inspec-core 5.18.14 → 5.21.29

data/lib/inspec/schema.rb

@@ -111,6 +111,43 @@ module Inspec
       },
     }.freeze
 
+    CONTROL_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "id" => { "type" => "string" },
+        "title" => { "type" => %w{string null} },
+        "desc" => { "type" => %w{string null} },
+        "descriptions" => { "type" => %w{array} },
+        "impact" => { "type" => "number" },
+        "status" => {
+          "enum" => %w{passed failed not_applicable not_reviewed error},
+          "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+        },
+        "refs" => REFS,
+        "tags" => TAGS,
+        "code" => { "type" => "string" },
+        "source_location" => {
+          "type" => "object",
+          "properties" => {
+            "ref" => { "type" => "string" },
+            "line" => { "type" => "number" },
+          },
+        },
+        "results" => { "type" => "array", "items" => RESULT },
+        "waiver_data" => {
+          "type" => "object",
+          "properties" => {
+            "skipped_due_to_waiver" => { "type" => "string" },
+            "run" => { "type" => "boolean" },
+            "message" => { "type" => "string" },
+            "expiration_date" => { "type" => "string" },
+            "justification" => { "type" => "string" },
+          },
+        },
+      },
+    }.freeze
+
     SUPPORTS = {
       "type" => "object",
       "additionalProperties" => false,
@@ -173,6 +210,45 @@ module Inspec
       },
     }.freeze
 
+    PROFILE_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "name" => { "type" => "string" },
+        "version" => { "type" => "string", "optional" => true },
+        "sha256" => { "type" => "string", "optional" => false },
+
+        "title" => { "type" => "string", "optional" => true },
+        "maintainer" => { "type" => "string", "optional" => true },
+        "copyright" => { "type" => "string", "optional" => true },
+        "copyright_email" => { "type" => "string", "optional" => true },
+        "license" => { "type" => "string", "optional" => true },
+        "summary" => { "type" => "string", "optional" => true },
+        "status" => { "type" => "string", "optional" => false },
+        "status_message" => { "type" => "string", "optional" => true },
+        # skip_message is deprecated, status_message should be used to store the reason for skipping
+        "skip_message" => { "type" => "string", "optional" => true },
+
+        "supports" => {
+          "type" => "array",
+          "items" => SUPPORTS,
+          "optional" => true,
+        },
+        "controls" => {
+          "type" => "array",
+          "items" => CONTROL_ENHANCED_OUTCOME,
+        },
+        "groups" => {
+          "type" => "array",
+          "items" => CONTROL_GROUP,
+        },
+        "attributes" => { # TODO: rename to inputs, refs #3802
+          "type" => "array",
+          # TODO: more detailed specification needed
+        },
+      },
+    }.freeze
+
     EXEC_JSON = {
       "type" => "object",
       "additionalProperties" => false,
@@ -187,6 +263,20 @@ module Inspec
       },
     }.freeze
 
+    EXEC_JSON_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "platform" => PLATFORM,
+        "profiles" => {
+          "type" => "array",
+          "items" => PROFILE_ENHANCED_OUTCOME,
+        },
+        "statistics" => STATISTICS,
+        "version" => { "type" => "string" },
+      },
+    }.freeze
+
     MIN_CONTROL = {
       "type" => "object",
       "additionalProperties" => false,
@@ -228,6 +318,7 @@ module Inspec
     LIST = {
       "exec-json" => EXEC_JSON,
       "exec-jsonmin" => EXEC_JSONMIN,
+      "exec-json-enhanced-outcome" => EXEC_JSON_ENHANCED_OUTCOME,
       "platforms" => PLATFORMS,
     }.freeze
 

data/lib/inspec/utils/convert.rb

@@ -5,4 +5,12 @@ module Converter
     val = val.to_i if val =~ /^\d+$/
     val
   end
+
+  def self.to_boolean(value)
+    if ["true", "True", "TRUE", true, "yes", "y", "YES", "Y"].include? value
+      true
+    elsif ["false", "False", "FALSE", false, "no", "n", "NO", "N"].include? value
+      false
+    end
+  end
 end

data/lib/inspec/utils/podman.rb

@@ -0,0 +1,24 @@
+require "inspec/resources/command"
+
+module Inspec
+  module Utils
+    module Podman
+      def podman_running?
+        inspec.command("podman version").exit_status == 0
+      end
+
+      # Generates the template in this format using labels hash: "\"id\": {{json .ID}}, \"name\": {{json .Name}}",
+      def generate_go_template(labels)
+        (labels.map { |k, v| "\"#{k}\": {{json .#{v}}}" }).join(", ")
+      end
+
+      def parse_command_output(output)
+        require "json" unless defined?(JSON)
+        JSON.parse(output)
+      rescue JSON::ParserError => _e
+        warn "Could not parse the command output"
+        {}
+      end
+    end
+  end
+end

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -0,0 +1,34 @@
+require "csv" unless defined?(CSV)
+
+module Waivers
+  class CSVFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      CSV.foreach(path, headers: true) do |row|
+        row_hash = row.to_hash
+        @headers = row_hash.keys if @headers.empty?
+        control_id = row_hash["control_id"]
+        # delete keys and values not required in final hash
+        row_hash.delete("control_id")
+        row_hash.delete_if { |k, v| k.nil? || v.nil? }
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+
+      waiver_data_hash
+    rescue CSV::MalformedCSVError => e
+      raise "Error reading InSpec waivers in CSV: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -0,0 +1,39 @@
+require "roo"
+require "roo-xls"
+
+module Waivers
+  class ExcelFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      file_extension = File.extname(path) == ".xlsx" ? :xlsx : :xls
+      excel_file = Roo::Spreadsheet.open(path, extension: file_extension)
+      excel_file.sheet(0).parse(headers: true).each_with_index do |row, index|
+        if index == 0
+          @headers = row.keys
+        else
+          row_hash = row
+          control_id = row_hash["control_id"]
+          # delete keys and values not required in final hash
+          row_hash.delete("control_id")
+          row_hash.delete_if { |k, v| k.nil? || v.nil? }
+        end
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+      waiver_data_hash
+    rescue Exception => e
+      raise "Error reading InSpec waivers in Excel: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/json_file_reader.rb

@@ -0,0 +1,15 @@
+module Waivers
+  class JSONFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      JSON.parse(File.read(path))
+    rescue JSON::ParserError => e
+      raise "Error reading InSpec waivers in JSON: #{e}"
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.18.14".freeze
+  VERSION = "5.21.29".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -0,0 +1,61 @@
+require "inspec/secrets/yaml"
+require "inspec/utils/waivers/csv_file_reader"
+require "inspec/utils/waivers/json_file_reader"
+
+module Inspec
+  class WaiverFileReader
+
+    def self.fetch_waivers_by_profile(profile_id, files)
+      read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
+      @waivers_data[profile_id]
+    end
+
+    def self.read_waivers_from_file(profile_id, files)
+      @waivers_data ||= {}
+      output = {}
+
+      files.each do |file_path|
+        file_extension = File.extname(file_path)
+        data = nil
+        if [".yaml", ".yml"].include? file_extension
+          data = Secrets::YAML.resolve(file_path)
+          data = data.inputs unless data.nil?
+          validate_json_yaml(data)
+        elsif file_extension == ".csv"
+          data = Waivers::CSVFileReader.resolve(file_path)
+          headers = Waivers::CSVFileReader.headers
+          validate_headers(headers)
+        elsif file_extension == ".json"
+          data = Waivers::JSONFileReader.resolve(file_path)
+          validate_json_yaml(data)
+        end
+        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+
+        if data.nil?
+          raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Cannot find parser for waivers file '#{file_path}'. " \
+              "Check to make sure file has the appropriate extension."
+        end
+      end
+
+      @waivers_data[profile_id] = output
+    end
+
+    def self.validate_headers(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      all_fields = %w{control_id justification expiration_date run}
+
+      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
+      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
+      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+    end
+
+    def self.validate_json_yaml(data)
+      headers = []
+      data.each_value do |value|
+        headers.push value.keys
+      end
+      validate_headers(headers.flatten.uniq, true)
+    end
+  end
+end

data/lib/matchers/matchers.rb

@@ -225,7 +225,11 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def boolean?(value)
-    %w{true false}.include?(value.downcase)
+    if value.respond_to?("downcase")
+      %w{true false}.include?(value.downcase)
+    else
+      value.is_a?(TrueClass) || value.is_a?(FalseClass)
+    end
   end
 
   def version?(value)
@@ -252,6 +256,8 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
       return actual.send(op, expected.to_i)
     elsif expected.is_a?(String) && boolean?(expected) && [true, false].include?(actual)
       return actual.send(op, to_boolean(expected))
+    elsif boolean?(expected) && %w{true false}.include?(actual)
+      return actual.send(op, expected.to_s)
     elsif expected.is_a?(Integer) && actual.is_a?(String) && integer?(actual)
       return actual.to_i.send(op, expected)
     elsif expected.is_a?(Float) && float?(actual)

data/lib/plugins/inspec-init/templates/profiles/alicloud/README.md

@@ -0,0 +1,27 @@
+# Example InSpec Profile For AliCloud
+
+This example shows the implementation of an InSpec profile for AliCloud.
+
+The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://docs.chef.io/inspec/dsl_inspec/) for more details on conditional execution using `only_if`.
+
+## Run the test
+
+```bash
+$ cd my-alicloud-sample-profile/
+$ inspec exec . -t alicloud://
+```
+
+```
+Profile:   Ali Cloud InSpec Profile (my-alicloud-profile)
+Version:   0.1.0
+Target:    alicloud://ap-south-1
+    ✔  ali-cloud-instances-1.0: Ensure AliCloud ECS Instances has correct attributes.
+         ✔  AliCloud ECS Instances (All) is expected to exist
+         ✔  AliCloud ECS Instances (All) entries.count is expected to be >= 1
+Profile:   AliCloud Resource Pack (inspec-alicloud)
+Version:   0.10.8
+Target:    alicloud://ap-south-1
+     No tests executed.
+Profile Summary: 1 successful controls, 0 control failures, 0 controls skipped
+Test Summary: 1 successful, 0 failures, 0 skipped
+```

data/lib/plugins/inspec-init/templates/profiles/alicloud/controls/example.rb

@@ -0,0 +1,10 @@
+title "Test AliCloud Instances count"
+
+control "ali-cloud-instances-1.0" do
+  impact 1.0
+  title "Ensure AliCloud ECS Instances Class has correct attributes."
+  describe alicloud_ecs_instances do
+    it { should exist }
+    its("entries.count") { should be >= 1 }
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/alicloud/inputs.yml

@@ -0,0 +1 @@
+

data/lib/plugins/inspec-init/templates/profiles/alicloud/inspec.yml

@@ -0,0 +1,14 @@
+name: my-alicloud-sample-profile
+title: Ali Cloud InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For Ali CLoud
+version: 0.1.0
+inspec_version: '~> 5'
+depends:
+  - name: inspec-alicloud
+    url: https://github.com/inspec/inspec-alicloud/archive/main.tar.gz
+supports:
+  - platform: alicloud

data/lib/plugins/inspec-reporter-html2/README.md

@@ -50,4 +50,4 @@ Specifies the full path to the location of a JavaScript file that will be read a
 
 ## Developing This Plugin
 
-This plugin is part of the Chef InSpec source code. While it has its own tests, the general contribution policy is dictated by the Chef InSpec project at https://github.com/inspec/inspec/blob/master/CONTRIBUTING.md
+This plugin is part of the Chef InSpec source code. While it has its own tests, the general contribution policy is dictated by the Chef InSpec project at https://github.com/inspec/inspec/blob/main/CONTRIBUTING.md

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -36,8 +36,14 @@
       <caption>Control Statistics</caption>
         <tr><th colspan="2"><h4 id="statistics-label">Control Statistics</h4></th></tr>
         <tr class= "passed"><th>Passed:</th><td><%= run_data.statistics.controls.passed.total %></td></tr>
-        <tr class= "skipped"><th>Skipped:</th><td><%= run_data.statistics.controls.skipped.total %></td></tr>
         <tr class= "failed"><th>Failed:</th><td><%= run_data.statistics.controls.failed.total %></td></tr>
+        <% if enhanced_outcomes %>
+          <tr class= "not_reviewed"><th>Not Reviewed:</th><td><%= run_data.statistics.controls.not_reviewed.total %></td></tr>
+          <tr class= "not_applicable"><th>Not Applicable:</th><td><%= run_data.statistics.controls.not_applicable.total %></td></tr>
+          <tr class= "error"><th>Error:</th><td><%= run_data.statistics.controls.error.total %></td></tr>
+        <% else %>
+          <tr class= "skipped"><th>Skipped:</th><td><%= run_data.statistics.controls.skipped.total %></td></tr>
+        <% end %>
         <tr class= "duration"><th>Duration:</th><td><%= run_data.statistics.duration %> seconds</td></tr>
         <tr class= "date"><th>Time Finished:</th><td><%= Time.now %></td></tr>
       </table>

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -1,11 +1,15 @@
 <% slugged_id = control.id.tr(" ", "_") %>
 <%
-    # Determine status of control
-    status = "passed"
-    if control.results.any? { |r| r.status == "failed" }
-      status = "failed"
-    elsif control.results.any? { |r| r.status == "skipped" }
-      status = "skipped"
+    if enhanced_outcomes
+      status = control.status
+    else
+      # Determine status of control
+      status = "passed"
+      if control.results.any? { |r| r.status == "failed" }
+        status = "failed"
+      elsif control.results.any? { |r| r.status == "skipped" }
+        status = "skipped"
+      end
     end
 %>
 

data/lib/plugins/inspec-reporter-html2/templates/default.css

@@ -60,6 +60,18 @@ pre code {
 .result-metadata .status-skipped div  {
   background-color: grey;
 }
+.control-metadata .status-error div,
+.result-metadata .status-error div  {
+  background-color: rgb(63, 15, 183);
+}
+.control-metadata .status-not_applicable div,
+.result-metadata .status-not_applicable div  {
+  background-color: rgb(135, 206, 250);
+}
+.control-metadata .status-not_reviewed div,
+.result-metadata .status-not_reviewed div  {
+  background-color: rgb(255, 194, 0);
+}
 .result-metadata,
 .control-metadata {
   margin: 0 0 0 5%;

data/lib/plugins/inspec-reporter-html2/templates/selector.html.erb

@@ -1,8 +1,14 @@
 <div class="selector-panel">
   <p id="selector-instructions">Display controls that are:</p>
   <input class="selector-checkbox" id="passed-checkbox" type="checkbox" checked="checked"/><label for="passed-checkbox">Passed</label>
-  <input class="selector-checkbox" id="skipped-checkbox" type="checkbox" checked="checked"/><label for="skipped-checkbox">Skipped</label>
   <input class="selector-checkbox" id="failed-checkbox" type="checkbox" checked="checked"/><label for="failed-checkbox">Failed</label>
+  <% if enhanced_outcomes %>
+    <input class="selector-checkbox" id="not_reviewed-checkbox" type="checkbox" checked="checked"/><label for="not_reviewed-checkbox">Not Reviewed</label>
+    <input class="selector-checkbox" id="not_applicable-checkbox" type="checkbox" checked="checked"/><label for="not_applicable-checkbox">Not Applicable</label>
+    <input class="selector-checkbox" id="error-checkbox" type="checkbox" checked="checked"/><label for="error-checkbox">Error</label>
+  <% else %>
+    <input class="selector-checkbox" id="skipped-checkbox" type="checkbox" checked="checked"/><label for="skipped-checkbox">Skipped</label>
+  <% end %>
   <p id="selector-instructions">Display profiles that are:</p>
   <input class="profile-selector-checkbox" id="child-profile-checkbox" type="checkbox" /><label for="child-profile-checkbox">Dependent Profiles</label>
 </div>

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -59,11 +59,14 @@ module InspecPlugins
         # Read name and version from metadata and use them to form the filename
         profile_md = artifact.read_profile_metadata(profile_path)
 
-        artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
+        # Behave same as archive filename for iaf filename
+        slug = profile_md["name"].downcase.strip.tr(" ", "-").gsub(/[^\w-]/, "_")
+        filename = "#{slug}-#{profile_md["version"]}"
+        artifact_filename = "#{filename}.#{SIGNED_PROFILE_SUFFIX}"
 
         # Generating tar.gz file using archive method of Inspec Cli
         Inspec::InspecCLI.new.archive(profile_path, "error")
-        tarfile = "#{profile_md["name"]}-#{profile_md["version"]}.tar.gz"
+        tarfile = "#{filename}.tar.gz"
         tar_content = IO.binread(tarfile)
         FileUtils.rm(tarfile)
 

data/lib/plugins/inspec-streaming-reporter-progress-bar/lib/inspec-streaming-reporter-progress-bar/streaming_reporter.rb

@@ -20,6 +20,9 @@ module InspecPlugins::StreamingReporterProgressBar
         "passed" => "\033[0;1;32m",
         "skipped" => "\033[0;37m",
         "reset" => "\033[0m",
+        "error" => "\033[34m",
+        "not_applicable" => "\033[36m",
+        "not_reviewed" => "\033[33m",
       }.freeze
 
       # Most currently available Windows terminals have poor support
@@ -28,6 +31,9 @@ module InspecPlugins::StreamingReporterProgressBar
         "failed" => "[FAIL]",
         "skipped" => "[SKIP]",
         "passed" => "[PASS]",
+        "error" => "  [ERROR]  ",
+        "not_applicable" => "  [N/A]    ",
+        "not_reviewed" => "  [N/R]    ",
       }.freeze
     else
       # Extended colors for everyone else
@@ -36,6 +42,9 @@ module InspecPlugins::StreamingReporterProgressBar
         "passed" => "\033[38;5;41m",
         "skipped" => "\033[38;5;247m",
         "reset" => "\033[0m",
+        "error" => "\033[0;38;5;21m",
+        "not_applicable" => "\033[0;38;5;117m",
+        "not_reviewed" => "\033[0;38;5;214m",
       }.freeze
 
       # Groovy UTF-8 characters for everyone else...
@@ -44,6 +53,9 @@ module InspecPlugins::StreamingReporterProgressBar
         "failed" => "× [FAILED] ",
         "skipped" => "↺ [SKIPPED]",
         "passed" => "✔ [PASSED] ",
+        "error" => "× [ERROR]  ",
+        "not_applicable" => "  [N/A]    ",
+        "not_reviewed" => "  [N/R]    ",
       }.freeze
     end
 
@@ -71,29 +83,43 @@ module InspecPlugins::StreamingReporterProgressBar
       control_id = notification.example.metadata[:id]
       title = notification.example.metadata[:title]
       full_description = notification.example.metadata[:full_description]
-      control_impact = notification.example.metadata[:impact]
+
+      # No-op exception occurs in case of not_applicable_if
+      if (full_description.include? "No-op") && notification.example.exception
+        full_description += notification.example.exception.message
+      end
+
       set_status_mapping(control_id, status)
-      show_progress(control_id, title, full_description, control_impact) if control_ended?(control_id)
+      collect_notifications(notification, control_id, status)
+      control_ended = control_ended?(control_id)
+      if control_ended
+        control_outcome = add_enhanced_outcomes(control_id) if enhanced_outcomes
+        show_progress(control_id, title, full_description, control_outcome)
+      end
     end
 
-    def show_progress(control_id, title, full_description, control_impact)
+    def show_progress(control_id, title, full_description, control_outcome)
       @bar ||= ProgressBar.new(controls_count, :bar, :counter, :percentage)
       sleep 0.1
       @bar.increment!
-      @bar.puts format_it(control_id, title, full_description, control_impact)
+      @bar.puts format_it(control_id, title, full_description, control_outcome)
     rescue StandardError => e
       raise "Exception in Progress Bar streaming reporter: #{e}"
     end
 
-    def format_it(control_id, title, full_description, control_impact)
-      control_status = if @status_mapping[control_id].include? "failed"
-                         "failed"
-                       elsif @status_mapping[control_id].include? "passed"
-                         "passed"
-                       else
-                         @status_mapping[control_id].include? "skipped"
-                         "skipped"
-                       end
+    def format_it(control_id, title, full_description, control_outcome)
+      if control_outcome
+        control_status = control_outcome
+      else
+        control_status = if @status_mapping[control_id].include? "failed"
+                           "failed"
+                         elsif @status_mapping[control_id].include? "passed"
+                           "passed"
+                         else
+                           @status_mapping[control_id].include? "skipped"
+                           "skipped"
+                         end
+      end
       indicator = INDICATORS[control_status]
       message_to_format = ""
       message_to_format += "#{indicator}  "