inspec-core 5.22.3 → 5.22.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 257ccbe0a55a1779ee75f8d6e9e8e0ff612990c123e5cdb10d8cf1e19dbade54
-  data.tar.gz: 820f9a0ec86451f48f65f229befe175cf937648ddb5669df1c8a7c27ebfb234b
+  metadata.gz: bbe23835cae58303aa3ac665ecd59e269752bbe4f6448e33db3219df0f04dbc8
+  data.tar.gz: 9a6d1e0e7758054f4d2746355a0c5538ede8af58a4220b3160d999f5e3093f34
 SHA512:
-  metadata.gz: 8150cdd9aca6ac14ae762dd4b6d09867dab6651f0a0705a28f7256a94683a1fd59b7841bfc69e1a362c253d6c2a847d2e9a03b901dd20118ecc1566b4496a8a9
-  data.tar.gz: a3469cb7fa6786e1d9416e9493fed402ccfb6c8e6ac0a2d40a0029ab63c09b09671cf6729736899ed1a039ca75e36a6a57428deba9a8c5d6dbf0975711a06d13
+  metadata.gz: c074f69651db5a586e4fee3b1a621ef9cc43d05634136dae9e0008a22c2d74d0515fe2938f83df42aace4ad089bbab3e95cf3d70bf3825b88aaca5e8e0696518
+  data.tar.gz: f01196343c6f7109cb44ced5f3a23a2b3f7b543f88a48d34d0b49c2b2a47dae31c599af4f51febca1afecbc1355f471c543c2ac8484c5c1a669ea4fec41cfe45

data/Gemfile

@@ -11,6 +11,10 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
+# We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
+# See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22
+gem "unf_ext", "= 0.0.8.2"
+
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
@@ -25,11 +29,11 @@ end
 group :test do
   gem "chefstyle", "~> 2.2.2"
   gem "concurrent-ruby", "~> 1.0"
-  gem "json_schemer", ">= 0.2.1", "< 0.2.19"
+  gem "json_schemer", ">= 0.2.1", "< 2.0.1"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
-  gem "mocha", "~> 1.1"
+  gem "mocha", "~> 2.1"
   gem "nokogiri", "~> 1.9"
   gem "pry-byebug"
   gem "pry", "~> 0.10"
@@ -47,20 +51,3 @@ end
 group :deploy do
   gem "inquirer"
 end
-
-group :kitchen do
-  gem "berkshelf"
-
-  # Chef 18 requires ruby 3
-  if Gem.ruby_version >= Gem::Version.new("3.0.0")
-    gem "chef", ">= 17.0"
-  else
-    # Ruby 2.7 presumably - TODO remove this when 2.7 is sunsetted
-    gem "chef", "~> 16.0"
-  end
-
-  gem "test-kitchen", ">= 2.8"
-  gem "kitchen-inspec", ">= 2.0"
-  gem "kitchen-dokken", ">= 2.11"
-  gem "git"
-end

data/inspec-core.gemspec

@@ -25,13 +25,15 @@ Gem::Specification.new do |spec|
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",           "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
-  spec.add_dependency "thor",                     ">= 0.20", "< 2.0"
+  # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
+  # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.11"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.12"
   spec.add_dependency "rspec-its",                "~> 1.2"
   spec.add_dependency "pry",                      "~> 0.13"
-  spec.add_dependency "hashie",                   ">= 3.4", "< 5.0"
+  spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
   spec.add_dependency "mixlib-log",               "~> 3.0"
   spec.add_dependency "sslshake",                 "~> 1.2"
   spec.add_dependency "parallel",                 "~> 1.9"
@@ -41,7 +43,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 

data/lib/inspec/cli.rb

@@ -68,8 +68,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "A list of controls to include. Ignore all other tests."
   option :tags, type: :array,
     desc: "A list of tags to filter controls and include only those. Ignore all other tests."
+  option :legacy_export, type: :boolean, default: false,
+    desc: "Run with legacy export."
   profile_options
   def json(target)
+    # Config initialisation is needed before deprecation warning can be issued
+    # Deprecator calls config get method to fetch the config value
+    # Without config initialisation, the config value is not set and hence calling config get through deprecator will set the value of config as blank, making options of json command inaccessible.
+    config
     # This deprecation warning is ignored currently.
     Inspec.deprecate(:renamed_to_inspec_export)
     export(target, true)
@@ -86,6 +92,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "For --what=profile, a list of controls to include. Ignore all other tests."
   option :tags, type: :array,
     desc: "For --what=profile, a list of tags to filter controls and include only those. Ignore all other tests."
+  option :legacy_export, type: :boolean, default: false,
+         desc: "Run with legacy export."
   profile_options
   def export(target, as_json = false)
     o = config
@@ -121,16 +129,17 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     case what
     when "profile"
+      profile_info = o[:legacy_export] ? profile.info : profile.info_from_parse
       if format == "json"
         require "json" unless defined?(JSON)
         # Write JSON
         Inspec::Utils::JsonProfileSummary.produce_json(
-          info: profile.info,
+          info: profile_info,
           write_path: dst
         )
       elsif format == "yaml"
         Inspec::Utils::YamlProfileSummary.produce_yaml(
-          info: profile.info,
+          info: profile_info,
           write_path: dst
         )
       end
@@ -152,6 +161,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "The output format to use. Valid values: `json` and `doc`. Default value: `doc`."
   option :with_cookstyle, type: :boolean,
     desc: "Enable or disable cookstyle checks.", default: false
+  option :legacy_check, type: :boolean, default: false,
+         desc: "Run with legacy check."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config
@@ -166,7 +177,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     # run check
     profile = Inspec::Profile.for_target(path, o)
-    result = profile.check
+    result = o[:legacy_check] ? profile.legacy_check : profile.check
 
     if o["format"] == "json"
       puts JSON.generate(result)
@@ -244,6 +255,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Fallback to using local archives if fetching fails."
   option :ignore_errors, type: :boolean, default: false,
     desc: "Ignore profile warnings."
+  option :check, type: :boolean, default: false,
+    desc: "Run profile check before archiving."
+  option :export, type: :boolean, default: false,
+    desc: "Export the profile to inspec.json and include in archive"
+  option :legacy_export, type: :boolean, default: false,
+    desc: "Export the profile in legacy mode to inspec.json and include in archive"
   def archive(path, log_level = nil)
     o = config
     diagnose(o)
@@ -264,7 +281,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       o[:logger].warn "Archiving a profile that contains gem dependencies, but InSpec cannot package gems with the profile! Please archive your ~/.inspec/gems directory separately."
     end
 
-    result = profile.check
+    result = profile.check if o[:check]
 
     if result && !o[:ignore_errors] == false
       o[:logger].info "Profile check failed. Please fix the profile before generating an archive."
@@ -514,7 +531,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   def run_command(opts)
-    runner = Inspec::Runner.new(Inspec::Config.new(opts))
+    runner = Inspec::Runner.new(opts)
     res = runner.eval_with_virtual_profile(opts[:command])
     runner.load
 

data/lib/inspec/config.rb

@@ -448,6 +448,22 @@ module Inspec
       # Reporter options may be defined top-level.
       options.merge!(config_file_reporter_options)
 
+      # when sent reporter from compliance-mode (via chef-client), the reporter is a symbol
+      if @cli_opts.key?(:reporter) && @cli_opts["reporter"].nil?
+        @cli_opts["reporter"] = @cli_opts[:reporter]
+        @cli_opts.delete(:reporter)
+      elsif @cli_opts.key?(:reporter) && @cli_opts.key?("reporter") && @cli_opts["reporter"].is_a?(Array)
+        # combine reporter and "reporter" options into "reporter" option
+        @cli_opts["reporter"] = @cli_opts[:reporter] + @cli_opts["reporter"]
+      end
+
+      if @cli_opts["reporter"]
+        # Add reporter_cli_opts in options to capture reporter cli opts separately
+        options.merge!({ "reporter_cli_opts" => @cli_opts["reporter"] })
+        # Delete reporter from cli_opts to avoid direct merging of reporter info of cli and config
+        @cli_opts.delete("reporter")
+      end
+
       # Highest precedence: merge in any options defined via the CLI
       options.merge!(@cli_opts)
 
@@ -476,13 +492,13 @@ module Inspec
     end
 
     def finalize_parse_reporters(options) # rubocop:disable Metrics/AbcSize
-      # default to cli report for ad-hoc runners
-      options["reporter"] = ["cli"] if options["reporter"].nil?
+      # Default to cli report for ad-hoc runners
+      options["reporter_cli_opts"] = ["cli"] if (options["reporter"].nil? || options["reporter"].empty?) && options["reporter_cli_opts"].nil?
 
-      # parse out cli to proper report format
-      if options["reporter"].is_a?(Array)
+      # Parse out reporter_cli_opts to proper report format
+      if options["reporter_cli_opts"].is_a?(Array)
         reports = {}
-        options["reporter"].each do |report|
+        options["reporter_cli_opts"].each do |report|
           reporter_name, destination = report.split(":", 2)
           if destination.nil? || destination.strip == "-"
             reports[reporter_name] = { "stdout" => true }
@@ -494,7 +510,12 @@ module Inspec
             reports[reporter_name]["target_id"] = options["target_id"] if options["target_id"]
           end
         end
-        options["reporter"] = reports
+
+        if options["reporter"].nil? || options["reporter"].empty?
+          options["reporter"] = reports
+        else
+          options["reporter"].merge!(reports)
+        end
       end
 
       # add in stdout if not specified
@@ -507,6 +528,10 @@ module Inspec
       end
 
       validate_reporters!(options["reporter"])
+
+      # Delete reporter_cli_opts after graceful merging of cli and config reporters
+      options.delete("reporter_cli_opts")
+
       options
     end
 
@@ -548,15 +573,12 @@ module Inspec
     class Defaults
       DEFAULTS = {
         exec: {
-          "reporter" => ["cli"],
           "show_progress" => false,
           "color" => true,
           "create_lockfile" => true,
           "backend_cache" => true,
         },
-        shell: {
-          "reporter" => ["cli"],
-        },
+        shell: {},
       }.freeze
 
       def self.for_command(command_name)

data/lib/inspec/fetcher/git.rb

@@ -41,6 +41,7 @@ module Inspec::Fetcher
       @ref = opts[:ref]
       @remote_url = expand_local_path(remote_url)
       @repo_directory = nil
+      @resolved_ref = nil
       @relative_path = opts[:relative_path] if opts[:relative_path] && !opts[:relative_path].empty?
     end
 
@@ -70,7 +71,7 @@ module Inspec::Fetcher
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
-            Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+            Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                               "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
@@ -80,14 +81,14 @@ module Inspec::Fetcher
     end
 
     def perform_relative_path_fetch(destination_path, working_dir)
-      Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+      Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")
       unless File.exist?("#{working_dir}/#{@relative_path}")
         # Cleanup the destination path - otherwise we'll have an empty dir
         # in the cache, which is enough to confuse the cache reader
         # This is a courtesy, assuming we're writing to the cache; if we're
         # vendoring to something more complex, don't bother.
-        FileUtils.rmdir(destination_path) if Dir.empty?(destination_path)
+        FileUtils.rm_r(destination_path) if Dir.exist?(destination_path)
 
         raise Inspec::FetcherFailure, "Cannot find relative path '#{@relative_path}' " \
                                       "within profile in git repo specified by '#{@remote_url}'"
@@ -96,9 +97,16 @@ module Inspec::Fetcher
     end
 
     def cache_key
-      return resolved_ref unless @relative_path
-
-      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+      cache_key = if @relative_path && !resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+                  elsif @relative_path && resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url + @relative_path)
+                  elsif resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url)
+                  else
+                    resolved_ref
+                  end
+      cache_key
     end
 
     def archive_path
@@ -106,7 +114,11 @@ module Inspec::Fetcher
     end
 
     def resolved_source
-      source = { git: @remote_url, ref: resolved_ref }
+      if resolved_ref.nil?
+        source = { git: @remote_url }
+      else
+        source = { git: @remote_url, ref: resolved_ref }
+      end
       source[:relative_path] = @relative_path if @relative_path
       source
     end
@@ -125,33 +137,27 @@ module Inspec::Fetcher
                         elsif @tag
                           resolve_ref(@tag)
                         else
-                          resolve_ref(default_ref)
+                          resolve_ref
                         end
     end
 
-    def default_ref
-      command_string = "git remote show #{@remote_url}"
+    def resolve_ref(ref_name = nil)
+      command_string = if ref_name.nil?
+                         # Running git ls-remote command helps to raise error if git URL is invalid and avoids cache_key creation
+                         "git ls-remote \"#{@remote_url}\""
+                       else
+                         "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
+                       end
       cmd = shellout(command_string)
-      unless cmd.exitstatus == 0
-        raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
+      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
+
+      if ref_name.nil?
+        ref = nil
       else
-        ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+        ref = parse_ls_remote(cmd.stdout, ref_name)
         unless ref
-          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
+          raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
         end
-
-        ref
-      end
-    end
-
-    def resolve_ref(ref_name)
-      command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
-      cmd = shellout(command_string)
-      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
-
-      ref = parse_ls_remote(cmd.stdout, ref_name)
-      unless ref
-        raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
       end
 
       ref
@@ -200,7 +206,14 @@ module Inspec::Fetcher
 
     def checkout(dir = @repo_directory)
       clone(dir)
-      git_cmd("checkout #{resolved_ref}", dir)
+      # In case of branch, tag or git reference is not provided by User the resolved_ref will always be nil
+      # and will always checkout the default HEAD branch, else it will checkout specific branch, tag or git reference.
+      if resolved_ref.nil?
+        git_cmd("checkout", dir)
+      else
+        git_cmd("checkout #{resolved_ref}", dir)
+      end
+
       @repo_directory
     end
 
@@ -208,6 +221,8 @@ module Inspec::Fetcher
       cmd = shellout("git #{cmd}", cwd: dir)
       cmd.error!
       cmd.status
+    rescue Mixlib::ShellOut::ShellCommandFailed => e
+      raise Inspec::FetcherFailure, "Error while running git command. #{e.message} "
     rescue Errno::ENOENT
       raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - to use git sources, you must have git installed."
     end

data/lib/inspec/formatters/base.rb

@@ -160,7 +160,7 @@ module Inspec::Formatters
           end
 
           # added this additionally because stats summary is also used for determining exit code in runner rspec
-          skipped += 1 if control[:results].any? { |r| r[:status] == "skipped" }
+          skipped += 1 if control[:results] && (control[:results].any? { |r| r[:status] == "skipped" })
 
         end
         total = error + not_applicable + not_reviewed + failed + passed