inspec-core 5.22.65 → 5.22.80

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a7f8456410caebef0bb3dfdad7df4d9aac0e72d33effef12d1581c919be2e54
-  data.tar.gz: ca21ae25ee3c9d43e1820d45663b6232e0be0dd3c336305acf15628c1cc68c37
+  metadata.gz: 6b46f57de93a21fa00ddeb70944cc1bb3cf846c73d1b33c5460496472773b0fa
+  data.tar.gz: a1f020b14dc5f06c81f98d7fabaa593b5a0696b5cd4370625382b627c216493e
 SHA512:
-  metadata.gz: 0f822677d07b5c1d2c8b70f23ad6cf94f303686200cc9b68683fc54af2d0e362ae257278bdcb510febeefff2e1f163aadc42a019dbe39089444665d80c29da28
-  data.tar.gz: 6800aef92c54e66bc4fcf2fe604326c8caaae4514bbf2a11aa913d3a2f18a9f8d6775427d81fdc1bf1c59f25a588f36b94c59af4ab69f155634b47eaf3944015
+  metadata.gz: f72371f72e1195698128502801aefea2e698bd2c705c00b849547c2f8b18881bb05964de87715cbea5301ee6284db60fba6a9f080915d3f672686174c0ec1e59
+  data.tar.gz: 56a96407e6c3dd29f7d33c0ee128cf419aac43e01c48c6c220c3041cf20aeee4478d9be1ec280f2732391ca9d7eef5db19371e69d6105036e13fbbca5a6c3e53

data/Gemfile

@@ -12,7 +12,7 @@ gem "inspec-bin", path: "./inspec-bin"
 # ffi version v1.17.0 is breaking verify pipeline as it requires
 # rubygems version to be upgraded to >= 3.3.22 Ref:https://buildkite.com/chef/inspec-inspec-main-verify-private/builds/812#018fe177-2ccb-45ed-a25e-213c8a6453df/698-707
 
-gem "ffi", ">= 1.15.5", "< 1.18.0"
+gem "ffi", ">= 1.15.5", "< 1.17.0"
 
 # We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
 # See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22
@@ -37,8 +37,10 @@ group :test do
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
   gem "mocha"
-  gem "nokogiri"
-  gem "pry-byebug"
+  # Pinning this version as it breaking for ruby 3.1.0
+  gem "nokogiri", "< 1.17.2"
+  # Pinning this version as it breaking for ruby 3.0.0
+  gem "pry-byebug", "< 3.11.0"
   gem "pry"
   gem "rake"
   gem "simplecov"
@@ -61,6 +63,11 @@ end
 # Remove this pin when upgrading to Ruby 3.2 or higher.
 gem "zeitwerk", "~> 2.6.0", "< 2.7"
 
+# Pinning dry-core,dry-core,dry-types to < 1.1.0 as it is breaking the build because 1.1.0 is incompatible with the current version, ruby 3.0.x on CI
+gem "dry-types", "<= 1.7.2" if RUBY_VERSION < "3.1.0"
+gem "dry-core", "> 1.0.0", "< 1.1.0" if RUBY_VERSION < "3.1.0"
+gem "dry-inflector", "<= 1.1.0" if RUBY_VERSION < "3.1.0"
+
 # Pinning securerandom to < 0.4.0 as it is breaking the build because 0.4.0 is incompatible with the current version, ruby 3.0.x on CI
 # Remove this pin when upgrading to Ruby 3.1 or higher on CI.
 gem "securerandom", "< 0.4.0" if RUBY_VERSION < "3.1.0"

data/inspec-core.gemspec

@@ -36,7 +36,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "rspec-its",                "~> 1.2"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
-  spec.add_dependency "mixlib-log",               "~> 3.0"
+  spec.add_dependency "mixlib-log",               "~> 3.0", "< 3.2"
   spec.add_dependency "sslshake",                 "~> 1.2"
   spec.add_dependency "parallel",                 "~> 1.9"
   spec.add_dependency "faraday",                  ">= 1", "< 3"
@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", "~> 3.10"
+  spec.add_dependency "train-core", "~> 3.12.13"
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,6 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
   end
 end

data/lib/inspec/profile.rb

@@ -575,7 +575,7 @@ module Inspec
                                                                               include_tests: include_tests)
 
         # Collect all metadata defined in the control block and inputs defined inside the control block
-        src.ast.each_node { |n|
+        src.ast&.each_node { |n|
           ctl_id_collector.process(n)
           input_collector.process(n)
         }
@@ -637,7 +637,7 @@ module Inspec
       }
       source_location_ref = @source_reader.target.abs_path(control_filename)
       Inspec::Profile::AstHelper::TitleCollector.new(group_data)
-        .process(src.ast.child_nodes.first) # Picking the title defined for the whole controls file
+        .process(src.ast&.child_nodes&.first) # Picking the title defined for the whole controls file
       group_controls = @info_from_parse[:controls].select { |control| control[:source_location][:ref] == source_location_ref }
       group_data[:controls] = group_controls.map { |control| control[:id] }
 

data/lib/inspec/resources/audit_policy.rb

@@ -39,11 +39,17 @@ module Inspec::Resources
       # expected result:
       # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
       # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
+      auditpol_cmd = "Auditpol /get /subcategory:'#{key}' /r"
+      result ||= inspec.command(auditpol_cmd)
+
+      unless result.exit_status == 0
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{auditpol_cmd} command: #{error}"
+      end
 
       # find line
       target = nil
-      result.each_line do |s|
+      result.stdout.each_line do |s|
         target = s.strip if s =~ /\b.*#{key}.*\b/
       end
 

data/lib/inspec/resources/groups.rb

@@ -200,8 +200,60 @@ module Inspec::Resources
   # implements generic unix groups via /etc/group
   class UnixGroup < GroupInfo
     def groups
+      get_group_info
+    end
+
+    private
+
+    def get_group_info
+      # First, try to fetch group info using getent
+      group_info = fetch_group_info_using_getent
+
+      return group_info unless group_info.empty?
+
+      # If getent fails, fallback to reading group info from /etc/group using inspec.etc_group.entries
+      Inspec::Log.debug("Falling back to reading group info from /etc/group as getent is unavailable or failed.")
       inspec.etc_group.entries
     end
+
+    # Fetches group information using the getent utility
+    def fetch_group_info_using_getent
+      # Find getent utility on the system
+      bin = find_getent_utility
+
+      # If getent is available, fetch group info
+      return [] unless bin
+
+      cmd = inspec.command("#{bin} group")
+      return parse_group_info(cmd) if cmd.exit_status.to_i == 0
+
+      # If getent fails, log the error and return an empty array
+      Inspec::Log.debug("Failed to execute #{bin} group: #{cmd.stderr}.")
+      []
+    end
+
+    # Parses group info from the command output
+    def parse_group_info(cmd)
+      cmd.stdout.strip.split("\n").map do |line|
+        name, password, gid, members = line.split(":")
+        {
+          "name" => name,
+          "password" => password,
+          "gid" => gid.to_i,
+          "members" => members,
+        }
+      end
+    end
+
+    # Checks if getent exists on the system
+    def find_getent_utility
+      %w{/usr/bin/getent /bin/getent getent}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+      # Log debug information if getent is not found
+      Inspec::Log.debug("Could not find `getent` on your system.")
+      nil # Return nil if getent is not found
+    end
   end
 
   # OSX uses opendirectory for groups, so `/etc/group` may not be fully accurate

data/lib/inspec/resources/postgres_session.rb

@@ -1,7 +1,7 @@
 # copyright: 2015, Vulcano Security GmbH
 
 require "shellwords" unless defined?(Shellwords)
-
+require "cgi" unless defined?(CGI)
 module Inspec::Resources
   class Lines
     attr_reader :output, :exit_status
@@ -74,6 +74,10 @@ module Inspec::Resources
       Shellwords.escape(query)
     end
 
+    def encoded_password(password)
+      CGI.escape(password)
+    end
+
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
 
@@ -82,14 +86,14 @@ module Inspec::Resources
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
         option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
+        "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?
           warn "Socket based connection not supported in windows, connecting using host" if @socket_path
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
         else
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
         end
       end
     end

data/lib/inspec/secrets/yaml.rb

@@ -24,12 +24,18 @@ module Secrets
         @inputs = ::YAML.load_file(target)
       end
 
-      if @inputs == false || !@inputs.is_a?(Hash)
-        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+      # In case of empty yaml file raise the warning else raise the parsing error.
+      if !@inputs || @inputs.empty?
+        Inspec::Log.warn("Unable to parse #{target}: YAML file is empty.")
         @inputs = nil
+      elsif !@inputs.is_a?(Hash)
+        # Exits with usage error.
+        Inspec::Log.error("Unable to parse #{target}: invalid YAML or contents is not a Hash")
+        Inspec::UI.new.exit(:usage_error)
       end
     rescue => e
-      raise "Error reading InSpec inputs: #{e}"
+      # Any other error related to Yaml parsing will be raised here.
+      raise "Error reading YAML file #{target}: #{e}"
     end
   end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.65".freeze
+  VERSION = "5.22.80".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -5,6 +5,8 @@ require "inspec/utils/waivers/json_file_reader"
 module Inspec
   class WaiverFileReader
 
+    SUPPORTED_FILE_EXTENSION = %w{.yaml .yml .csv .json}.freeze
+
     def self.fetch_waivers_by_profile(profile_id, files)
       read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
       @waivers_data[profile_id]
@@ -15,49 +17,105 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        file_extension = File.extname(file_path)
-        data = nil
-        if [".yaml", ".yml"].include? file_extension
-          data = Secrets::YAML.resolve(file_path)
-          unless data.nil?
-            data = data.inputs
-            validate_json_yaml(data)
-          end
-        elsif file_extension == ".csv"
-          data = Waivers::CSVFileReader.resolve(file_path)
-          headers = Waivers::CSVFileReader.headers
-          validate_headers(headers)
-        elsif file_extension == ".json"
-          data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data) unless data.nil?
-        end
-        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+        next unless valid_waiver_file?(file_path)
 
-        if data.nil?
-          raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file '#{file_path}'. " \
-              "Check to make sure file has the appropriate extension."
-        end
+        data = parse_waiver_file(file_path)
+        output.merge!(data) if data.is_a?(Hash)
+      rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
+        Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
+        Inspec::UI.new.exit(:usage_error)
       end
 
       @waivers_data[profile_id] = output
     end
 
-    def self.validate_headers(headers, json_yaml = false)
-      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
-      all_fields = %w{control_id justification expiration_date run}
+    def self.valid_waiver_file?(file_path)
+      # Check if the file is readable
+      file_extension = File.extname(file_path).downcase
+      unless SUPPORTED_FILE_EXTENSION.include?(file_extension)
+        raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Unsupported file extension for '#{file_path}'. Allowed waiver file extensions: #{SUPPORTED_FILE_EXTENSION.join(", ")}"
+      end
+
+      # Check if the file is empty
+      if File.zero?(file_path)
+        Inspec::Log.warn "Waivers file '#{file_path}' is empty. Skipping waivers."
+        return false
+      end
 
-      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
-      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
-      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+      true
+    end
+
+    def self.parse_waiver_file(file_path)
+      file_extension = File.extname(file_path).downcase
+
+      case file_extension
+      when ".yaml", ".yml"
+        data = Secrets::YAML.resolve(file_path)&.inputs
+        validate_json_yaml(data)
+      when ".csv"
+        data = Waivers::CSVFileReader.resolve(file_path)
+        validate_csv_headers(Waivers::CSVFileReader.headers)
+      when ".json"
+        data = Waivers::JSONFileReader.resolve(file_path)
+        validate_json_yaml(data)
+      end
+
+      data
+    end
+
+    def self.all_fields
+      %w{control_id justification expiration_date run}
+    end
+
+    def self.validate_csv_headers(headers)
+      invalid_headers_info = fetch_invalid_headers_info(headers)
+      # Warn if blank column found in csv file
+      Inspec::Log.warn "Invalid column headers: Column can't be nil" if invalid_headers_info[:blank_column]
+      # Warn if extra header found in csv file
+      Inspec::Log.warn "Extra header/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+      unless invalid_headers_info[:missing_required_fields].empty?
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+        "Missing required header/s #{invalid_headers_info[:missing_required_fields]}. Fix headers in file to proceed."
+      end
+    end
+
+    def self.fetch_invalid_headers_info(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      data = {}
+      data[:missing_required_fields] = []
+      # Finds missing required fields
+      unless (required_fields - headers).empty?
+        data[:missing_required_fields] = required_fields - headers
+      end
+      # If column with no header found set the blank_column flag. Only applicable for csv
+      data[:blank_column] = headers.include?(nil) ? true : false
+      # Find extra headers/parameters
+      data[:extra_headers] = (headers - all_fields)
+      data
     end
 
     def self.validate_json_yaml(data)
-      headers = []
-      data.each_value do |value|
-        headers.push value.keys
+      return if data.nil?
+
+      missing_required_field = false
+      data.each do |key, value|
+        # In case of yaml or json we need to validate headers/parametes for each value
+        invalid_headers_info = fetch_invalid_headers_info(value.keys, true)
+        # WARN in case of extra parameters found in each waived control
+        Inspec::Log.warn "Control ID #{key}: extra parameter/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+        unless invalid_headers_info[:missing_required_fields].empty?
+          missing_required_field = true
+          # Log error for each waived control
+          Inspec::Log.error "Control ID #{key}: missing required parameter/s #{invalid_headers_info[:missing_required_fields]}"
+        end
+      end
+
+      # Raise error if any of the waived control has missing required filed
+      if missing_required_field
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+             "Missing required parameter [justification]. Fix parameters in file to proceed."
       end
-      validate_headers(headers.flatten.uniq, true)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.22.65
+  version: 5.22.80
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-12-12 00:00:00.000000000 Z
+date: 2025-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -185,6 +185,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -192,6 +195,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: sslshake
   requirement: !ruby/object:Gem::Requirement
@@ -384,14 +390,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate
@@ -868,7 +874,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.27
 signing_key: 
 specification_version: 4
 summary: Infrastructure and compliance testing. Core library.