inspec-core 5.18.14 → 5.22.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba97ee3e25e02fba9b85f797fa1a773d2e8fa7628112be422d187c0e46cfce40
-  data.tar.gz: a82f51e5c6ba3e1db8c4580f92a33d91bcc2e0c2a8339850e1f168c1569b8818
+  metadata.gz: 257ccbe0a55a1779ee75f8d6e9e8e0ff612990c123e5cdb10d8cf1e19dbade54
+  data.tar.gz: 820f9a0ec86451f48f65f229befe175cf937648ddb5669df1c8a7c27ebfb234b
 SHA512:
-  metadata.gz: beb78893376f0b92b9cf33741f8fab471f66dd328fa1f28c87b05737da7f73266327eded07ca67f0b91a747625dfcb61011b42c06a25914d01f727b07a962456
-  data.tar.gz: 193aeef4576e2af4466a176b80e107cd45fe0c0c0f6db290d17696cec1eb7dbf6b58b555bf8c0df4b9bb4a9d5aa8d26f542993b5be1d600a296c3ec50e531d09
+  metadata.gz: 8150cdd9aca6ac14ae762dd4b6d09867dab6651f0a0705a28f7256a94683a1fd59b7841bfc69e1a362c253d6c2a847d2e9a03b901dd20118ecc1566b4496a8a9
+  data.tar.gz: a3469cb7fa6786e1d9416e9493fed402ccfb6c8e6ac0a2d40a0029ab63c09b09671cf6729736899ed1a039ca75e36a6a57428deba9a8c5d6dbf0975711a06d13

data/Gemfile

@@ -23,9 +23,8 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 2.0.3"
+  gem "chefstyle", "~> 2.2.2"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
@@ -35,30 +34,33 @@ group :test do
   gem "pry-byebug"
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
-  gem "ruby-progressbar", "~> 1.8"
   gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
+
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    # html-proofer has a dep on io-event, which is ruby-3 only
+    gem "html-proofer", "~> 3.19.4", platforms: :ruby # do not attempt to run proofer on windows. Pinned to 3.19.4 as test is breaking in updated versions.
+  end
 end
 
 group :deploy do
   gem "inquirer"
 end
 
-# Only include Test Kitchen support if we are on Ruby 2.7 or higher
-# as chef-zero support requires Ruby 2.6
-# See https://github.com/inspec/inspec/pull/5341
-if Gem.ruby_version >= Gem::Version.new("2.7.0")
-  group :kitchen do
-    gem "berkshelf"
-    gem "chef", ">= 16.0" # Required to allow net-ssh > 6
-    gem "test-kitchen", ">= 2.8"
-    gem "kitchen-inspec", ">= 2.0"
-    gem "kitchen-dokken", ">= 2.11"
-    gem "git"
+group :kitchen do
+  gem "berkshelf"
+
+  # Chef 18 requires ruby 3
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    gem "chef", ">= 17.0"
+  else
+    # Ruby 2.7 presumably - TODO remove this when 2.7 is sunsetted
+    gem "chef", "~> 16.0"
   end
-end
 
-if Gem.ruby_version < Gem::Version.new("2.7.0")
-  gem "activesupport", "6.1.4.4"
+  gem "test-kitchen", ">= 2.8"
+  gem "kitchen-inspec", ">= 2.0"
+  gem "kitchen-dokken", ">= 2.11"
+  gem "git"
 end

data/inspec-core.gemspec

@@ -18,32 +18,32 @@ Gem::Specification.new do |spec|
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
     Dir.glob("{{lib,etc}/**/*,LICENSE,Gemfile,inspec-core.gemspec}")
-      .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp)})
+      .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp|alicloud)})
       .grep_v(%r{lib/plugins/.*/test/})
       .reject { |f| File.directory?(f) }
 
   # Implementation dependencies
-  spec.add_dependency "chef-telemetry",     "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
-  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
-  spec.add_dependency "thor",               ">= 0.20", "< 2.0"
-  spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
-  spec.add_dependency "rspec-its",          "~> 1.2"
-  spec.add_dependency "pry",                "~> 0.13"
-  spec.add_dependency "hashie",             ">= 3.4", "< 5.0"
-  spec.add_dependency "mixlib-log",         "~> 3.0"
-  spec.add_dependency "sslshake",           "~> 1.2"
-  spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.5"
-  spec.add_dependency "faraday_middleware", "~> 1.0"
-  spec.add_dependency "tty-table",          "~> 0.10"
-  spec.add_dependency "tty-prompt",         "~> 0.17"
-  spec.add_dependency "tomlrb",             ">= 1.2", "< 2.1"
-  spec.add_dependency "addressable",        "~> 2.4"
-  spec.add_dependency "parslet",            ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
-  spec.add_dependency "semverse",           "~> 3.0"
-  spec.add_dependency "multipart-post",     "~> 2.0"
+  spec.add_dependency "chef-telemetry",           "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
+  spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 2.0"
+  spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.11"
+  spec.add_dependency "rspec-its",                "~> 1.2"
+  spec.add_dependency "pry",                      "~> 0.13"
+  spec.add_dependency "hashie",                   ">= 3.4", "< 5.0"
+  spec.add_dependency "mixlib-log",               "~> 3.0"
+  spec.add_dependency "sslshake",                 "~> 1.2"
+  spec.add_dependency "parallel",                 "~> 1.9"
+  spec.add_dependency "faraday",                  ">= 1", "< 3"
+  spec.add_dependency "faraday-follow_redirects", "~> 0.3"
+  spec.add_dependency "tty-table",                "~> 0.10"
+  spec.add_dependency "tty-prompt",               "~> 0.17"
+  spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
+  spec.add_dependency "addressable",              "~> 2.4"
+  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "semverse",                 "~> 3.0"
+  spec.add_dependency "multipart-post",           "~> 2.0"
 
   spec.add_dependency "train-core", "~> 3.10"
 end

data/lib/inspec/base_cli.rb

@@ -100,11 +100,11 @@ module Inspec
       option :ssl, type: :boolean,
         desc: "Use SSL for transport layer encryption (WinRM)."
       option :ssl_peer_fingerprint, type: :string,
-        desc: "Specify peer fingerprint for SSL authentication, used in lieu of certificates"
+        desc: "Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM)."
       option :self_signed, type: :boolean,
         desc: "Allow remote scans with self-signed certificates (WinRM)."
       option :ca_trust_file, type: :string,
-        desc: "Specify CA trust file for SSL authentication"
+        desc: "Specify CA certificate required for SSL authentication (WinRM)."
       option :client_cert, type: :string,
         desc: "Specify client certificate for SSL authentication"
       option :client_key, type: :string,
@@ -121,32 +121,32 @@ module Inspec
         desc: "Read configuration from JSON file (`-` reads from stdin)."
       option :json_config, type: :string, hide: true
       option :proxy_command, type: :string,
-        desc: "Specifies the command to use to connect to the server"
+        desc: "Specifies the command to use to connect to the server."
       option :bastion_host, type: :string,
-        desc: "Specifies the bastion host if applicable"
+        desc: "Specifies the bastion host if applicable."
       option :bastion_user, type: :string,
-        desc: "Specifies the bastion user if applicable"
+        desc: "Specifies the bastion user if applicable."
       option :bastion_port, type: :string,
-        desc: "Specifies the bastion port if applicable"
+        desc: "Specifies the bastion port if applicable."
       option :insecure, type: :boolean, default: false,
-        desc: "Disable SSL verification on select targets"
+        desc: "Disable SSL verification on select targets."
       option :target_id, type: :string,
-        desc: "Provide a ID which will be included on reports - deprecated"
+        desc: "Provide an ID which will be included on reports - deprecated"
       option :winrm_shell_type, type: :string, default: "powershell",
-        desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
+        desc: "Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM)."
       option :docker_url, type: :string,
-        desc: "Provides path to Docker API endpoint (Docker)"
+        desc: "Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows."
       option :ssh_config_file, type: :array,
-        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
-        desc: "Provides path to Podman API endpoint"
+        desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
     end
 
     def self.profile_options
       option :profiles_path, type: :string,
         desc: "Folder which contains referenced profiles."
       option :vendor_cache, type: :string,
-        desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+        desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
       option :auto_install_gems, type: :boolean, default: false,
         desc: "Auto installs gem dependencies of the profile or resource pack."
     end
@@ -174,7 +174,7 @@ module Inspec
       option :input, type: :array, banner: "name1=value1 name2=value2",
         desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
       option :input_file, type: :array,
-        desc: "Load one or more input files, a YAML file with values for the profile to use"
+        desc: "Load one or more input files, a YAML file with values for the profile to use."
       option :waiver_file, type: :array,
         desc: "Load one or more waiver files."
       option :attrs, type: :array,
@@ -182,14 +182,14 @@ module Inspec
       option :create_lockfile, type: :boolean,
         desc: "Write out a lockfile based on this execution (unless one already exists)"
       option :backend_cache, type: :boolean,
-        desc: "Allow caching for backend command output. (default: true)"
+        desc: "Allow caching for backend command output. (default: true)."
       option :show_progress, type: :boolean,
         desc: "Show progress while executing tests."
       option :distinct_exit, type: :boolean, default: true,
         desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
-        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'."
       option :diff, type: :boolean, default: true,
         desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
       option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
@@ -197,7 +197,7 @@ module Inspec
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
       option :filter_waived_controls, type: :boolean,
-        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file."
       option :retain_waiver_data, type: :boolean,
         desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,
@@ -205,6 +205,8 @@ module Inspec
         long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
       option :reporter_include_source, type: :boolean, default: false,
         desc: "Include full source code of controls in the CLI report"
+      option :enhanced_outcomes, type: :boolean,
+        desc: "Show enhanced outcomes in output"
     end
 
     def self.help(*args)

data/lib/inspec/cli.rb

@@ -61,9 +61,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   require "license_acceptance/cli_flags/thor"
   include LicenseAcceptance::CLIFlags::Thor
 
-  desc "json PATH", "read all tests in PATH and generate a JSON summary"
+  desc "json PATH", "read all tests in the PATH and generate a JSON summary."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created profile to a path"
+    desc: "Save the created profile to a path."
   option :controls, type: :array,
     desc: "A list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -81,7 +81,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :format, type: :string,
     desc: "The output format to use: json, raw, yaml. If valid format is not provided then it will use the default for the given 'what'."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created output to a path"
+    desc: "Save the created output to a path."
   option :controls, type: :array,
     desc: "For --what=profile, a list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -145,9 +145,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "check PATH", "verify all tests at the specified PATH"
+  desc "check PATH", "Verify the metadata in the `inspec.yml` file,\
+  verify that control blocks have the correct fields (title, description, impact),\
+  and define that all controls have visible tests and the controls are not using deprecated InSpec DSL code"
   option :format, type: :string,
-    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+    desc: "The output format to use. Valid values: `json` and `doc`. Default value: `doc`."
   option :with_cookstyle, type: :boolean,
     desc: "Enable or disable cookstyle checks.", default: false
   profile_options
@@ -228,10 +230,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     vendor_deps(path, o)
   end
 
-  desc "archive PATH", "archive a profile to tar.gz (default) or zip"
+  desc "archive PATH", "Archive a profile to a tar file (default) or zip file."
   profile_options
   option :output, aliases: :o, type: :string,
-    desc: "Save the archive to a path"
+    desc: "Save the archive to a path."
   option :zip, type: :boolean, default: false,
     desc: "Generates a zip archive."
   option :tar, type: :boolean, default: false,
@@ -275,14 +277,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", "Run all tests at LOCATIONS."
+  desc "exec LOCATIONS", "Run all test files at the specified locations."
   long_desc <<~EOT
-    Run all test files at the specified LOCATIONS.
-
-    Loads the given profile(s) and fetches their dependencies if needed. Then
-    connects to the target and executes any controls contained in the profiles.
-    One or more reporters are used to generate output.
-
+    The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles.
+    One or more reporters are used to generate the output.
     ```
     Exit codes:
         0  Normal exit, all tests passed
@@ -296,7 +294,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     Below are some examples of using `exec` with different test LOCATIONS:
 
-    Automate:
+    Chef Automate:
       ```
       #{Inspec::Dist::EXEC_NAME} automate login
       #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
@@ -306,7 +304,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} compliance login
       ```
 
-    Supermarket:
+    Chef Supermarket:
       ```
       #{Inspec::Dist::EXEC_NAME} exec supermarket://username/linux-baseline
       ```
@@ -343,12 +341,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} exec https://github.com/dev-sec/linux-baseline.git
       ```
 
-    Web hosted fileshare (also supports .zip):
+    Web hosted file (also supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://webserver/linux-baseline.tar.gz
       ```
 
-    Web hosted fileshare with basic authentication (supports .zip):
+    Web hosted file with basic authentication (supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://username:password@webserver/linux-baseline.tar.gz
       ```
@@ -371,7 +369,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "detect", "detect the target OS"
+  desc "detect", "detects the target OS."
   target_options
   option :format, type: :string
   def detect
@@ -396,7 +394,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "shell", "open an interactive debugging shell"
+  desc "shell", "open an interactive debugging shell."
   target_options
   option :command, aliases: :c,
     desc: "A single command string to run instead of launching the shell"
@@ -415,6 +413,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Load one or more input files, a YAML file with values for the shell to use"
   option :input, type: :array, banner: "name1=value1 name2=value2",
     desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
+  option :enhanced_outcomes, type: :boolean,
+    desc: "Show enhanced outcomes in output"
   def shell_func
     o = config
     deprecate_target_id(config)
@@ -453,7 +453,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "env", "Output shell-appropriate completion configuration"
+  desc "env", "Outputs shell-appropriate completion configuration."
   def env(shell = nil)
     p = Inspec::EnvPrinter.new(self.class, shell)
     p.print_and_exit!
@@ -461,11 +461,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
+  option :enhanced_outcomes, type: :boolean,
+    desc: "Show enhanced outcomes output"
   desc "schema NAME", "print the JSON schema", hide: true
   def schema(name)
     require "inspec/schema/output_schema"
-
-    puts Inspec::Schema::OutputSchema.json(name)
+    o = config
+    puts Inspec::Schema::OutputSchema.json(name, o)
   rescue StandardError => e
     puts e
     puts "Valid schemas are #{Inspec::Schema::OutputSchema.names.join(", ")}"
@@ -477,7 +479,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     puts Inspec::Telemetry::RunContextProbe.guess_run_context
   end
 
-  desc "version", "prints the version of this tool"
+  desc "version", "prints the version of this tool."
   option :format, type: :string
   def version
     if config["format"] == "json"
@@ -491,7 +493,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
   desc "clear_cache", "clears the InSpec cache. Useful for debugging."
   option :vendor_cache, type: :string,
-    desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+    desc: "Use the given path for caching dependencies, (default: `~/.inspec/cache`)."
   def clear_cache
     o = config
     configure_logger(o)

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue "#{d.name}"
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue d.name
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -91,13 +91,17 @@ module Inspec::DSL
     if profile_version
       new_profile_id = "#{profile_id}-#{profile_version}"
     else
-      dependencies.list.keys.each do |key|
-        # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
-        profile_id_key = key.split("-")
-        profile_id_key.pop
-        new_profile_id = key if profile_id_key.join("-") == profile_id
+      dependencies.list.each do |key, value|
+        # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
+        # 2. Matching original profile dependency name with profile name used with include or require control DSL.
+        source_version = value.source_version
+        unless source_version.blank?
+          profile_id_key = key.split("-#{source_version}")[0]
+          new_profile_id = key if profile_id_key == profile_id
+        end
       end
     end
+    # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
     dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id]
 
     if dep_entry.nil?

data/lib/inspec/enhanced_outcomes.rb

@@ -0,0 +1,19 @@
+module Inspec
+  module EnhancedOutcomes
+
+    def self.determine_status(results, impact)
+      # No-op exception occurs in case of not_applicable_if
+      if results.any? { |r| !r[:exception].nil? && !r[:backtrace].nil? && r[:resource_class] != "noop" }
+        "error"
+      elsif !impact.nil? && impact.to_f == 0.0
+        "not_applicable"
+      elsif results.all? { |r| r[:status] == "skipped" }
+        "not_reviewed"
+      elsif results.any? { |r| r[:status] == "failed" }
+        "failed"
+      else
+        "passed"
+      end
+    end
+  end
+end

data/lib/inspec/env_printer.rb

@@ -35,7 +35,7 @@ module Inspec
     private
 
     def print_completion_for_shell
-      erb = ERB.new(File.read(completion_template_path), nil, "-")
+      erb = ERB.new(File.read(completion_template_path), trim_mode: "-")
       puts erb.result(TemplateContext.new(@command_class).get_bindings)
     end
 

data/lib/inspec/exceptions.rb

@@ -10,5 +10,7 @@ module Inspec
     class SecretsBackendNotFound < ArgumentError; end
     class ProfileValidationKeyNotFound < ArgumentError; end
     class ProfileSigningKeyNotFound < ArgumentError; end
+    class WaiversFileNotReadable < ArgumentError; end
+    class WaiversFileDoesNotExist < ArgumentError; end
   end
 end

data/lib/inspec/formatters/base.rb

@@ -1,12 +1,13 @@
 require "rspec/core"
 require "rspec/core/formatters/base_formatter"
 require "set" unless defined?(Set)
+require "inspec/enhanced_outcomes"
 
 module Inspec::Formatters
   class Base < RSpec::Core::Formatters::BaseFormatter
     RSpec::Core::Formatters.register self, :close, :dump_summary, :stop
 
-    attr_accessor :backend, :run_data
+    attr_accessor :backend, :run_data, :enhanced_outcomes
 
     def initialize(output)
       super(output)
@@ -17,6 +18,7 @@ module Inspec::Formatters
       @backend = nil
       @all_controls_count = nil
       @control_checks_count_map = {}
+      @enhanced_outcomes = nil
     end
 
     # RSpec Override: #dump_summary
@@ -50,7 +52,6 @@ module Inspec::Formatters
           else
             hash[:message] = exception_message(e)
           end
-
           next if e.is_a? RSpec::Expectations::ExpectationNotMetError
 
           hash[:exception] = e.class.name
@@ -68,6 +69,8 @@ module Inspec::Formatters
       # flesh out the profiles key with additional profile information
       run_data[:profiles] = profiles_info
 
+      add_enhanced_outcomes_to_controls if enhanced_outcomes
+
       # add the platform information for this particular target
       run_data[:platform] = {
         name: platform(:name),
@@ -110,6 +113,20 @@ module Inspec::Formatters
 
     private
 
+    def add_enhanced_outcomes_to_controls
+      all_unique_controls.each do |control|
+        control[:status] = determine_control_enhanced_outcome(control)
+      end
+    end
+
+    def determine_control_enhanced_outcome(control)
+      if control[:results]
+        Inspec::EnhancedOutcomes.determine_status(control[:results], control[:impact])
+      else
+        "passed"
+      end
+    end
+
     def all_unique_controls
       unique_controls = Set.new
       run_data[:profiles].each do |profile|
@@ -120,25 +137,59 @@ module Inspec::Formatters
     end
 
     def statistics
+      error = 0
+      not_applicable = 0
+      not_reviewed = 0
       failed = 0
-      skipped = 0
       passed = 0
+      skipped = 0
+      enhanced_outcomes_summary = {}
+      if enhanced_outcomes
+        all_unique_controls.each do |control|
+
+          if control[:status] == "error"
+            error += 1
+          elsif control[:status] == "not_applicable"
+            not_applicable += 1
+          elsif control[:status] == "not_reviewed"
+            not_reviewed += 1
+          elsif control[:status] == "failed"
+            failed += 1
+          elsif control[:status] == "passed"
+            passed += 1
+          end
 
-      all_unique_controls.each do |control|
-        next unless control[:results]
-
-        if control[:results].any? { |r| r[:status] == "failed" }
-          failed += 1
-        elsif control[:results].any? { |r| r[:status] == "skipped" }
-          skipped += 1
-        else
-          passed += 1
-        end
-      end
+          # added this additionally because stats summary is also used for determining exit code in runner rspec
+          skipped += 1 if control[:results].any? { |r| r[:status] == "skipped" }
 
-      total = failed + passed + skipped
+        end
+        total = error + not_applicable + not_reviewed + failed + passed
+        enhanced_outcomes_summary = {
+          not_applicable: {
+            total: not_applicable,
+          },
+          not_reviewed: {
+            total: not_reviewed,
+          },
+          error: {
+            total: error,
+          },
+        }
+      else
+        all_unique_controls.each do |control|
+          next unless control[:results]
 
-      {
+          if control[:results].any? { |r| r[:status] == "failed" }
+            failed += 1
+          elsif control[:results].any? { |r| r[:status] == "skipped" }
+            skipped += 1
+          else
+            passed += 1
+          end
+        end
+        total = failed + passed + skipped
+      end
+      final_summary = {
         total: total,
         passed: {
           total: passed,
@@ -150,6 +201,8 @@ module Inspec::Formatters
           total: failed,
         },
       }
+
+      final_summary.merge!(enhanced_outcomes_summary)
     end
 
     def exception_message(exception)