inspec-core 5.18.14 → 5.21.29

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba97ee3e25e02fba9b85f797fa1a773d2e8fa7628112be422d187c0e46cfce40
-  data.tar.gz: a82f51e5c6ba3e1db8c4580f92a33d91bcc2e0c2a8339850e1f168c1569b8818
+  metadata.gz: 7f6f86730baadd988c363a823e5e46ba68c318e48b27bbaaba614ce7c33bb71c
+  data.tar.gz: f02ca42e9d4e525b82e9cfa61a04b122dc3b09c1e3c96f2ec4440c3fb3053f25
 SHA512:
-  metadata.gz: beb78893376f0b92b9cf33741f8fab471f66dd328fa1f28c87b05737da7f73266327eded07ca67f0b91a747625dfcb61011b42c06a25914d01f727b07a962456
-  data.tar.gz: 193aeef4576e2af4466a176b80e107cd45fe0c0c0f6db290d17696cec1eb7dbf6b58b555bf8c0df4b9bb4a9d5aa8d26f542993b5be1d600a296c3ec50e531d09
+  metadata.gz: 597fed943b00ed280a749f05c97d01e29b4d5a85034835e9f242990588b35b740bf56a886b65202777d68b79b5cbd1faf1a48a69c1a4f1f8a00a83ecdece3527
+  data.tar.gz: 13aa012d46677b3cd31614dcc118c62b1aa1656f3007d6b105f7822a3c25a45b1b1284eef9fb9e761cf5a03cd8209ffe8518d54ed355c189a2f141788a000694

data/Gemfile

@@ -23,9 +23,8 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 2.0.3"
+  gem "chefstyle", "~> 2.2.2"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
@@ -39,26 +38,30 @@ group :test do
   gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
+
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    # html-proofer has a dep on io-event, which is ruby-3 only
+    gem "html-proofer", "~> 3.19.4", platforms: :ruby # do not attempt to run proofer on windows. Pinned to 3.19.4 as test is breaking in updated versions.
+  end
 end
 
 group :deploy do
   gem "inquirer"
 end
 
-# Only include Test Kitchen support if we are on Ruby 2.7 or higher
-# as chef-zero support requires Ruby 2.6
-# See https://github.com/inspec/inspec/pull/5341
-if Gem.ruby_version >= Gem::Version.new("2.7.0")
-  group :kitchen do
-    gem "berkshelf"
-    gem "chef", ">= 16.0" # Required to allow net-ssh > 6
-    gem "test-kitchen", ">= 2.8"
-    gem "kitchen-inspec", ">= 2.0"
-    gem "kitchen-dokken", ">= 2.11"
-    gem "git"
+group :kitchen do
+  gem "berkshelf"
+
+  # Chef 18 requires ruby 3
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    gem "chef", ">= 17.0"
+  else
+    # Ruby 2.7 presumably - TODO remove this when 2.7 is sunsetted
+    gem "chef", "~> 16.0"
   end
-end
 
-if Gem.ruby_version < Gem::Version.new("2.7.0")
-  gem "activesupport", "6.1.4.4"
+  gem "test-kitchen", ">= 2.8"
+  gem "kitchen-inspec", ">= 2.0"
+  gem "kitchen-dokken", ">= 2.11"
+  gem "git"
 end

data/inspec-core.gemspec

@@ -18,32 +18,32 @@ Gem::Specification.new do |spec|
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
     Dir.glob("{{lib,etc}/**/*,LICENSE,Gemfile,inspec-core.gemspec}")
-      .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp)})
+      .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp|alicloud)})
       .grep_v(%r{lib/plugins/.*/test/})
       .reject { |f| File.directory?(f) }
 
   # Implementation dependencies
-  spec.add_dependency "chef-telemetry",     "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
-  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
-  spec.add_dependency "thor",               ">= 0.20", "< 2.0"
-  spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
-  spec.add_dependency "rspec-its",          "~> 1.2"
-  spec.add_dependency "pry",                "~> 0.13"
-  spec.add_dependency "hashie",             ">= 3.4", "< 5.0"
-  spec.add_dependency "mixlib-log",         "~> 3.0"
-  spec.add_dependency "sslshake",           "~> 1.2"
-  spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.5"
-  spec.add_dependency "faraday_middleware", "~> 1.0"
-  spec.add_dependency "tty-table",          "~> 0.10"
-  spec.add_dependency "tty-prompt",         "~> 0.17"
-  spec.add_dependency "tomlrb",             ">= 1.2", "< 2.1"
-  spec.add_dependency "addressable",        "~> 2.4"
-  spec.add_dependency "parslet",            ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
-  spec.add_dependency "semverse",           "~> 3.0"
-  spec.add_dependency "multipart-post",     "~> 2.0"
+  spec.add_dependency "chef-telemetry",           "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
+  spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 2.0"
+  spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.11"
+  spec.add_dependency "rspec-its",                "~> 1.2"
+  spec.add_dependency "pry",                      "~> 0.13"
+  spec.add_dependency "hashie",                   ">= 3.4", "< 5.0"
+  spec.add_dependency "mixlib-log",               "~> 3.0"
+  spec.add_dependency "sslshake",                 "~> 1.2"
+  spec.add_dependency "parallel",                 "~> 1.9"
+  spec.add_dependency "faraday",                  ">= 1", "< 3"
+  spec.add_dependency "faraday-follow_redirects", "~> 0.3"
+  spec.add_dependency "tty-table",                "~> 0.10"
+  spec.add_dependency "tty-prompt",               "~> 0.17"
+  spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
+  spec.add_dependency "addressable",              "~> 2.4"
+  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "semverse",                 "~> 3.0"
+  spec.add_dependency "multipart-post",           "~> 2.0"
 
   spec.add_dependency "train-core", "~> 3.10"
 end

data/lib/inspec/base_cli.rb

@@ -205,6 +205,8 @@ module Inspec
         long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
       option :reporter_include_source, type: :boolean, default: false,
         desc: "Include full source code of controls in the CLI report"
+      option :enhanced_outcomes, type: :boolean,
+        desc: "Show enhanced outcomes in output"
     end
 
     def self.help(*args)

data/lib/inspec/cli.rb

@@ -415,6 +415,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Load one or more input files, a YAML file with values for the shell to use"
   option :input, type: :array, banner: "name1=value1 name2=value2",
     desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
+  option :enhanced_outcomes, type: :boolean,
+    desc: "Show enhanced outcomes in output"
   def shell_func
     o = config
     deprecate_target_id(config)
@@ -461,11 +463,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
+  option :enhanced_outcomes, type: :boolean,
+    desc: "Show enhanced outcomes output"
   desc "schema NAME", "print the JSON schema", hide: true
   def schema(name)
     require "inspec/schema/output_schema"
-
-    puts Inspec::Schema::OutputSchema.json(name)
+    o = config
+    puts Inspec::Schema::OutputSchema.json(name, o)
   rescue StandardError => e
     puts e
     puts "Valid schemas are #{Inspec::Schema::OutputSchema.names.join(", ")}"

data/lib/inspec/dsl.rb

@@ -91,13 +91,19 @@ module Inspec::DSL
     if profile_version
       new_profile_id = "#{profile_id}-#{profile_version}"
     else
+      # This scary regex is used to match version following semantic Versioning (SemVer). Thanks to https://ihateregex.io/expr/semver/
+      regex_for_semver = /(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?/
       dependencies.list.keys.each do |key|
-        # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
-        profile_id_key = key.split("-")
-        profile_id_key.pop
-        new_profile_id = key if profile_id_key.join("-") == profile_id
+        # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
+        # 2. Matching original profile dependency name with profile name used with include or require control DSL.
+        fetching_semver = key.match(regex_for_semver).to_s
+        unless fetching_semver.nil? || fetching_semver.empty?
+          profile_id_key = key.split("-#{fetching_semver}")[0]
+          new_profile_id = key if profile_id_key == profile_id
+        end
       end
     end
+    # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
     dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id]
 
     if dep_entry.nil?

data/lib/inspec/enhanced_outcomes.rb

@@ -0,0 +1,19 @@
+module Inspec
+  module EnhancedOutcomes
+
+    def self.determine_status(results, impact)
+      # No-op exception occurs in case of not_applicable_if
+      if results.any? { |r| !r[:exception].nil? && !r[:backtrace].nil? && r[:resource_class] != "noop" }
+        "error"
+      elsif !impact.nil? && impact.to_f == 0.0
+        "not_applicable"
+      elsif results.all? { |r| r[:status] == "skipped" }
+        "not_reviewed"
+      elsif results.any? { |r| r[:status] == "failed" }
+        "failed"
+      else
+        "passed"
+      end
+    end
+  end
+end

data/lib/inspec/env_printer.rb

@@ -35,7 +35,7 @@ module Inspec
     private
 
     def print_completion_for_shell
-      erb = ERB.new(File.read(completion_template_path), nil, "-")
+      erb = ERB.new(File.read(completion_template_path), trim_mode: "-")
       puts erb.result(TemplateContext.new(@command_class).get_bindings)
     end
 

data/lib/inspec/exceptions.rb

@@ -10,5 +10,7 @@ module Inspec
     class SecretsBackendNotFound < ArgumentError; end
     class ProfileValidationKeyNotFound < ArgumentError; end
     class ProfileSigningKeyNotFound < ArgumentError; end
+    class WaiversFileNotReadable < ArgumentError; end
+    class WaiversFileDoesNotExist < ArgumentError; end
   end
 end

data/lib/inspec/formatters/base.rb

@@ -1,12 +1,13 @@
 require "rspec/core"
 require "rspec/core/formatters/base_formatter"
 require "set" unless defined?(Set)
+require "inspec/enhanced_outcomes"
 
 module Inspec::Formatters
   class Base < RSpec::Core::Formatters::BaseFormatter
     RSpec::Core::Formatters.register self, :close, :dump_summary, :stop
 
-    attr_accessor :backend, :run_data
+    attr_accessor :backend, :run_data, :enhanced_outcomes
 
     def initialize(output)
       super(output)
@@ -17,6 +18,7 @@ module Inspec::Formatters
       @backend = nil
       @all_controls_count = nil
       @control_checks_count_map = {}
+      @enhanced_outcomes = nil
     end
 
     # RSpec Override: #dump_summary
@@ -50,7 +52,6 @@ module Inspec::Formatters
           else
             hash[:message] = exception_message(e)
           end
-
           next if e.is_a? RSpec::Expectations::ExpectationNotMetError
 
           hash[:exception] = e.class.name
@@ -68,6 +69,8 @@ module Inspec::Formatters
       # flesh out the profiles key with additional profile information
       run_data[:profiles] = profiles_info
 
+      add_enhanced_outcomes_to_controls if enhanced_outcomes
+
       # add the platform information for this particular target
       run_data[:platform] = {
         name: platform(:name),
@@ -110,6 +113,20 @@ module Inspec::Formatters
 
     private
 
+    def add_enhanced_outcomes_to_controls
+      all_unique_controls.each do |control|
+        control[:status] = determine_control_enhanced_outcome(control)
+      end
+    end
+
+    def determine_control_enhanced_outcome(control)
+      if control[:results]
+        Inspec::EnhancedOutcomes.determine_status(control[:results], control[:impact])
+      else
+        "passed"
+      end
+    end
+
     def all_unique_controls
       unique_controls = Set.new
       run_data[:profiles].each do |profile|
@@ -120,25 +137,59 @@ module Inspec::Formatters
     end
 
     def statistics
+      error = 0
+      not_applicable = 0
+      not_reviewed = 0
       failed = 0
-      skipped = 0
       passed = 0
+      skipped = 0
+      enhanced_outcomes_summary = {}
+      if enhanced_outcomes
+        all_unique_controls.each do |control|
+
+          if control[:status] == "error"
+            error += 1
+          elsif control[:status] == "not_applicable"
+            not_applicable += 1
+          elsif control[:status] == "not_reviewed"
+            not_reviewed += 1
+          elsif control[:status] == "failed"
+            failed += 1
+          elsif control[:status] == "passed"
+            passed += 1
+          end
 
-      all_unique_controls.each do |control|
-        next unless control[:results]
-
-        if control[:results].any? { |r| r[:status] == "failed" }
-          failed += 1
-        elsif control[:results].any? { |r| r[:status] == "skipped" }
-          skipped += 1
-        else
-          passed += 1
-        end
-      end
+          # added this additionally because stats summary is also used for determining exit code in runner rspec
+          skipped += 1 if control[:results].any? { |r| r[:status] == "skipped" }
 
-      total = failed + passed + skipped
+        end
+        total = error + not_applicable + not_reviewed + failed + passed
+        enhanced_outcomes_summary = {
+          not_applicable: {
+            total: not_applicable,
+          },
+          not_reviewed: {
+            total: not_reviewed,
+          },
+          error: {
+            total: error,
+          },
+        }
+      else
+        all_unique_controls.each do |control|
+          next unless control[:results]
 
-      {
+          if control[:results].any? { |r| r[:status] == "failed" }
+            failed += 1
+          elsif control[:results].any? { |r| r[:status] == "skipped" }
+            skipped += 1
+          else
+            passed += 1
+          end
+        end
+        total = failed + passed + skipped
+      end
+      final_summary = {
         total: total,
         passed: {
           total: passed,
@@ -150,6 +201,8 @@ module Inspec::Formatters
           total: failed,
         },
       }
+
+      final_summary.merge!(enhanced_outcomes_summary)
     end
 
     def exception_message(exception)

data/lib/inspec/plugin/v2/loader.rb

@@ -178,7 +178,19 @@ module Inspec::Plugin::V2
       # TODO: enforce first-level version pinning
       plugin_deps = [Gem::Dependency.new(plugin_gem_name.to_s, version_constraint)]
       managed_gem_set = Gem::Resolver::VendorSet.new
-      list_managed_gems.each { |spec| managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir) }
+
+      list_managed_gems.each do |spec|
+        if Gem::Specification.load spec.gem_dir
+          managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+        else
+          # In case of invalid gemspec as mentioned in this PR https://github.com/brianmario/yajl-ruby/pull/223
+          # the add_vendor_gem breaks. So this is patch to fix the loading issue.
+          # Horribly, chdir to gemspec path to honor . in gemspec
+          Dir.chdir(spec.gem_dir) do |dir|
+            managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+          end
+        end
+      end
 
       # TODO: Next two lines merge our managed gems with the other gems available
       # in our "local universe" - which may be the system, or it could be in a Bundler microcosm,
@@ -278,7 +290,12 @@ module Inspec::Plugin::V2
         when :user_gem
           status.entry_point = status.name.to_s
           status.version = plugin_entry[:version]
-          status.description = fetch_plugin_specs(status.name.to_s)&.summary
+          # Fetch the summary of the gem from local gemspec file instead of remote call using Gem::SpecFetcher.fetcher.
+          unless plugin_entry[:version].nil? # safe check very rare case.
+            version_string = plugin_entry[:version].gsub(/[=,~,>,<]/, "").strip
+            plugin_name_with_version = "#{status.name}-#{version_string}"
+            status.description = fetch_gemspec(File.join(plugin_gem_path, "gems", plugin_name_with_version, "/", status.name.to_s + ".gemspec"))&.summary
+          end
         when :path
           status.entry_point = plugin_entry[:installation_path]
         end
@@ -287,12 +304,6 @@ module Inspec::Plugin::V2
       end
     end
 
-    def fetch_plugin_specs(plugin_name)
-      fetcher = Gem::SpecFetcher.fetcher
-      plugin_dependency = Gem::Dependency.new(plugin_name)
-      fetcher.spec_for_dependency(plugin_dependency).flatten.first
-    end
-
     def fixup_train_plugin_status(status)
       status.api_generation = :'train-1'
       if status.installation_type == :user_gem

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -7,6 +7,7 @@ module Inspec::Plugin::V2::PluginType
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -11,6 +11,7 @@ module Inspec::Plugin::V2::PluginType
       @running_controls_list = []
       @control_checks_count_map = {}
       @controls_count = nil
+      @notifications = {}
     end
 
     private
@@ -49,5 +50,58 @@ module Inspec::Plugin::V2::PluginType
         @control_checks_count_map = RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_control_checks_count_map
       end
     end
+
+    def enhanced_outcomes
+      @enhanced_outcomes ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.enhanced_outcomes
+    end
+
+    def add_enhanced_outcomes(control_id)
+      if control_has_error(@notifications[control_id])
+        "error"
+      elsif control_has_impact_zero(@notifications[control_id])
+        "not_applicable"
+      elsif control_has_all_tests_skipped(@notifications[control_id])
+        "not_reviewed"
+      elsif control_has_any_tests_failed(@notifications[control_id])
+        "failed"
+      else
+        "passed"
+      end
+    end
+
+    def control_has_error(notifications)
+      notifications.any? do |notification_data|
+        notification, _status = notification_data
+        !notification.example.exception.nil? && !(notification.example.exception.is_a? RSpec::Expectations::ExpectationNotMetError) && !notification.example.exception.backtrace.nil? && (!notification.description.include? "No-op") # No-op exception occurs in case of not_applicable_if
+      end
+    end
+
+    def control_has_all_tests_skipped(notifications)
+      notifications.all? do |notification_data|
+        _notification, status = notification_data
+        status == "skipped"
+      end
+    end
+
+    def control_has_any_tests_failed(notifications)
+      notifications.any? do |notification_data|
+        _notification, status = notification_data
+        status == "failed"
+      end
+    end
+
+    def control_has_impact_zero(notifications)
+      notification_data = notifications.first
+      notification_impact = notification_data.first.example.metadata[:impact]
+      notification_data && !notification_impact.nil? && notification_impact.to_f == 0.0
+    end
+
+    def collect_notifications(notification, control_id, status)
+      if @notifications[control_id].nil?
+        @notifications[control_id] = [[notification, status]]
+      else
+        @notifications[control_id].push([notification, status])
+      end
+    end
   end
 end

data/lib/inspec/reporters/base.rb

@@ -5,6 +5,7 @@ module Inspec::Reporters
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config