inspec-core 5.22.29 → 5.22.40

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31c8e898abb240d79f4c564ae182f620d291f0e895b1451185f891c0c03a4d3b
-  data.tar.gz: 513a01ebe59969076c1a9e2c210f41b1366dbb17603e6370bdcb88d162d0d06a
+  metadata.gz: a95805ac2a4faab83d1826792a5d838caa5f1808fcc884e061cf3f7070ab6ef2
+  data.tar.gz: 984dfca55efec04f1e9b98ddfebf5be636b96a91c7fe7dc97f9ffb9789c60af3
 SHA512:
-  metadata.gz: af17576ae657e9ca435998a6a57655f0c78d48782e3c7b1f37f62be74d7f7c40192330c3bb34f81c84c1de5b60aea6694c40c8b9ccdedd7d00dfe756614edc00
-  data.tar.gz: dc279dd3ab134e92c7c318e859f0f4683347980eafaf80385330b3aeb762c9f72863cf66b2def9a2f61daabb378d3356b5110ac981d119e0e52eae009e785818
+  metadata.gz: fb6e20f346e0e5ab27878931b1396c10a633b99767472774299d92fce3ae2ccf01399cb100e5ae4566456039a3d814ac4148670da65b41563e72139d29551ed7
+  data.tar.gz: 0c9c665c3afb6d90121bf40ac00736a900955e0ea5955af58f7e56378d18eecfd7560f40e2cce049afd7156ecb495c77b1c58765c0e69f82bfd03e976c2f367f

data/Gemfile

@@ -11,6 +11,10 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
+# We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
+# See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22
+gem "unf_ext", "= 0.0.8.2"
+
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"

data/lib/inspec/cli.rb

@@ -68,8 +68,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "A list of controls to include. Ignore all other tests."
   option :tags, type: :array,
     desc: "A list of tags to filter controls and include only those. Ignore all other tests."
+  option :legacy_export, type: :boolean, default: false,
+    desc: "Run with legacy export."
   profile_options
   def json(target)
+    # Config initialisation is needed before deprecation warning can be issued
+    # Deprecator calls config get method to fetch the config value
+    # Without config initialisation, the config value is not set and hence calling config get through deprecator will set the value of config as blank, making options of json command inaccessible.
+    config
     # This deprecation warning is ignored currently.
     Inspec.deprecate(:renamed_to_inspec_export)
     export(target, true)
@@ -86,6 +92,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "For --what=profile, a list of controls to include. Ignore all other tests."
   option :tags, type: :array,
     desc: "For --what=profile, a list of tags to filter controls and include only those. Ignore all other tests."
+  option :legacy_export, type: :boolean, default: false,
+         desc: "Run with legacy export."
   profile_options
   def export(target, as_json = false)
     o = config
@@ -121,16 +129,17 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     case what
     when "profile"
+      profile_info = o[:legacy_export] ? profile.info : profile.info_from_parse
       if format == "json"
         require "json" unless defined?(JSON)
         # Write JSON
         Inspec::Utils::JsonProfileSummary.produce_json(
-          info: profile.info,
+          info: profile_info,
           write_path: dst
         )
       elsif format == "yaml"
         Inspec::Utils::YamlProfileSummary.produce_yaml(
-          info: profile.info,
+          info: profile_info,
           write_path: dst
         )
       end
@@ -152,6 +161,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "The output format to use. Valid values: `json` and `doc`. Default value: `doc`."
   option :with_cookstyle, type: :boolean,
     desc: "Enable or disable cookstyle checks.", default: false
+  option :legacy_check, type: :boolean, default: false,
+         desc: "Run with legacy check."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config
@@ -166,7 +177,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     # run check
     profile = Inspec::Profile.for_target(path, o)
-    result = profile.check
+    result = o[:legacy_check] ? profile.legacy_check : profile.check
 
     if o["format"] == "json"
       puts JSON.generate(result)
@@ -248,6 +259,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Run profile check before archiving."
   option :export, type: :boolean, default: false,
     desc: "Export the profile to inspec.json and include in archive"
+  option :legacy_export, type: :boolean, default: false,
+    desc: "Export the profile in legacy mode to inspec.json and include in archive"
   def archive(path, log_level = nil)
     o = config
     diagnose(o)

data/lib/inspec/config.rb

@@ -448,6 +448,15 @@ module Inspec
       # Reporter options may be defined top-level.
       options.merge!(config_file_reporter_options)
 
+      # when sent reporter from compliance-mode (via chef-client), the reporter is a symbol
+      if @cli_opts.key?(:reporter) && @cli_opts["reporter"].nil?
+        @cli_opts["reporter"] = @cli_opts[:reporter]
+        @cli_opts.delete(:reporter)
+      elsif @cli_opts.key?(:reporter) && @cli_opts.key?("reporter") && @cli_opts["reporter"].is_a?(Array)
+        # combine reporter and "reporter" options into "reporter" option
+        @cli_opts["reporter"] = @cli_opts[:reporter] + @cli_opts["reporter"]
+      end
+
       if @cli_opts["reporter"]
         # Add reporter_cli_opts in options to capture reporter cli opts separately
         options.merge!({ "reporter_cli_opts" => @cli_opts["reporter"] })

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -95,7 +95,7 @@ module Inspec::DSL
         # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
         # 2. Matching original profile dependency name with profile name used with include or require control DSL.
         source_version = value.source_version
-        unless source_version.blank?
+        unless source_version.nil? || source_version.empty?
           profile_id_key = key.split("-#{source_version}")[0]
           new_profile_id = key if profile_id_key == profile_id
         end

data/lib/inspec/profile.rb

@@ -15,6 +15,7 @@ require "inspec/dependencies/dependency_set"
 require "inspec/utils/json_profile_summary"
 require "inspec/dependency_loader"
 require "inspec/dependency_installer"
+require "inspec/utils/profile_ast_helpers"
 
 module Inspec
   class Profile
@@ -247,7 +248,7 @@ module Inspec
       ## Find the waivers file
       # - TODO: cli_opts and instance_variable_get could be exposed
       waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
-      if waiver_paths.blank?
+      if waiver_paths.nil? || waiver_paths.empty?
         Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
         Inspec::UI.new.exit(:usage_error)
       end
@@ -275,7 +276,7 @@ module Inspec
         # be processed and rendered
         tests.each do |control_filename, source_code|
           cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
-            next if element.blank?
+            next if element.nil? || element.empty?
 
             if element&.match?(waived_control_id_regex)
               splitlines = element.split("\n")
@@ -514,6 +515,135 @@ module Inspec
       res
     end
 
+    # Return data like profile.info(params), but try to do so without evaluating the profile.
+    def info_from_parse(include_tests: false)
+      return @info_from_parse unless @info_from_parse.nil?
+
+      @info_from_parse = {
+        controls: [],
+        groups: [],
+      }
+
+      # TODO - look at the various source contents
+      # PASS 1: parse them using rubocop-ast
+      #   Look for controls, top-level metadata, and inputs
+      # PASS 2: Using the control IDs, deterimine the extents -
+      # line locations - of the coontrol IDs in each file, and
+      # then extract each source code block. Use this to populate the source code
+      # locations and 'code' properties.
+
+      # TODO: Verify that it doesn't do evaluation (ideally shouldn't because it is reading simply yaml file)
+      @info_from_parse = @info_from_parse.merge(metadata.params)
+
+      inputs_hash = {}
+      # Note: This only handles the case when inputs are defined in metadata file
+      if @profile_id.nil?
+        # identifying inputs using profile name
+        inputs_hash = Inspec::InputRegistry.list_inputs_for_profile(@info_from_parse[:name])
+      else
+        inputs_hash = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      end
+
+      # TODO: Verify if I need to do the below conversion for inputs to array
+      if inputs_hash.nil? || inputs_hash.empty?
+        # convert to array for backwards compatability
+        @info_from_parse[:inputs] = []
+      else
+        @info_from_parse[:inputs] = inputs_hash.values.map(&:to_hash)
+      end
+
+      @info_from_parse[:sha256] = sha256
+
+      # Populate :status and :status_message
+      if supports_platform?
+        @info_from_parse[:status_message] = @status_message || ""
+        @info_from_parse[:status] = failed? ? "failed" : "loaded"
+      else
+        @info_from_parse[:status] = "skipped"
+        msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
+        @info_from_parse[:status_message] = msg
+      end
+
+      # @source_reader.tests contains a hash mapping control filenames to control file contents
+      @source_reader.tests.each do |control_filename, control_file_source|
+        # Parse the source code
+        src = RuboCop::AST::ProcessedSource.new(control_file_source, RUBY_VERSION.to_f)
+        source_location_ref = @source_reader.target.abs_path(control_filename)
+
+        input_collector = Inspec::Profile::AstHelper::InputCollectorOutsideControlBlock.new(@info_from_parse)
+        ctl_id_collector = Inspec::Profile::AstHelper::ControlIDCollector.new(@info_from_parse, source_location_ref,
+                                                                              include_tests: include_tests)
+
+        # Collect all metadata defined in the control block and inputs defined inside the control block
+        src.ast.each_node { |n|
+          ctl_id_collector.process(n)
+          input_collector.process(n)
+        }
+
+        # For each control ID
+        #  Look for per-control metadata
+        # Filter controls by --controls, list of controls to include is available in include_controls_list
+
+        # NOTE: This is a hack to duplicate refs.
+        # TODO: Fix this in the ref collector or the way we traverse the AST
+        @info_from_parse[:controls].each { |control| control[:refs].uniq! }
+
+        @info_from_parse[:controls] = filter_controls_by_id_and_tags(@info_from_parse[:controls])
+
+        # Update groups after filtering controls to handle --controls option
+        update_groups_from(control_filename, src)
+
+        # NOTE: This is a hack to duplicate inputs.
+        # TODO: Fix this in the input collector or the way we traverse the AST
+        @info_from_parse[:inputs] = @info_from_parse[:inputs].uniq
+      end
+      @info_from_parse
+    end
+
+    def filter_controls_by_id_and_tags(controls)
+      controls.select do |control|
+        tag_ids = get_all_tags_list(control[:tags])
+        (include_controls_list.empty? || include_controls_list.any? { |control_id| control_id.match?(control[:id]) }) &&
+          (include_tags_list.empty? || include_tags_list.any? { |tag_id| tag_ids.any? { |tag| tag_id.match?(tag) } })
+      end
+    end
+
+    def get_all_tags_list(control_tags)
+      all_tags = []
+      control_tags.each do |tags|
+        all_tags.push(tags)
+      end
+      all_tags.flatten.compact.uniq.map(&:to_s)
+    rescue
+      []
+    end
+
+    def include_group_data?(group_data)
+      unless include_controls_list.empty?
+        # {:id=>"controls/example-tmp.rb", :title=>"/ profile", :controls=>["tmp-1.0"]}
+        # Check if the group should be included based on the controls it contains
+        group_data[:controls].any? do |control_id|
+          include_controls_list.any? { |id| id.match?(control_id) }
+        end
+      else
+        true
+      end
+    end
+
+    def update_groups_from(control_filename, src)
+      group_data = {
+        id: control_filename,
+        title: nil,
+      }
+      source_location_ref = @source_reader.target.abs_path(control_filename)
+      Inspec::Profile::AstHelper::TitleCollector.new(group_data)
+        .process(src.ast.child_nodes.first) # Picking the title defined for the whole controls file
+      group_controls = @info_from_parse[:controls].select { |control| control[:source_location][:ref] == source_location_ref }
+      group_data[:controls] = group_controls.map { |control| control[:id] }
+
+      @info_from_parse[:groups].push(group_data) if include_group_data?(group_data)
+    end
+
     def cookstyle_linting_check
       msgs = []
       return msgs if Inspec.locally_windows? # See #5723
@@ -553,6 +683,122 @@ module Inspec
       end
     end
 
+    def legacy_check # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
+      # initial values for response object
+      result = {
+        summary: {
+          valid: false,
+          timestamp: Time.now.iso8601,
+          location: @target,
+          profile: nil,
+          controls: 0,
+        },
+        errors: [],
+        warnings: [],
+        offenses: [],
+      }
+
+      entry = lambda { |file, line, column, control, msg|
+        {
+          file: file,
+          line: line,
+          column: column,
+          control_id: control,
+          msg: msg,
+        }
+      }
+
+      warn = lambda { |file, line, column, control, msg|
+        @logger.warn(msg)
+        result[:warnings].push(entry.call(file, line, column, control, msg))
+      }
+
+      error = lambda { |file, line, column, control, msg|
+        @logger.error(msg)
+        result[:errors].push(entry.call(file, line, column, control, msg))
+      }
+
+      offense = lambda { |file, line, column, control, msg|
+        result[:offenses].push(entry.call(file, line, column, control, msg))
+      }
+
+      @logger.info "Checking profile in #{@target}"
+      meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)
+
+      # verify metadata
+      m_errors, m_warnings = metadata.valid
+      m_errors.each { |msg| error.call(meta_path, 0, 0, nil, msg) }
+      m_warnings.each { |msg| warn.call(meta_path, 0, 0, nil, msg) }
+      m_unsupported = metadata.unsupported
+      m_unsupported.each { |u| warn.call(meta_path, 0, 0, nil, "doesn't support: #{u}") }
+      @logger.info "Metadata OK." if m_errors.empty? && m_unsupported.empty?
+
+      # only run the vendor check if the legacy profile-path is not used as argument
+      if @legacy_profile_path == false
+        # verify that a lockfile is present if we have dependencies
+        unless metadata.dependencies.empty?
+          error.call(meta_path, 0, 0, nil, "Your profile needs to be vendored with `inspec vendor`.") unless lockfile_exists?
+        end
+
+        if lockfile_exists?
+          # verify if metadata and lockfile are out of sync
+          if lockfile.deps.size != metadata.dependencies.size
+            error.call(meta_path, 0, 0, nil, "inspec.yml and inspec.lock are out-of-sync. Please re-vendor with `inspec vendor`.")
+          end
+
+          # verify if metadata and lockfile have the same dependency names
+          metadata.dependencies.each do |dep|
+            # Skip if the dependency does not specify a name
+            next if dep[:name].nil?
+
+            # TODO: should we also verify that the soure is the same?
+            unless lockfile.deps.map { |x| x[:name] }.include? dep[:name]
+              error.call(meta_path, 0, 0, nil, "Cannot find #{dep[:name]} in lockfile. Please re-vendor with `inspec vendor`.")
+            end
+          end
+        end
+      end
+
+      # extract profile name
+      result[:summary][:profile] = metadata.params[:name]
+
+      count = params[:controls].values.length
+      result[:summary][:controls] = count
+      if count == 0
+        warn.call(nil, nil, nil, nil, "No controls or tests were defined.")
+      else
+        @logger.info("Found #{count} controls.")
+      end
+
+      # iterate over hash of groups
+      params[:controls].each do |id, control|
+        sfile = control[:source_location][:ref]
+        sline = control[:source_location][:line]
+        error.call(sfile, sline, nil, id, "Avoid controls with empty IDs") if id.nil? || id.empty?
+        next if id.start_with? "(generated "
+
+        warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty?
+        warn.call(sfile, sline, nil, id, "Control #{id} has no descriptions") if control[:descriptions][:default].to_s.empty?
+        warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0
+        warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0
+        warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? || control[:checks].empty?
+      end
+
+      # Running cookstyle to check for code offenses
+      if @check_cookstyle
+        cookstyle_linting_check.each do |lint_output|
+          data = lint_output.split(":")
+          msg = "#{data[-2]}:#{data[-1]}"
+          offense.call(data[0], data[1], data[2], nil, msg)
+        end
+      end
+      # profile is valid if we could not find any error & offenses
+      result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
+
+      @logger.info "Control definitions OK." if result[:warnings].empty?
+      result
+    end
+
     # Check if the profile is internally well-structured. The logger will be
     # used to print information on errors and warnings which are found.
     #
@@ -572,6 +818,9 @@ module Inspec
         offenses: [],
       }
 
+      # memoize `info_from_parse` with tests
+      info_from_parse(include_tests: true)
+
       entry = lambda { |file, line, column, control, msg|
         {
           file: file,
@@ -600,7 +849,7 @@ module Inspec
       meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)
 
       # verify metadata
-      m_errors, m_warnings = metadata.valid
+      m_errors, m_warnings = validity_check
       m_errors.each { |msg| error.call(meta_path, 0, 0, nil, msg) }
       m_warnings.each { |msg| warn.call(meta_path, 0, 0, nil, msg) }
       m_unsupported = metadata.unsupported
@@ -634,9 +883,9 @@ module Inspec
       end
 
       # extract profile name
-      result[:summary][:profile] = metadata.params[:name]
+      result[:summary][:profile] = info_from_parse[:name]
 
-      count = controls_count
+      count = info_from_parse[:controls].count
       result[:summary][:controls] = count
       if count == 0
         warn.call(nil, nil, nil, nil, "No controls or tests were defined.")
@@ -645,9 +894,10 @@ module Inspec
       end
 
       # iterate over hash of groups
-      params[:controls].each do |id, control|
+      info_from_parse[:controls].each do |control|
         sfile = control[:source_location][:ref]
         sline = control[:source_location][:line]
+        id = control[:id]
         error.call(sfile, sline, nil, id, "Avoid controls with empty IDs") if id.nil? || id.empty?
         next if id.start_with? "(generated "
 
@@ -673,8 +923,74 @@ module Inspec
       result
     end
 
-    def controls_count
-      params[:controls].values.length
+    def validity_check # rubocop:disable Metrics/AbcSize
+      errors = []
+      warnings = []
+      info_from_parse.merge!(metadata.params)
+
+      %w{name version}.each do |field|
+        next unless info_from_parse[field.to_sym].nil?
+
+        errors.push("Missing profile #{field} in #{metadata.ref}")
+      end
+
+      if %r{[\/\\]} =~ info_from_parse[:name]
+        errors.push("The profile name (#{info_from_parse[:name]}) contains a slash" \
+                      " which is not permitted. Please remove all slashes from `inspec.yml`.")
+      end
+
+      # if version is set, ensure it is correct
+      if !info_from_parse[:version].nil? && !metadata.valid_version?(info_from_parse[:version])
+        errors.push("Version needs to be in SemVer format")
+      end
+
+      if info_from_parse[:entitlement_id] && info_from_parse[:entitlement_id].strip.empty?
+        errors.push("Entitlement ID should not be blank.")
+      end
+
+      unless metadata.supports_runtime?
+        warnings.push("The current inspec version #{Inspec::VERSION} cannot satisfy profile inspec_version constraint #{info_from_parse[:inspec_version]}")
+      end
+
+      %w{title summary maintainer copyright license}.each do |field|
+        next unless info_from_parse[field.to_sym].nil?
+
+        warnings.push("Missing profile #{field} in #{metadata.ref}")
+      end
+
+      # if license is set, ensure it is in SPDX format or marked as proprietary
+      if !info_from_parse[:license].nil? && !metadata.valid_license?(info_from_parse[:license])
+        warnings.push("License '#{info_from_parse[:license]}' needs to be in SPDX format or marked as 'Proprietary'. See https://spdx.org/licenses/.")
+      end
+
+      # If gem_dependencies is set, it must be an array of hashes with keys name and optional version
+      unless info_from_parse[:gem_dependencies].nil?
+        list = info_from_parse[:gem_dependencies]
+        if list.is_a?(Array) && list.all? { |e| e.is_a? Hash }
+          list.each do |entry|
+            errors.push("gem_dependencies entries must all have a 'name' field") unless entry.key?(:name)
+            if entry[:version]
+              orig = entry[:version]
+              begin
+                # Split on commas as we may have a complex dep
+                orig.split(",").map { |c| Gem::Requirement.parse(c) }
+              rescue Gem::Requirement::BadRequirementError
+                errors.push "Unparseable gem dependency '#{orig}' for #{entry[:name]}"
+              rescue Inspec::GemDependencyInstallError => e
+                errors.push e.message
+              end
+            end
+            extra = (entry.keys - %i{name version})
+            unless extra.empty?
+              warnings.push "Unknown gem_dependencies key(s) #{extra.join(",")} seen for entry '#{entry[:name]}'"
+            end
+          end
+        else
+          errors.push("gem_dependencies must be a List of Hashes")
+        end
+      end
+
+      [errors, warnings]
     end
 
     def set_status_message(msg)
@@ -698,9 +1014,11 @@ module Inspec
       # TODO ignore all .files, but add the files to debug output
 
       # Generate temporary inspec.json for archive
-      if opts[:export]
+      export_opt_enabled = opts[:export] || opts[:legacy_export]
+      if export_opt_enabled
+        info_for_profile_summary = opts[:legacy_export] ? info : info_from_parse
         Inspec::Utils::JsonProfileSummary.produce_json(
-          info: info, # TODO: conditionalize and call info_from_parse
+          info: info_for_profile_summary,
           write_path: "#{root_path}inspec.json",
           suppress_output: true
         )
@@ -709,9 +1027,9 @@ module Inspec
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
-      @logger.debug "    inspec.json" if opts[:export]
+      @logger.debug "    inspec.json" if export_opt_enabled
 
-      archive_files = opts[:export] ? files.push("inspec.json") : files
+      archive_files = export_opt_enabled ? files.push("inspec.json") : files
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
@@ -725,7 +1043,7 @@ module Inspec
       end
 
       # Cleanup
-      FileUtils.rm_f("#{root_path}inspec.json") if opts[:export]
+      FileUtils.rm_f("#{root_path}inspec.json") if export_opt_enabled
 
       @logger.info "Finished archive generation."
       true

data/lib/inspec/reporters/cli.rb

@@ -317,7 +317,7 @@ module Inspec::Reporters
       not_applicable = 0
 
       all_unique_controls.each do |control|
-        next if control[:status].empty?
+        next if control[:status].nil? || control[:status].empty?
 
         if control[:status] == "failed"
           failed += 1

data/lib/inspec/resources/security_policy.rb

@@ -169,9 +169,14 @@ module Inspec::Resources
       # special handling for string values with "
       elsif !(m = /^\"(.*)\"$/.match(val)).nil?
         m[1]
+      # We get some values of Registry Path as MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,0
+      # which we are not going to split as there are chances that it will break if anyone is using string comparison.
+      # In some cases privilege value which does not have corresponding SID it returns the values in comma seprated which breakes it for some of
+      # the privileges like SeServiceLogonRight as it returns array if previlege values are SID
+      elsif !key.include?("\\") && val.match(/,/)
+        val.split(",")
       else
-        # When there is Registry Values we are not spliting the value for backward compatibility
-        key.include?("\\") ? val : val.split(",")
+        val
       end
     end
 

data/lib/inspec/rule.rb

@@ -375,19 +375,24 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
+      @__waiver_data = nil
       control_id = @__rule_id # TODO: control ID slugging
-      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
 
-      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
+      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
+      unless waiver_files.nil? || waiver_files.empty?
+        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
+        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
-      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
+        @__waiver_data = waiver_data_by_profile[control_id]
+      else
+        # Support for input registry is provided for backward compatibilty with compliance phase of chef-client
+        # Chef-client sends waiver information in inputs hash
+        input_registry = Inspec::InputRegistry.instance
+        waiver_data_via_input = input_registry.inputs_by_profile.dig(__profile_id, control_id)
+        return unless waiver_data_via_input && waiver_data_via_input.has_value? && waiver_data_via_input.value.is_a?(Hash)
 
-      # An InSpec Input is a datastructure that tracks a profile parameter
-      # over time. Its value can be set by many sources, and it keeps a
-      # log of each "set" event so that when it is collapsed to a value,
-      # it can determine the correct (highest priority) value.
-      # Store in an instance variable for.. later reading???
-      @__waiver_data = waiver_data_by_profile[control_id]
+        @__waiver_data = waiver_data_via_input.value
+      end
 
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""

data/lib/inspec/runner.rb

@@ -142,7 +142,7 @@ module Inspec
             get_check_example(m, a, b)
           end.compact
 
-          examples.map { |example| total_checks += example.examples.count }
+          examples.map { |example| total_checks += example.descendant_filtered_examples.count }
 
           unless control_describe_checks.empty?
             # controls with empty tests are avoided

data/lib/inspec/utils/profile_ast_helpers.rb

@@ -0,0 +1,372 @@
+require "ast"
+require "rubocop-ast"
+module Inspec
+  class Profile
+    class AstHelper
+      class CollectorBase
+        include Parser::AST::Processor::Mixin
+        include RuboCop::AST::Traversal
+
+        attr_reader :memo
+        def initialize(memo)
+          @memo = memo
+        end
+      end
+
+      class InputCollectorBase < CollectorBase
+        VALID_INPUT_OPTIONS = %i{name value type required priority pattern profile sensitive}.freeze
+
+        REQUIRED_VALUES_MAP = {
+          true: true,
+          false: false,
+        }.freeze
+
+        def initialize(memo)
+          @memo = memo
+        end
+
+        def collect_input(input_children)
+          input_name = input_children.children[2].value
+
+          # Check if memo[:inputs] already has a value for the input_name, if yes, then skip adding it to the array
+          unless memo[:inputs].any? { |input| input[:name] == input_name }
+            # The value will be updated if available in the input_children
+            opts = {
+              value: "Input '#{input_name}' does not have a value. Skipping test.",
+            }
+
+            if input_children.children[3]&.type == :hash
+              input_children.children[3].children.each do |child_node|
+                if VALID_INPUT_OPTIONS.include?(child_node.key.value)
+                  if child_node.value.class == RuboCop::AST::Node && REQUIRED_VALUES_MAP.key?(child_node.value.type)
+                    opts.merge!(child_node.key.value => REQUIRED_VALUES_MAP[child_node.value.type])
+                  elsif child_node.value.class == RuboCop::AST::HashNode
+                    # Here value will be a hash
+                    values = {}
+                    child_node.value.children.each do |grand_child_node|
+                      values.merge!(grand_child_node.key.value => grand_child_node.value.value)
+                    end
+                    opts.merge!(child_node.key.value => values)
+                  else
+                    opts.merge!(child_node.key.value => child_node.value.value)
+                  end
+                end
+              end
+            end
+
+            # TODO: Add rules for handling the input options or use existing rules if available
+            # 1. Handle pattern matching for the given input value
+            # 2. Handle data-type matching for the given input value
+            # 3. Handle required flag for the given input value
+            # 4. Handle sensitive flag for the given input value
+            memo[:inputs] ||= []
+            input_hash = {
+              name: input_name,
+              options: opts,
+            }
+            memo[:inputs] << input_hash
+          end
+        end
+
+        def check_and_collect_input(node)
+          if input_pattern_match?(node)
+            collect_input(node)
+          else
+            node.children.each do |child_node|
+              check_and_collect_input(child_node) if input_pattern_match?(child_node)
+            end
+          end
+        end
+
+        def input_pattern_match?(node)
+          RuboCop::AST::NodePattern.new("(send nil? :input ...)").match(node)
+        end
+      end
+
+      class ImpactCollector < CollectorBase
+        def on_send(node)
+          if RuboCop::AST::NodePattern.new("(send nil? :impact ...)").match(node)
+            memo[:impact] = node.children[2].value
+          end
+        end
+      end
+
+      class DescCollector < CollectorBase
+        def on_send(node)
+          if RuboCop::AST::NodePattern.new("(send nil? :desc ...)").match(node)
+            memo[:descriptions] ||= {}
+            if node.children[2] && node.children[3]
+              # NOTE: This assumes the description is as below
+              # desc 'label', 'An optional description with a label' # Pair a part of the description with a label
+              memo[:descriptions] = memo[:descriptions].merge(node.children[2].value => node.children[3].value)
+            else
+              memo[:desc] = node.children[2].value
+              memo[:descriptions] = memo[:descriptions].merge(default: node.children[2].value)
+            end
+          end
+        end
+      end
+
+      class TitleCollector < CollectorBase
+        def on_send(node)
+          if RuboCop::AST::NodePattern.new("(send nil? :title ...)").match(node)
+            # TODO - title may not be a simple string
+            memo[:title] = node.children[2].value
+          end
+        end
+      end
+
+      class TagCollector < CollectorBase
+
+        ACCPETABLE_TAG_TYPE_TO_VALUES = {
+          false: false,
+          true: true,
+          nil: nil,
+        }.freeze
+
+        def on_send(node)
+          if RuboCop::AST::NodePattern.new("(send nil? :tag ...)").match(node)
+            memo[:tags] ||= {}
+
+            node.children[2..-1].each do |tag_node|
+              collect_tags(tag_node)
+            end
+          end
+        end
+
+        private
+
+        def collect_tags(tag_node)
+          if tag_node.type == :str || tag_node.type == :sym
+            memo[:tags] = memo[:tags].merge(tag_node.value => nil)
+          elsif tag_node.type == :hash
+            tags_coll = {}
+            tag_node.children.each do |child_tag|
+              key = child_tag.key.value
+              if child_tag.value.type == :array
+                value = child_tag.value.children.map { |child_node| child_node.type == :str ? child_node.children.first : nil }
+              elsif ACCPETABLE_TAG_TYPE_TO_VALUES.key?(child_tag.value.type)
+                value = ACCPETABLE_TAG_TYPE_TO_VALUES[child_tag.value.type]
+              else
+                if child_tag.value.children.first.class == RuboCop::AST::SendNode
+                  # Cases like this: (where there is no assignment of the value to a variable like gcp_project_id)
+                  # tag project: gcp_project_id.to_s
+                  #
+                  # Lecacy evaluates gcp_project_id.to_s and then passes the value to the tag
+                  # We are not evaluating the value here, so we are just passing the value as it is
+                  #
+                  # TODO: Do we need to evaluate the value here?
+                  # (byebug) child_tag.value
+                  # s(:send,
+                  # s(:send, nil, :gcp_project_id), :to_s)
+                  value = child_tag.value.children.first.children[1]
+                elsif child_tag.value.children.first.class == RuboCop::AST::Node
+                  # Cases like this:
+                  # control_id = '1.1'
+                  # tag cis_gcp: control_id.to_s
+                  value = child_tag.value.children.first.children[0]
+                else
+                  value = child_tag.value.value
+                end
+              end
+              tags_coll.merge!(key => value)
+            end
+            memo[:tags] = memo[:tags].merge(tags_coll)
+          end
+        end
+      end
+
+      class RefCollector < CollectorBase
+        def on_send(node)
+          if RuboCop::AST::NodePattern.new("(send nil? :ref ...)").match(node)
+            # Construct the array of refs hash as below
+
+            # "refs": [
+            #   {
+            #     "url": "http://",
+            #     "ref": "Some ref"
+            #   },
+            #   {
+            #     "ref": "https://",
+            #   }
+            # ]
+
+            # node.children[1] && node.children[1] == :ref - we don't need this check as the pattern match above will take care of it
+            return unless node.children[2]
+
+            references = {}
+
+            if node.children[2].type == :begin
+              # Case for: ref   ({:ref=>"Some ref", :url=>"https://"})
+              # find the hash node
+              iterate_child_and_collect_ref(node.children[2].children, references)
+            elsif node.children[2].type == :str
+              # Case for: ref "ref1", url: "http://",
+              references.merge!(ref: node.children[2].value)
+              iterate_child_and_collect_ref(node.children[3..-1], references)
+            end
+
+            memo[:refs] ||= []
+            memo[:refs] << references
+          end
+        end
+
+        private
+
+        def iterate_child_and_collect_ref(child_node, references = {})
+          child_node.each do |ref_node|
+            if ref_node.type == :hash
+              iterate_hash_node(ref_node, references)
+            elsif ref_node.type == :str
+              references.merge!(ref_node.value => nil)
+            end
+          end
+        end
+
+        def iterate_hash_node(hash_node, references = {})
+          # hash node like this:
+          # s(:hash,
+          #   s(:pair,
+          #     s(:sym, :url),
+          #     s(:str, "https://")))
+          #
+          # or like this:
+          # (byebug) hash_node
+          # s(:hash,
+          # s(:pair,
+          #   s(:sym, :url),
+          #   s(:send,
+          #     s(:send, nil, :cis_url), :to_s)))
+          hash_node.children.each do |child_node|
+            if child_node.type == :pair
+              if child_node.value.children.first.class == RuboCop::AST::SendNode
+                # Case like this  (where there is no assignment of the value to a variable like cis_url)
+                # ref 'CIS Benchmark', url: cis_url.to_s
+                # Lecacy evaluates cis_url.to_s and then passes the value to the ref
+                # We are not evaluating the value here, so we are just passing the value as it is
+                #
+                # TODO: Do we need to evaluate the value here?
+                #
+                # (byebug) child_node.value.children.first
+                # s(:send, nil, :cis_url)
+                value = child_node.value.children.first.children[1]
+              elsif child_node.value.class == RuboCop::AST::SendNode
+                # Cases like this:
+                # cis_url = attribute('cis_url')
+                # ref 'CIS Benchmark', url: cis_url.to_s
+                value = child_node.value.children.first.children[0]
+              else
+                # Cases like this: ref 'CIS Benchmark - 2', url: "https://"
+                # require 'byebug'; byebug
+                value = child_node.value.value
+              end
+              references.merge!(child_node.key.value => value)
+            end
+          end
+        end
+      end
+
+      class ControlIDCollector < CollectorBase
+        attr_reader :seen_control_ids, :source_location_ref, :include_tests
+        def initialize(memo, source_location_ref, include_tests: false)
+          @memo = memo
+          @seen_control_ids = {}
+          @source_location_ref = source_location_ref
+          @include_tests = include_tests
+        end
+
+        def on_block(block_node)
+          if RuboCop::AST::NodePattern.new("(block (send nil? :control ...) ...)").match(block_node)
+            # NOTE: Assuming begin block is at the index 2
+            begin_block = block_node.children[2]
+            control_node = block_node.children[0]
+
+            # TODO - This assumes the control ID is always a plain string, which we know it is often not!
+            control_id = control_node.children[2].value
+            # TODO - BUG - this keeps seeing the same nodes over and over againa, and so repeating control IDs. We are ignoring duplicate control IDs, which is incorrect.
+            return if seen_control_ids[control_id]
+
+            seen_control_ids[control_id] = true
+
+            control_data = {
+              id: control_id,
+              code: block_node.source,
+              source_location: {
+                line: block_node.first_line,
+                ref: source_location_ref,
+              },
+              title: nil,
+              desc: nil,
+              descriptions: {},
+              impact: 0.5,
+              refs: [],
+              tags: {},
+            }
+            control_data[:checks] = [] if include_tests
+
+            # Scan the code block for per-control metadata
+            collectors = []
+            collectors.push ImpactCollector.new(control_data)
+            collectors.push DescCollector.new(control_data)
+            collectors.push TitleCollector.new(control_data)
+            collectors.push TagCollector.new(control_data)
+            collectors.push RefCollector.new(control_data)
+            collectors.push InputCollectorWithinControlBlock.new(@memo)
+            collectors.push TestsCollector.new(control_data) if include_tests
+
+            begin_block.each_node do |node_within_control|
+              collectors.each { |collector| collector.process(node_within_control) }
+            end
+
+            memo[:controls].push control_data
+          end
+        end
+      end
+
+      class InputCollectorWithinControlBlock < InputCollectorBase
+        def initialize(memo)
+          @memo = memo
+        end
+
+        def on_send(node)
+          check_and_collect_input(node)
+        end
+      end
+
+      class InputCollectorOutsideControlBlock < InputCollectorBase
+        def initialize(memo)
+          @memo = memo
+        end
+
+        # TODO: There is scope to refactor InputCollectorOutsideControlBlock and InputCollectorWithinControlBlock
+        # 1. We can have a single class for both the collectors
+        # 2. We can have a on_send and on_lvasgn method in the same class
+        # :lvasgn in ast stands for "local variable assignment"
+        def on_lvasgn(node)
+          # We are looking for the following pattern in the AST
+          # (lvasgn :var_name (send nil? :input ...))
+          # example: a = input('a') or a = input('a', value: 'b')
+          # and not this: a = 1
+          if RuboCop::AST::NodePattern.new("(lvasgn _ (send nil? :input ...))").match(node)
+            input_children = node.children[1]
+            collect_input(input_children)
+          end
+        end
+
+        def on_send(node)
+          check_and_collect_input(node)
+        end
+      end
+
+      class TestsCollector < CollectorBase
+
+        def on_block(node)
+          if RuboCop::AST::NodePattern.new("(block (send nil? :describe ...) ...)").match(node) ||
+              RuboCop::AST::NodePattern.new("(block (send nil? :expect ...) ...)").match(node)
+            memo[:checks] << node.source
+          end
+        end
+      end
+    end
+  end
+end

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -19,7 +19,7 @@ module Waivers
         row_hash.delete("control_id")
         row_hash.delete_if { |k, v| k.nil? || v.nil? }
 
-        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
       end
 
       waiver_data_hash

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -25,7 +25,7 @@ module Waivers
           row_hash.delete_if { |k, v| k.nil? || v.nil? }
         end
 
-        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
       end
       waiver_data_hash
     rescue Exception => e

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.29".freeze
+  VERSION = "5.22.40".freeze
 end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -168,10 +168,10 @@ module InspecPlugins
         end
 
         # read profile name from inspec.yml
-        profile_name = profile.params[:name]
+        profile_name = profile.name
 
         # read profile version from inspec.yml
-        profile_version = profile.params[:version]
+        profile_version = profile.version
 
         # check that the profile is not uploaded already,
         # confirm upload to the user (overwrite with --force)

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -1,4 +1,5 @@
-<% slugged_id = control.id.tr(" ", "_") %>
+<% slugged_control_id = control.id.tr(" ", "_") %>
+<% slugged_profile_id = profile.name.gsub(/\W/, "_") %>
 <%
     if enhanced_outcomes
       status = control.status
@@ -13,7 +14,7 @@
     end
 %>
 
-<div class="control control-status-<%= status %>" id="control-<%= slugged_id %>">
+<div class="control control-status-<%= status %>" id="profile-<%= slugged_profile_id %>-control-<%= slugged_control_id %>">
 
   <%
     # Determine range of impact
@@ -29,7 +30,7 @@
   %>
 
   <h3 class="control-title">Control <code><%= control.id %></code></h3>
-  <table class="control-metadata info" id="control-metadata-<%= slugged_id %>">
+  <table class="control-metadata info" id="profile-<%= slugged_profile_id %>-control-metadata-<%= slugged_control_id %>">
   <caption>Control Table</caption>
     <tr class="status status-<%= status %>"><th>Status:</th><td><div><%= status.capitalize %></div></td></tr>
     <% if control.title %><tr class="title"><th>Title:</th><td><%= control.title %></td></tr> <% end %>
@@ -64,9 +65,9 @@
     <tr class="code">
       <th>Source Code:</th>
       <td>
-        <input type="button" class="show-source-code" id="show-code-<%= slugged_id %>" value="Show Source"/>
-        <input type="button" class="hide-source-code hidden" id="hide-code-<%= slugged_id %>" value="Hide Source"/>
-        <pre class="source-code hidden" id="source-code-<%= slugged_id %>">
+        <input type="button" class="show-source-code" id="show-code-<%= slugged_profile_id %>-<%= slugged_control_id %>" value="Show Source"/>
+        <input type="button" class="hide-source-code hidden" id="hide-code-<%= slugged_profile_id %>-<%= slugged_control_id %>" value="Hide Source"/>
+        <pre class="source-code hidden" id="source-code-<%= slugged_profile_id %>-<%= slugged_control_id %>">
           <code>
 <%= control.code %>
           </code>

data/lib/plugins/inspec-reporter-html2/templates/default.js

@@ -11,17 +11,17 @@ function removeCssClass(id, cls) {
 }
 
 function handleShowSource(evt) {
-  var control_id = evt.srcElement.id.replace("show-code-", "")
+  var slugged_id = evt.srcElement.id.replace("show-code-", "")
   addCssClass(evt.srcElement.id, "hidden")
-  removeCssClass("hide-code-" + control_id, "hidden")
-  removeCssClass("source-code-" + control_id, "hidden")
+  removeCssClass("hide-code-" + slugged_id, "hidden")
+  removeCssClass("source-code-" + slugged_id, "hidden")
 }
 
 function handleHideSource(evt) {
-  var control_id = evt.srcElement.id.replace("hide-code-", "")
+  var slugged_id = evt.srcElement.id.replace("hide-code-", "")
   addCssClass(evt.srcElement.id, "hidden")
-  addCssClass("source-code-" + control_id, "hidden")
-  removeCssClass("show-code-" + control_id, "hidden")
+  addCssClass("source-code-" + slugged_id, "hidden")
+  removeCssClass("show-code-" + slugged_id, "hidden")
 }
 
 function handleSelectorChange(evt) {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.22.29
+  version: 5.22.40
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-10-24 00:00:00.000000000 Z
+date: 2024-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -716,6 +716,7 @@ files:
 - lib/inspec/utils/parser.rb
 - lib/inspec/utils/pkey_reader.rb
 - lib/inspec/utils/podman.rb
+- lib/inspec/utils/profile_ast_helpers.rb
 - lib/inspec/utils/run_data_filters.rb
 - lib/inspec/utils/simpleconfig.rb
 - lib/inspec/utils/spdx.rb