inspec-core 5.22.72 → 5.22.80

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1561e49537c4bd8b615a78d099d922a0915c71429fcdfb4ca6197105712ca3aa
-  data.tar.gz: d756477c4172ff54a6a69f6905c0f0034b484f9ca38b45fda8a7d6efa7c5f748
+  metadata.gz: 6b46f57de93a21fa00ddeb70944cc1bb3cf846c73d1b33c5460496472773b0fa
+  data.tar.gz: a1f020b14dc5f06c81f98d7fabaa593b5a0696b5cd4370625382b627c216493e
 SHA512:
-  metadata.gz: 93849cdca52ac4bc4bec15aebd4933e623229f4c10378fb2d85316c6496d45cc9ebe7ed2e1c1aa4f1a296779237cb06b204f5d61af8f7d1a7b2642c9a9e4720a
-  data.tar.gz: 54988d5e27e76412c03eca453f7887414a536ee16607fbf2c1ecd7e502136f555700bba9c88e59967ab6857fa198c4138b517090183f31b72e88f54a46926669
+  metadata.gz: f72371f72e1195698128502801aefea2e698bd2c705c00b849547c2f8b18881bb05964de87715cbea5301ee6284db60fba6a9f080915d3f672686174c0ec1e59
+  data.tar.gz: 56a96407e6c3dd29f7d33c0ee128cf419aac43e01c48c6c220c3041cf20aeee4478d9be1ec280f2732391ca9d7eef5db19371e69d6105036e13fbbca5a6c3e53

data/Gemfile

@@ -39,7 +39,8 @@ group :test do
   gem "mocha"
   # Pinning this version as it breaking for ruby 3.1.0
   gem "nokogiri", "< 1.17.2"
-  gem "pry-byebug"
+  # Pinning this version as it breaking for ruby 3.0.0
+  gem "pry-byebug", "< 3.11.0"
   gem "pry"
   gem "rake"
   gem "simplecov"

data/inspec-core.gemspec

@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", "~> 3.10"
+  spec.add_dependency "train-core", "~> 3.12.13"
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,6 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
   end
 end

data/lib/inspec/profile.rb

@@ -575,7 +575,7 @@ module Inspec
                                                                               include_tests: include_tests)
 
         # Collect all metadata defined in the control block and inputs defined inside the control block
-        src.ast.each_node { |n|
+        src.ast&.each_node { |n|
           ctl_id_collector.process(n)
           input_collector.process(n)
         }
@@ -637,7 +637,7 @@ module Inspec
       }
       source_location_ref = @source_reader.target.abs_path(control_filename)
       Inspec::Profile::AstHelper::TitleCollector.new(group_data)
-        .process(src.ast.child_nodes.first) # Picking the title defined for the whole controls file
+        .process(src.ast&.child_nodes&.first) # Picking the title defined for the whole controls file
       group_controls = @info_from_parse[:controls].select { |control| control[:source_location][:ref] == source_location_ref }
       group_data[:controls] = group_controls.map { |control| control[:id] }
 

data/lib/inspec/resources/audit_policy.rb

@@ -39,11 +39,17 @@ module Inspec::Resources
       # expected result:
       # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
       # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
+      auditpol_cmd = "Auditpol /get /subcategory:'#{key}' /r"
+      result ||= inspec.command(auditpol_cmd)
+
+      unless result.exit_status == 0
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{auditpol_cmd} command: #{error}"
+      end
 
       # find line
       target = nil
-      result.each_line do |s|
+      result.stdout.each_line do |s|
         target = s.strip if s =~ /\b.*#{key}.*\b/
       end
 

data/lib/inspec/secrets/yaml.rb

@@ -24,12 +24,18 @@ module Secrets
         @inputs = ::YAML.load_file(target)
       end
 
-      if @inputs == false || !@inputs.is_a?(Hash)
-        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+      # In case of empty yaml file raise the warning else raise the parsing error.
+      if !@inputs || @inputs.empty?
+        Inspec::Log.warn("Unable to parse #{target}: YAML file is empty.")
         @inputs = nil
+      elsif !@inputs.is_a?(Hash)
+        # Exits with usage error.
+        Inspec::Log.error("Unable to parse #{target}: invalid YAML or contents is not a Hash")
+        Inspec::UI.new.exit(:usage_error)
       end
     rescue => e
-      raise "Error reading InSpec inputs: #{e}"
+      # Any other error related to Yaml parsing will be raised here.
+      raise "Error reading YAML file #{target}: #{e}"
     end
   end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.72".freeze
+  VERSION = "5.22.80".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -5,6 +5,8 @@ require "inspec/utils/waivers/json_file_reader"
 module Inspec
   class WaiverFileReader
 
+    SUPPORTED_FILE_EXTENSION = %w{.yaml .yml .csv .json}.freeze
+
     def self.fetch_waivers_by_profile(profile_id, files)
       read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
       @waivers_data[profile_id]
@@ -15,49 +17,105 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        file_extension = File.extname(file_path)
-        data = nil
-        if [".yaml", ".yml"].include? file_extension
-          data = Secrets::YAML.resolve(file_path)
-          unless data.nil?
-            data = data.inputs
-            validate_json_yaml(data)
-          end
-        elsif file_extension == ".csv"
-          data = Waivers::CSVFileReader.resolve(file_path)
-          headers = Waivers::CSVFileReader.headers
-          validate_headers(headers)
-        elsif file_extension == ".json"
-          data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data) unless data.nil?
-        end
-        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+        next unless valid_waiver_file?(file_path)
 
-        if data.nil?
-          raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file '#{file_path}'. " \
-              "Check to make sure file has the appropriate extension."
-        end
+        data = parse_waiver_file(file_path)
+        output.merge!(data) if data.is_a?(Hash)
+      rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
+        Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
+        Inspec::UI.new.exit(:usage_error)
       end
 
       @waivers_data[profile_id] = output
     end
 
-    def self.validate_headers(headers, json_yaml = false)
-      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
-      all_fields = %w{control_id justification expiration_date run}
+    def self.valid_waiver_file?(file_path)
+      # Check if the file is readable
+      file_extension = File.extname(file_path).downcase
+      unless SUPPORTED_FILE_EXTENSION.include?(file_extension)
+        raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Unsupported file extension for '#{file_path}'. Allowed waiver file extensions: #{SUPPORTED_FILE_EXTENSION.join(", ")}"
+      end
+
+      # Check if the file is empty
+      if File.zero?(file_path)
+        Inspec::Log.warn "Waivers file '#{file_path}' is empty. Skipping waivers."
+        return false
+      end
 
-      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
-      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
-      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+      true
+    end
+
+    def self.parse_waiver_file(file_path)
+      file_extension = File.extname(file_path).downcase
+
+      case file_extension
+      when ".yaml", ".yml"
+        data = Secrets::YAML.resolve(file_path)&.inputs
+        validate_json_yaml(data)
+      when ".csv"
+        data = Waivers::CSVFileReader.resolve(file_path)
+        validate_csv_headers(Waivers::CSVFileReader.headers)
+      when ".json"
+        data = Waivers::JSONFileReader.resolve(file_path)
+        validate_json_yaml(data)
+      end
+
+      data
+    end
+
+    def self.all_fields
+      %w{control_id justification expiration_date run}
+    end
+
+    def self.validate_csv_headers(headers)
+      invalid_headers_info = fetch_invalid_headers_info(headers)
+      # Warn if blank column found in csv file
+      Inspec::Log.warn "Invalid column headers: Column can't be nil" if invalid_headers_info[:blank_column]
+      # Warn if extra header found in csv file
+      Inspec::Log.warn "Extra header/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+      unless invalid_headers_info[:missing_required_fields].empty?
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+        "Missing required header/s #{invalid_headers_info[:missing_required_fields]}. Fix headers in file to proceed."
+      end
+    end
+
+    def self.fetch_invalid_headers_info(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      data = {}
+      data[:missing_required_fields] = []
+      # Finds missing required fields
+      unless (required_fields - headers).empty?
+        data[:missing_required_fields] = required_fields - headers
+      end
+      # If column with no header found set the blank_column flag. Only applicable for csv
+      data[:blank_column] = headers.include?(nil) ? true : false
+      # Find extra headers/parameters
+      data[:extra_headers] = (headers - all_fields)
+      data
     end
 
     def self.validate_json_yaml(data)
-      headers = []
-      data.each_value do |value|
-        headers.push value.keys
+      return if data.nil?
+
+      missing_required_field = false
+      data.each do |key, value|
+        # In case of yaml or json we need to validate headers/parametes for each value
+        invalid_headers_info = fetch_invalid_headers_info(value.keys, true)
+        # WARN in case of extra parameters found in each waived control
+        Inspec::Log.warn "Control ID #{key}: extra parameter/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+        unless invalid_headers_info[:missing_required_fields].empty?
+          missing_required_field = true
+          # Log error for each waived control
+          Inspec::Log.error "Control ID #{key}: missing required parameter/s #{invalid_headers_info[:missing_required_fields]}"
+        end
+      end
+
+      # Raise error if any of the waived control has missing required filed
+      if missing_required_field
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+             "Missing required parameter [justification]. Fix parameters in file to proceed."
       end
-      validate_headers(headers.flatten.uniq, true)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.22.72
+  version: 5.22.80
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-03-03 00:00:00.000000000 Z
+date: 2025-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -390,14 +390,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate
@@ -874,7 +874,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.27
 signing_key: 
 specification_version: 4
 summary: Infrastructure and compliance testing. Core library.