inspec-core 5.18.14 → 5.22.3

data/lib/inspec/plugin/v2/loader.rb

@@ -178,7 +178,19 @@ module Inspec::Plugin::V2
       # TODO: enforce first-level version pinning
       plugin_deps = [Gem::Dependency.new(plugin_gem_name.to_s, version_constraint)]
       managed_gem_set = Gem::Resolver::VendorSet.new
-      list_managed_gems.each { |spec| managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir) }
+
+      list_managed_gems.each do |spec|
+        if Gem::Specification.load spec.gem_dir
+          managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+        else
+          # In case of invalid gemspec as mentioned in this PR https://github.com/brianmario/yajl-ruby/pull/223
+          # the add_vendor_gem breaks. So this is patch to fix the loading issue.
+          # Horribly, chdir to gemspec path to honor . in gemspec
+          Dir.chdir(spec.gem_dir) do |dir|
+            managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir)
+          end
+        end
+      end
 
       # TODO: Next two lines merge our managed gems with the other gems available
       # in our "local universe" - which may be the system, or it could be in a Bundler microcosm,
@@ -278,7 +290,12 @@ module Inspec::Plugin::V2
         when :user_gem
           status.entry_point = status.name.to_s
           status.version = plugin_entry[:version]
-          status.description = fetch_plugin_specs(status.name.to_s)&.summary
+          # Fetch the summary of the gem from local gemspec file instead of remote call using Gem::SpecFetcher.fetcher.
+          unless plugin_entry[:version].nil? # safe check very rare case.
+            version_string = plugin_entry[:version].gsub(/[=,~,>,<]/, "").strip
+            plugin_name_with_version = "#{status.name}-#{version_string}"
+            status.description = fetch_gemspec(File.join(plugin_gem_path, "gems", plugin_name_with_version, "/", status.name.to_s + ".gemspec"))&.summary
+          end
         when :path
           status.entry_point = plugin_entry[:installation_path]
         end
@@ -287,12 +304,6 @@ module Inspec::Plugin::V2
       end
     end
 
-    def fetch_plugin_specs(plugin_name)
-      fetcher = Gem::SpecFetcher.fetcher
-      plugin_dependency = Gem::Dependency.new(plugin_name)
-      fetcher.spec_for_dependency(plugin_dependency).flatten.first
-    end
-
     def fixup_train_plugin_status(status)
       status.api_generation = :'train-1'
       if status.installation_type == :user_gem

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -7,6 +7,7 @@ module Inspec::Plugin::V2::PluginType
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -11,6 +11,7 @@ module Inspec::Plugin::V2::PluginType
       @running_controls_list = []
       @control_checks_count_map = {}
       @controls_count = nil
+      @notifications = {}
     end
 
     private
@@ -49,5 +50,58 @@ module Inspec::Plugin::V2::PluginType
         @control_checks_count_map = RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_control_checks_count_map
       end
     end
+
+    def enhanced_outcomes
+      @enhanced_outcomes ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.enhanced_outcomes
+    end
+
+    def add_enhanced_outcomes(control_id)
+      if control_has_error(@notifications[control_id])
+        "error"
+      elsif control_has_impact_zero(@notifications[control_id])
+        "not_applicable"
+      elsif control_has_all_tests_skipped(@notifications[control_id])
+        "not_reviewed"
+      elsif control_has_any_tests_failed(@notifications[control_id])
+        "failed"
+      else
+        "passed"
+      end
+    end
+
+    def control_has_error(notifications)
+      notifications.any? do |notification_data|
+        notification, _status = notification_data
+        !notification.example.exception.nil? && !(notification.example.exception.is_a? RSpec::Expectations::ExpectationNotMetError) && !notification.example.exception.backtrace.nil? && (!notification.description.include? "No-op") # No-op exception occurs in case of not_applicable_if
+      end
+    end
+
+    def control_has_all_tests_skipped(notifications)
+      notifications.all? do |notification_data|
+        _notification, status = notification_data
+        status == "skipped"
+      end
+    end
+
+    def control_has_any_tests_failed(notifications)
+      notifications.any? do |notification_data|
+        _notification, status = notification_data
+        status == "failed"
+      end
+    end
+
+    def control_has_impact_zero(notifications)
+      notification_data = notifications.first
+      notification_impact = notification_data.first.example.metadata[:impact]
+      notification_data && !notification_impact.nil? && notification_impact.to_f == 0.0
+    end
+
+    def collect_notifications(notification, control_id, status)
+      if @notifications[control_id].nil?
+        @notifications[control_id] = [[notification, status]]
+      else
+        @notifications[control_id].push([notification, status])
+      end
+    end
   end
 end

data/lib/inspec/profile.rb

@@ -383,24 +383,25 @@ module Inspec
       @runner_context
     end
 
-    def collect_gem_dependencies(profile_context)
+    # This collects the gem dependencies data from parent and its dependent profiles
+    def collect_gem_dependencies
       gem_dependencies = []
-      all_profiles = []
-      profile_context.dependencies.list.values.each do |requirement|
-        all_profiles << requirement.profile
-      end
-      all_profiles << self
-      all_profiles.each do |profile|
+      # This collects the dependent profiles gem dependencies if any
+      locked_dependencies.dep_list.each do |_name, dep|
+        profile = dep.profile
         gem_dependencies << profile.metadata.gem_dependencies unless profile.metadata.gem_dependencies.empty?
       end
+      # Appends the parent profile gem dependencies which are available through metadata
+      gem_dependencies << metadata.gem_dependencies unless metadata.gem_dependencies.empty?
       gem_dependencies.flatten.uniq
     end
 
     # Loads the required gems specified in the Profile's metadata file from default inspec gems path i.e. ~/.inspec/gems
     # else installs and loads them.
     def load_gem_dependencies
-      gem_dependencies = collect_gem_dependencies(load_libraries)
+      gem_dependencies = collect_gem_dependencies
       gem_dependencies.each do |gem_data|
+
         dependency_loader = DependencyLoader.new
         if dependency_loader.gem_version_installed?(gem_data[:name], gem_data[:version]) ||
             dependency_loader.gem_installed?(gem_data[:name])

data/lib/inspec/reporters/base.rb

@@ -5,6 +5,7 @@ module Inspec::Reporters
     include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
+    attr_accessor :enhanced_outcomes
 
     def initialize(config)
       @config = config

data/lib/inspec/reporters/cli.rb

@@ -9,6 +9,9 @@ module Inspec::Reporters
         "passed" => "\033[0;1;32m",
         "skipped" => "\033[0;37m",
         "reset" => "\033[0m",
+        "error" => "\033[34m",
+        "not_applicable" => "\033[36m",
+        "not_reviewed" => "\033[33m",
       }.freeze
 
       # Most currently available Windows terminals have poor support
@@ -18,6 +21,9 @@ module Inspec::Reporters
         "skipped" => "[SKIP]",
         "passed" => "[PASS]",
         "unknown" => "[UNKN]",
+        "error" => "[ERR]",
+        "not_applicable" => "[N/A]",
+        "not_reviewed" => "[N/R]",
       }.freeze
     else
       # Extended colors for everyone else
@@ -26,6 +32,9 @@ module Inspec::Reporters
         "passed" => "\033[38;5;41m",
         "skipped" => "\033[38;5;247m",
         "reset" => "\033[0m",
+        "error" => "\033[0;38;5;21m",
+        "not_applicable" => "\033[0;38;5;117m",
+        "not_reviewed" => "\033[0;38;5;214m",
       }.freeze
 
       # Groovy UTF-8 characters for everyone else...
@@ -35,6 +44,9 @@ module Inspec::Reporters
         "skipped" => "↺",
         "passed" => "✔",
         "unknown" => "?",
+        "error" => "ERR",
+        "not_applicable" => "N/A",
+        "not_reviewed" => "N/R",
       }.freeze
     end
 
@@ -63,7 +75,11 @@ module Inspec::Reporters
       end
 
       output("")
-      print_profile_summary
+      if enhanced_outcomes
+        print_control_outcomes_summary
+      else
+        print_profile_summary
+      end
       print_tests_summary
     end
 
@@ -88,6 +104,7 @@ module Inspec::Reporters
     def print_standard_control_results(profile)
       standard_controls_from_profile(profile).each do |control_from_profile|
         control = Control.new(control_from_profile)
+        control.enhanced_outcomes = enhanced_outcomes
         next if control.results.nil?
 
         output(format_control_header(control))
@@ -122,7 +139,7 @@ module Inspec::Reporters
     end
 
     def format_control_header(control)
-      impact = control.impact_string
+      impact = enhanced_outcomes ? control.impact_string_for_enhanced_outcomes : control.impact_string
       format_message(
         color: impact,
         indicator: impact,
@@ -292,6 +309,68 @@ module Inspec::Reporters
       }
     end
 
+    def control_outcomes_summary
+      failed = 0
+      passed = 0
+      error = 0
+      not_reviewed = 0
+      not_applicable = 0
+
+      all_unique_controls.each do |control|
+        next if control[:status].empty?
+
+        if control[:status] == "failed"
+          failed += 1
+        elsif control[:status] == "error"
+          error += 1
+        elsif control[:status] == "not_reviewed"
+          not_reviewed += 1
+        elsif control[:status] == "not_applicable"
+          not_applicable += 1
+        else
+          passed += 1
+        end
+      end
+
+      total = failed + passed + error + not_reviewed + not_applicable
+
+      {
+        "total" => total,
+        "failed" => failed,
+        "passed" => passed,
+        "error" => error,
+        "not_reviewed" => not_reviewed,
+        "not_applicable" => not_applicable,
+      }
+    end
+
+    def print_control_outcomes_summary
+      summary = control_outcomes_summary
+      return unless summary["total"] > 0
+
+      success_str = summary["passed"] == 1 ? "1 successful control" : "#{summary["passed"]} successful controls"
+      failed_str  = summary["failed"] == 1 ? "1 control failure" : "#{summary["failed"]} control failures"
+      error_str = summary["error"] == 1 ? "1 control has error" : "#{summary["error"]} controls have error"
+      not_rev_str = summary["not_reviewed"] == 1 ? "1 control not reviewed" : "#{summary["not_reviewed"]} controls not reviewed"
+      not_app_str = summary["not_applicable"] == 1 ? "1 control not applicable" : "#{summary["not_applicable"]} controls not applicable"
+
+      success_color = summary["passed"] > 0 ? "passed" : "no_color"
+      failed_color = summary["failed"] > 0 ? "failed" : "no_color"
+      error_color = summary["error"] > 0 ? "error" : "no_color"
+      not_rev_color = summary["not_reviewed"] > 0 ? "not_reviewed" : "no_color"
+      not_app_color = summary["not_applicable"] > 0 ? "not_applicable" : "no_color"
+
+      s = format(
+        "Profile Summary: %s, %s, %s, %s, %s",
+        format_with_color(success_color, success_str),
+        format_with_color(failed_color, failed_str),
+        format_with_color(not_rev_color, not_rev_str),
+        format_with_color(not_app_color, not_app_str),
+        format_with_color(error_color, error_str)
+      )
+      output(s) if summary["total"] > 0
+    end
+
     def print_profile_summary
       summary = profile_summary
       return unless summary["total"] > 0
@@ -350,6 +429,7 @@ module Inspec::Reporters
 
     class Control
       attr_reader :data
+      attr_accessor :enhanced_outcomes
 
       def initialize(control_hash)
         @data = control_hash
@@ -379,6 +459,10 @@ module Inspec::Reporters
         id.start_with?("(generated from ")
       end
 
+      def status
+        data[:status]
+      end
+
       def title_for_report
         # if this is an anonymous control, just grab the resource title from any result entry
         return results.first[:resource_title] if anonymous?
@@ -392,10 +476,17 @@ module Inspec::Reporters
         # append a failure summary if appropriate.
         title_for_report += " (#{failure_count} failed)" if failure_count > 0
         title_for_report += " (#{skipped_count} skipped)" if skipped_count > 0
-
         title_for_report
       end
 
+      def impact_string_for_enhanced_outcomes
+        if impact.nil?
+          "unknown"
+        else
+          status
+        end
+      end
+
       def impact_string
         if anonymous?
           nil

data/lib/inspec/reporters/json.rb

@@ -114,7 +114,7 @@ module Inspec::Reporters
 
     def profile_controls(profile)
       (profile[:controls] || []).map { |c|
-        {
+        control_hash = {
           id:     c[:id],
           title:  c[:title],
           desc:   c.dig(:descriptions, :default),
@@ -130,6 +130,8 @@ module Inspec::Reporters
           waiver_data: c[:waiver_data] || {},
           results: profile_results(c),
         }
+        control_hash.merge!({ status: c[:status] }) if enhanced_outcomes
+        control_hash
       }
     end
 

data/lib/inspec/reporters/yaml.rb

@@ -3,7 +3,9 @@ require "yaml"
 module Inspec::Reporters
   class Yaml < Base
     def render
-      output(Inspec::Reporters::Json.new({ run_data: run_data }).report.to_yaml, false)
+      json_reporter_obj = Inspec::Reporters::Json.new({ run_data: run_data })
+      json_reporter_obj.enhanced_outcomes = enhanced_outcomes
+      output(json_reporter_obj.report.to_yaml, false)
     end
 
     def report

data/lib/inspec/reporters.rb

@@ -7,7 +7,7 @@ require "inspec/reporters/yaml"
 
 module Inspec::Reporters
   # rubocop:disable Metrics/CyclomaticComplexity
-  def self.render(reporter, run_data)
+  def self.render(reporter, run_data, enhanced_outcomes = false)
     name, config = reporter.dup
     config[:run_data] = run_data
     case name
@@ -29,6 +29,7 @@ module Inspec::Reporters
       activator.activate!
       reporter = activator.implementation_class.new(config)
     end
+    reporter.enhanced_outcomes = enhanced_outcomes
 
     # optional send_report method on reporter
     return reporter.send_report if defined?(reporter.send_report)

data/lib/inspec/resources/file.rb

@@ -66,7 +66,7 @@ module Inspec::Resources
     def user_permissions
       return {} unless exist?
 
-      return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
+      return skip_resource "`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
 
       @perms_provider.user_permissions(file)
     end

data/lib/inspec/resources/http.rb

@@ -4,7 +4,7 @@
 
 require "inspec/resources/command"
 require "faraday" unless defined?(Faraday)
-require "faraday_middleware"
+require "faraday/follow_redirects"
 require "hashie"
 
 module Inspec::Resources
@@ -153,7 +153,7 @@ module Inspec::Resources
 
           conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
             builder.request :url_encoded
-            builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
+            builder.use Faraday::FollowRedirects::Middleware, limit: max_redirects unless max_redirects.nil?
             builder.adapter Faraday.default_adapter
           end
 
@@ -304,11 +304,11 @@ module Inspec::Resources
           # Insecure not supported simply https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
           cmd << "-MaximumRedirection #{max_redirects}" unless max_redirects.nil?
           request_headers["Authorization"] = """ '\"Basic ' + [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(\"#{username}:#{password}\")) +'\"' """ unless username.nil? || password.nil?
-          request_header_string = nil
+          request_header_array = []
           request_headers.each do |k, v|
-            request_header_string << " #{k} = #{v}"
+            request_header_array << " '#{k}' = '#{v}'"
           end
-          cmd << "-Headers @{#{request_header_string.join(";")}}" unless request_header_string.nil?
+          cmd << "-Headers @{#{request_header_array.join(";")}}" unless request_header_array.empty?
           if params.nil?
             cmd << "'#{url}'"
           else

data/lib/inspec/resources/lxc.rb

@@ -9,14 +9,26 @@ module Inspec::Resources
       describe lxc("ubuntu-container") do
         it { should exist }
         it { should be_running }
+        its("name") { should eq "ubuntu-container" }
+        its("status") { should cmp "Running" }
+        its("type") { should eq "container" }
+        its("architecture") { should eq "x86_64" }
+        its("pid") { should eq 1378 }
+        its("created_at") { should eq "2022/08/16 12:07 UTC" }
+        its("last_used_at") { should eq "2022/08/17 05:06 UTC" }
+        its("resources") { should include "Disk usage" }
       end
     EXAMPLE
 
+    attr_reader :container_info, :container_name
+
     # Resource initialization.
     def initialize(container_name)
       @container_name = container_name
 
       raise Inspec::Exceptions::ResourceSkipped, "The `lxc` resource is not supported on your OS yet." unless inspec.os.linux?
+
+      @container_info = populate_container_info
     end
 
     def resource_id
@@ -28,17 +40,60 @@ module Inspec::Resources
     end
 
     def exists?
-      lxc_info_cmd.exit_status.to_i == 0
+      !@container_info.empty?
     end
 
     def running?
-      container_info = lxc_info_cmd.stdout.split(":").map(&:strip)
-      container_info[0] == "Status" && container_info[1] == "Running"
+      @container_info.key?("Status") && @container_info["Status"].casecmp("Running") == 0
+    end
+
+    def name
+      @container_info["Name"]
+    end
+
+    def status
+      @container_info["Status"]
+    end
+
+    def type
+      @container_info["Type"]
+    end
+
+    def architecture
+      @container_info["Architecture"]
+    end
+
+    def pid
+      @container_info["PID"]
+    end
+
+    def created_at
+      @container_info["Created"]
+    end
+
+    def last_used_at
+      @container_info["Last Used"]
+    end
+
+    def resources
+      @container_info["Resources"]
     end
 
     private
 
-    # Method to find lxc
+    def populate_container_info
+      lxc_util = find_lxc_or_error
+      lxc_info_cmd = inspec.command("#{lxc_util} info #{@container_name}")
+
+      if lxc_info_cmd.exit_status.to_i == 0
+        parse_command_output(lxc_info_cmd.stdout)
+      elsif lxc_info_cmd.stderr =~ /Error: Instance not found/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve information for #{container_name}.\n#{lxc_info_cmd.stderr}"
+      end
+    end
+
     def find_lxc_or_error
       %w{/usr/sbin/lxc /sbin/lxc lxc}.each do |cmd|
         return cmd if inspec.command(cmd).exist?
@@ -47,11 +102,12 @@ module Inspec::Resources
       raise Inspec::Exceptions::ResourceFailed, "Could not find `lxc`"
     end
 
-    def lxc_info_cmd
-      bin = find_lxc_or_error
-      info_cmd = "info #{@container_name} | grep -i Status"
-      lxc_cmd = format("%s %s", bin, info_cmd).strip
-      inspec.command(lxc_cmd)
+    def parse_command_output(output)
+      require "yaml" unless defined?(YAML)
+      YAML.load(output)
+    rescue Psych::SyntaxError => e
+      warn "Could not parse the command output.\n#{e.message}"
+      {}
     end
   end
 end

data/lib/inspec/resources/mongodb_session.rb

@@ -84,6 +84,11 @@ module Inspec::Resources
       options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
       options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
 
+      # Setting the logger level to INFO as mongo gem version 2.13.2 is using DEBUG as the log level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/v2.13.2/lib/mongo/logger.rb#L79
+      # Latest version of the mongo gem don't have this issue as it set to INFO level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/logger.rb#L82
+      # We pinned the version to 2.13.2 as the latest version of the mongo gem has broken symlink https://jira.mongodb.org/browse/RUBY-2546 which causes omnibus build failure.
+      # Once we get the latest version working we can remove logger level set here.
+      Mongo::Logger.logger.level = Logger::INFO
       @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
 
     rescue => e