inspec-core 5.18.14 → 5.21.29

data/lib/inspec/resources/podman_pod.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanPod < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_pod"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman pod"
+
+    example <<~EXAMPLE
+      describe podman_pod("nginx-frontend") do
+        it { should exist }
+        its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" }
+        its("name") { should eq "nginx-frontend" }
+        its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" }
+        its("create_command") { should include "new:nginx-frontend" }
+        its("state") { should eq "Running" }
+        its("hostname") { should eq "" }
+        its("create_cgroup") { should eq true }
+        its("cgroup_parent") { should eq "user.slice" }
+        its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" }
+        its("create_infra") { should eq true }
+        its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" }
+        its("infra_config") { should include "DNSOption" }
+        its("shared_namespaces") { should include "ipc" }
+        its("num_containers") { should eq 2 }
+        its("containers") { should_not be nil }
+      end
+
+      describe podman_pod("non-existing-pod") do
+        it { should_not exist }
+      end
+    EXAMPLE
+
+    attr_reader :pod_info, :pod_id
+
+    def initialize(pod_id)
+      skip_resource "The `podman_pod` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @pod_id = pod_id
+      @pod_info = get_pod_info
+    end
+
+    LABELS = {
+      "id" => "ID",
+      "name" => "Name",
+      "created_at" => "Created",
+      "create_command" => "CreateCommand",
+      "state" => "State",
+      "hostname" => "Hostname",
+      "create_cgroup" => "CreateCgroup",
+      "cgroup_parent" => "CgroupParent",
+      "cgroup_path" => "CgroupPath",
+      "create_infra" => "CreateInfra",
+      "infra_container_id" => "InfraContainerID",
+      "infra_config" => "InfraConfig",
+      "shared_namespaces" => "SharedNamespaces",
+      "num_containers" => "NumContainers",
+      "containers" => "Containers",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        pod_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !pod_info.empty?
+    end
+
+    def resource_id
+      pod_id
+    end
+
+    def to_s
+      "Podman Pod #{resource_id}"
+    end
+
+    private
+
+    def get_pod_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_pod_cmd = inspec.command("podman pod inspect #{pod_id} --format '{#{json_key_label}}'")
+
+      if inspect_pod_cmd.exit_status == 0
+        parse_command_output(inspect_pod_cmd.stdout)
+      elsif inspect_pod_cmd.stderr =~ /no pod with name or ID/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman pod information for #{pod_id}.\nError message: #{inspect_pod_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_volume.rb

@@ -0,0 +1,87 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanVolume < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_volume"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman volume"
+
+    example <<~EXAMPLE
+      describe podman_volume("my_volume") do
+        it { should exist }
+        its("name") { should eq "my_volume" }
+        its("driver") { should eq "local" }
+        its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+        its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+        its("labels") { should eq({}) }
+        its("scope") { should eq "local" }
+        its("options") { should eq({}) }
+        its("mount_count") { should eq 0 }
+        its("needs_copy_up") { should eq true }
+        its("needs_chown") { should eq true }
+      end
+    EXAMPLE
+
+    attr_reader :volume_info, :volume_name
+
+    def initialize(volume_name)
+      skip_resource "The `podman_volume` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @volume_name = volume_name
+      @volume_info = get_volume_info
+    end
+
+    LABELS = {
+      "name" => "Name",
+      "driver" => "Driver",
+      "mountpoint" => "Mountpoint",
+      "created_at" => "CreatedAt",
+      "labels" => "Labels",
+      "scope" => "Scope",
+      "options" => "Options",
+      "mount_count" => "MountCount",
+      "needs_copy_up" => "NeedsCopyUp",
+      "needs_chown" => "NeedsChown",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        volume_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !volume_info.empty?
+    end
+
+    def resource_id
+      volume_name
+    end
+
+    def to_s
+      "podman_volume #{resource_id}"
+    end
+
+    private
+
+    def get_volume_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_volume_cmd = inspec.command("podman volume inspect #{volume_name} --format '{#{json_key_label}}'")
+
+      if inspect_volume_cmd.exit_status == 0
+        parse_command_output(inspect_volume_cmd.stdout)
+      elsif inspect_volume_cmd.stderr =~ /inspecting object: no such/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman volume information for #{volume_name}.\nError message: #{inspect_volume_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/service.rb

@@ -646,7 +646,7 @@ module Inspec::Resources
       return nil if srv.nil? || srv[0].nil?
 
       # extract values from service
-      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[\-0-9]+)\t(?<name>\S*)$/.match(srv[0])
       enabled = !parsed_srv["name"].nil? # it's in the list
 
       # check if the service is running

data/lib/inspec/rule.rb

@@ -8,13 +8,15 @@ require "inspec/impact"
 require "inspec/resource"
 require "inspec/resources/os"
 require "inspec/input_registry"
+require "inspec/waiver_file_reader"
+require "inspec/utils/convert"
 
 module Inspec
   class Rule
     include ::RSpec::Matchers
 
     attr_reader :__waiver_data
-    attr_accessor :resource_dsl
+    attr_accessor :resource_dsl, :na_impact_freeze
     attr_reader :__profile_id
 
     def initialize(id, profile_id, resource_dsl, opts, &block)
@@ -38,6 +40,7 @@ module Inspec
       @__merge_count = 0
       @__merge_changes = []
       @__skip_only_if_eval = opts[:skip_only_if_eval]
+      @__na_rule = {}
 
       # evaluate the given definition
       return unless block_given?
@@ -73,10 +76,13 @@ module Inspec
     end
 
     def impact(v = nil)
-      if v.is_a?(String)
-        @impact = Inspec::Impact.impact_from_string(v)
-      elsif !v.nil?
-        @impact = v
+      # N/A impact freeze is required when only_applicable_if block has reset impact value to zero"
+      unless na_impact_freeze
+        if v.is_a?(String)
+          @impact = Inspec::Impact.impact_from_string(v)
+        elsif !v.nil?
+          @impact = v
+        end
       end
 
       @impact
@@ -133,15 +139,28 @@ module Inspec
     #
     # @param [Type] &block returns true if tests are added, false otherwise
     # @return [nil]
-    def only_if(message = nil)
+    def only_if(message = nil, impact: nil)
       return unless block_given?
       return if @__skip_only_if_eval == true
 
+      self.impact(impact) if impact && !yield
       @__skip_rule[:result] ||= !yield
       @__skip_rule[:type] = :only_if
       @__skip_rule[:message] = message
     end
 
+    def only_applicable_if(message = nil)
+      return unless block_given?
+      return if yield
+
+      impact(0.0)
+      self.na_impact_freeze = true # this flag prevents impact value to reset to any other value
+
+      @__na_rule[:result] ||= !yield
+      @__na_rule[:type] = :only_applicable_if
+      @__na_rule[:message] = message
+    end
+
     # Describe will add one or more tests to this control. There is 2 ways
     # of calling it:
     #
@@ -252,6 +271,10 @@ module Inspec
       rule.instance_variable_get(:@__skip_rule)
     end
 
+    def self.na_status(rule)
+      rule.instance_variable_get(:@__na_rule)
+    end
+
     def self.set_skip_rule(rule, value, message = nil, type = :only_if)
       rule.instance_variable_set(:@__skip_rule,
                                  {
@@ -273,16 +296,26 @@ module Inspec
     # creates a dummay array of "checks" with a skip outcome
     def self.prepare_checks(rule)
       skip_check = skip_status(rule)
-      return checks(rule) unless skip_check[:result].eql?(true)
+      na_check = na_status(rule)
+      return checks(rule) unless skip_check[:result].eql?(true) || na_check[:result].eql?(true)
 
-      if skip_check[:message]
-        msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+      resource = rule.noop
+      if skip_check[:result].eql?(true)
+        if skip_check[:message]
+          msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+        else
+          msg = "Skipped control due to #{skip_check[:type]} condition."
+        end
+        resource.skip_resource(msg)
       else
-        msg = "Skipped control due to #{skip_check[:type]} condition."
+        if na_check[:message]
+          msg = "N/A control due to #{na_check[:type]} condition: #{na_check[:message]}"
+        else
+          msg = "N/A control due to #{na_check[:type]} condition."
+        end
+        resource.fail_resource(msg)
       end
 
-      resource = rule.noop
-      resource.skip_resource(msg)
       [["describe", [resource], nil]]
     end
 
@@ -337,17 +370,20 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
-      input_name = @__rule_id # TODO: control ID slugging
-      registry = Inspec::InputRegistry.instance
-      input = registry.inputs_by_profile.dig(__profile_id, input_name)
-      return unless input && input.has_value? && input.value.is_a?(Hash)
+      control_id = @__rule_id # TODO: control ID slugging
+      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
+
+      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
+
+      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
       # An InSpec Input is a datastructure that tracks a profile parameter
       # over time. Its value can be set by many sources, and it keeps a
       # log of each "set" event so that when it is collapsed to a value,
       # it can determine the correct (highest priority) value.
       # Store in an instance variable for.. later reading???
-      @__waiver_data = input.value
+      @__waiver_data = waiver_data_by_profile[control_id]
+
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""
 
@@ -376,6 +412,7 @@ module Inspec
       # expiration_date. We only care here if it has a "run" key and it
       # is false-like, since all non-skipped waiver operations are handled
       # during reporting phase.
+      __waiver_data["run"] = Converter.to_boolean(__waiver_data["run"]) if __waiver_data.key?("run")
       return unless __waiver_data.key?("run") && !__waiver_data["run"]
 
       # OK, apply a skip.

data/lib/inspec/run_data/control.rb

@@ -1,3 +1,5 @@
+require "inspec/enhanced_outcomes"
+
 module Inspec
   class RunData
     Control = Struct.new(
@@ -31,6 +33,10 @@ module Inspec
         ].each do |field|
           self[field] = raw_ctl_data[field]
         end
+
+        def status
+          Inspec::EnhancedOutcomes.determine_status(results, impact)
+        end
       end
     end
 

data/lib/inspec/run_data/statistics.rb

@@ -16,14 +16,20 @@ module Inspec
         :total,
         :passed,
         :skipped,
-        :failed
+        :failed,
+        :not_reviewed,
+        :not_applicable,
+        :error
       ) do
         include HashLikeStruct
         def initialize(raw_stat_ctl_data)
           self.total = raw_stat_ctl_data[:total]
           self.passed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:passed][:total])
-          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total])
           self.failed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:failed][:total])
+          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total]) if raw_stat_ctl_data[:skipped]
+          self.not_reviewed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_reviewed][:total]) if raw_stat_ctl_data[:not_reviewed]
+          self.not_applicable = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_applicable][:total]) if raw_stat_ctl_data[:not_applicable]
+          self.error = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:error][:total]) if raw_stat_ctl_data[:error]
         end
       end
       class Controls

data/lib/inspec/runner.rb

@@ -60,9 +60,11 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        waivers = @conf.delete(:waiver_file)
-        @conf[:input_file] ||= []
-        @conf[:input_file].concat waivers
+        @conf[:waiver_file].each do |file|
+          unless File.file?(file)
+            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+          end
+        end
       end
 
       # About reading inputs:
@@ -133,12 +135,20 @@ module Inspec
       all_controls.each do |rule|
         unless rule.nil?
           register_rule(rule)
-          checks = ::Inspec::Rule.prepare_checks(rule)
-          unless checks.empty?
+          total_checks = 0
+          control_describe_checks = ::Inspec::Rule.prepare_checks(rule)
+
+          examples = control_describe_checks.flat_map do |m, a, b|
+            get_check_example(m, a, b)
+          end.compact
+
+          examples.map { |example| total_checks += example.examples.count }
+
+          unless control_describe_checks.empty?
             # controls with empty tests are avoided
             # checks represent tests within control
-            controls_count += 1
-            control_checks_count_map[rule.to_s] = checks.count
+            controls_count += 1 if control_checks_count_map[rule.to_s].nil?
+            control_checks_count_map[rule.to_s] = control_checks_count_map[rule.to_s].to_i + total_checks
           end
         end
       end
@@ -158,7 +168,7 @@ module Inspec
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data)
+        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end

data/lib/inspec/runner_rspec.rb

@@ -107,11 +107,11 @@ module Inspec
       stats = @formatter.results[:statistics][:controls]
       load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
       skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
-      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
+      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures && (stats[:error] && stats[:error][:total] == 0) # placed error count condition because of enhanced outcomes
         0
       elsif load_failures
         @conf["distinct_exit"] ? 102 : 1
-      elsif stats[:failed][:total] > 0
+      elsif stats[:failed][:total] > 0 || (stats[:error] && stats[:error][:total] > 0)
         @conf["distinct_exit"] ? 100 : 1
       elsif stats[:skipped][:total] > 0 || skipped
         @conf["distinct_exit"] ? 101 : 0
@@ -196,6 +196,7 @@ module Inspec
     def configure_output
       RSpec.configuration.output_stream = $stdout
       @formatter = RSpec.configuration.add_formatter(Inspec::Formatters::Base)
+      @formatter.enhanced_outcomes = @conf.final_options["enhanced_outcomes"]
       RSpec.configuration.add_formatter(Inspec::Formatters::ShowProgress, $stderr) if @conf[:show_progress]
       set_optional_formatters
       RSpec.configuration.color = @conf["color"]

data/lib/inspec/schema/exec_json.rb

@@ -19,8 +19,8 @@ module Inspec
       # Lists the potential values for a control result
       CONTROL_RESULT_STATUS = Primitives::SchemaType.new("Control Result Status", {
         "type" => "string",
-        "enum" => %w{passed failed skipped error},
-      }, [], "The status of a control.  Should be one of 'passed', 'failed', 'skipped', or 'error'.")
+        "enum" => %w{passed failed skipped},
+      }, [], "The status of a control.  Should be one of 'passed', 'failed', or 'skipped'.")
 
       # Represents the statistics/result of a control"s execution
       CONTROL_RESULT = Primitives::SchemaType.new("Control Result", {
@@ -75,6 +75,36 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
 
+      # Represents a control produced with enhanced outcomes option
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Exec JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact refs tags code source_location results},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."), # Nullable string
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(Primitives.array(CONTROL_DESCRIPTION.ref), "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+          "results" => Primitives.desc(Primitives.array(CONTROL_RESULT.ref), %q(
+             The set of all tests within the control and their results and findings.  Example:
+             For Chef Inspec, if in the control's code we had the following:
+               describe sshd_config do
+                 its('Port') { should cmp 22 }
+               end
+             The findings from this block would be appended to the results, as well as those of any other blocks within the control.
+          )),
+        },
+      }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
+
       # Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
       # However, concessions were made to the reality of current reporters, specifically
       # with how description is omitted and version/inspec_version aren't as advertised online
@@ -112,6 +142,40 @@ module Inspec
         },
       }, [CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
 
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{name sha256 supports attributes groups controls},
+        # Name is mandatory in inspec.yml.
+        # supports, controls, groups, and attributes are always present, even if empty
+        # sha256, status, status_message
+        "properties" => {
+          # These are provided in inspec.yml
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contact information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."),
+          "parent_profile" => Primitives.desc(Primitives::STRING, "The name of the parent profile if the profile is a dependency of another."),
+          "license" => Primitives.desc(Primitives::STRING, "The copyright license.  Example: the full text or the name, such as 'Apache License, Version 2.0'."),
+          "summary" => Primitives.desc(Primitives::STRING, "The summary.  Example: the Security Technical Implementation Guide (STIG) header."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "description" => Primitives.desc(Primitives::STRING, "The description - should be more detailed than the summary."),
+          "inspec_version" => Primitives.desc(Primitives::STRING, "The version of Inspec."),
+
+          # These are generated at runtime, and all except status_message and skip_message are guaranteed
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: loaded."), # enum? loaded, failed, skipped
+          "status_message" => Primitives.desc(Primitives::STRING, "The reason for the status.  Example: why it was skipped or failed to load."),
+          "skip_message" => Primitives.desc(Primitives::STRING, "The reason for skipping if it was skipped."), # Deprecated field - status_message should be used instead.
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls including any findings."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "attributes" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used in the run."),
+        },
+      }, [ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
+
       # Result of exec json. Top level value
       # TODO: Include the format of top level controls. This was omitted for lack of sufficient examples
       OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
@@ -125,6 +189,18 @@ module Inspec
           "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
         },
       }, [Primitives::PLATFORM, PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
+
+      ENHANCED_OUTCOME_OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{platform profiles statistics version},
+        "properties" => {
+          "platform" => Primitives.desc(Primitives::PLATFORM.ref, "Information on the platform the run from the tool that generated the findings was from.  Example: the name of the operating system."),
+          "profiles" => Primitives.desc(Primitives.array(PROFILE.ref), "Information on the run(s) from the tool that generated the findings.  Example: the findings."),
+          "statistics" => Primitives.desc(Primitives::STATISTICS.ref, "Statistics for the run(s) from the tool that generated the findings.  Example: the runtime duration."),
+          "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
+        },
+      }, [Primitives::PLATFORM, ENHANCED_OUTCOME_PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
     end
   end
 end

data/lib/inspec/schema/output_schema.rb

@@ -30,6 +30,8 @@ module Inspec
         "profile-json" => OutputSchema.finalize(Schema::ProfileJson::PROFILE),
         "exec-json" => OutputSchema.finalize(Schema::ExecJson::OUTPUT),
         "exec-jsonmin" => OutputSchema.finalize(Schema::ExecJsonMin::OUTPUT),
+        "profile-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ProfileJson::ENHANCED_OUTCOME_PROFILE),
+        "exec-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ExecJson::ENHANCED_OUTCOME_OUTPUT),
         "platforms" => PLATFORMS,
       }.freeze
 
@@ -37,7 +39,8 @@ module Inspec
         LIST.keys
       end
 
-      def self.json(name)
+      def self.json(name, opts)
+        name += "-enhanced-outcomes" if opts["enhanced_outcomes"]
         if !LIST.key?(name)
           raise("Cannot find schema #{name.inspect}.")
         elsif LIST[name].is_a?(Proc)

data/lib/inspec/schema/profile_json.rb

@@ -31,6 +31,28 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
 
+      # Represents a control with enhanced outcomes status information
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Profile JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact tags code},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."),
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(CONTROL_DESCRIPTIONS.ref, "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+        },
+      }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
+
       # A profile that has not been run.
       PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
         "type" => "object",
@@ -55,6 +77,30 @@ module Inspec
           "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
         },
       }, [Primitives::SUPPORT, CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
+
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true, # Anything in the yaml will be put in here. LTTODO: Make this stricter!
+        "required" => %w{name supports controls groups sha256},
+        "properties" => {
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls - contains no findings as the assessment has not yet occurred."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "inputs" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used to be in the run."),
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: skipped."),
+          "generator" => Primitives.desc(Primitives::GENERATOR.ref, "The tool that generated this file.  Example: Chef Inspec."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+
+          # Other properties possible in inspec docs, but that aren"t guaranteed
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contract information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
+        },
+      }, [Primitives::SUPPORT, ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
     end
   end
 end