inspec-core 5.17.4 → 5.21.29

data/lib/inspec/iaf_file.rb

@@ -0,0 +1,127 @@
+require "base64" unless defined?(Base64)
+require "openssl" unless defined?(OpenSSL)
+require "set" unless defined?(Set)
+require "uri" unless defined?(URI)
+
+module Inspec
+  class IafFile
+    KEY_ALG = OpenSSL::PKey::RSA
+    INSPEC_PROFILE_VERSION_1 = "INSPEC-PROFILE-1".freeze
+    INSPEC_PROFILE_VERSION_2 = "INSPEC-PROFILE-2".freeze
+
+    ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
+    ARTIFACT_DIGEST_NAME = "SHA512".freeze
+
+    VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
+    VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
+
+    def self.find_validation_key(keyname)
+      [
+        ".",
+        File.join(Inspec.config_dir, "keys"),
+        File.join(Inspec.src_root, "etc", "keys"),
+      ].each do |path|
+        filename = File.join(path, "#{keyname}.pem.pub")
+        return filename if File.exist?(filename)
+      rescue ArgumentError => e
+        puts e
+        raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("Validation key #{keyname} not found")
+      end
+
+      # Retry if we can fetch it from github
+      return find_validation_key(keyname) if fetch_validation_key_from_github(keyname)
+
+      raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("Validation key #{keyname} not found")
+    end
+
+    def self.find_signing_key(keyname)
+      [".", File.join(Inspec.config_dir, "keys")].each do |path|
+        filename = File.join(path, "#{keyname}.pem.key")
+        return filename if File.exist?(filename)
+      end
+      raise Inspec::Exceptions::ProfileSigningKeyNotFound.new("Signing key #{keyname} not found")
+    end
+
+    def self.fetch_validation_key_from_github(keyname)
+      URI.open("https://raw.githubusercontent.com/inspec/inspec/main/etc/keys/#{keyname}.pem.pub") do |r|
+        puts "Fetching validation key '#{keyname}' from github"
+        dir = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p dir
+        key_file = File.join(dir, "#{keyname}.pem.pub")
+        File.open(key_file, "w") do |f|
+          r.each_line do |line|
+            f.puts line
+          end
+        end
+      end
+      true
+    rescue OpenURI::HTTPError
+      false
+    end
+
+    attr_reader :key_name, :version
+
+    def initialize(path)
+      @path = path
+      @key_name = nil
+    end
+
+    def valid?
+      header = []
+      valid = true
+      f = File.open(@path, "rb")
+      @version = f.readline.strip!
+      if version == INSPEC_PROFILE_VERSION_1
+        header << version
+        header << f.readline.strip!
+        header << f.readline.strip!
+
+        file_sig = ""
+        # the signature is multi-line
+        while (line = f.readline) != "\n"
+          file_sig += line
+        end
+        header << file_sig.strip!
+        f.close
+
+        f = File.open(@path, "rb")
+        while f.readline != "\n" do end
+        content = f.read
+        f.close
+      elsif version == INSPEC_PROFILE_VERSION_2
+        header << version
+        header << f.readline.strip!
+        content = f.read
+        f.close
+
+        header_content = content.unpack("h*").pack("H*")
+        header << header_content.slice(0, 100).rstrip
+        header << header_content.slice(100, 20).rstrip
+        header << header_content.slice(120, 370).rstrip + "\n" # \n at the end is require in this field
+        content = content.slice(490, content.length).lstrip
+      else
+        valid = false
+      end
+
+      @key_name = header[2]
+      validation_key_path = Inspec::IafFile.find_validation_key(@key_name)
+
+      unless valid_header?(header)
+        valid = false
+      end
+
+      verification_key = KEY_ALG.new File.read validation_key_path
+      signature = Base64.decode64(header[4])
+      digest = ARTIFACT_DIGEST.new
+      unless verification_key.verify digest, signature, content
+        valid = false
+      end
+
+      valid
+    end
+
+    def valid_header?(header)
+      VALID_PROFILE_VERSIONS.member?(header[0]) && VALID_PROFILE_DIGESTS.member?(header[3])
+    end
+  end
+end

data/lib/inspec/plugin/v2/loader.rb

@@ -178,7 +178,19 @@ module Inspec::Plugin::V2
       # TODO: enforce first-level version pinning
       plugin_deps = [Gem::Dependency.new(plugin_gem_name.to_s, version_constraint)]
       managed_gem_set = Gem::Resolver::VendorSet.new
-      list_managed_gems.each { |spec| managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir) }
+
+      list_managed_gems.each do |spec|
+        if Gem::Specification.load spec.gem_dir
+          managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+        else
+          # In case of invalid gemspec as mentioned in this PR https://github.com/brianmario/yajl-ruby/pull/223
+          # the add_vendor_gem breaks. So this is patch to fix the loading issue.
+          # Horribly, chdir to gemspec path to honor . in gemspec
+          Dir.chdir(spec.gem_dir) do |dir|
+            managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+          end
+        end
+      end
 
       # TODO: Next two lines merge our managed gems with the other gems available
       # in our "local universe" - which may be the system, or it could be in a Bundler microcosm,
@@ -278,7 +290,12 @@ module Inspec::Plugin::V2
         when :user_gem
           status.entry_point = status.name.to_s
           status.version = plugin_entry[:version]
-          status.description = fetch_plugin_specs(status.name.to_s)&.summary
+          # Fetch the summary of the gem from local gemspec file instead of remote call using Gem::SpecFetcher.fetcher.
+          unless plugin_entry[:version].nil? # safe check very rare case.
+            version_string = plugin_entry[:version].gsub(/[=,~,>,<]/, "").strip
+            plugin_name_with_version = "#{status.name}-#{version_string}"
+            status.description = fetch_gemspec(File.join(plugin_gem_path, "gems", plugin_name_with_version, "/", status.name.to_s + ".gemspec"))&.summary
+          end
         when :path
           status.entry_point = plugin_entry[:installation_path]
         end
@@ -287,12 +304,6 @@ module Inspec::Plugin::V2
       end
     end
 
-    def fetch_plugin_specs(plugin_name)
-      fetcher = Gem::SpecFetcher.fetcher
-      plugin_dependency = Gem::Dependency.new(plugin_name)
-      fetcher.spec_for_dependency(plugin_dependency).flatten.first
-    end
-
     def fixup_train_plugin_status(status)
       status.api_generation = :'train-1'
       if status.installation_type == :user_gem

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -7,6 +7,7 @@ module Inspec::Plugin::V2::PluginType
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -11,6 +11,7 @@ module Inspec::Plugin::V2::PluginType
       @running_controls_list = []
       @control_checks_count_map = {}
       @controls_count = nil
+      @notifications = {}
     end
 
     private
@@ -49,5 +50,58 @@ module Inspec::Plugin::V2::PluginType
         @control_checks_count_map = RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_control_checks_count_map
       end
     end
+
+    def enhanced_outcomes
+      @enhanced_outcomes ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.enhanced_outcomes
+    end
+
+    def add_enhanced_outcomes(control_id)
+      if control_has_error(@notifications[control_id])
+        "error"
+      elsif control_has_impact_zero(@notifications[control_id])
+        "not_applicable"
+      elsif control_has_all_tests_skipped(@notifications[control_id])
+        "not_reviewed"
+      elsif control_has_any_tests_failed(@notifications[control_id])
+        "failed"
+      else
+        "passed"
+      end
+    end
+
+    def control_has_error(notifications)
+      notifications.any? do |notification_data|
+        notification, _status = notification_data
+        !notification.example.exception.nil? && !(notification.example.exception.is_a? RSpec::Expectations::ExpectationNotMetError) && !notification.example.exception.backtrace.nil? && (!notification.description.include? "No-op") # No-op exception occurs in case of not_applicable_if
+      end
+    end
+
+    def control_has_all_tests_skipped(notifications)
+      notifications.all? do |notification_data|
+        _notification, status = notification_data
+        status == "skipped"
+      end
+    end
+
+    def control_has_any_tests_failed(notifications)
+      notifications.any? do |notification_data|
+        _notification, status = notification_data
+        status == "failed"
+      end
+    end
+
+    def control_has_impact_zero(notifications)
+      notification_data = notifications.first
+      notification_impact = notification_data.first.example.metadata[:impact]
+      notification_data && !notification_impact.nil? && notification_impact.to_f == 0.0
+    end
+
+    def collect_notifications(notification, control_id, status)
+      if @notifications[control_id].nil?
+        @notifications[control_id] = [[notification, status]]
+      else
+        @notifications[control_id].push([notification, status])
+      end
+    end
   end
 end

data/lib/inspec/profile.rb

@@ -350,22 +350,24 @@ module Inspec
     def load_libraries
       return @runner_context if @libraries_loaded
 
-      locked_dependencies.dep_list.each_with_index do |(_name, dep), i|
+      locked_dependencies.dep_list.each_with_index do |(_name, dep), index|
         d = dep.profile
         # this will force a dependent profile load so we are only going to add
         # this metadata if the parent profile is supported.
         if @supports_platform && !d.supports_platform?
           # since ruby 1.9 hashes are ordered so we can just use index values here
           # TODO: NO! this is a violation of encapsulation to an extreme
-          metadata.dependencies[i][:status] = "skipped"
-          msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
-          metadata.dependencies[i][:status_message] = msg
-          metadata.dependencies[i][:skip_message] = msg # Repeat as skip_message for backward compatibility
+          if metadata.dependencies[index]
+            metadata.dependencies[index][:status] = "skipped"
+            msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
+            metadata.dependencies[index][:status_message] = msg
+            metadata.dependencies[index][:skip_message] = msg # Repeat as skip_message for backward compatibility
+          end
           next
-        elsif metadata.dependencies[i]
+        elsif metadata.dependencies[index]
           # Currently wrapper profiles will load all dependencies, and then we
           # load them again when we dive down. This needs to be re-done.
-          metadata.dependencies[i][:status] = "loaded"
+          metadata.dependencies[index][:status] = "loaded"
         end
 
         # rubocop:disable Layout/ExtraSpacing
@@ -746,6 +748,14 @@ module Inspec
       @source_reader.target.files
     end
 
+    def readme
+      @source_reader.readme&.values&.first
+    end
+
+    def metadata_src
+      @source_reader.metadata_src
+    end
+
     #
     # TODO(ssd): Relative path handling really needs to be carefully
     # thought through, especially with respect to relative paths in

data/lib/inspec/reporters/base.rb

@@ -5,6 +5,7 @@ module Inspec::Reporters
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config

data/lib/inspec/reporters/cli.rb

@@ -9,6 +9,9 @@ module Inspec::Reporters
         "passed" => "\033[0;1;32m",
         "skipped" => "\033[0;37m",
         "reset" => "\033[0m",
+        "error" => "\033[34m",
+        "not_applicable" => "\033[36m",
+        "not_reviewed" => "\033[33m",
       }.freeze
 
       # Most currently available Windows terminals have poor support
@@ -18,6 +21,9 @@ module Inspec::Reporters
         "skipped" => "[SKIP]",
         "passed" => "[PASS]",
         "unknown" => "[UNKN]",
+        "error" => "[ERR]",
+        "not_applicable" => "[N/A]",
+        "not_reviewed" => "[N/R]",
       }.freeze
     else
       # Extended colors for everyone else
@@ -26,6 +32,9 @@ module Inspec::Reporters
         "passed" => "\033[38;5;41m",
         "skipped" => "\033[38;5;247m",
         "reset" => "\033[0m",
+        "error" => "\033[0;38;5;21m",
+        "not_applicable" => "\033[0;38;5;117m",
+        "not_reviewed" => "\033[0;38;5;214m",
       }.freeze
 
       # Groovy UTF-8 characters for everyone else...
@@ -35,6 +44,9 @@ module Inspec::Reporters
         "skipped" => "↺",
         "passed" => "✔",
         "unknown" => "?",
+        "error" => "ERR",
+        "not_applicable" => "N/A",
+        "not_reviewed" => "N/R",
       }.freeze
     end
 
@@ -63,7 +75,11 @@ module Inspec::Reporters
       end
 
       output("")
-      print_profile_summary
+      if enhanced_outcomes
+        print_control_outcomes_summary
+      else
+        print_profile_summary
+      end
       print_tests_summary
     end
 
@@ -88,6 +104,7 @@ module Inspec::Reporters
     def print_standard_control_results(profile)
       standard_controls_from_profile(profile).each do |control_from_profile|
         control = Control.new(control_from_profile)
+        control.enhanced_outcomes = enhanced_outcomes
         next if control.results.nil?
 
         output(format_control_header(control))
@@ -122,7 +139,7 @@ module Inspec::Reporters
     end
 
     def format_control_header(control)
-      impact = control.impact_string
+      impact = enhanced_outcomes ? control.impact_string_for_enhanced_outcomes : control.impact_string
       format_message(
         color: impact,
         indicator: impact,
@@ -292,6 +309,68 @@ module Inspec::Reporters
       }
     end
 
+    def control_outcomes_summary
+      failed = 0
+      passed = 0
+      error = 0
+      not_reviewed = 0
+      not_applicable = 0
+
+      all_unique_controls.each do |control|
+        next if control[:status].empty?
+
+        if control[:status] == "failed"
+          failed += 1
+        elsif control[:status] == "error"
+          error += 1
+        elsif control[:status] == "not_reviewed"
+          not_reviewed += 1
+        elsif control[:status] == "not_applicable"
+          not_applicable += 1
+        else
+          passed += 1
+        end
+      end
+
+      total = failed + passed + error + not_reviewed + not_applicable
+
+      {
+        "total" => total,
+        "failed" => failed,
+        "passed" => passed,
+        "error" => error,
+        "not_reviewed" => not_reviewed,
+        "not_applicable" => not_applicable,
+      }
+    end
+
+    def print_control_outcomes_summary
+      summary = control_outcomes_summary
+      return unless summary["total"] > 0
+
+      success_str = summary["passed"] == 1 ? "1 successful control" : "#{summary["passed"]} successful controls"
+      failed_str  = summary["failed"] == 1 ? "1 control failure" : "#{summary["failed"]} control failures"
+      error_str = summary["error"] == 1 ? "1 control has error" : "#{summary["error"]} controls have error"
+      not_rev_str = summary["not_reviewed"] == 1 ? "1 control not reviewed" : "#{summary["not_reviewed"]} controls not reviewed"
+      not_app_str = summary["not_applicable"] == 1 ? "1 control not applicable" : "#{summary["not_applicable"]} controls not applicable"
+
+      success_color = summary["passed"] > 0 ? "passed" : "no_color"
+      failed_color = summary["failed"] > 0 ? "failed" : "no_color"
+      error_color = summary["error"] > 0 ? "error" : "no_color"
+      not_rev_color = summary["not_reviewed"] > 0 ? "not_reviewed" : "no_color"
+      not_app_color = summary["not_applicable"] > 0 ? "not_applicable" : "no_color"
+
+      s = format(
+        "Profile Summary: %s, %s, %s, %s, %s",
+        format_with_color(success_color, success_str),
+        format_with_color(failed_color, failed_str),
+        format_with_color(not_rev_color, not_rev_str),
+        format_with_color(not_app_color, not_app_str),
+        format_with_color(error_color, error_str)
+      )
+      output(s) if summary["total"] > 0
+    end
+
     def print_profile_summary
       summary = profile_summary
       return unless summary["total"] > 0
@@ -350,6 +429,7 @@ module Inspec::Reporters
 
     class Control
       attr_reader :data
+      attr_accessor :enhanced_outcomes
 
       def initialize(control_hash)
         @data = control_hash
@@ -379,6 +459,10 @@ module Inspec::Reporters
         id.start_with?("(generated from ")
       end
 
+      def status
+        data[:status]
+      end
+
       def title_for_report
         # if this is an anonymous control, just grab the resource title from any result entry
         return results.first[:resource_title] if anonymous?
@@ -392,10 +476,17 @@ module Inspec::Reporters
         # append a failure summary if appropriate.
         title_for_report += " (#{failure_count} failed)" if failure_count > 0
         title_for_report += " (#{skipped_count} skipped)" if skipped_count > 0
-
         title_for_report
       end
 
+      def impact_string_for_enhanced_outcomes
+        if impact.nil?
+          "unknown"
+        else
+          status
+        end
+      end
+
       def impact_string
         if anonymous?
           nil

data/lib/inspec/reporters/json.rb

@@ -114,7 +114,7 @@ module Inspec::Reporters
 
     def profile_controls(profile)
       (profile[:controls] || []).map { |c|
-        {
+        control_hash = {
           id:     c[:id],
           title:  c[:title],
           desc:   c.dig(:descriptions, :default),
@@ -130,6 +130,8 @@ module Inspec::Reporters
           waiver_data: c[:waiver_data] || {},
           results: profile_results(c),
         }
+        control_hash.merge!({ status: c[:status] }) if enhanced_outcomes
+        control_hash
       }
     end
 

data/lib/inspec/reporters/yaml.rb

@@ -3,7 +3,9 @@ require "yaml"
 module Inspec::Reporters
   class Yaml < Base
     def render
-      output(Inspec::Reporters::Json.new({ run_data: run_data }).report.to_yaml, false)
+      json_reporter_obj = Inspec::Reporters::Json.new({ run_data: run_data })
+      json_reporter_obj.enhanced_outcomes = enhanced_outcomes
+      output(json_reporter_obj.report.to_yaml, false)
     end
 
     def report

data/lib/inspec/reporters.rb

@@ -7,7 +7,7 @@ require "inspec/reporters/yaml"
 
 module Inspec::Reporters
   # rubocop:disable Metrics/CyclomaticComplexity
-  def self.render(reporter, run_data)
+  def self.render(reporter, run_data, enhanced_outcomes = false)
     name, config = reporter.dup
     config[:run_data] = run_data
     case name
@@ -29,6 +29,7 @@ module Inspec::Reporters
       activator.activate!
       reporter = activator.implementation_class.new(config)
     end
+    reporter.enhanced_outcomes = enhanced_outcomes
 
     # optional send_report method on reporter
     return reporter.send_report if defined?(reporter.send_report)

data/lib/inspec/resources/aide_conf.rb

@@ -48,6 +48,10 @@ module Inspec::Resources
 
     filter.install_filter_methods_on_resource(self, :params)
 
+    def resource_id
+      @conf_path || "aide_conf"
+    end
+
     def to_s
       "AIDE Config"
     end

data/lib/inspec/resources/apache.rb

@@ -40,6 +40,10 @@ module Inspec::Resources
       end
     end
 
+    def resource_id
+      @conf_path || "apache"
+    end
+
     def to_s
       "Apache Environment"
     end

data/lib/inspec/resources/apache_conf.rb

@@ -124,6 +124,10 @@ module Inspec::Resources
       @params["ServerRoot"] || @params["serverroot"]
     end
 
+    def resource_id
+      @conf_path || "apache_conf"
+    end
+
     def to_s
       "Apache Config #{conf_path}"
     end

data/lib/inspec/resources/apt.rb

@@ -39,10 +39,11 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(ppa_name)
+      @ppa_name = ppa_name
       @deb_url = nil
       # check if the os is ubuntu or debian
       if inspec.os.debian?
-        @deb_url = determine_ppa_url(ppa_name)
+        @deb_url = determine_ppa_url(@ppa_name)
       else
         # this resource is only supported on ubuntu and debian
         skip_resource "The `apt` resource is not supported on your OS yet."
@@ -61,6 +62,10 @@ module Inspec::Resources
       actives.size == 1 && actives[0] = true
     end
 
+    def resource_id
+      @deb_url || @ppa_name || "apt repository"
+    end
+
     def to_s
       "Apt Repository #{@deb_url}"
     end

data/lib/inspec/resources/audit_policy.rb

@@ -57,6 +57,11 @@ module Inspec::Resources
       values
     end
 
+    # Since this resource does not have any unique identifier for resource, sending the Auditpol command as UUID.
+    def resource_id
+      "audit_policy"
+    end
+
     def to_s
       "Audit Policy"
     end

data/lib/inspec/resources/auditd_conf.rb

@@ -27,6 +27,10 @@ module Inspec::Resources
       read_params[name.to_s]
     end
 
+    def resource_id
+      @conf_path || "auditd_conf"
+    end
+
     def to_s
       "Audit Daemon Config"
     end

data/lib/inspec/resources/bash.rb

@@ -28,6 +28,10 @@ module Inspec::Resources
       super(CommandWrapper.wrap(command, options))
     end
 
+    def resource_id
+      @raw_command || "bash"
+    end
+
     def to_s
       "Bash command #{@raw_command}"
     end

data/lib/inspec/resources/bond.rb

@@ -63,6 +63,10 @@ module Inspec::Resources
       params["Bonding Mode"].first
     end
 
+    def resource_id
+      @path || "bond"
+    end
+
     def to_s
       "Bond #{@bond}"
     end

data/lib/inspec/resources/bridge.rb

@@ -45,6 +45,10 @@ module Inspec::Resources
       bridge_info.nil? ? nil : bridge_info[:interfaces]
     end
 
+    def resource_id
+      @bridge_name || "bridge"
+    end
+
     def to_s
       "Bridge #{@bridge_name}"
     end

data/lib/inspec/resources/cassandradb_conf.rb

@@ -31,6 +31,11 @@ module Inspec::Resources
       super(@conf_path)
     end
 
+    # if system unables to determine the cassandra conf path the @conf_path can be nil so in that case sending "" string as resource_id
+    def resource_id
+      @conf_path || "cassandradb_conf"
+    end
+
     private
 
     def parse(content)