inspec-core 5.22.50 → 6.6.0

data/lib/inspec/reporters.rb

@@ -4,76 +4,89 @@ require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
+require "inspec/feature"
 
 module Inspec::Reporters
   # rubocop:disable Metrics/CyclomaticComplexity
   def self.render(reporter, run_data, enhanced_outcomes = false)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "cli"
-      reporter = Inspec::Reporters::CLI.new(config)
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    # This reporter is only used for Chef internal. We reserve the
-    # right to introduce breaking changes to this reporter at any time.
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "automate"
-      reporter = Inspec::Reporters::Automate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
-      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-      activator.activate!
-      reporter = activator.implementation_class.new(config)
-    end
-    reporter.enhanced_outcomes = enhanced_outcomes
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "cli"
+        reporter = Inspec::Reporters::CLI.new(config)
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      # This reporter is only used for Chef internal. We reserve the
+      # right to introduce breaking changes to this reporter at any time.
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "automate"
+        reporter = Inspec::Reporters::Automate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+        activator.activate!
+        reporter = activator.implementation_class.new(config)
+      end
 
-    # optional send_report method on reporter
-    return reporter.send_report if defined?(reporter.send_report)
+      if enhanced_outcomes
+        Inspec.with_feature("inspec-enhanced-outcomes") {
+          reporter.enhanced_outcomes = enhanced_outcomes
+        }
+      else
+        reporter.enhanced_outcomes = enhanced_outcomes
+      end
 
-    reporter.render
-    output = reporter.rendered_output
+      # optional send_report method on reporter
+      return reporter.send_report if defined?(reporter.send_report)
 
-    if config["file"]
-      # create destination directory if it does not exist
-      dirname = File.dirname(config["file"])
-      FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
+      reporter.render
+      output = reporter.rendered_output
+      config_file = config["file"]
+      if config_file
+        config_file.gsub!("CHILD_PID", Process.pid.to_s)
+        # create destination directory if it does not exist
+        dirname = File.dirname(config_file)
+        FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
 
-      File.write(config["file"], output)
-    elsif config["stdout"] == true
-      print output
-      $stdout.flush
-    end
+        File.write(config_file, output)
+      elsif config["stdout"] == true
+        print output
+        $stdout.flush
+      end
+    }
   end
 
   def self.report(reporter, run_data)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it might be a plugin
-      begin
-        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-        activator.activate!
-        reporter = activator.implementation_class.new(config)
-        unless reporter.respond_to(:report?)
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it might be a plugin
+        begin
+          activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+          activator.activate!
+          reporter = activator.implementation_class.new(config)
+          unless reporter.respond_to(:report?)
+            return run_data
+          end
+        rescue Inspec::Plugin::V2::LoadError
+          # Must not have been a plugin - just return the run_data
           return run_data
         end
-      rescue Inspec::Plugin::V2::LoadError
-        # Must not have been a plugin - just return the run_data
-        return run_data
       end
-    end
 
-    reporter.report
+      reporter.report
+    }
   end
 end

data/lib/inspec/resources/virtualization.rb

@@ -223,7 +223,7 @@ module Inspec::Resources
       elsif cgroup_content =~ %r{^\d+:[^:]+:/(kubepods)/.+$}
         @virtualization_data[:system] = $1
         @virtualization_data[:role] = "guest"
-      elsif /container=podman/.match?(inspec.file("/proc/1/environ").content)
+      elsif /container=podman/.match?(file_read("/proc/1/environ"))
         @virtualization_data[:system] = "podman"
         @virtualization_data[:role] = "guest"
       elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}

data/lib/inspec/rule.rb

@@ -375,24 +375,19 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
-      @__waiver_data = nil
       control_id = @__rule_id # TODO: control ID slugging
-
       waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
-      unless waiver_files.nil? || waiver_files.empty?
-        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
-        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
-        @__waiver_data = waiver_data_by_profile[control_id]
-      else
-        # Support for input registry is provided for backward compatibilty with compliance phase of chef-client
-        # Chef-client sends waiver information in inputs hash
-        input_registry = Inspec::InputRegistry.instance
-        waiver_data_via_input = input_registry.inputs_by_profile.dig(__profile_id, control_id)
-        return unless waiver_data_via_input && waiver_data_via_input.has_value? && waiver_data_via_input.value.is_a?(Hash)
+      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
 
-        @__waiver_data = waiver_data_via_input.value
-      end
+      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
+
+      # An InSpec Input is a datastructure that tracks a profile parameter
+      # over time. Its value can be set by many sources, and it keeps a
+      # log of each "set" event so that when it is collapsed to a value,
+      # it can determine the correct (highest priority) value.
+      # Store in an instance variable for.. later reading???
+      @__waiver_data = waiver_data_by_profile[control_id]
 
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""

data/lib/inspec/run_data.rb

@@ -27,11 +27,13 @@ module Inspec
   ) do
     include HashLikeStruct
     def initialize(raw_run_data)
-      self.controls   = raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
-      self.profiles   = raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
-      self.statistics = Inspec::RunData::Statistics.new(raw_run_data[:statistics])
-      self.platform   = Inspec::RunData::Platform.new(raw_run_data[:platform])
-      self.version    = raw_run_data[:version]
+      @raw_run_data = raw_run_data
+
+      self.controls   = @raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
+      self.profiles   = @raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
+      self.statistics = Inspec::RunData::Statistics.new(@raw_run_data[:statistics])
+      self.platform   = Inspec::RunData::Platform.new(@raw_run_data[:platform])
+      self.version    = @raw_run_data[:version]
     end
   end
 

data/lib/inspec/runner.rb

@@ -11,6 +11,7 @@ require "inspec/dependencies/cache"
 require "inspec/dist"
 require "inspec/reporters"
 require "inspec/runner_rspec"
+require "chef-licensing"
 # spec requirements
 
 module Inspec
@@ -60,11 +61,13 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        @conf[:waiver_file].each do |file|
-          unless File.file?(file)
-            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+        Inspec.with_feature("inspec-waivers") {
+          @conf[:waiver_file].each do |file|
+            unless File.file?(file)
+              raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+            end
           end
-        end
+        }
       end
 
       # About reading inputs:
@@ -142,7 +145,7 @@ module Inspec
             get_check_example(m, a, b)
           end.compact
 
-          examples.map { |example| total_checks += example.descendant_filtered_examples.count }
+          examples.map { |example| total_checks += example.examples.count }
 
           unless control_describe_checks.empty?
             # controls with empty tests are avoided
@@ -159,16 +162,42 @@ module Inspec
     end
 
     def run(with = nil)
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
+
+      # Validate if profiles are signed and verified
+      # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
+      # Only runs this block when preview flag CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING is set
+      Inspec.with_feature("inspec-mandatory-profile-signing") {
+        unless @conf.allow_unsigned_profiles?
+          verify_target_profiles_if_signed(@target_profiles)
+        end
+      }
+
       Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
       load
       run_tests(with)
+    rescue ChefLicensing::SoftwareNotEntitled
+      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::UI.new.exit(:license_not_entitled)
+    rescue ChefLicensing::Error => e
+      Inspec::Log.error e.message
+      Inspec::UI.new.exit(:usage_error)
+    end
+
+    def verify_target_profiles_if_signed(target_profiles)
+      unsigned_profiles = []
+      target_profiles.each do |profile|
+        unsigned_profiles << profile.name unless profile.verify_if_signed
+      end
+      raise Inspec::ProfileSignatureRequired, "Signature required for profile/s: #{unsigned_profiles.join(", ")}. Please provide a signed profile. Or set CHEF_ALLOW_UNSIGNED_PROFILES in the environment. Or use `--allow-unsigned-profiles` flag with InSpec CLI. " unless unsigned_profiles.empty?
     end
 
     def render_output(run_data)
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
+        enhanced_outcome_flag = @conf["enhanced_outcomes"]
+        result = Inspec::Reporters.render(reporter, run_data, enhanced_outcome_flag)
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end

data/lib/inspec/runner_rspec.rb

@@ -177,16 +177,18 @@ module Inspec
         next unless streaming_reporters.include? streaming_reporter_name
 
         # Activate the plugin so the formatter ID gets registered with RSpec, presumably
-        activator = reg.find_activator(plugin_type: :streaming_reporter, activator_name: streaming_reporter_name.to_sym)
-        activator.activate!
 
-        # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
-        if file_target&.[]("file").nil?
-          RSpec.configuration.add_formatter(activator.implementation_class)
-        else
-          RSpec.configuration.add_formatter(activator.implementation_class, file_target["file"])
-        end
-        @conf["reporter"].delete(streaming_reporter_name)
+        Inspec.with_feature("inspec-reporter-#{streaming_reporter_name}") {
+          activator = reg.find_activator(plugin_type: :streaming_reporter, activator_name: streaming_reporter_name.to_sym)
+          activator.activate!
+          # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
+          if file_target&.[]("file").nil?
+            RSpec.configuration.add_formatter(activator.implementation_class)
+          else
+            RSpec.configuration.add_formatter(activator.implementation_class, file_target["file"])
+          end
+          @conf["reporter"].delete(streaming_reporter_name)
+        }
       end
     end
 
@@ -196,6 +198,7 @@ module Inspec
     def configure_output
       RSpec.configuration.output_stream = $stdout
       @formatter = RSpec.configuration.add_formatter(Inspec::Formatters::Base)
+
       @formatter.enhanced_outcomes = @conf.final_options["enhanced_outcomes"]
       RSpec.configuration.add_formatter(Inspec::Formatters::ShowProgress, $stderr) if @conf[:show_progress]
       set_optional_formatters

data/lib/inspec/secrets/yaml.rb

@@ -24,12 +24,18 @@ module Secrets
         @inputs = ::YAML.load_file(target)
       end
 
-      if @inputs == false || !@inputs.is_a?(Hash)
-        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+      # In case of empty yaml file raise the warning else raise the parsing error.
+      if !@inputs || @inputs.empty?
+        Inspec::Log.warn("Unable to parse #{target}: YAML file is empty.")
         @inputs = nil
+      elsif !@inputs.is_a?(Hash)
+        # Exits with usage error.
+        Inspec::Log.error("Unable to parse #{target}: invalid YAML or contents is not a Hash")
+        Inspec::UI.new.exit(:usage_error)
       end
     rescue => e
-      raise "Error reading InSpec inputs: #{e}"
+      # Any other error related to Yaml parsing will be raised here.
+      raise "Error reading YAML file #{target}: #{e}"
     end
   end
 end

data/lib/inspec/shell.rb

@@ -1,3 +1,6 @@
+require "chef-licensing"
+require "inspec/dist"
+
 autoload :Pry, "pry"
 
 module Inspec
@@ -10,6 +13,7 @@ module Inspec
     end
 
     def start
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
       # This will hold a single evaluation binding context as opened within
       # the instance_eval context of the anonymous class that the profile
       # context creates to evaluate each individual test file. We want to
@@ -18,6 +22,12 @@ module Inspec
       @ctx_binding = @runner.eval_with_virtual_profile("binding")
       configure_pry
       @ctx_binding.pry
+    rescue ChefLicensing::SoftwareNotEntitled
+      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::UI.new.exit(:license_not_entitled)
+    rescue ChefLicensing::Error => e
+      Inspec::Log.error e.message
+      Inspec::UI.new.exit(:usage_error)
     end
 
     def configure_pry # rubocop:disable Metrics/AbcSize

data/lib/inspec/ui.rb

@@ -32,9 +32,13 @@ module Inspec
     EXIT_FATAL_DEPRECATION = 3
     EXIT_GEM_DEPENDENCY_LOAD_ERROR = 4
     EXIT_BAD_SIGNATURE = 5
+    EXIT_SIGNATURE_REQUIRED = 6
     EXIT_LICENSE_NOT_ACCEPTED = 172
+    EXIT_LICENSE_NOT_ENTITLED = 173
+    EXIT_LICENSE_NOT_SET = 174
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101
+    EXIT_TERMINATED_BY_CTL_C = 130
 
     attr_reader :io
 

data/lib/inspec/utils/licensing_config.rb

@@ -0,0 +1,9 @@
+require_relative "../log"
+require "chef-licensing"
+ChefLicensing.configure do |config|
+  config.chef_product_name = "InSpec"
+  config.chef_entitlement_id = "3ff52c37-e41f-4f6c-ad4d-365192205968"
+  config.chef_executable_name = "inspec"
+  config.license_server_url = "https://services.chef.io/licensing"
+  config.logger = Inspec::Log
+end

data/lib/inspec/utils/profile_ast_helpers.rb

@@ -3,7 +3,8 @@ require "rubocop-ast"
 module Inspec
   class Profile
     class AstHelper
-      class CollectorBase < Parser::AST::Processor
+      class CollectorBase
+        include Parser::AST::Processor::Mixin
         include RuboCop::AST::Traversal
 
         attr_reader :memo

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -19,7 +19,7 @@ module Waivers
         row_hash.delete("control_id")
         row_hash.delete_if { |k, v| k.nil? || v.nil? }
 
-        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
       end
 
       waiver_data_hash

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -25,7 +25,7 @@ module Waivers
           row_hash.delete_if { |k, v| k.nil? || v.nil? }
         end
 
-        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
       end
       waiver_data_hash
     rescue Exception => e

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.50".freeze
+  VERSION = "6.6.0".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -15,49 +15,90 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        file_extension = File.extname(file_path)
-        data = nil
-        if [".yaml", ".yml"].include? file_extension
-          data = Secrets::YAML.resolve(file_path)
-          unless data.nil?
-            data = data.inputs
-            validate_json_yaml(data)
-          end
-        elsif file_extension == ".csv"
-          data = Waivers::CSVFileReader.resolve(file_path)
-          headers = Waivers::CSVFileReader.headers
-          validate_headers(headers)
-        elsif file_extension == ".json"
-          data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data) unless data.nil?
-        end
+        data = read_from_file(file_path)
         output.merge!(data) if !data.nil? && data.is_a?(Hash)
 
         if data.nil?
           raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file '#{file_path}'. " \
+              "Cannot find parser for waivers file." \
               "Check to make sure file has the appropriate extension."
         end
+      rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
+        Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
+        Inspec::UI.new.exit(:usage_error)
       end
 
       @waivers_data[profile_id] = output
     end
 
-    def self.validate_headers(headers, json_yaml = false)
-      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
-      all_fields = %w{control_id justification expiration_date run}
+    def self.read_from_file(file_path)
+      data = nil
+      file_extension = File.extname(file_path)
+      if [".yaml", ".yml"].include? file_extension
+        data = Secrets::YAML.resolve(file_path)
+        data = data.inputs unless data.nil?
+        validate_json_yaml(data)
+      elsif file_extension == ".csv"
+        data = Waivers::CSVFileReader.resolve(file_path)
+        headers = Waivers::CSVFileReader.headers
+        validate_csv_headers(headers)
+      elsif file_extension == ".json"
+        data = Waivers::JSONFileReader.resolve(file_path)
+        validate_json_yaml(data) unless data.nil?
+      end
+      data
+    end
+
+    def self.all_fields
+      %w{control_id justification expiration_date run}
+    end
+
+    def self.validate_csv_headers(headers)
+      invalid_headers_info = fetch_invalid_headers_info(headers)
+      # Warn if blank column found in csv file
+      Inspec::Log.warn "Invalid column headers: Column can't be nil" if invalid_headers_info[:blank_column]
+      # Warn if extra header found in csv file
+      Inspec::Log.warn "Extra header/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+      unless invalid_headers_info[:missing_required_fields].empty?
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+        "Missing required header/s #{invalid_headers_info[:missing_required_fields]}. Fix headers in file to proceed."
+      end
+    end
 
-      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
-      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
-      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+    def self.fetch_invalid_headers_info(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      data = {}
+      data[:missing_required_fields] = []
+      # Finds missing required fields
+      unless (required_fields - headers).empty?
+        data[:missing_required_fields] = required_fields - headers
+      end
+      # If column with no header found set the blank_column flag. Only applicable for csv
+      data[:blank_column] = headers.include?(nil) ? true : false
+      # Find extra headers/parameters
+      data[:extra_headers] = (headers - all_fields)
+      data
     end
 
     def self.validate_json_yaml(data)
-      headers = []
-      data.each_value do |value|
-        headers.push value.keys
+      missing_required_field = false
+      data.each do |key, value|
+        # In case of yaml or json we need to validate headers/parametes for each value
+        invalid_headers_info = fetch_invalid_headers_info(value.keys, true)
+        # WARN in case of extra parameters found in each waived control
+        Inspec::Log.warn "Control ID #{key}: extra parameter/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+        unless invalid_headers_info[:missing_required_fields].empty?
+          missing_required_field = true
+          # Log error for each waived control
+          Inspec::Log.error "Control ID #{key}: missing required parameter/s #{invalid_headers_info[:missing_required_fields]}"
+        end
+      end
+
+      # Raise error if any of the waived control has missing required filed
+      if missing_required_field
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+             "Missing required parameter [justification]. Fix parameters in file to proceed."
       end
-      validate_headers(headers.flatten.uniq, true)
     end
   end
 end

data/lib/inspec.rb

@@ -4,6 +4,7 @@ libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
 require "inspec/version"
+require "inspec/utils/licensing_config"
 require "inspec/exceptions"
 require "inspec/utils/deprecation"
 require "inspec/profile"
@@ -30,4 +31,4 @@ require "inspec/source_reader"
 require "inspec/resource"
 
 require "inspec/dependency_loader"
-require "inspec/dependency_installer"
+require "inspec/dependency_installer"

data/lib/matchers/matchers.rb

@@ -299,9 +299,9 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
     end
   end
 
-  def format_actual(actual, negate = false)
+  def format_actual(actual)
     actual = "0%o" % actual if octal?(@expected) && !actual.nil?
-    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(negate), actual]
+    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
   end
 
   def format_expectation(negate)
@@ -316,7 +316,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   failure_message_when_negated do |actual|
-    format_actual actual, true
+    format_actual actual
   end
 
   description do