inspec-core 5.21.29 → 5.22.29

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f6f86730baadd988c363a823e5e46ba68c318e48b27bbaaba614ce7c33bb71c
-  data.tar.gz: f02ca42e9d4e525b82e9cfa61a04b122dc3b09c1e3c96f2ec4440c3fb3053f25
+  metadata.gz: 31c8e898abb240d79f4c564ae182f620d291f0e895b1451185f891c0c03a4d3b
+  data.tar.gz: 513a01ebe59969076c1a9e2c210f41b1366dbb17603e6370bdcb88d162d0d06a
 SHA512:
-  metadata.gz: 597fed943b00ed280a749f05c97d01e29b4d5a85034835e9f242990588b35b740bf56a886b65202777d68b79b5cbd1faf1a48a69c1a4f1f8a00a83ecdece3527
-  data.tar.gz: 13aa012d46677b3cd31614dcc118c62b1aa1656f3007d6b105f7822a3c25a45b1b1284eef9fb9e761cf5a03cd8209ffe8518d54ed355c189a2f141788a000694
+  metadata.gz: af17576ae657e9ca435998a6a57655f0c78d48782e3c7b1f37f62be74d7f7c40192330c3bb34f81c84c1de5b60aea6694c40c8b9ccdedd7d00dfe756614edc00
+  data.tar.gz: dc279dd3ab134e92c7c318e859f0f4683347980eafaf80385330b3aeb762c9f72863cf66b2def9a2f61daabb378d3356b5110ac981d119e0e52eae009e785818

data/Gemfile

@@ -25,16 +25,15 @@ end
 group :test do
   gem "chefstyle", "~> 2.2.2"
   gem "concurrent-ruby", "~> 1.0"
-  gem "json_schemer", ">= 0.2.1", "< 0.2.19"
+  gem "json_schemer", ">= 0.2.1", "< 2.0.1"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
-  gem "mocha", "~> 1.1"
+  gem "mocha", "~> 2.1"
   gem "nokogiri", "~> 1.9"
   gem "pry-byebug"
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
-  gem "ruby-progressbar", "~> 1.8"
   gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
@@ -48,20 +47,3 @@ end
 group :deploy do
   gem "inquirer"
 end
-
-group :kitchen do
-  gem "berkshelf"
-
-  # Chef 18 requires ruby 3
-  if Gem.ruby_version >= Gem::Version.new("3.0.0")
-    gem "chef", ">= 17.0"
-  else
-    # Ruby 2.7 presumably - TODO remove this when 2.7 is sunsetted
-    gem "chef", "~> 16.0"
-  end
-
-  gem "test-kitchen", ">= 2.8"
-  gem "kitchen-inspec", ">= 2.0"
-  gem "kitchen-dokken", ">= 2.11"
-  gem "git"
-end

data/inspec-core.gemspec

@@ -25,13 +25,15 @@ Gem::Specification.new do |spec|
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",           "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
-  spec.add_dependency "thor",                     ">= 0.20", "< 2.0"
+  # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
+  # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.11"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.12"
   spec.add_dependency "rspec-its",                "~> 1.2"
   spec.add_dependency "pry",                      "~> 0.13"
-  spec.add_dependency "hashie",                   ">= 3.4", "< 5.0"
+  spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
   spec.add_dependency "mixlib-log",               "~> 3.0"
   spec.add_dependency "sslshake",                 "~> 1.2"
   spec.add_dependency "parallel",                 "~> 1.9"
@@ -41,7 +43,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 

data/lib/inspec/base_cli.rb

@@ -100,11 +100,11 @@ module Inspec
       option :ssl, type: :boolean,
         desc: "Use SSL for transport layer encryption (WinRM)."
       option :ssl_peer_fingerprint, type: :string,
-        desc: "Specify peer fingerprint for SSL authentication, used in lieu of certificates"
+        desc: "Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM)."
       option :self_signed, type: :boolean,
         desc: "Allow remote scans with self-signed certificates (WinRM)."
       option :ca_trust_file, type: :string,
-        desc: "Specify CA trust file for SSL authentication"
+        desc: "Specify CA certificate required for SSL authentication (WinRM)."
       option :client_cert, type: :string,
         desc: "Specify client certificate for SSL authentication"
       option :client_key, type: :string,
@@ -121,32 +121,32 @@ module Inspec
         desc: "Read configuration from JSON file (`-` reads from stdin)."
       option :json_config, type: :string, hide: true
       option :proxy_command, type: :string,
-        desc: "Specifies the command to use to connect to the server"
+        desc: "Specifies the command to use to connect to the server."
       option :bastion_host, type: :string,
-        desc: "Specifies the bastion host if applicable"
+        desc: "Specifies the bastion host if applicable."
       option :bastion_user, type: :string,
-        desc: "Specifies the bastion user if applicable"
+        desc: "Specifies the bastion user if applicable."
       option :bastion_port, type: :string,
-        desc: "Specifies the bastion port if applicable"
+        desc: "Specifies the bastion port if applicable."
       option :insecure, type: :boolean, default: false,
-        desc: "Disable SSL verification on select targets"
+        desc: "Disable SSL verification on select targets."
       option :target_id, type: :string,
-        desc: "Provide a ID which will be included on reports - deprecated"
+        desc: "Provide an ID which will be included on reports - deprecated"
       option :winrm_shell_type, type: :string, default: "powershell",
-        desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
+        desc: "Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM)."
       option :docker_url, type: :string,
-        desc: "Provides path to Docker API endpoint (Docker)"
+        desc: "Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows."
       option :ssh_config_file, type: :array,
-        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
-        desc: "Provides path to Podman API endpoint"
+        desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
     end
 
     def self.profile_options
       option :profiles_path, type: :string,
         desc: "Folder which contains referenced profiles."
       option :vendor_cache, type: :string,
-        desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+        desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
       option :auto_install_gems, type: :boolean, default: false,
         desc: "Auto installs gem dependencies of the profile or resource pack."
     end
@@ -174,7 +174,7 @@ module Inspec
       option :input, type: :array, banner: "name1=value1 name2=value2",
         desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
       option :input_file, type: :array,
-        desc: "Load one or more input files, a YAML file with values for the profile to use"
+        desc: "Load one or more input files, a YAML file with values for the profile to use."
       option :waiver_file, type: :array,
         desc: "Load one or more waiver files."
       option :attrs, type: :array,
@@ -182,14 +182,14 @@ module Inspec
       option :create_lockfile, type: :boolean,
         desc: "Write out a lockfile based on this execution (unless one already exists)"
       option :backend_cache, type: :boolean,
-        desc: "Allow caching for backend command output. (default: true)"
+        desc: "Allow caching for backend command output. (default: true)."
       option :show_progress, type: :boolean,
         desc: "Show progress while executing tests."
       option :distinct_exit, type: :boolean, default: true,
         desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
-        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'."
       option :diff, type: :boolean, default: true,
         desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
       option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
@@ -197,7 +197,7 @@ module Inspec
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
       option :filter_waived_controls, type: :boolean,
-        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file."
       option :retain_waiver_data, type: :boolean,
         desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,

data/lib/inspec/cli.rb

@@ -61,9 +61,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   require "license_acceptance/cli_flags/thor"
   include LicenseAcceptance::CLIFlags::Thor
 
-  desc "json PATH", "read all tests in PATH and generate a JSON summary"
+  desc "json PATH", "read all tests in the PATH and generate a JSON summary."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created profile to a path"
+    desc: "Save the created profile to a path."
   option :controls, type: :array,
     desc: "A list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -81,7 +81,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :format, type: :string,
     desc: "The output format to use: json, raw, yaml. If valid format is not provided then it will use the default for the given 'what'."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created output to a path"
+    desc: "Save the created output to a path."
   option :controls, type: :array,
     desc: "For --what=profile, a list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -145,9 +145,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "check PATH", "verify all tests at the specified PATH"
+  desc "check PATH", "Verify the metadata in the `inspec.yml` file,\
+  verify that control blocks have the correct fields (title, description, impact),\
+  and define that all controls have visible tests and the controls are not using deprecated InSpec DSL code"
   option :format, type: :string,
-    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+    desc: "The output format to use. Valid values: `json` and `doc`. Default value: `doc`."
   option :with_cookstyle, type: :boolean,
     desc: "Enable or disable cookstyle checks.", default: false
   profile_options
@@ -228,10 +230,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     vendor_deps(path, o)
   end
 
-  desc "archive PATH", "archive a profile to tar.gz (default) or zip"
+  desc "archive PATH", "Archive a profile to a tar file (default) or zip file."
   profile_options
   option :output, aliases: :o, type: :string,
-    desc: "Save the archive to a path"
+    desc: "Save the archive to a path."
   option :zip, type: :boolean, default: false,
     desc: "Generates a zip archive."
   option :tar, type: :boolean, default: false,
@@ -242,6 +244,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Fallback to using local archives if fetching fails."
   option :ignore_errors, type: :boolean, default: false,
     desc: "Ignore profile warnings."
+  option :check, type: :boolean, default: false,
+    desc: "Run profile check before archiving."
+  option :export, type: :boolean, default: false,
+    desc: "Export the profile to inspec.json and include in archive"
   def archive(path, log_level = nil)
     o = config
     diagnose(o)
@@ -262,7 +268,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       o[:logger].warn "Archiving a profile that contains gem dependencies, but InSpec cannot package gems with the profile! Please archive your ~/.inspec/gems directory separately."
     end
 
-    result = profile.check
+    result = profile.check if o[:check]
 
     if result && !o[:ignore_errors] == false
       o[:logger].info "Profile check failed. Please fix the profile before generating an archive."
@@ -275,14 +281,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", "Run all tests at LOCATIONS."
+  desc "exec LOCATIONS", "Run all test files at the specified locations."
   long_desc <<~EOT
-    Run all test files at the specified LOCATIONS.
-
-    Loads the given profile(s) and fetches their dependencies if needed. Then
-    connects to the target and executes any controls contained in the profiles.
-    One or more reporters are used to generate output.
-
+    The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles.
+    One or more reporters are used to generate the output.
     ```
     Exit codes:
         0  Normal exit, all tests passed
@@ -296,7 +298,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     Below are some examples of using `exec` with different test LOCATIONS:
 
-    Automate:
+    Chef Automate:
       ```
       #{Inspec::Dist::EXEC_NAME} automate login
       #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
@@ -306,7 +308,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} compliance login
       ```
 
-    Supermarket:
+    Chef Supermarket:
       ```
       #{Inspec::Dist::EXEC_NAME} exec supermarket://username/linux-baseline
       ```
@@ -343,12 +345,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} exec https://github.com/dev-sec/linux-baseline.git
       ```
 
-    Web hosted fileshare (also supports .zip):
+    Web hosted file (also supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://webserver/linux-baseline.tar.gz
       ```
 
-    Web hosted fileshare with basic authentication (supports .zip):
+    Web hosted file with basic authentication (supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://username:password@webserver/linux-baseline.tar.gz
       ```
@@ -371,7 +373,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "detect", "detect the target OS"
+  desc "detect", "detects the target OS."
   target_options
   option :format, type: :string
   def detect
@@ -396,7 +398,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "shell", "open an interactive debugging shell"
+  desc "shell", "open an interactive debugging shell."
   target_options
   option :command, aliases: :c,
     desc: "A single command string to run instead of launching the shell"
@@ -455,7 +457,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "env", "Output shell-appropriate completion configuration"
+  desc "env", "Outputs shell-appropriate completion configuration."
   def env(shell = nil)
     p = Inspec::EnvPrinter.new(self.class, shell)
     p.print_and_exit!
@@ -481,7 +483,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     puts Inspec::Telemetry::RunContextProbe.guess_run_context
   end
 
-  desc "version", "prints the version of this tool"
+  desc "version", "prints the version of this tool."
   option :format, type: :string
   def version
     if config["format"] == "json"
@@ -495,7 +497,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
   desc "clear_cache", "clears the InSpec cache. Useful for debugging."
   option :vendor_cache, type: :string,
-    desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+    desc: "Use the given path for caching dependencies, (default: `~/.inspec/cache`)."
   def clear_cache
     o = config
     configure_logger(o)
@@ -516,7 +518,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   def run_command(opts)
-    runner = Inspec::Runner.new(Inspec::Config.new(opts))
+    runner = Inspec::Runner.new(opts)
     res = runner.eval_with_virtual_profile(opts[:command])
     runner.load
 

data/lib/inspec/config.rb

@@ -448,6 +448,13 @@ module Inspec
       # Reporter options may be defined top-level.
       options.merge!(config_file_reporter_options)
 
+      if @cli_opts["reporter"]
+        # Add reporter_cli_opts in options to capture reporter cli opts separately
+        options.merge!({ "reporter_cli_opts" => @cli_opts["reporter"] })
+        # Delete reporter from cli_opts to avoid direct merging of reporter info of cli and config
+        @cli_opts.delete("reporter")
+      end
+
       # Highest precedence: merge in any options defined via the CLI
       options.merge!(@cli_opts)
 
@@ -476,13 +483,13 @@ module Inspec
     end
 
     def finalize_parse_reporters(options) # rubocop:disable Metrics/AbcSize
-      # default to cli report for ad-hoc runners
-      options["reporter"] = ["cli"] if options["reporter"].nil?
+      # Default to cli report for ad-hoc runners
+      options["reporter_cli_opts"] = ["cli"] if (options["reporter"].nil? || options["reporter"].empty?) && options["reporter_cli_opts"].nil?
 
-      # parse out cli to proper report format
-      if options["reporter"].is_a?(Array)
+      # Parse out reporter_cli_opts to proper report format
+      if options["reporter_cli_opts"].is_a?(Array)
         reports = {}
-        options["reporter"].each do |report|
+        options["reporter_cli_opts"].each do |report|
           reporter_name, destination = report.split(":", 2)
           if destination.nil? || destination.strip == "-"
             reports[reporter_name] = { "stdout" => true }
@@ -494,7 +501,12 @@ module Inspec
             reports[reporter_name]["target_id"] = options["target_id"] if options["target_id"]
           end
         end
-        options["reporter"] = reports
+
+        if options["reporter"].nil? || options["reporter"].empty?
+          options["reporter"] = reports
+        else
+          options["reporter"].merge!(reports)
+        end
       end
 
       # add in stdout if not specified
@@ -507,6 +519,10 @@ module Inspec
       end
 
       validate_reporters!(options["reporter"])
+
+      # Delete reporter_cli_opts after graceful merging of cli and config reporters
+      options.delete("reporter_cli_opts")
+
       options
     end
 
@@ -548,15 +564,12 @@ module Inspec
     class Defaults
       DEFAULTS = {
         exec: {
-          "reporter" => ["cli"],
           "show_progress" => false,
           "color" => true,
           "create_lockfile" => true,
           "backend_cache" => true,
         },
-        shell: {
-          "reporter" => ["cli"],
-        },
+        shell: {},
       }.freeze
 
       def self.for_command(command_name)

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue "#{d.name}"
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue d.name
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -91,14 +91,12 @@ module Inspec::DSL
     if profile_version
       new_profile_id = "#{profile_id}-#{profile_version}"
     else
-      # This scary regex is used to match version following semantic Versioning (SemVer). Thanks to https://ihateregex.io/expr/semver/
-      regex_for_semver = /(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?/
-      dependencies.list.keys.each do |key|
+      dependencies.list.each do |key, value|
         # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
         # 2. Matching original profile dependency name with profile name used with include or require control DSL.
-        fetching_semver = key.match(regex_for_semver).to_s
-        unless fetching_semver.nil? || fetching_semver.empty?
-          profile_id_key = key.split("-#{fetching_semver}")[0]
+        source_version = value.source_version
+        unless source_version.blank?
+          profile_id_key = key.split("-#{source_version}")[0]
           new_profile_id = key if profile_id_key == profile_id
         end
       end

data/lib/inspec/fetcher/git.rb

@@ -41,6 +41,7 @@ module Inspec::Fetcher
       @ref = opts[:ref]
       @remote_url = expand_local_path(remote_url)
       @repo_directory = nil
+      @resolved_ref = nil
       @relative_path = opts[:relative_path] if opts[:relative_path] && !opts[:relative_path].empty?
     end
 
@@ -70,7 +71,7 @@ module Inspec::Fetcher
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
-            Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+            Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                               "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
@@ -80,14 +81,14 @@ module Inspec::Fetcher
     end
 
     def perform_relative_path_fetch(destination_path, working_dir)
-      Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+      Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")
       unless File.exist?("#{working_dir}/#{@relative_path}")
         # Cleanup the destination path - otherwise we'll have an empty dir
         # in the cache, which is enough to confuse the cache reader
         # This is a courtesy, assuming we're writing to the cache; if we're
         # vendoring to something more complex, don't bother.
-        FileUtils.rmdir(destination_path) if Dir.empty?(destination_path)
+        FileUtils.rm_r(destination_path) if Dir.exist?(destination_path)
 
         raise Inspec::FetcherFailure, "Cannot find relative path '#{@relative_path}' " \
                                       "within profile in git repo specified by '#{@remote_url}'"
@@ -96,9 +97,16 @@ module Inspec::Fetcher
     end
 
     def cache_key
-      return resolved_ref unless @relative_path
-
-      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+      cache_key = if @relative_path && !resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+                  elsif @relative_path && resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url + @relative_path)
+                  elsif resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url)
+                  else
+                    resolved_ref
+                  end
+      cache_key
     end
 
     def archive_path
@@ -106,7 +114,11 @@ module Inspec::Fetcher
     end
 
     def resolved_source
-      source = { git: @remote_url, ref: resolved_ref }
+      if resolved_ref.nil?
+        source = { git: @remote_url }
+      else
+        source = { git: @remote_url, ref: resolved_ref }
+      end
       source[:relative_path] = @relative_path if @relative_path
       source
     end
@@ -125,33 +137,27 @@ module Inspec::Fetcher
                         elsif @tag
                           resolve_ref(@tag)
                         else
-                          resolve_ref(default_ref)
+                          resolve_ref
                         end
     end
 
-    def default_ref
-      command_string = "git remote show #{@remote_url}"
+    def resolve_ref(ref_name = nil)
+      command_string = if ref_name.nil?
+                         # Running git ls-remote command helps to raise error if git URL is invalid and avoids cache_key creation
+                         "git ls-remote \"#{@remote_url}\""
+                       else
+                         "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
+                       end
       cmd = shellout(command_string)
-      unless cmd.exitstatus == 0
-        raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
+      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
+
+      if ref_name.nil?
+        ref = nil
       else
-        ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+        ref = parse_ls_remote(cmd.stdout, ref_name)
         unless ref
-          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
+          raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
         end
-
-        ref
-      end
-    end
-
-    def resolve_ref(ref_name)
-      command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
-      cmd = shellout(command_string)
-      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
-
-      ref = parse_ls_remote(cmd.stdout, ref_name)
-      unless ref
-        raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
       end
 
       ref
@@ -200,7 +206,14 @@ module Inspec::Fetcher
 
     def checkout(dir = @repo_directory)
       clone(dir)
-      git_cmd("checkout #{resolved_ref}", dir)
+      # In case of branch, tag or git reference is not provided by User the resolved_ref will always be nil
+      # and will always checkout the default HEAD branch, else it will checkout specific branch, tag or git reference.
+      if resolved_ref.nil?
+        git_cmd("checkout", dir)
+      else
+        git_cmd("checkout #{resolved_ref}", dir)
+      end
+
       @repo_directory
     end
 
@@ -208,6 +221,8 @@ module Inspec::Fetcher
       cmd = shellout("git #{cmd}", cwd: dir)
       cmd.error!
       cmd.status
+    rescue Mixlib::ShellOut::ShellCommandFailed => e
+      raise Inspec::FetcherFailure, "Error while running git command. #{e.message} "
     rescue Errno::ENOENT
       raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - to use git sources, you must have git installed."
     end

data/lib/inspec/formatters/base.rb

@@ -160,7 +160,7 @@ module Inspec::Formatters
           end
 
           # added this additionally because stats summary is also used for determining exit code in runner rspec
-          skipped += 1 if control[:results].any? { |r| r[:status] == "skipped" }
+          skipped += 1 if control[:results] && (control[:results].any? { |r| r[:status] == "skipped" })
 
         end
         total = error + not_applicable + not_reviewed + failed + passed

data/lib/inspec/profile.rb

@@ -383,24 +383,25 @@ module Inspec
       @runner_context
     end
 
-    def collect_gem_dependencies(profile_context)
+    # This collects the gem dependencies data from parent and its dependent profiles
+    def collect_gem_dependencies
       gem_dependencies = []
-      all_profiles = []
-      profile_context.dependencies.list.values.each do |requirement|
-        all_profiles << requirement.profile
-      end
-      all_profiles << self
-      all_profiles.each do |profile|
+      # This collects the dependent profiles gem dependencies if any
+      locked_dependencies.dep_list.each do |_name, dep|
+        profile = dep.profile
         gem_dependencies << profile.metadata.gem_dependencies unless profile.metadata.gem_dependencies.empty?
       end
+      # Appends the parent profile gem dependencies which are available through metadata
+      gem_dependencies << metadata.gem_dependencies unless metadata.gem_dependencies.empty?
       gem_dependencies.flatten.uniq
     end
 
     # Loads the required gems specified in the Profile's metadata file from default inspec gems path i.e. ~/.inspec/gems
     # else installs and loads them.
     def load_gem_dependencies
-      gem_dependencies = collect_gem_dependencies(load_libraries)
+      gem_dependencies = collect_gem_dependencies
       gem_dependencies.each do |gem_data|
+
         dependency_loader = DependencyLoader.new
         if dependency_loader.gem_version_installed?(gem_data[:name], gem_data[:version]) ||
             dependency_loader.gem_installed?(gem_data[:name])
@@ -681,7 +682,6 @@ module Inspec
     end
 
     # generates a archive of a folder profile
-    # assumes that the profile was checked before
     def archive(opts)
       # check if file exists otherwise overwrite the archive
       dst = archive_name(opts)
@@ -698,31 +698,34 @@ module Inspec
       # TODO ignore all .files, but add the files to debug output
 
       # Generate temporary inspec.json for archive
-      Inspec::Utils::JsonProfileSummary.produce_json(
-        info: info,
-        write_path: "#{root_path}inspec.json",
-        suppress_output: true
-      )
+      if opts[:export]
+        Inspec::Utils::JsonProfileSummary.produce_json(
+          info: info, # TODO: conditionalize and call info_from_parse
+          write_path: "#{root_path}inspec.json",
+          suppress_output: true
+        )
+      end
 
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
-      @logger.debug "    inspec.json"
+      @logger.debug "    inspec.json" if opts[:export]
 
+      archive_files = opts[:export] ? files.push("inspec.json") : files
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files.push("inspec.json"), dst)
+        zag.archive(root_path, archive_files, dst)
       else
         # generate tar archive
         require "inspec/archive/tar"
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files.push("inspec.json"), dst)
+        tag.archive(root_path, archive_files, dst)
       end
 
       # Cleanup
-      FileUtils.rm_f("#{root_path}inspec.json")
+      FileUtils.rm_f("#{root_path}inspec.json") if opts[:export]
 
       @logger.info "Finished archive generation."
       true
@@ -828,10 +831,12 @@ module Inspec
         return Pathname.new(name)
       end
 
-      name = params[:name] ||
+      # Using metadata to fetch basic info of name and version
+      metadata = @source_reader.metadata.params
+      name = metadata[:name] ||
         raise("Cannot create an archive without a profile name! Please "\
              "specify the name in metadata or use --output to create the archive.")
-      version = params[:version] ||
+      version = metadata[:version] ||
         raise("Cannot create an archive without a profile version! Please "\
              "specify the version in metadata or use --output to create the archive.")
       ext = opts[:zip] ? "zip" : "tar.gz"

data/lib/inspec/resources/host.rb

@@ -319,15 +319,9 @@ module Inspec::Resources
         return nil
       end
 
-      resolve_ipv4 = resolve_ipv4.inject(:merge) if resolve_ipv4.is_a?(Array)
-
       # Append the ipv4 addresses
-      resolve_ipv4.each_value do |ip|
-        matched = ip.to_s.chomp.match(Resolv::IPv4::Regex)
-        next if matched.nil? || addresses.include?(matched.to_s)
-
-        addresses << matched.to_s
-      end
+      resolve_ipv4 = [resolve_ipv4] unless resolve_ipv4.is_a?(Array)
+      resolve_ipv4.each { |entry| addresses << entry["IPAddress"] }
 
       # -Type AAAA is the DNS query for IPv6 server Address.
       cmd = inspec.command("Resolve-DnsName –Type AAAA #{hostname} | ConvertTo-Json")
@@ -337,15 +331,9 @@ module Inspec::Resources
         return nil
       end
 
-      resolve_ipv6 = resolve_ipv6.inject(:merge) if resolve_ipv6.is_a?(Array)
-
       # Append the ipv6 addresses
-      resolve_ipv6.each_value do |ip|
-        matched = ip.to_s.chomp.match(Resolv::IPv6::Regex)
-        next if matched.nil? || addresses.include?(matched.to_s)
-
-        addresses << matched.to_s
-      end
+      resolve_ipv6 = [resolve_ipv6] unless resolve_ipv6.is_a?(Array)
+      resolve_ipv6.each { |entry| addresses << entry["IPAddress"] }
 
       addresses
     end

data/lib/inspec/resources/http.rb

@@ -304,11 +304,11 @@ module Inspec::Resources
           # Insecure not supported simply https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
           cmd << "-MaximumRedirection #{max_redirects}" unless max_redirects.nil?
           request_headers["Authorization"] = """ '\"Basic ' + [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(\"#{username}:#{password}\")) +'\"' """ unless username.nil? || password.nil?
-          request_header_string = nil
+          request_header_array = []
           request_headers.each do |k, v|
-            request_header_string << " #{k} = #{v}"
+            request_header_array << " '#{k}' = '#{v}'"
           end
-          cmd << "-Headers @{#{request_header_string.join(";")}}" unless request_header_string.nil?
+          cmd << "-Headers @{#{request_header_array.join(";")}}" unless request_header_array.empty?
           if params.nil?
             cmd << "'#{url}'"
           else

data/lib/inspec/resources/mongodb_session.rb

@@ -84,6 +84,11 @@ module Inspec::Resources
       options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
       options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
 
+      # Setting the logger level to INFO as mongo gem version 2.13.2 is using DEBUG as the log level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/v2.13.2/lib/mongo/logger.rb#L79
+      # Latest version of the mongo gem don't have this issue as it set to INFO level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/logger.rb#L82
+      # We pinned the version to 2.13.2 as the latest version of the mongo gem has broken symlink https://jira.mongodb.org/browse/RUBY-2546 which causes omnibus build failure.
+      # Once we get the latest version working we can remove logger level set here.
+      Mongo::Logger.logger.level = Logger::INFO
       @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
 
     rescue => e

data/lib/inspec/resources/nftables.rb

@@ -0,0 +1,251 @@
+require "inspec/resources/command"
+require "json" unless defined?(JSON)
+
+# @see https://wiki.nftables.org/
+# @see https://www.netfilter.org/projects/nftables/manpage.html
+
+# rubocop:disable Style/ClassVars
+
+module Inspec::Resources
+  class NfTables < Inspec.resource(1)
+    name "nftables"
+    supports platform: "linux"
+    desc "Use the nftables InSpec audit resource to test rules and sets that are defined in nftables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains. A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
+    example <<~EXAMPLE
+      describe nftables(family:'inet', table:'filter', chain: 'INPUT') do
+        its('type') { should eq 'filter' }
+        its('hook') { should eq 'input' }
+        its('prio') { should eq 0 } # filter
+        its('policy') { should eq 'drop' }
+        it { should have_rule('tcp dport { 22, 80, 443 } accept') }
+      end
+    describe nftables(family: 'inet', table: 'filter', set: 'OPEN_PORTS') do
+      its('type') { should eq 'ipv4_addr . inet_proto . inet_service' }
+      its('flags') { should include 'interval' }
+      it { should have_element('1.1.1.1 . tcp . 25-27') }
+    end
+    EXAMPLE
+
+    @@bin = nil
+    @@nft_params = {}
+    @@nft_params["json"] = ""
+    @@nft_params["stateless"] = ""
+    @@nft_params["num"] = ""
+
+    def initialize(params = {})
+      @family = params[:family] || nil
+      @table = params[:table] || nil
+      @chain = params[:chain] || nil
+      @set = params[:set] || nil
+      @ignore_comments = params[:ignore_comments] || false
+      unless @@bin
+        @@bin = find_nftables_or_error
+      end
+
+      # Some old versions of `nft` do not support JSON output or stateless modifier
+      res = inspec.command("#{@@bin} --version").stdout
+      version = Gem::Version.new(/^nftables v(\S+) .*/.match(res)[1])
+      case
+      when version < Gem::Version.new("0.8.0")
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.0")
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version >= Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-y"
+        ## --terse
+      end
+
+      # family and table attributes are mandatory
+      fail_resource "nftables family and table are mandatory." if @family.nil? || @family.empty? || @table.nil? || @table.empty?
+      # chain name or set name has to be specified and are mutually exclusive
+      fail_resource "You must specify either a chain or a set name." if (@chain.nil? || @chain.empty?) && (@set.nil? || @set.empty?)
+      fail_resource "You must specify either a chain or a set name, not both." if !(@chain.nil? || @chain.empty?) && !(@set.nil? || @set.empty?)
+
+      # we're done if we are on linux
+      return if inspec.os.linux?
+
+      # ensures, all calls are aborted for non-supported os
+      @nftables_cache = {}
+      skip_resource "The `nftables` resource is not supported on your OS yet."
+    end
+
+    # Let's have a generic method to retrieve attributes for chains and sets
+    def _get_attr(name)
+      # Some attributes are valid for chains only, for sets only or for both
+      valid = {
+        "chains" => %w{hook policy prio type},
+        "sets" => %w{flags size type},
+      }
+
+      target_obj = @set.nil? ? "chains" : "sets"
+
+      if valid[target_obj].include?(name)
+        attrs = @set.nil? ? retrieve_chain_attrs : retrieve_set_attrs
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "`#{name}` attribute is not valid for #{target_obj}"
+      end
+      # flags attribute is an array, if not retrieved ensure we return an empty array
+      # otherwise return an empty string
+      default = name == "flags" ? [] : ""
+      val = attrs.key?(name) ? attrs[name] : default
+      # When set type is has multiple data types it's retrieved as an array, make humans life easier
+      # by returning a string representation
+      if name == "type" && target_obj == "sets" && val.is_a?(Array)
+        return val.join(" . ")
+      end
+
+      val
+    end
+
+    # Create a method for each attribute
+    %i{flags hook policy prio size type}.each do |attr_method|
+      define_method attr_method do
+        _get_attr(attr_method.to_s)
+      end
+    end
+
+    def has_rule?(rule = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the rule is part of the chain
+      # for now, we expect an exact match
+      retrieve_chain_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def has_element?(element = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the element is part of the set
+      # for now, we expect an exact match
+      retrieve_set_elements.any? { |line| line.casecmp(element) == 0 }
+    end
+
+    def retrieve_set_elements
+      idx = "set_#{@family}_#{@table}_#{@set}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      elem_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s", @@bin, @@nft_params["stateless"], elem_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+    end
+
+    def retrieve_chain_rules
+      idx = "rule_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      # construct nftables command to read all rules of the given chain
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["num"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      rules = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|chain)/ || line =~ /^}$/ }
+
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @nftables_cache[idx] = remove_comments_from_rules(rules)
+      else
+        # split rules, returns array or rules
+        @nftables_cache[idx] = rules.map(&:strip)
+      end
+    end
+
+    def retrieve_chain_attrs
+      idx = "chain_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^type/ }[0]
+        parsed = /type (\S+) hook (\S+) priority (\S+); policy (\S+);/.match(res)
+        @nftables_cache[idx] = { "type" => parsed[1], "hook" => parsed[2], "prio" => parsed[3].to_i, "policy" => parsed[4] }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("chain") }[0]["chain"]
+      end
+    end
+
+    def retrieve_set_attrs
+      idx = "set_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        type = ""
+        size = 0
+        flags = []
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^(type|size|flags)/ }
+        res.each do |line|
+          parsed = /^type (.*)/.match(line)
+          if parsed
+            type = parsed[1]
+          end
+          parsed = /^flags (.*)/.match(line)
+          if parsed
+            flags = parsed[1].split(",")
+          end
+          parsed = /^size (.*)/.match(line)
+          if parsed
+            size = parsed[1].to_i
+          end
+        end
+        @nftables_cache[idx] = { "type" => type, "size" => size, "flags" => flags }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("set") }[0]["set"]
+      end
+    end
+
+    def resource_id
+      to_s || "nftables"
+    end
+
+    def to_s
+      format("nftables (%s %s %s %s)", @family && "family: #{@family}", @table && "table: #{@table}", @chain && "chain: #{@chain}", @set && "set: #{@set}").strip
+    end
+
+    private
+
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
+    def find_nftables_or_error
+      %w{/usr/sbin/nft /sbin/nft nft}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `nft`"
+    end
+  end
+end

data/lib/inspec/resources/postgres_session.rb

@@ -81,7 +81,8 @@ module Inspec::Resources
         # Socket path and empty host in the connection string establishes socket connection
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
+        option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?

data/lib/inspec/resources.rb

@@ -73,6 +73,7 @@ require "inspec/resources/mssql_sys_conf"
 require "inspec/resources/mysql"
 require "inspec/resources/mysql_conf"
 require "inspec/resources/mysql_session"
+require "inspec/resources/nftables"
 require "inspec/resources/nginx"
 require "inspec/resources/nginx_conf"
 require "inspec/resources/npm"

data/lib/inspec/rule.rb

@@ -63,6 +63,11 @@ module Inspec
           # Rubocop thinks we are raising an exception - we're actually calling RSpec's fail()
           its(location) { fail e.message } # rubocop: disable Style/SignalException
         end
+
+        # instance_eval evaluates the describe block and raise errors if at the resource level any execution is failed
+        # Waived controls expect not to raise any controls and get skipped if run is false so __apply_waivers needs to be called here too
+        # so that waived control are actually gets waived.
+        __apply_waivers
       end
     end
 

data/lib/inspec/utils/simpleconfig.rb

@@ -57,11 +57,18 @@ class SimpleConfig
     m = opts[:assignment_regex].match(line)
     return nil if m.nil?
 
+    values = parse_values(m, opts[:key_values])
+
     if opts[:multiple_values]
       @vals[m[1]] ||= []
-      @vals[m[1]].push(parse_values(m, opts[:key_values]))
+      if opts[:multiple_value_regex] # can be used only if multiple values is set as true
+        value_to_array = values.split(opts[:multiple_value_regex])
+        @vals[m[1]].concat(value_to_array)
+      else
+        @vals[m[1]].push(values)
+      end
     else
-      @vals[m[1]] = parse_values(m, opts[:key_values])
+      @vals[m[1]] = values
     end
   end
 
@@ -116,6 +123,7 @@ class SimpleConfig
       key_values: 1, # default for key=value, may require for 'key val1 val2 val3'
       standalone_comments: false,
       multiple_values: false,
+      multiple_value_regex: nil,
     }
   end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.21.29".freeze
+  VERSION = "5.22.29".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -19,15 +19,17 @@ module Inspec
         data = nil
         if [".yaml", ".yml"].include? file_extension
           data = Secrets::YAML.resolve(file_path)
-          data = data.inputs unless data.nil?
-          validate_json_yaml(data)
+          unless data.nil?
+            data = data.inputs
+            validate_json_yaml(data)
+          end
         elsif file_extension == ".csv"
           data = Waivers::CSVFileReader.resolve(file_path)
           headers = Waivers::CSVFileReader.headers
           validate_headers(headers)
         elsif file_extension == ".json"
           data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data)
+          validate_json_yaml(data) unless data.nil?
         end
         output.merge!(data) if !data.nil? && data.is_a?(Hash)
 

data/lib/matchers/matchers.rb

@@ -148,7 +148,7 @@ RSpec::Matchers.define :be_resolvable do
   end
 end
 
-# matcher for iptables and ip6tables
+# matcher for iptables, ip6tables and nftables
 RSpec::Matchers.define :have_rule do |rule|
   match do |tables|
     tables.has_rule?(rule)
@@ -163,6 +163,13 @@ RSpec::Matchers.define :have_rule do |rule|
   end
 end
 
+# matcher for nftables sets
+RSpec::Matchers.define :have_element do |elem|
+  match do |sets|
+    sets.has_element?(elem)
+  end
+end
+
 # `be_in` matcher
 # You can use it in the following cases:
 # - check if an item or array is included in a given array

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.21.29
+  version: 5.22.29
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-24 00:00:00.000000000 Z
+date: 2023-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -59,7 +59,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -69,7 +69,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 1.3.0
 - !ruby/object:Gem::Dependency
   name: method_source
   requirement: !ruby/object:Gem::Requirement
@@ -119,7 +119,7 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.11'
+        version: '3.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -129,7 +129,7 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.11'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -167,7 +167,7 @@ dependencies:
         version: '3.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -177,7 +177,7 @@ dependencies:
         version: '3.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: mixlib-log
   requirement: !ruby/object:Gem::Requirement
@@ -325,7 +325,7 @@ dependencies:
         version: '1.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -335,7 +335,7 @@ dependencies:
         version: '1.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: semverse
   requirement: !ruby/object:Gem::Requirement
@@ -584,6 +584,7 @@ files:
 - lib/inspec/resources/mysql.rb
 - lib/inspec/resources/mysql_conf.rb
 - lib/inspec/resources/mysql_session.rb
+- lib/inspec/resources/nftables.rb
 - lib/inspec/resources/nginx.rb
 - lib/inspec/resources/nginx_conf.rb
 - lib/inspec/resources/noop.rb