inspec-core 5.17.4 → 5.21.29

data/lib/inspec/rule.rb

@@ -8,13 +8,15 @@ require "inspec/impact"
 require "inspec/resource"
 require "inspec/resources/os"
 require "inspec/input_registry"
+require "inspec/waiver_file_reader"
+require "inspec/utils/convert"
 
 module Inspec
   class Rule
     include ::RSpec::Matchers
 
     attr_reader :__waiver_data
-    attr_accessor :resource_dsl
+    attr_accessor :resource_dsl, :na_impact_freeze
     attr_reader :__profile_id
 
     def initialize(id, profile_id, resource_dsl, opts, &block)
@@ -38,6 +40,7 @@ module Inspec
       @__merge_count = 0
       @__merge_changes = []
       @__skip_only_if_eval = opts[:skip_only_if_eval]
+      @__na_rule = {}
 
       # evaluate the given definition
       return unless block_given?
@@ -73,10 +76,13 @@ module Inspec
     end
 
     def impact(v = nil)
-      if v.is_a?(String)
-        @impact = Inspec::Impact.impact_from_string(v)
-      elsif !v.nil?
-        @impact = v
+      # N/A impact freeze is required when only_applicable_if block has reset impact value to zero"
+      unless na_impact_freeze
+        if v.is_a?(String)
+          @impact = Inspec::Impact.impact_from_string(v)
+        elsif !v.nil?
+          @impact = v
+        end
       end
 
       @impact
@@ -133,15 +139,28 @@ module Inspec
     #
     # @param [Type] &block returns true if tests are added, false otherwise
     # @return [nil]
-    def only_if(message = nil)
+    def only_if(message = nil, impact: nil)
       return unless block_given?
       return if @__skip_only_if_eval == true
 
+      self.impact(impact) if impact && !yield
       @__skip_rule[:result] ||= !yield
       @__skip_rule[:type] = :only_if
       @__skip_rule[:message] = message
     end
 
+    def only_applicable_if(message = nil)
+      return unless block_given?
+      return if yield
+
+      impact(0.0)
+      self.na_impact_freeze = true # this flag prevents impact value to reset to any other value
+
+      @__na_rule[:result] ||= !yield
+      @__na_rule[:type] = :only_applicable_if
+      @__na_rule[:message] = message
+    end
+
     # Describe will add one or more tests to this control. There is 2 ways
     # of calling it:
     #
@@ -252,6 +271,10 @@ module Inspec
       rule.instance_variable_get(:@__skip_rule)
     end
 
+    def self.na_status(rule)
+      rule.instance_variable_get(:@__na_rule)
+    end
+
     def self.set_skip_rule(rule, value, message = nil, type = :only_if)
       rule.instance_variable_set(:@__skip_rule,
                                  {
@@ -273,16 +296,26 @@ module Inspec
     # creates a dummay array of "checks" with a skip outcome
     def self.prepare_checks(rule)
       skip_check = skip_status(rule)
-      return checks(rule) unless skip_check[:result].eql?(true)
+      na_check = na_status(rule)
+      return checks(rule) unless skip_check[:result].eql?(true) || na_check[:result].eql?(true)
 
-      if skip_check[:message]
-        msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+      resource = rule.noop
+      if skip_check[:result].eql?(true)
+        if skip_check[:message]
+          msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+        else
+          msg = "Skipped control due to #{skip_check[:type]} condition."
+        end
+        resource.skip_resource(msg)
       else
-        msg = "Skipped control due to #{skip_check[:type]} condition."
+        if na_check[:message]
+          msg = "N/A control due to #{na_check[:type]} condition: #{na_check[:message]}"
+        else
+          msg = "N/A control due to #{na_check[:type]} condition."
+        end
+        resource.fail_resource(msg)
       end
 
-      resource = rule.noop
-      resource.skip_resource(msg)
       [["describe", [resource], nil]]
     end
 
@@ -337,17 +370,20 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
-      input_name = @__rule_id # TODO: control ID slugging
-      registry = Inspec::InputRegistry.instance
-      input = registry.inputs_by_profile.dig(__profile_id, input_name)
-      return unless input && input.has_value? && input.value.is_a?(Hash)
+      control_id = @__rule_id # TODO: control ID slugging
+      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
+
+      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
+
+      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
       # An InSpec Input is a datastructure that tracks a profile parameter
       # over time. Its value can be set by many sources, and it keeps a
       # log of each "set" event so that when it is collapsed to a value,
       # it can determine the correct (highest priority) value.
       # Store in an instance variable for.. later reading???
-      @__waiver_data = input.value
+      @__waiver_data = waiver_data_by_profile[control_id]
+
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""
 
@@ -358,7 +394,7 @@ module Inspec
         # YAML will automagically give us a Date or a Time.
         # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
         # A string that does not represent a valid time results in the date 0000-01-01.
-        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.parse(expiry).year != 0)
           expiry = expiry.to_time if expiry.is_a? Date
           expiry = Time.parse(expiry) if expiry.is_a? String
           if expiry < Time.now # If the waiver expired, return - no skip applied
@@ -376,6 +412,7 @@ module Inspec
       # expiration_date. We only care here if it has a "run" key and it
       # is false-like, since all non-skipped waiver operations are handled
       # during reporting phase.
+      __waiver_data["run"] = Converter.to_boolean(__waiver_data["run"]) if __waiver_data.key?("run")
       return unless __waiver_data.key?("run") && !__waiver_data["run"]
 
       # OK, apply a skip.

data/lib/inspec/run_data/control.rb

@@ -1,3 +1,5 @@
+require "inspec/enhanced_outcomes"
+
 module Inspec
   class RunData
     Control = Struct.new(
@@ -31,6 +33,10 @@ module Inspec
         ].each do |field|
           self[field] = raw_ctl_data[field]
         end
+
+        def status
+          Inspec::EnhancedOutcomes.determine_status(results, impact)
+        end
       end
     end
 

data/lib/inspec/run_data/statistics.rb

@@ -16,14 +16,20 @@ module Inspec
         :total,
         :passed,
         :skipped,
-        :failed
+        :failed,
+        :not_reviewed,
+        :not_applicable,
+        :error
       ) do
         include HashLikeStruct
         def initialize(raw_stat_ctl_data)
           self.total = raw_stat_ctl_data[:total]
           self.passed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:passed][:total])
-          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total])
           self.failed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:failed][:total])
+          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total]) if raw_stat_ctl_data[:skipped]
+          self.not_reviewed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_reviewed][:total]) if raw_stat_ctl_data[:not_reviewed]
+          self.not_applicable = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_applicable][:total]) if raw_stat_ctl_data[:not_applicable]
+          self.error = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:error][:total]) if raw_stat_ctl_data[:error]
         end
       end
       class Controls

data/lib/inspec/runner.rb

@@ -60,9 +60,11 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        waivers = @conf.delete(:waiver_file)
-        @conf[:input_file] ||= []
-        @conf[:input_file].concat waivers
+        @conf[:waiver_file].each do |file|
+          unless File.file?(file)
+            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+          end
+        end
       end
 
       # About reading inputs:
@@ -133,12 +135,20 @@ module Inspec
       all_controls.each do |rule|
         unless rule.nil?
           register_rule(rule)
-          checks = ::Inspec::Rule.prepare_checks(rule)
-          unless checks.empty?
+          total_checks = 0
+          control_describe_checks = ::Inspec::Rule.prepare_checks(rule)
+
+          examples = control_describe_checks.flat_map do |m, a, b|
+            get_check_example(m, a, b)
+          end.compact
+
+          examples.map { |example| total_checks += example.examples.count }
+
+          unless control_describe_checks.empty?
             # controls with empty tests are avoided
             # checks represent tests within control
-            controls_count += 1
-            control_checks_count_map[rule.to_s] = checks.count
+            controls_count += 1 if control_checks_count_map[rule.to_s].nil?
+            control_checks_count_map[rule.to_s] = control_checks_count_map[rule.to_s].to_i + total_checks
           end
         end
       end
@@ -158,7 +168,7 @@ module Inspec
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data)
+        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end

data/lib/inspec/runner_rspec.rb

@@ -107,11 +107,11 @@ module Inspec
       stats = @formatter.results[:statistics][:controls]
       load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
       skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
-      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
+      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures && (stats[:error] && stats[:error][:total] == 0) # placed error count condition because of enhanced outcomes
         0
       elsif load_failures
         @conf["distinct_exit"] ? 102 : 1
-      elsif stats[:failed][:total] > 0
+      elsif stats[:failed][:total] > 0 || (stats[:error] && stats[:error][:total] > 0)
         @conf["distinct_exit"] ? 100 : 1
       elsif stats[:skipped][:total] > 0 || skipped
         @conf["distinct_exit"] ? 101 : 0
@@ -196,6 +196,7 @@ module Inspec
     def configure_output
       RSpec.configuration.output_stream = $stdout
       @formatter = RSpec.configuration.add_formatter(Inspec::Formatters::Base)
+      @formatter.enhanced_outcomes = @conf.final_options["enhanced_outcomes"]
       RSpec.configuration.add_formatter(Inspec::Formatters::ShowProgress, $stderr) if @conf[:show_progress]
       set_optional_formatters
       RSpec.configuration.color = @conf["color"]

data/lib/inspec/schema/exec_json.rb

@@ -19,8 +19,8 @@ module Inspec
       # Lists the potential values for a control result
       CONTROL_RESULT_STATUS = Primitives::SchemaType.new("Control Result Status", {
         "type" => "string",
-        "enum" => %w{passed failed skipped error},
-      }, [], "The status of a control.  Should be one of 'passed', 'failed', 'skipped', or 'error'.")
+        "enum" => %w{passed failed skipped},
+      }, [], "The status of a control.  Should be one of 'passed', 'failed', or 'skipped'.")
 
       # Represents the statistics/result of a control"s execution
       CONTROL_RESULT = Primitives::SchemaType.new("Control Result", {
@@ -75,6 +75,36 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
 
+      # Represents a control produced with enhanced outcomes option
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Exec JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact refs tags code source_location results},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."), # Nullable string
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(Primitives.array(CONTROL_DESCRIPTION.ref), "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+          "results" => Primitives.desc(Primitives.array(CONTROL_RESULT.ref), %q(
+             The set of all tests within the control and their results and findings.  Example:
+             For Chef Inspec, if in the control's code we had the following:
+               describe sshd_config do
+                 its('Port') { should cmp 22 }
+               end
+             The findings from this block would be appended to the results, as well as those of any other blocks within the control.
+          )),
+        },
+      }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
+
       # Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
       # However, concessions were made to the reality of current reporters, specifically
       # with how description is omitted and version/inspec_version aren't as advertised online
@@ -112,6 +142,40 @@ module Inspec
         },
       }, [CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
 
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{name sha256 supports attributes groups controls},
+        # Name is mandatory in inspec.yml.
+        # supports, controls, groups, and attributes are always present, even if empty
+        # sha256, status, status_message
+        "properties" => {
+          # These are provided in inspec.yml
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contact information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."),
+          "parent_profile" => Primitives.desc(Primitives::STRING, "The name of the parent profile if the profile is a dependency of another."),
+          "license" => Primitives.desc(Primitives::STRING, "The copyright license.  Example: the full text or the name, such as 'Apache License, Version 2.0'."),
+          "summary" => Primitives.desc(Primitives::STRING, "The summary.  Example: the Security Technical Implementation Guide (STIG) header."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "description" => Primitives.desc(Primitives::STRING, "The description - should be more detailed than the summary."),
+          "inspec_version" => Primitives.desc(Primitives::STRING, "The version of Inspec."),
+
+          # These are generated at runtime, and all except status_message and skip_message are guaranteed
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: loaded."), # enum? loaded, failed, skipped
+          "status_message" => Primitives.desc(Primitives::STRING, "The reason for the status.  Example: why it was skipped or failed to load."),
+          "skip_message" => Primitives.desc(Primitives::STRING, "The reason for skipping if it was skipped."), # Deprecated field - status_message should be used instead.
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls including any findings."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "attributes" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used in the run."),
+        },
+      }, [ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
+
       # Result of exec json. Top level value
       # TODO: Include the format of top level controls. This was omitted for lack of sufficient examples
       OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
@@ -125,6 +189,18 @@ module Inspec
           "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
         },
       }, [Primitives::PLATFORM, PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
+
+      ENHANCED_OUTCOME_OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{platform profiles statistics version},
+        "properties" => {
+          "platform" => Primitives.desc(Primitives::PLATFORM.ref, "Information on the platform the run from the tool that generated the findings was from.  Example: the name of the operating system."),
+          "profiles" => Primitives.desc(Primitives.array(PROFILE.ref), "Information on the run(s) from the tool that generated the findings.  Example: the findings."),
+          "statistics" => Primitives.desc(Primitives::STATISTICS.ref, "Statistics for the run(s) from the tool that generated the findings.  Example: the runtime duration."),
+          "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
+        },
+      }, [Primitives::PLATFORM, ENHANCED_OUTCOME_PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
     end
   end
 end

data/lib/inspec/schema/output_schema.rb

@@ -30,6 +30,8 @@ module Inspec
         "profile-json" => OutputSchema.finalize(Schema::ProfileJson::PROFILE),
         "exec-json" => OutputSchema.finalize(Schema::ExecJson::OUTPUT),
         "exec-jsonmin" => OutputSchema.finalize(Schema::ExecJsonMin::OUTPUT),
+        "profile-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ProfileJson::ENHANCED_OUTCOME_PROFILE),
+        "exec-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ExecJson::ENHANCED_OUTCOME_OUTPUT),
         "platforms" => PLATFORMS,
       }.freeze
 
@@ -37,7 +39,8 @@ module Inspec
         LIST.keys
       end
 
-      def self.json(name)
+      def self.json(name, opts)
+        name += "-enhanced-outcomes" if opts["enhanced_outcomes"]
         if !LIST.key?(name)
           raise("Cannot find schema #{name.inspect}.")
         elsif LIST[name].is_a?(Proc)

data/lib/inspec/schema/profile_json.rb

@@ -31,6 +31,28 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
 
+      # Represents a control with enhanced outcomes status information
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Profile JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact tags code},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."),
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(CONTROL_DESCRIPTIONS.ref, "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+        },
+      }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
+
       # A profile that has not been run.
       PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
         "type" => "object",
@@ -55,6 +77,30 @@ module Inspec
           "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
         },
       }, [Primitives::SUPPORT, CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
+
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true, # Anything in the yaml will be put in here. LTTODO: Make this stricter!
+        "required" => %w{name supports controls groups sha256},
+        "properties" => {
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls - contains no findings as the assessment has not yet occurred."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "inputs" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used to be in the run."),
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: skipped."),
+          "generator" => Primitives.desc(Primitives::GENERATOR.ref, "The tool that generated this file.  Example: Chef Inspec."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+
+          # Other properties possible in inspec docs, but that aren"t guaranteed
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contract information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
+        },
+      }, [Primitives::SUPPORT, ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
     end
   end
 end

data/lib/inspec/schema.rb

@@ -111,6 +111,43 @@ module Inspec
       },
     }.freeze
 
+    CONTROL_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "id" => { "type" => "string" },
+        "title" => { "type" => %w{string null} },
+        "desc" => { "type" => %w{string null} },
+        "descriptions" => { "type" => %w{array} },
+        "impact" => { "type" => "number" },
+        "status" => {
+          "enum" => %w{passed failed not_applicable not_reviewed error},
+          "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+        },
+        "refs" => REFS,
+        "tags" => TAGS,
+        "code" => { "type" => "string" },
+        "source_location" => {
+          "type" => "object",
+          "properties" => {
+            "ref" => { "type" => "string" },
+            "line" => { "type" => "number" },
+          },
+        },
+        "results" => { "type" => "array", "items" => RESULT },
+        "waiver_data" => {
+          "type" => "object",
+          "properties" => {
+            "skipped_due_to_waiver" => { "type" => "string" },
+            "run" => { "type" => "boolean" },
+            "message" => { "type" => "string" },
+            "expiration_date" => { "type" => "string" },
+            "justification" => { "type" => "string" },
+          },
+        },
+      },
+    }.freeze
+
     SUPPORTS = {
       "type" => "object",
       "additionalProperties" => false,
@@ -173,6 +210,45 @@ module Inspec
       },
     }.freeze
 
+    PROFILE_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "name" => { "type" => "string" },
+        "version" => { "type" => "string", "optional" => true },
+        "sha256" => { "type" => "string", "optional" => false },
+
+        "title" => { "type" => "string", "optional" => true },
+        "maintainer" => { "type" => "string", "optional" => true },
+        "copyright" => { "type" => "string", "optional" => true },
+        "copyright_email" => { "type" => "string", "optional" => true },
+        "license" => { "type" => "string", "optional" => true },
+        "summary" => { "type" => "string", "optional" => true },
+        "status" => { "type" => "string", "optional" => false },
+        "status_message" => { "type" => "string", "optional" => true },
+        # skip_message is deprecated, status_message should be used to store the reason for skipping
+        "skip_message" => { "type" => "string", "optional" => true },
+
+        "supports" => {
+          "type" => "array",
+          "items" => SUPPORTS,
+          "optional" => true,
+        },
+        "controls" => {
+          "type" => "array",
+          "items" => CONTROL_ENHANCED_OUTCOME,
+        },
+        "groups" => {
+          "type" => "array",
+          "items" => CONTROL_GROUP,
+        },
+        "attributes" => { # TODO: rename to inputs, refs #3802
+          "type" => "array",
+          # TODO: more detailed specification needed
+        },
+      },
+    }.freeze
+
     EXEC_JSON = {
       "type" => "object",
       "additionalProperties" => false,
@@ -187,6 +263,20 @@ module Inspec
       },
     }.freeze
 
+    EXEC_JSON_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "platform" => PLATFORM,
+        "profiles" => {
+          "type" => "array",
+          "items" => PROFILE_ENHANCED_OUTCOME,
+        },
+        "statistics" => STATISTICS,
+        "version" => { "type" => "string" },
+      },
+    }.freeze
+
     MIN_CONTROL = {
       "type" => "object",
       "additionalProperties" => false,
@@ -228,6 +318,7 @@ module Inspec
     LIST = {
       "exec-json" => EXEC_JSON,
       "exec-jsonmin" => EXEC_JSONMIN,
+      "exec-json-enhanced-outcome" => EXEC_JSON_ENHANCED_OUTCOME,
       "platforms" => PLATFORMS,
     }.freeze
 

data/lib/inspec/secrets/yaml.rb

@@ -16,7 +16,13 @@ module Secrets
 
     # array of yaml file paths
     def initialize(target)
-      @inputs = ::YAML.load_file(target)
+      # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+      # It's not a valid option in 3.0.x
+      if Gem.ruby_version >= Gem::Version.new("3.1.0")
+        @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
+      else
+        @inputs = ::YAML.load_file(target)
+      end
 
       if @inputs == false || !@inputs.is_a?(Hash)
         Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")

data/lib/inspec/ui.rb

@@ -31,6 +31,7 @@ module Inspec
     EXIT_PLUGIN_ERROR = 2
     EXIT_FATAL_DEPRECATION = 3
     EXIT_GEM_DEPENDENCY_LOAD_ERROR = 4
+    EXIT_BAD_SIGNATURE = 5
     EXIT_LICENSE_NOT_ACCEPTED = 172
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101

data/lib/inspec/utils/convert.rb

@@ -5,4 +5,12 @@ module Converter
     val = val.to_i if val =~ /^\d+$/
     val
   end
+
+  def self.to_boolean(value)
+    if ["true", "True", "TRUE", true, "yes", "y", "YES", "Y"].include? value
+      true
+    elsif ["false", "False", "FALSE", false, "no", "n", "NO", "N"].include? value
+      false
+    end
+  end
 end

data/lib/inspec/utils/podman.rb

@@ -0,0 +1,24 @@
+require "inspec/resources/command"
+
+module Inspec
+  module Utils
+    module Podman
+      def podman_running?
+        inspec.command("podman version").exit_status == 0
+      end
+
+      # Generates the template in this format using labels hash: "\"id\": {{json .ID}}, \"name\": {{json .Name}}",
+      def generate_go_template(labels)
+        (labels.map { |k, v| "\"#{k}\": {{json .#{v}}}" }).join(", ")
+      end
+
+      def parse_command_output(output)
+        require "json" unless defined?(JSON)
+        JSON.parse(output)
+      rescue JSON::ParserError => _e
+        warn "Could not parse the command output"
+        {}
+      end
+    end
+  end
+end