+
+    def inherited?(file)
+      cmd = inspec.command("(Get-Acl -Path #{file.path}).access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
       raise "`check_file_permission_by_mask` is not supported on Windows"
     end

data/lib/inspec/resources/firewalld.rb

@@ -32,6 +32,17 @@ module Inspec::Resources
       .register_column(:interfaces, field: "interfaces")
       .register_column(:sources,    field: "sources")
       .register_column(:services,   field: "services")
+      .register_column(:target, field: "target")
+      .register_column(:ports, field: "ports")
+      .register_column(:protocols, field: "protocols")
+      .register_column(:forward_ports, field: "forward_ports")
+      .register_column(:source_ports, field: "source_ports")
+      .register_column(:icmp_blocks, field: "icmp_blocks")
+      .register_column(:rich_rules, field: "rich_rules")
+      .register_custom_matcher(:icmp_block_inversion?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:has_icmp_block_inversion_enabled?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:masquerade?) { |x| x.params[0]["masquerade"] }
+      .register_custom_matcher(:has_masquerade_enabled?) { |x| x.params[0]["masquerade"] }
 
     filter.install_filter_methods_on_resource(self, :params)
 
@@ -64,28 +75,28 @@ module Inspec::Resources
     end
 
     def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-service=#{query_service}") == "yes"
     end
 
     def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
       # return: String of ports open
       # example: ['22/tcp', '4722/tcp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-ports").split(" ")
     end
 
     def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
-      # return: String of protocoals open
+      # return: String of protocols open
       # example: ['icmp', 'ipv4', 'igmp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-protocols").split(" ")
     end
 
     def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-port=#{query_port}") == "yes"
     end
 
     def has_rule_enabled?(rule, query_zone = default_zone)
       rule = "rule #{rule}" unless rule.start_with?("rule")
-      firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
     end
 
     def to_s
@@ -120,19 +131,82 @@ module Inspec::Resources
         "interfaces" => line.split(":")[1].split(" "),
         "services" => services_bound(zone),
         "sources" => sources_bound(zone),
+        "target" => target_bound(zone),
+        "icmp_block_inversion" => icmp_block_inversion_bound?(zone),
+        "ports" => ports_bound(zone),
+        "protocols" => protocols_bound(zone),
+        "masquerade" => masquerade_bound?(zone),
+        "forward_ports" => forward_ports_bound(zone),
+        "source_ports" => source_ports_bound(zone),
+        "icmp_blocks" => icmp_blocks_bound(zone),
+        "rich_rules" => rich_rules_bound(zone),
       }
     end
 
+    def target_bound(query_zone)
+      # result: a target bound for the zone
+      # example: 'DROP'
+      firewalld_command("--permanent --zone=#{query_zone} --get-target").strip
+    end
+
+    def icmp_block_inversion_bound?(query_zone)
+      # result: true/false whether inversion of icmp blocks has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-icmp-block-inversion") == "yes"
+    end
+
+    def ports_bound(query_zone)
+      # result: a list of ports bound for a zone
+      # example: ['80/tcp', '443/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-ports").split(" ")
+    end
+
+    def protocols_bound(query_zone)
+      # result: a list of protocols added for a zone
+      # example: ['icmp', 'ipv4', 'igmp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-protocols").split(" ")
+    end
+
+    def masquerade_bound?(query_zone)
+      # result: true/false whether IPv4 masquerading has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-masquerade") == "yes"
+    end
+
+    def forward_ports_bound(query_zone)
+      # result: a list of IPv4 forward ports bound to a zone
+      # example: ['port=80:proto=tcp:toport=88', 'port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3']
+      firewalld_command("--permanent --zone=#{query_zone} --list-forward-ports").split("\n")
+    end
+
+    def source_ports_bound(query_zone)
+      # result: a list of source ports bound to a zone
+      # example: ['80/tcp', '8080/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-source-ports").split(" ")
+    end
+
+    def icmp_blocks_bound(query_zone)
+      # result: a list of internet ICMP type blocks bound to a zone
+      # example: ['echo-request', 'echo-reply']
+      firewalld_command("--permanent --zone=#{query_zone} --list-icmp-blocks").split(" ")
+    end
+
+    def rich_rules_bound(query_zone)
+      # result: a list of rich language rules bound to a zone
+      # example: ['rule protocol value="ah" accept', 'rule service name="ftp" log limit value="1/m" audit accept']
+      firewalld_command("--permanent --zone=#{query_zone} --list-rich-rules").split("\n")
+    end
+
     def sources_bound(query_zone)
       # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
       # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
-      firewalld_command("--zone=#{query_zone} --list-sources").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-sources").split(" ")
     end
 
     def services_bound(query_zone)
       # result: a list of services bound to a zone.
       # example: ['ssh', 'dhcpv6-client']
-      firewalld_command("--zone=#{query_zone} --list-services").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-services").split(" ")
     end
 
     def firewalld_command(command)
@@ -145,4 +219,4 @@ module Inspec::Resources
       result.stdout.strip
     end
   end
-end
+end

data/lib/inspec/resources/grub_conf.rb

@@ -162,7 +162,7 @@ module Inspec::Resources
 
         current_kernel = file_line.split(" ", 2)[1]
         lines.drop(index + 1).each do |kernel_line|
-          if kernel_line =~ /^\s.*/
+          if kernel_line =~ /(?:^\s*\w+)/ && !(kernel_line =~ /^title.*/)
             option_type = kernel_line.split(" ")[0]
             line_options = kernel_line.split(" ").drop(1)
             if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel

data/lib/inspec/resources/http.rb

@@ -121,6 +121,10 @@ module Inspec::Resources
         def max_redirects
           opts.fetch(:max_redirects, nil)
         end
+
+        def proxy
+          opts.fetch(:proxy, nil)
+        end
       end
 
       class Local < Base
@@ -141,12 +145,18 @@ module Inspec::Resources
         def response
           return @response if @response
 
+          Faraday.ignore_env_proxy = true if proxy == "disable"
+
           conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
             builder.request :url_encoded
             builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
             builder.adapter Faraday.default_adapter
           end
 
+          unless proxy == "disable" || proxy.nil?
+            conn.proxy = proxy
+          end
+
           # set basic authentication
           conn.basic_auth username, password unless username.nil? || password.nil?
 
@@ -252,6 +262,14 @@ module Inspec::Resources
               cmd << "-X #{http_method}"
             end
 
+            cmd << "--noproxy '*'" if proxy == "disable"
+            unless proxy == "disable" || proxy.nil?
+              if proxy.is_a?(Hash)
+                cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
+              else
+                cmd << "--proxy #{proxy}"
+              end
+            end
             cmd << "--connect-timeout #{open_timeout}"
             cmd << "--max-time #{open_timeout + read_timeout}"
             cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
@@ -292,6 +310,17 @@ module Inspec::Resources
           else
             cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
           end
+
+          proxy_script = ""
+          unless proxy == "disable" || proxy.nil?
+            cmd << "-Proxy #{proxy[:uri]}"
+            cmd << "-ProxyCredential $proxyCreds"
+            proxy_script = <<-EOH
+              $secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
+              $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
+            EOH
+          end
+
           command = cmd.join(" ")
           body = "\'#{request_body}\'"
           script = <<-EOH
@@ -302,10 +331,10 @@ module Inspec::Resources
             foreach ($property in $Body.PSObject.Properties) {
               $HashTable[$property.Name] = $property.Value
             }
-            $response = #{command} -Body $HashTable
+            $response = #{command} -Body $HashTable -UseBasicParsing
             $response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
           EOH
-          script.strip
+          proxy_script.strip + "\n" + script.strip
         end
       end
     end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -46,12 +46,12 @@ module Inspec::Resources
 
         # check if following specific error is there. Sourcing the db2profile to resolve the error.
         if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
-          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} \"#{q}\"\;")
           out = cmd.stdout + "\n" + cmd.stderr
         end
       elsif inspec.os.platform?("windows")
         # set-item command set the powershell to run the db2 commands.
-        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 \"#{q}\"\;")
         out = cmd.stdout + "\n" + cmd.stderr
       end