inspec-core 5.22.72 → 5.22.95

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1561e49537c4bd8b615a78d099d922a0915c71429fcdfb4ca6197105712ca3aa
-  data.tar.gz: d756477c4172ff54a6a69f6905c0f0034b484f9ca38b45fda8a7d6efa7c5f748
+  metadata.gz: a7b225f8fda920cb03f73a84eb1edc2b98339058c824f2323bee26995b37c74b
+  data.tar.gz: 5b6eb547488c20ff9e8170066f0ba38871afeead368f91248254ccf171e33327
 SHA512:
-  metadata.gz: 93849cdca52ac4bc4bec15aebd4933e623229f4c10378fb2d85316c6496d45cc9ebe7ed2e1c1aa4f1a296779237cb06b204f5d61af8f7d1a7b2642c9a9e4720a
-  data.tar.gz: 54988d5e27e76412c03eca453f7887414a536ee16607fbf2c1ecd7e502136f555700bba9c88e59967ab6857fa198c4138b517090183f31b72e88f54a46926669
+  metadata.gz: 01e6f8d6a5749288c3a53d9fc0166d3b8e832437cbb63aa86dc67dfe09160a956c528a9fe06e43f7912b497d8201b99556d68f6b4569ba6ac044910db821fea0
+  data.tar.gz: d6e5f9d3e5b5393d3cc0fbe9754ddba827cb1f12df3911fe1486dfe314b1386d5dca7b32a52509b65f9ad10cc6870ba0d990e63b5bb38456df98a57b82667fc2

data/Gemfile

@@ -39,12 +39,17 @@ group :test do
   gem "mocha"
   # Pinning this version as it breaking for ruby 3.1.0
   gem "nokogiri", "< 1.17.2"
-  gem "pry-byebug"
+  # Pinning this version as it breaking for ruby 3.0.0
+  gem "pry-byebug", "< 3.12.0"
   gem "pry"
   gem "rake"
   gem "simplecov"
   gem "simplecov_json_formatter"
   gem "webmock"
+  gem "signet", "< 0.21.0" # 0.20.0+ requires min ruby 3.1
+  # Pinning to 1.15 as multi_json 1.16 require ruby 3.2 version
+  # Ref: https://buildkite.com/chef-oss/inspec-inspec-inspec-5-verify/builds/647#019808ca-087b-43bc-b1f9-40a36f59c5f4
+  gem "multi_json", "~> 1.15.0"
 end
 
 group :deploy do
@@ -52,12 +57,9 @@ group :deploy do
 end
 
 # Build is failing - see: https://buildkite.com/chef-oss/inspec-inspec-inspec-5-verify/builds/442
-# Error:
-# zeitwerk-2.7.1 requires Ruby >= 3.2, which is incompatible with the current version (Ruby 3.0.7p220)
-
+# Error: zeitwerk-2.7.1 requires Ruby >= 3.2, which is incompatible with the current version (Ruby 3.0.7p220)
 # Dependency chain:
 # zeitwerk → dry-configurable, dry-struct, dry-types → k8s-ruby → train-kubernetes
-
 # Pinning zeitwerk to ~> 2.6 to avoid Ruby >= 3.2 requirement.
 # Remove this pin when upgrading to Ruby 3.2 or higher.
 gem "zeitwerk", "~> 2.6.0", "< 2.7"

data/inspec-core.gemspec

@@ -13,9 +13,8 @@ Gem::Specification.new do |spec|
   spec.license       = "Apache-2.0"
   spec.require_paths = ["lib"]
 
-  # We want to support ruby 3.0 as Chef is using ruby to support AIX and we want to make sure InSpec works with it. (Ref: https://github.com/chef/chef/pull/13207)
-  # TODO: Once we have Chef working fully with ruby 3.1 we can drop ruby 3.0
-  spec.required_ruby_version = ">= 3.0.3"
+  # Chef will provide AIX support with ruby 3.0 in separate builds with older versions of InSpec 5, hence we can drop ruby 3.0 support
+  spec.required_ruby_version = ">= 3.1.0"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
@@ -29,11 +28,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
   # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
   # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
-  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.5.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.12"
-  spec.add_dependency "rspec-its",                "~> 1.2"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 4.0"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.14"
+  spec.add_dependency "rspec-its",                ">= 1.2", "< 3.0"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
   spec.add_dependency "mixlib-log",               "~> 3.0", "< 3.2"
@@ -55,5 +54,5 @@ Gem::Specification.new do |spec|
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", "~> 3.10"
+  spec.add_dependency "train-core", "~> 3.12.13" # Adding tight version constraint for train as it is compatible with Ruby 3.0.x
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,6 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
   end
 end

data/lib/inspec/fetcher/git.rb

@@ -68,11 +68,21 @@ module Inspec::Fetcher
       else
         Dir.mktmpdir do |working_dir|
           checkout(working_dir)
+          if git_only_or_empty?(working_dir)
+            # If the temporary working directory is empty after checkout,
+            # this means the git repository did not contain any files (or the checkout failed).
+            # In this case, remove the destination directory to avoid
+            # leaving an empty or invalid profile directory.
+            if Dir.exist?(destination_path)
+              FileUtils.rm_rf(destination_path)
+            end
+            raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - no files found in the repository."
+          end
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
             Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
-                              "Moving checkout to #{destination_path}")
+                                "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
         end
@@ -80,6 +90,16 @@ module Inspec::Fetcher
       @repo_directory
     end
 
+    def git_only_or_empty?(dir)
+      return false unless Dir.exist?(dir)
+
+      children = Dir.children(dir)
+      # Return true if:
+      # - directory is completely empty
+      # - or it contains only one entry: '.git'
+      children.empty? || (children - [".git"]).empty?
+    end
+
     def perform_relative_path_fetch(destination_path, working_dir)
       Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")

data/lib/inspec/profile.rb

@@ -256,7 +256,14 @@ module Inspec
       # # Pull together waiver
       waived_control_ids = []
       waiver_paths.each do |waiver_path|
-        waiver_content = YAML.load_file(waiver_path)
+        # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+        # It's not a valid option in 3.0.x
+        if Gem.ruby_version >= Gem::Version.new("3.1.0")
+          waiver_content = ::YAML.load_file(waiver_path, permitted_classes: [Date, Time])
+        else
+          waiver_content = YAML.load_file(waiver_path)
+        end
+
         unless waiver_content
           # Note that we will have already issued a detailed warning
           Inspec::Log.error "YAML parsing error in #{waiver_path}"
@@ -575,7 +582,7 @@ module Inspec
                                                                               include_tests: include_tests)
 
         # Collect all metadata defined in the control block and inputs defined inside the control block
-        src.ast.each_node { |n|
+        src.ast&.each_node { |n|
           ctl_id_collector.process(n)
           input_collector.process(n)
         }
@@ -637,7 +644,7 @@ module Inspec
       }
       source_location_ref = @source_reader.target.abs_path(control_filename)
       Inspec::Profile::AstHelper::TitleCollector.new(group_data)
-        .process(src.ast.child_nodes.first) # Picking the title defined for the whole controls file
+        .process(src.ast&.child_nodes&.first) # Picking the title defined for the whole controls file
       group_controls = @info_from_parse[:controls].select { |control| control[:source_location][:ref] == source_location_ref }
       group_data[:controls] = group_controls.map { |control| control[:id] }
 

data/lib/inspec/resources/audit_policy.rb

@@ -39,11 +39,17 @@ module Inspec::Resources
       # expected result:
       # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
       # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
+      auditpol_cmd = "Auditpol /get /subcategory:'#{key}' /r"
+      result ||= inspec.command(auditpol_cmd)
+
+      unless result.exit_status == 0
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{auditpol_cmd} command: #{error}"
+      end
 
       # find line
       target = nil
-      result.each_line do |s|
+      result.stdout.each_line do |s|
         target = s.strip if s =~ /\b.*#{key}.*\b/
       end
 

data/lib/inspec/secrets/yaml.rb

@@ -18,18 +18,20 @@ module Secrets
     def initialize(target)
       # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
       # It's not a valid option in 3.0.x
-      if Gem.ruby_version >= Gem::Version.new("3.1.0")
-        @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
-      else
-        @inputs = ::YAML.load_file(target)
-      end
+      @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
 
-      if @inputs == false || !@inputs.is_a?(Hash)
-        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+      # In case of empty yaml file raise the warning else raise the parsing error.
+      if !@inputs || @inputs.empty?
+        Inspec::Log.warn("Unable to parse #{target}: YAML file is empty.")
         @inputs = nil
+      elsif !@inputs.is_a?(Hash)
+        # Exits with usage error.
+        Inspec::Log.error("Unable to parse #{target}: invalid YAML or contents is not a Hash")
+        Inspec::UI.new.exit(:usage_error)
       end
     rescue => e
-      raise "Error reading InSpec inputs: #{e}"
+      # Any other error related to Yaml parsing will be raised here.
+      raise "Error reading YAML file #{target}: #{e}"
     end
   end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.72".freeze
+  VERSION = "5.22.95".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -5,6 +5,8 @@ require "inspec/utils/waivers/json_file_reader"
 module Inspec
   class WaiverFileReader
 
+    SUPPORTED_FILE_EXTENSION = %w{.yaml .yml .csv .json}.freeze
+
     def self.fetch_waivers_by_profile(profile_id, files)
       read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
       @waivers_data[profile_id]
@@ -15,49 +17,105 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        file_extension = File.extname(file_path)
-        data = nil
-        if [".yaml", ".yml"].include? file_extension
-          data = Secrets::YAML.resolve(file_path)
-          unless data.nil?
-            data = data.inputs
-            validate_json_yaml(data)
-          end
-        elsif file_extension == ".csv"
-          data = Waivers::CSVFileReader.resolve(file_path)
-          headers = Waivers::CSVFileReader.headers
-          validate_headers(headers)
-        elsif file_extension == ".json"
-          data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data) unless data.nil?
-        end
-        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+        next unless valid_waiver_file?(file_path)
 
-        if data.nil?
-          raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file '#{file_path}'. " \
-              "Check to make sure file has the appropriate extension."
-        end
+        data = parse_waiver_file(file_path)
+        output.merge!(data) if data.is_a?(Hash)
+      rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
+        Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
+        Inspec::UI.new.exit(:usage_error)
       end
 
       @waivers_data[profile_id] = output
     end
 
-    def self.validate_headers(headers, json_yaml = false)
-      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
-      all_fields = %w{control_id justification expiration_date run}
+    def self.valid_waiver_file?(file_path)
+      # Check if the file is readable
+      file_extension = File.extname(file_path).downcase
+      unless SUPPORTED_FILE_EXTENSION.include?(file_extension)
+        raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Unsupported file extension for '#{file_path}'. Allowed waiver file extensions: #{SUPPORTED_FILE_EXTENSION.join(", ")}"
+      end
+
+      # Check if the file is empty
+      if File.zero?(file_path)
+        Inspec::Log.warn "Waivers file '#{file_path}' is empty. Skipping waivers."
+        return false
+      end
 
-      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
-      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
-      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+      true
+    end
+
+    def self.parse_waiver_file(file_path)
+      file_extension = File.extname(file_path).downcase
+
+      case file_extension
+      when ".yaml", ".yml"
+        data = Secrets::YAML.resolve(file_path)&.inputs
+        validate_json_yaml(data)
+      when ".csv"
+        data = Waivers::CSVFileReader.resolve(file_path)
+        validate_csv_headers(Waivers::CSVFileReader.headers)
+      when ".json"
+        data = Waivers::JSONFileReader.resolve(file_path)
+        validate_json_yaml(data)
+      end
+
+      data
+    end
+
+    def self.all_fields
+      %w{control_id justification expiration_date run}
+    end
+
+    def self.validate_csv_headers(headers)
+      invalid_headers_info = fetch_invalid_headers_info(headers)
+      # Warn if blank column found in csv file
+      Inspec::Log.warn "Invalid column headers: Column can't be nil" if invalid_headers_info[:blank_column]
+      # Warn if extra header found in csv file
+      Inspec::Log.warn "Extra header/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+      unless invalid_headers_info[:missing_required_fields].empty?
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+        "Missing required header/s #{invalid_headers_info[:missing_required_fields]}. Fix headers in file to proceed."
+      end
+    end
+
+    def self.fetch_invalid_headers_info(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      data = {}
+      data[:missing_required_fields] = []
+      # Finds missing required fields
+      unless (required_fields - headers).empty?
+        data[:missing_required_fields] = required_fields - headers
+      end
+      # If column with no header found set the blank_column flag. Only applicable for csv
+      data[:blank_column] = headers.include?(nil) ? true : false
+      # Find extra headers/parameters
+      data[:extra_headers] = (headers - all_fields)
+      data
     end
 
     def self.validate_json_yaml(data)
-      headers = []
-      data.each_value do |value|
-        headers.push value.keys
+      return if data.nil?
+
+      missing_required_field = false
+      data.each do |key, value|
+        # In case of yaml or json we need to validate headers/parametes for each value
+        invalid_headers_info = fetch_invalid_headers_info(value.keys, true)
+        # WARN in case of extra parameters found in each waived control
+        Inspec::Log.warn "Control ID #{key}: extra parameter/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+        unless invalid_headers_info[:missing_required_fields].empty?
+          missing_required_field = true
+          # Log error for each waived control
+          Inspec::Log.error "Control ID #{key}: missing required parameter/s #{invalid_headers_info[:missing_required_fields]}"
+        end
+      end
+
+      # Raise error if any of the waived control has missing required filed
+      if missing_required_field
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+             "Missing required parameter [justification]. Fix parameters in file to proceed."
       end
-      validate_headers(headers.flatten.uniq, true)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.22.72
+  version: 5.22.95
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-03-03 00:00:00.000000000 Z
+date: 2025-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -59,7 +59,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 1.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -69,7 +69,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 1.5.0
 - !ruby/object:Gem::Dependency
   name: method_source
   requirement: !ruby/object:Gem::Requirement
@@ -99,7 +99,7 @@ dependencies:
         version: 1.2.2
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -109,7 +109,7 @@ dependencies:
         version: 1.2.2
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -119,7 +119,7 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '3.14'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -129,21 +129,27 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '3.14'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -390,14 +396,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: 3.12.13
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate
@@ -867,14 +873,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.0.3
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.27
 signing_key: 
 specification_version: 4
 summary: Infrastructure and compliance testing. Core library.