inspec-core 5.18.14 → 5.22.3

data/lib/inspec/runner.rb

@@ -60,9 +60,11 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        waivers = @conf.delete(:waiver_file)
-        @conf[:input_file] ||= []
-        @conf[:input_file].concat waivers
+        @conf[:waiver_file].each do |file|
+          unless File.file?(file)
+            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+          end
+        end
       end
 
       # About reading inputs:
@@ -133,12 +135,20 @@ module Inspec
       all_controls.each do |rule|
         unless rule.nil?
           register_rule(rule)
-          checks = ::Inspec::Rule.prepare_checks(rule)
-          unless checks.empty?
+          total_checks = 0
+          control_describe_checks = ::Inspec::Rule.prepare_checks(rule)
+
+          examples = control_describe_checks.flat_map do |m, a, b|
+            get_check_example(m, a, b)
+          end.compact
+
+          examples.map { |example| total_checks += example.examples.count }
+
+          unless control_describe_checks.empty?
             # controls with empty tests are avoided
             # checks represent tests within control
-            controls_count += 1
-            control_checks_count_map[rule.to_s] = checks.count
+            controls_count += 1 if control_checks_count_map[rule.to_s].nil?
+            control_checks_count_map[rule.to_s] = control_checks_count_map[rule.to_s].to_i + total_checks
           end
         end
       end
@@ -158,7 +168,7 @@ module Inspec
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data)
+        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end

data/lib/inspec/runner_rspec.rb

@@ -107,11 +107,11 @@ module Inspec
       stats = @formatter.results[:statistics][:controls]
       load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
       skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
-      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
+      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures && (stats[:error] && stats[:error][:total] == 0) # placed error count condition because of enhanced outcomes
         0
       elsif load_failures
         @conf["distinct_exit"] ? 102 : 1
-      elsif stats[:failed][:total] > 0
+      elsif stats[:failed][:total] > 0 || (stats[:error] && stats[:error][:total] > 0)
         @conf["distinct_exit"] ? 100 : 1
       elsif stats[:skipped][:total] > 0 || skipped
         @conf["distinct_exit"] ? 101 : 0
@@ -196,6 +196,7 @@ module Inspec
     def configure_output
       RSpec.configuration.output_stream = $stdout
       @formatter = RSpec.configuration.add_formatter(Inspec::Formatters::Base)
+      @formatter.enhanced_outcomes = @conf.final_options["enhanced_outcomes"]
       RSpec.configuration.add_formatter(Inspec::Formatters::ShowProgress, $stderr) if @conf[:show_progress]
       set_optional_formatters
       RSpec.configuration.color = @conf["color"]

data/lib/inspec/schema/exec_json.rb

@@ -19,8 +19,8 @@ module Inspec
       # Lists the potential values for a control result
       CONTROL_RESULT_STATUS = Primitives::SchemaType.new("Control Result Status", {
         "type" => "string",
-        "enum" => %w{passed failed skipped error},
-      }, [], "The status of a control.  Should be one of 'passed', 'failed', 'skipped', or 'error'.")
+        "enum" => %w{passed failed skipped},
+      }, [], "The status of a control.  Should be one of 'passed', 'failed', or 'skipped'.")
 
       # Represents the statistics/result of a control"s execution
       CONTROL_RESULT = Primitives::SchemaType.new("Control Result", {
@@ -75,6 +75,36 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
 
+      # Represents a control produced with enhanced outcomes option
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Exec JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact refs tags code source_location results},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."), # Nullable string
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(Primitives.array(CONTROL_DESCRIPTION.ref), "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+          "results" => Primitives.desc(Primitives.array(CONTROL_RESULT.ref), %q(
+             The set of all tests within the control and their results and findings.  Example:
+             For Chef Inspec, if in the control's code we had the following:
+               describe sshd_config do
+                 its('Port') { should cmp 22 }
+               end
+             The findings from this block would be appended to the results, as well as those of any other blocks within the control.
+          )),
+        },
+      }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT], "Describes a control and any findings it has.")
+
       # Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
       # However, concessions were made to the reality of current reporters, specifically
       # with how description is omitted and version/inspec_version aren't as advertised online
@@ -112,6 +142,40 @@ module Inspec
         },
       }, [CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
 
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{name sha256 supports attributes groups controls},
+        # Name is mandatory in inspec.yml.
+        # supports, controls, groups, and attributes are always present, even if empty
+        # sha256, status, status_message
+        "properties" => {
+          # These are provided in inspec.yml
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contact information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."),
+          "parent_profile" => Primitives.desc(Primitives::STRING, "The name of the parent profile if the profile is a dependency of another."),
+          "license" => Primitives.desc(Primitives::STRING, "The copyright license.  Example: the full text or the name, such as 'Apache License, Version 2.0'."),
+          "summary" => Primitives.desc(Primitives::STRING, "The summary.  Example: the Security Technical Implementation Guide (STIG) header."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "description" => Primitives.desc(Primitives::STRING, "The description - should be more detailed than the summary."),
+          "inspec_version" => Primitives.desc(Primitives::STRING, "The version of Inspec."),
+
+          # These are generated at runtime, and all except status_message and skip_message are guaranteed
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: loaded."), # enum? loaded, failed, skipped
+          "status_message" => Primitives.desc(Primitives::STRING, "The reason for the status.  Example: why it was skipped or failed to load."),
+          "skip_message" => Primitives.desc(Primitives::STRING, "The reason for skipping if it was skipped."), # Deprecated field - status_message should be used instead.
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls including any findings."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "attributes" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used in the run."),
+        },
+      }, [ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::SUPPORT], "Information on the set of controls assessed.  Example: it can include the name of the Inspec profile and any findings.")
+
       # Result of exec json. Top level value
       # TODO: Include the format of top level controls. This was omitted for lack of sufficient examples
       OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
@@ -125,6 +189,18 @@ module Inspec
           "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
         },
       }, [Primitives::PLATFORM, PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
+
+      ENHANCED_OUTCOME_OUTPUT = Primitives::SchemaType.new("Exec JSON Output", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{platform profiles statistics version},
+        "properties" => {
+          "platform" => Primitives.desc(Primitives::PLATFORM.ref, "Information on the platform the run from the tool that generated the findings was from.  Example: the name of the operating system."),
+          "profiles" => Primitives.desc(Primitives.array(PROFILE.ref), "Information on the run(s) from the tool that generated the findings.  Example: the findings."),
+          "statistics" => Primitives.desc(Primitives::STATISTICS.ref, "Statistics for the run(s) from the tool that generated the findings.  Example: the runtime duration."),
+          "version" => Primitives.desc(Primitives::STRING, "Version number of the tool that generated the findings.  Example: '4.18.108' is a version of Chef InSpec."),
+        },
+      }, [Primitives::PLATFORM, ENHANCED_OUTCOME_PROFILE, Primitives::STATISTICS], "The top level value containing all of the results.")
     end
   end
 end

data/lib/inspec/schema/output_schema.rb

@@ -30,6 +30,8 @@ module Inspec
         "profile-json" => OutputSchema.finalize(Schema::ProfileJson::PROFILE),
         "exec-json" => OutputSchema.finalize(Schema::ExecJson::OUTPUT),
         "exec-jsonmin" => OutputSchema.finalize(Schema::ExecJsonMin::OUTPUT),
+        "profile-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ProfileJson::ENHANCED_OUTCOME_PROFILE),
+        "exec-json-enhanced-outcomes" => OutputSchema.finalize(Schema::ExecJson::ENHANCED_OUTCOME_OUTPUT),
         "platforms" => PLATFORMS,
       }.freeze
 
@@ -37,7 +39,8 @@ module Inspec
         LIST.keys
       end
 
-      def self.json(name)
+      def self.json(name, opts)
+        name += "-enhanced-outcomes" if opts["enhanced_outcomes"]
         if !LIST.key?(name)
           raise("Cannot find schema #{name.inspect}.")
         elsif LIST[name].is_a?(Proc)

data/lib/inspec/schema/profile_json.rb

@@ -31,6 +31,28 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
 
+      # Represents a control with enhanced outcomes status information
+      ENHANCED_OUTCOME_CONTROL = Primitives::SchemaType.new("Profile JSON Control", {
+        "type" => "object",
+        "additionalProperties" => true,
+        "required" => %w{id title desc impact tags code},
+        "properties" => {
+          "id" => Primitives.desc(Primitives::STRING, "The id."),
+          "title" => Primitives.desc({ "type" => %w{string null} }, "The title - is nullable."),
+          "desc" => Primitives.desc({ "type" => %w{string null} }, "The description for the overarching control."),
+          "descriptions" => Primitives.desc(CONTROL_DESCRIPTIONS.ref, "A set of additional descriptions.  Example: the 'fix' text."),
+          "impact" => Primitives.desc(Primitives::IMPACT, "The impactfulness or severity."),
+          "status" => {
+            "enum" => %w{passed failed not_applicable not_reviewed error},
+            "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+          },
+          "refs" => Primitives.desc(Primitives.array(Primitives::REFERENCE.ref), "The set of references to external documents."),
+          "tags" => Primitives.desc(Primitives::TAGS, "A set of tags - usually metadata."),
+          "code" => Primitives.desc(Primitives::STRING, "The raw source code of the control. Note that if this is an overlay control, it does not include the underlying source code."),
+          "source_location" => Primitives.desc(Primitives::SOURCE_LOCATION.ref, "The explicit location of the control within the source code."),
+        },
+      }, [CONTROL_DESCRIPTIONS, Primitives::REFERENCE, Primitives::SOURCE_LOCATION], "The set of all tests within the control.")
+
       # A profile that has not been run.
       PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
         "type" => "object",
@@ -55,6 +77,30 @@ module Inspec
           "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
         },
       }, [Primitives::SUPPORT, CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
+
+      ENHANCED_OUTCOME_PROFILE = Primitives::SchemaType.new("Profile JSON Profile", {
+        "type" => "object",
+        "additionalProperties" => true, # Anything in the yaml will be put in here. LTTODO: Make this stricter!
+        "required" => %w{name supports controls groups sha256},
+        "properties" => {
+          "name" => Primitives.desc(Primitives::STRING, "The name - must be unique."),
+          "supports" => Primitives.desc(Primitives.array(Primitives::SUPPORT.ref), "The set of supported platform targets."),
+          "controls" => Primitives.desc(Primitives.array(CONTROL.ref), "The set of controls - contains no findings as the assessment has not yet occurred."),
+          "groups" => Primitives.desc(Primitives.array(Primitives::CONTROL_GROUP.ref), "A set of descriptions for the control groups.  Example: the ids of the controls."),
+          "inputs" => Primitives.desc(Primitives.array(Primitives::INPUT), "The input(s) or attribute(s) used to be in the run."),
+          "sha256" => Primitives.desc(Primitives::STRING, "The checksum of the profile."),
+          "status" => Primitives.desc(Primitives::STRING, "The status.  Example: skipped."),
+          "generator" => Primitives.desc(Primitives::GENERATOR.ref, "The tool that generated this file.  Example: Chef Inspec."),
+          "version" => Primitives.desc(Primitives::STRING, "The version of the profile."),
+
+          # Other properties possible in inspec docs, but that aren"t guaranteed
+          "title" => Primitives.desc(Primitives::STRING, "The title - should be human readable."),
+          "maintainer" => Primitives.desc(Primitives::STRING, "The maintainer(s)."),
+          "copyright" => Primitives.desc(Primitives::STRING, "The copyright holder(s)."),
+          "copyright_email" => Primitives.desc(Primitives::STRING, "The email address or other contract information of the copyright holder(s)."),
+          "depends" => Primitives.desc(Primitives.array(Primitives::DEPENDENCY.ref), "The set of dependencies this profile depends on.  Example: an overlay profile is dependent on another profile."), # Can have depends, but NOT a parentprofile
+        },
+      }, [Primitives::SUPPORT, ENHANCED_OUTCOME_CONTROL, Primitives::CONTROL_GROUP, Primitives::DEPENDENCY, Primitives::GENERATOR], "Information on the set of controls that can be assessed.  Example: it can include the name of the Inspec profile.")
     end
   end
 end

data/lib/inspec/schema.rb

@@ -111,6 +111,43 @@ module Inspec
       },
     }.freeze
 
+    CONTROL_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "id" => { "type" => "string" },
+        "title" => { "type" => %w{string null} },
+        "desc" => { "type" => %w{string null} },
+        "descriptions" => { "type" => %w{array} },
+        "impact" => { "type" => "number" },
+        "status" => {
+          "enum" => %w{passed failed not_applicable not_reviewed error},
+          "description" => Primitives.desc(Primitives::STRING, "The enhanced outcome status of the control"),
+        },
+        "refs" => REFS,
+        "tags" => TAGS,
+        "code" => { "type" => "string" },
+        "source_location" => {
+          "type" => "object",
+          "properties" => {
+            "ref" => { "type" => "string" },
+            "line" => { "type" => "number" },
+          },
+        },
+        "results" => { "type" => "array", "items" => RESULT },
+        "waiver_data" => {
+          "type" => "object",
+          "properties" => {
+            "skipped_due_to_waiver" => { "type" => "string" },
+            "run" => { "type" => "boolean" },
+            "message" => { "type" => "string" },
+            "expiration_date" => { "type" => "string" },
+            "justification" => { "type" => "string" },
+          },
+        },
+      },
+    }.freeze
+
     SUPPORTS = {
       "type" => "object",
       "additionalProperties" => false,
@@ -173,6 +210,45 @@ module Inspec
       },
     }.freeze
 
+    PROFILE_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "name" => { "type" => "string" },
+        "version" => { "type" => "string", "optional" => true },
+        "sha256" => { "type" => "string", "optional" => false },
+
+        "title" => { "type" => "string", "optional" => true },
+        "maintainer" => { "type" => "string", "optional" => true },
+        "copyright" => { "type" => "string", "optional" => true },
+        "copyright_email" => { "type" => "string", "optional" => true },
+        "license" => { "type" => "string", "optional" => true },
+        "summary" => { "type" => "string", "optional" => true },
+        "status" => { "type" => "string", "optional" => false },
+        "status_message" => { "type" => "string", "optional" => true },
+        # skip_message is deprecated, status_message should be used to store the reason for skipping
+        "skip_message" => { "type" => "string", "optional" => true },
+
+        "supports" => {
+          "type" => "array",
+          "items" => SUPPORTS,
+          "optional" => true,
+        },
+        "controls" => {
+          "type" => "array",
+          "items" => CONTROL_ENHANCED_OUTCOME,
+        },
+        "groups" => {
+          "type" => "array",
+          "items" => CONTROL_GROUP,
+        },
+        "attributes" => { # TODO: rename to inputs, refs #3802
+          "type" => "array",
+          # TODO: more detailed specification needed
+        },
+      },
+    }.freeze
+
     EXEC_JSON = {
       "type" => "object",
       "additionalProperties" => false,
@@ -187,6 +263,20 @@ module Inspec
       },
     }.freeze
 
+    EXEC_JSON_ENHANCED_OUTCOME = {
+      "type" => "object",
+      "additionalProperties" => false,
+      "properties" => {
+        "platform" => PLATFORM,
+        "profiles" => {
+          "type" => "array",
+          "items" => PROFILE_ENHANCED_OUTCOME,
+        },
+        "statistics" => STATISTICS,
+        "version" => { "type" => "string" },
+      },
+    }.freeze
+
     MIN_CONTROL = {
       "type" => "object",
       "additionalProperties" => false,
@@ -228,6 +318,7 @@ module Inspec
     LIST = {
       "exec-json" => EXEC_JSON,
       "exec-jsonmin" => EXEC_JSONMIN,
+      "exec-json-enhanced-outcome" => EXEC_JSON_ENHANCED_OUTCOME,
       "platforms" => PLATFORMS,
     }.freeze
 

data/lib/inspec/utils/convert.rb

@@ -5,4 +5,12 @@ module Converter
     val = val.to_i if val =~ /^\d+$/
     val
   end
+
+  def self.to_boolean(value)
+    if ["true", "True", "TRUE", true, "yes", "y", "YES", "Y"].include? value
+      true
+    elsif ["false", "False", "FALSE", false, "no", "n", "NO", "N"].include? value
+      false
+    end
+  end
 end

data/lib/inspec/utils/podman.rb

@@ -0,0 +1,24 @@
+require "inspec/resources/command"
+
+module Inspec
+  module Utils
+    module Podman
+      def podman_running?
+        inspec.command("podman version").exit_status == 0
+      end
+
+      # Generates the template in this format using labels hash: "\"id\": {{json .ID}}, \"name\": {{json .Name}}",
+      def generate_go_template(labels)
+        (labels.map { |k, v| "\"#{k}\": {{json .#{v}}}" }).join(", ")
+      end
+
+      def parse_command_output(output)
+        require "json" unless defined?(JSON)
+        JSON.parse(output)
+      rescue JSON::ParserError => _e
+        warn "Could not parse the command output"
+        {}
+      end
+    end
+  end
+end

data/lib/inspec/utils/simpleconfig.rb

@@ -57,11 +57,18 @@ class SimpleConfig
     m = opts[:assignment_regex].match(line)
     return nil if m.nil?
 
+    values = parse_values(m, opts[:key_values])
+
     if opts[:multiple_values]
       @vals[m[1]] ||= []
-      @vals[m[1]].push(parse_values(m, opts[:key_values]))
+      if opts[:multiple_value_regex] # can be used only if multiple values is set as true
+        value_to_array = values.split(opts[:multiple_value_regex])
+        @vals[m[1]].concat(value_to_array)
+      else
+        @vals[m[1]].push(values)
+      end
     else
-      @vals[m[1]] = parse_values(m, opts[:key_values])
+      @vals[m[1]] = values
     end
   end
 
@@ -116,6 +123,7 @@ class SimpleConfig
       key_values: 1, # default for key=value, may require for 'key val1 val2 val3'
       standalone_comments: false,
       multiple_values: false,
+      multiple_value_regex: nil,
     }
   end
 end

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -0,0 +1,34 @@
+require "csv" unless defined?(CSV)
+
+module Waivers
+  class CSVFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      CSV.foreach(path, headers: true) do |row|
+        row_hash = row.to_hash
+        @headers = row_hash.keys if @headers.empty?
+        control_id = row_hash["control_id"]
+        # delete keys and values not required in final hash
+        row_hash.delete("control_id")
+        row_hash.delete_if { |k, v| k.nil? || v.nil? }
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+
+      waiver_data_hash
+    rescue CSV::MalformedCSVError => e
+      raise "Error reading InSpec waivers in CSV: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -0,0 +1,39 @@
+require "roo"
+require "roo-xls"
+
+module Waivers
+  class ExcelFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      file_extension = File.extname(path) == ".xlsx" ? :xlsx : :xls
+      excel_file = Roo::Spreadsheet.open(path, extension: file_extension)
+      excel_file.sheet(0).parse(headers: true).each_with_index do |row, index|
+        if index == 0
+          @headers = row.keys
+        else
+          row_hash = row
+          control_id = row_hash["control_id"]
+          # delete keys and values not required in final hash
+          row_hash.delete("control_id")
+          row_hash.delete_if { |k, v| k.nil? || v.nil? }
+        end
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+      waiver_data_hash
+    rescue Exception => e
+      raise "Error reading InSpec waivers in Excel: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/json_file_reader.rb

@@ -0,0 +1,15 @@
+module Waivers
+  class JSONFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      JSON.parse(File.read(path))
+    rescue JSON::ParserError => e
+      raise "Error reading InSpec waivers in JSON: #{e}"
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.18.14".freeze
+  VERSION = "5.22.3".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -0,0 +1,61 @@
+require "inspec/secrets/yaml"
+require "inspec/utils/waivers/csv_file_reader"
+require "inspec/utils/waivers/json_file_reader"
+
+module Inspec
+  class WaiverFileReader
+
+    def self.fetch_waivers_by_profile(profile_id, files)
+      read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
+      @waivers_data[profile_id]
+    end
+
+    def self.read_waivers_from_file(profile_id, files)
+      @waivers_data ||= {}
+      output = {}
+
+      files.each do |file_path|
+        file_extension = File.extname(file_path)
+        data = nil
+        if [".yaml", ".yml"].include? file_extension
+          data = Secrets::YAML.resolve(file_path)
+          data = data.inputs unless data.nil?
+          validate_json_yaml(data)
+        elsif file_extension == ".csv"
+          data = Waivers::CSVFileReader.resolve(file_path)
+          headers = Waivers::CSVFileReader.headers
+          validate_headers(headers)
+        elsif file_extension == ".json"
+          data = Waivers::JSONFileReader.resolve(file_path)
+          validate_json_yaml(data)
+        end
+        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+
+        if data.nil?
+          raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Cannot find parser for waivers file '#{file_path}'. " \
+              "Check to make sure file has the appropriate extension."
+        end
+      end
+
+      @waivers_data[profile_id] = output
+    end
+
+    def self.validate_headers(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      all_fields = %w{control_id justification expiration_date run}
+
+      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
+      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
+      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+    end
+
+    def self.validate_json_yaml(data)
+      headers = []
+      data.each_value do |value|
+        headers.push value.keys
+      end
+      validate_headers(headers.flatten.uniq, true)
+    end
+  end
+end

data/lib/matchers/matchers.rb

@@ -148,7 +148,7 @@ RSpec::Matchers.define :be_resolvable do
   end
 end
 
-# matcher for iptables and ip6tables
+# matcher for iptables, ip6tables and nftables
 RSpec::Matchers.define :have_rule do |rule|
   match do |tables|
     tables.has_rule?(rule)
@@ -163,6 +163,13 @@ RSpec::Matchers.define :have_rule do |rule|
   end
 end
 
+# matcher for nftables sets
+RSpec::Matchers.define :have_element do |elem|
+  match do |sets|
+    sets.has_element?(elem)
+  end
+end
+
 # `be_in` matcher
 # You can use it in the following cases:
 # - check if an item or array is included in a given array
@@ -225,7 +232,11 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def boolean?(value)
-    %w{true false}.include?(value.downcase)
+    if value.respond_to?("downcase")
+      %w{true false}.include?(value.downcase)
+    else
+      value.is_a?(TrueClass) || value.is_a?(FalseClass)
+    end
   end
 
   def version?(value)
@@ -252,6 +263,8 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
       return actual.send(op, expected.to_i)
     elsif expected.is_a?(String) && boolean?(expected) && [true, false].include?(actual)
       return actual.send(op, to_boolean(expected))
+    elsif boolean?(expected) && %w{true false}.include?(actual)
+      return actual.send(op, expected.to_s)
     elsif expected.is_a?(Integer) && actual.is_a?(String) && integer?(actual)
       return actual.to_i.send(op, expected)
     elsif expected.is_a?(Float) && float?(actual)