inspec-core 5.22.50 → 6.8.1

data/lib/inspec/resources/nftables.rb

@@ -135,7 +135,20 @@ module Inspec::Resources
       cmd = inspec.command(nftables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+      # https://github.com/inspec/inspec/security/code-scanning/10
+      # Update @nftables_cache with sanitized command output
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n")
+        .reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ } # Reject lines that match certain patterns
+        .map { |line| line.gsub("elements = {", "").gsub("}", "").split(",") } # Use gsub to replace all occurrences of specified strings
+        .flatten # Flatten the array of arrays into a single array
+        .map(&:strip) # Remove leading and trailing whitespace from each element
+        .map { |element| sanitize_input(element) } # Sanitize each element to prevent injection attacks
+    end
+
+    # Method to sanitize input
+    def sanitize_input(input)
+      # Replace potentially dangerous characters with their escaped counterparts
+      input.gsub(/([\\'";])/, '\\\\\1')
     end
 
     def retrieve_chain_rules

data/lib/inspec/resources/oracledb_session.rb

@@ -96,8 +96,7 @@ module Inspec::Resources
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
       else
-        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
-        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        escaped_query = escape_query(query)
         verified_query = verify_query(escaped_query)
       end
 
@@ -134,11 +133,21 @@ module Inspec::Resources
       query
     end
 
+    def escape_query(query)
+      # https://github.com/inspec/inspec/security/code-scanning/7
+      # https://github.com/inspec/inspec/security/code-scanning/8
+      escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
+      escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
+      escaped_query
+    end
+
     def parse_csv_result(stdout)
       output = stdout.split("oracle_query_string")[-1]
       # comma_query_sub replaces the csv delimiter "," in the output.
       # Handles CSV parsing of data like this (DROP,3) etc
-      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
+      # Replace all occurrences of the target pattern using gsub instead of sub
+      # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
+      output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
         next if row.entries.flatten.empty?

data/lib/inspec/resources/ssh_config.rb

@@ -38,16 +38,13 @@ module Inspec::Resources
 
     def convert_hash(hash)
       new_hash = {}
-      hash.each do |k, v|
-        new_hash[k.downcase] ||= v
-      end
+      hash.each { |k, v| new_hash[k.downcase] ||= v }
       new_hash
     end
 
     def method_missing(name)
       param = read_params[name.to_s.downcase]
       return nil if param.nil?
-      # extract first value if we have only one value in array
       return param[0] if param.length == 1
 
       param
@@ -73,11 +70,12 @@ module Inspec::Resources
       return @params if defined?(@params)
       return @params = {} if read_content.nil?
 
-      conf = SimpleConfig.new(
-        read_content,
-        assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
-        multiple_values: true
-      )
+      conf =
+        SimpleConfig.new(
+          read_content,
+          assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
+          multiple_values: true
+        )
       @params = convert_hash(conf.params)
     end
 
@@ -121,4 +119,97 @@ module Inspec::Resources
       "/etc/ssh/#{type}"
     end
   end
+
+  class SshdActiveConfig < SshdConfig
+    name "sshd_active_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the sshd_active_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
+    example <<~EXAMPLE
+      describe sshd_active_config do
+        its('Protocol') { should eq '2' }
+      end
+    EXAMPLE
+
+    attr_reader :active_path
+
+    def initialize
+      @active_path = dynamic_sshd_config_path
+      super(@active_path)
+    end
+
+    def to_s
+      "SSHD Active Configuration (active path: #{@conf_path})"
+    end
+
+    private
+
+    def ssh_config_file(type)
+      if inspec.os.windows?
+        programdata = inspec.os_env("programdata").content
+        return "#{programdata}\\ssh\\#{type}"
+      end
+
+      "/etc/ssh/#{type}"
+    end
+
+    def dynamic_sshd_config_path
+      if inspec.os.windows?
+        script = <<-EOH
+          $sshdPath = (Get-Command sshd.exe).Source
+          if ($sshdPath -ne $null) {
+            Write-Output $sshdPath
+          } else {
+            Write-Error "sshd.exe not found"
+          }
+        EOH
+        sshd_path_result = inspec.powershell(script).stdout.strip
+        sshd_path = "\"#{sshd_path_result}\""
+        if !sshd_path_result.empty? && sshd_path_result != "sshd.exe not found"
+          command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+          dynamic_path =
+            command_output
+              .lines
+              .find { |line| line.include?("filename") }
+              &.split("filename")
+              &.last
+              &.strip
+          env_var_name = dynamic_path.match(/__(.*?)__/)[1]
+          if env_var_name?
+            dynamic_path =
+              dynamic_path.gsub(
+                /__#{env_var_name}__/,
+                inspec.os_env(env_var_name).content
+              )
+          end
+        else
+          Inspec::Log.error("sshd.exe not found using PowerShell script block.")
+          return nil
+        end
+      elsif inspec.os.unix?
+        sshd_path = "/usr/sbin/sshd"
+        command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+        dynamic_path =
+          command_output
+            .lines
+            .find { |line| line.include?("filename") }
+            &.split("filename")
+            &.last
+            &.strip
+      else
+        Inspec::Log.error(
+          "Unable to determine sshd configuration path on Windows using -T flag."
+        )
+        return nil
+      end
+
+      if dynamic_path.nil? || dynamic_path.empty?
+        Inspec::Log.warn(
+          "No active SSHD configuration found. Using default configuration."
+        )
+        return ssh_config_file("sshd_config")
+      end
+      dynamic_path
+    end
+  end
 end

data/lib/inspec/resources/ssh_key.rb

@@ -0,0 +1,124 @@
+require "inspec/utils/file_reader"
+require "net/ssh" unless defined?(Net::SSH)
+
+# Change module if required
+module Inspec::Resources
+  class SshKey < FileResource
+    # Every resource requires an internal name.
+    name "ssh_key"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "public/private SSH key pair test"
+
+    example <<~EXAMPLE
+      describe ssh_key('path: ~/.ssh/id_rsa') do
+        its('key_length') { should eq 4096 }
+        its('type') { should cmp /rsa/ }
+        it { should be_private }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(keypath, passphrase = nil)
+      skip_resource "The `ssh_key` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      @key_path = set_ssh_key_path(keypath)
+      @passphrase = passphrase
+      @key = read_ssh_key
+      super(@key_path)
+    end
+
+    def public?
+      return if @key.nil?
+
+      @key[:public]
+    end
+
+    def private?
+      return if @key.nil?
+
+      @key[:private]
+    end
+
+    def key_length
+      return if @key.nil?
+
+      @key[:key_length]
+    end
+
+    def type
+      return if @key.nil?
+
+      @key[:type]
+    end
+
+    # Define a resource ID. This is used in reporting engines to uniquely identify the individual resource.
+    # This might be a file path, or a process ID, or a cloud instance ID. Only meaningful to the implementation.
+    # Must be a string. Defaults to the empty string if not implemented.
+    def resource_id
+      @key_path || "SSH key"
+    end
+
+    def to_s
+      "ssh_key #{@key_path}"
+    end
+
+    private
+
+    def set_ssh_key_path(keypath)
+      if File.exist?(keypath)
+        @key_path = keypath
+      elsif File.exist?(File.join("#{Dir.home}/.ssh/", keypath))
+        @key_path = File.join("#{Dir.home}/.ssh/", keypath)
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "Can't find file: #{keypath}"
+      end
+    end
+
+    def read_ssh_key
+      key_data = {}
+      key = nil
+      filecontent = read_file_content((@key_path), @passphrase)
+      raise Inspec::Exceptions::ResourceSkipped, "File is empty: #{@key_path}" if filecontent.split("\n").empty?
+
+      if filecontent.split("\n")[0].include?("PRIVATE")
+        # Net::SSH::KeyFactory does not have support to load private key for DSA
+        key = Net::SSH::KeyFactory.load_private_key(@key_path, @passphrase, false)
+        unless key.nil?
+          key_data[:private] = true
+          key_data[:public] = false
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      else
+        key = Net::SSH::KeyFactory.load_public_key(@key_path)
+        unless key.nil?
+          key_data[:private] = false
+          key_data[:public] = true
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      end
+
+      key_data
+    rescue OpenSSL::PKey::PKeyError => e
+      raise Inspec::Exceptions::ResourceFailed, "#{e.message}"
+    end
+
+    def key_lengh(key)
+      if key.class.to_s == "OpenSSL::PKey::RSA"
+        key.public_key.n.num_bits
+      else
+        # Unable to get the key lenght data for other types of keys
+        # TODO: Need to check if there is any method that will get this info.
+        nil
+      end
+    end
+  end
+end

data/lib/inspec/resources/sshd_active_config.rb

@@ -0,0 +1,2 @@
+# This is just here to make the dynamic loader happy.
+require "inspec/resources/ssh_config"

data/lib/inspec/resources/sybase_session.rb

@@ -44,10 +44,19 @@ module Inspec::Resources
       # try to get a temp path
       sql_file_path = upload_sql_file(sql)
 
+      # TODO: Find if there is better way to get the current shell
+      current_shell = inspec.command("echo $SHELL")
+
+      res = current_shell.exit_status
+
       # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
-      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
-      isql_cmd = inspec.command(command)
+      if res == 0 && ( current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh") )
+        command = "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      else
+        command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      end
 
+      isql_cmd = inspec.command(command)
       # Check for isql errors
       res = isql_cmd.exit_status
       raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0

data/lib/inspec/resources.rb

@@ -110,6 +110,7 @@ require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"
+require "inspec/resources/ssh_key"
 require "inspec/resources/ssl"
 require "inspec/resources/sys_info"
 require "inspec/resources/toml"

data/lib/inspec/rule.rb

@@ -379,12 +379,7 @@ module Inspec
       control_id = @__rule_id # TODO: control ID slugging
 
       waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
-      unless waiver_files.nil? || waiver_files.empty?
-        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
-        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
-
-        @__waiver_data = waiver_data_by_profile[control_id]
-      else
+      if waiver_files.nil? || waiver_files.empty?
         # Support for input registry is provided for backward compatibilty with compliance phase of chef-client
         # Chef-client sends waiver information in inputs hash
         input_registry = Inspec::InputRegistry.instance
@@ -392,6 +387,11 @@ module Inspec
         return unless waiver_data_via_input && waiver_data_via_input.has_value? && waiver_data_via_input.value.is_a?(Hash)
 
         @__waiver_data = waiver_data_via_input.value
+      else
+        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
+        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
+
+        @__waiver_data = waiver_data_by_profile[control_id]
       end
 
       __waiver_data["skipped_due_to_waiver"] = false

data/lib/inspec/run_data.rb

@@ -27,11 +27,13 @@ module Inspec
   ) do
     include HashLikeStruct
     def initialize(raw_run_data)
-      self.controls   = raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
-      self.profiles   = raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
-      self.statistics = Inspec::RunData::Statistics.new(raw_run_data[:statistics])
-      self.platform   = Inspec::RunData::Platform.new(raw_run_data[:platform])
-      self.version    = raw_run_data[:version]
+      @raw_run_data = raw_run_data
+
+      self.controls   = @raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
+      self.profiles   = @raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
+      self.statistics = Inspec::RunData::Statistics.new(@raw_run_data[:statistics])
+      self.platform   = Inspec::RunData::Platform.new(@raw_run_data[:platform])
+      self.version    = @raw_run_data[:version]
     end
   end
 

data/lib/inspec/runner.rb

@@ -11,6 +11,8 @@ require "inspec/dependencies/cache"
 require "inspec/dist"
 require "inspec/reporters"
 require "inspec/runner_rspec"
+require "chef-licensing"
+require "inspec/utils/telemetry"
 # spec requirements
 
 module Inspec
@@ -60,11 +62,13 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        @conf[:waiver_file].each do |file|
-          unless File.file?(file)
-            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+        Inspec.with_feature("inspec-waivers") {
+          @conf[:waiver_file].each do |file|
+            unless File.file?(file)
+              raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+            end
           end
-        end
+        }
       end
 
       # About reading inputs:
@@ -86,7 +90,12 @@ module Inspec
     end
 
     def configure_transport
-      @backend = Inspec::Backend.create(@conf)
+      backend = Inspec::Backend.create(@conf)
+      set_backend(backend)
+    end
+
+    def set_backend(new_backend)
+      @backend = new_backend
       @test_collector.backend = @backend
     end
 
@@ -159,16 +168,43 @@ module Inspec
     end
 
     def run(with = nil)
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
+
+      # Validate if profiles are signed and verified
+      # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
+      # Only runs this block when preview flag CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING is set
+      Inspec.with_feature("inspec-mandatory-profile-signing") {
+        unless @conf.allow_unsigned_profiles?
+          verify_target_profiles_if_signed(@target_profiles)
+        end
+      }
+
       Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
+      Inspec::Telemetry.run_starting(runner: self, conf: @conf)
       load
       run_tests(with)
+    rescue ChefLicensing::SoftwareNotEntitled
+      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::UI.new.exit(:license_not_entitled)
+    rescue ChefLicensing::Error => e
+      Inspec::Log.error e.message
+      Inspec::UI.new.exit(:usage_error)
+    end
+
+    def verify_target_profiles_if_signed(target_profiles)
+      unsigned_profiles = []
+      target_profiles.each do |profile|
+        unsigned_profiles << profile.name unless profile.verify_if_signed
+      end
+      raise Inspec::ProfileSignatureRequired, "Signature required for profile/s: #{unsigned_profiles.join(", ")}. Please provide a signed profile. Or set CHEF_ALLOW_UNSIGNED_PROFILES in the environment. Or use `--allow-unsigned-profiles` flag with InSpec CLI. " unless unsigned_profiles.empty?
     end
 
     def render_output(run_data)
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
+        enhanced_outcome_flag = @conf["enhanced_outcomes"]
+        result = Inspec::Reporters.render(reporter, run_data, enhanced_outcome_flag)
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end
@@ -193,6 +229,7 @@ module Inspec
       @run_data = @test_collector.run(with)
       # dont output anything if we want a report
       render_output(@run_data) unless @conf["report"]
+      Inspec::Telemetry.run_ending(runner: self, run_data: @run_data, conf: @conf)
       @test_collector.exit_code
     end
 

data/lib/inspec/runner_rspec.rb

@@ -177,16 +177,18 @@ module Inspec
         next unless streaming_reporters.include? streaming_reporter_name
 
         # Activate the plugin so the formatter ID gets registered with RSpec, presumably
-        activator = reg.find_activator(plugin_type: :streaming_reporter, activator_name: streaming_reporter_name.to_sym)
-        activator.activate!
 
-        # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
-        if file_target&.[]("file").nil?
-          RSpec.configuration.add_formatter(activator.implementation_class)
-        else
-          RSpec.configuration.add_formatter(activator.implementation_class, file_target["file"])
-        end
-        @conf["reporter"].delete(streaming_reporter_name)
+        Inspec.with_feature("inspec-reporter-#{streaming_reporter_name}") {
+          activator = reg.find_activator(plugin_type: :streaming_reporter, activator_name: streaming_reporter_name.to_sym)
+          activator.activate!
+          # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
+          if file_target&.[]("file").nil?
+            RSpec.configuration.add_formatter(activator.implementation_class)
+          else
+            RSpec.configuration.add_formatter(activator.implementation_class, file_target["file"])
+          end
+          @conf["reporter"].delete(streaming_reporter_name)
+        }
       end
     end
 
@@ -196,6 +198,7 @@ module Inspec
     def configure_output
       RSpec.configuration.output_stream = $stdout
       @formatter = RSpec.configuration.add_formatter(Inspec::Formatters::Base)
+
       @formatter.enhanced_outcomes = @conf.final_options["enhanced_outcomes"]
       RSpec.configuration.add_formatter(Inspec::Formatters::ShowProgress, $stderr) if @conf[:show_progress]
       set_optional_formatters

data/lib/inspec/secrets/yaml.rb

@@ -24,12 +24,18 @@ module Secrets
         @inputs = ::YAML.load_file(target)
       end
 
-      if @inputs == false || !@inputs.is_a?(Hash)
-        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+      # In case of empty yaml file raise the warning else raise the parsing error.
+      if !@inputs || @inputs.empty?
+        Inspec::Log.warn("Unable to parse #{target}: YAML file is empty.")
         @inputs = nil
+      elsif !@inputs.is_a?(Hash)
+        # Exits with usage error.
+        Inspec::Log.error("Unable to parse #{target}: invalid YAML or contents is not a Hash")
+        Inspec::UI.new.exit(:usage_error)
       end
     rescue => e
-      raise "Error reading InSpec inputs: #{e}"
+      # Any other error related to Yaml parsing will be raised here.
+      raise "Error reading YAML file #{target}: #{e}"
     end
   end
 end

data/lib/inspec/shell.rb

@@ -1,3 +1,6 @@
+require "chef-licensing"
+require "inspec/dist"
+
 autoload :Pry, "pry"
 
 module Inspec
@@ -10,6 +13,7 @@ module Inspec
     end
 
     def start
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
       # This will hold a single evaluation binding context as opened within
       # the instance_eval context of the anonymous class that the profile
       # context creates to evaluate each individual test file. We want to
@@ -18,6 +22,12 @@ module Inspec
       @ctx_binding = @runner.eval_with_virtual_profile("binding")
       configure_pry
       @ctx_binding.pry
+    rescue ChefLicensing::SoftwareNotEntitled
+      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::UI.new.exit(:license_not_entitled)
+    rescue ChefLicensing::Error => e
+      Inspec::Log.error e.message
+      Inspec::UI.new.exit(:usage_error)
     end
 
     def configure_pry # rubocop:disable Metrics/AbcSize

data/lib/inspec/ui.rb

@@ -32,9 +32,13 @@ module Inspec
     EXIT_FATAL_DEPRECATION = 3
     EXIT_GEM_DEPENDENCY_LOAD_ERROR = 4
     EXIT_BAD_SIGNATURE = 5
+    EXIT_SIGNATURE_REQUIRED = 6
     EXIT_LICENSE_NOT_ACCEPTED = 172
+    EXIT_LICENSE_NOT_ENTITLED = 173
+    EXIT_LICENSE_NOT_SET = 174
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101
+    EXIT_TERMINATED_BY_CTL_C = 130
 
     attr_reader :io
 

data/lib/inspec/utils/licensing_config.rb

@@ -0,0 +1,9 @@
+require_relative "../log"
+require "chef-licensing"
+ChefLicensing.configure do |config|
+  config.chef_product_name = "InSpec"
+  config.chef_entitlement_id = "3ff52c37-e41f-4f6c-ad4d-365192205968"
+  config.chef_executable_name = "inspec"
+  config.license_server_url = "https://services.chef.io/licensing"
+  config.logger = Inspec::Log
+end