inspec-core 5.23.6 → 5.24.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c009226468213d8efc51bc54b6e315c0d3ac50d9039ee198bbb1b24330a2f2cc
-  data.tar.gz: '0568f87bfec4df5740aaa3de94c1d2bc91b5b9e3f7a59dff8446052a63e83f02'
+  metadata.gz: 1d51433ba0116888c84236e9e10a00eed659241c97bc52bc28adab5d166747b1
+  data.tar.gz: fbcdb575d6d6e318080fe33c9480d97a886e18795f8d9d70b631744998985039
 SHA512:
-  metadata.gz: 90b9f7f4196b68f8bf1b2e33e2c6e4ef1164ede223639115cb1edf04587b9e2b0173fe9bd5badfe84fab507a443844e90d85cd2369b9bd2c44c209c1d9832c4a
-  data.tar.gz: 62f1267747c3fa35f3c75750f9fde168ac4682862a21efd4156b795c56d2cdf5cca580648c3bba9e8d7152139e55a2ff52457d3756ef6dbfcbb3279a0610474b
+  metadata.gz: bd38bce6f7c2f0f53effda98239dc918e002c1f06266f32905fe464c22c4bcbc2c09a475c4b3e7eb9b902a50252b9f4c83978e1e857fb0bd0f78fb1e8ced781a
+  data.tar.gz: b9ae97157012e01b7522afc285b307b4042178900c25ba7f9e72898d4aa1670d97906ba8e8b50bab0cf04645d809a6bad2229d567eb658b1a2f327b359b0014a

data/Gemfile

@@ -27,6 +27,8 @@ group :omnibus do
   gem "appbundler"
   gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
   gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+  # pinning at < 0.6, 0.6 requires ruby 3.2+, InSpec5 does not support Ruby 3.2
+  gem "net-imap", ">= 0.2.5", "< 0.6"
 end
 
 group :test do
@@ -34,13 +36,12 @@ group :test do
   gem "concurrent-ruby"
   gem "json_schemer"
   gem "m"
-  gem "minitest-sprint", "~> 1.0"
+  # 1.4.0+ requires min ruby 3.2, InSpec5 does not support Ruby 3.2
+  gem "minitest-sprint", "~> 1.3.0" , "< 1.4.0"
   gem "minitest", "5.15.0"
   gem "mocha"
-  # Pinning this version as it breaking for ruby 3.1.0
   gem "nokogiri", "< 1.17.2"
-  # Pinning this version as it breaking for ruby 3.0.0
-  gem "pry-byebug", "< 3.12.0"
+  gem "pry-byebug"
   gem "pry"
   gem "rake"
   gem "simplecov"
@@ -49,7 +50,7 @@ group :test do
   gem "signet", "< 0.22.0" # 0.20.0+ requires min ruby 3.1
   # Pinning to 1.15 as multi_json 1.16 require ruby 3.2 version
   # Ref: https://buildkite.com/chef-oss/inspec-inspec-inspec-5-verify/builds/647#019808ca-087b-43bc-b1f9-40a36f59c5f4
-  gem "multi_json", "~> 1.15.0"
+  gem "multi_json", "~> 1.18.0"
 end
 
 group :deploy do
@@ -64,11 +65,5 @@ end
 # Remove this pin when upgrading to Ruby 3.2 or higher.
 gem "zeitwerk", "~> 2.6.0", "< 2.7"
 
-# Pinning dry-core,dry-core,dry-types to < 1.1.0 as it is breaking the build because 1.1.0 is incompatible with the current version, ruby 3.0.x on CI
-gem "dry-types", "<= 1.7.2" if RUBY_VERSION < "3.1.0"
-gem "dry-core", "> 1.0.0", "< 1.1.0" if RUBY_VERSION < "3.1.0"
-gem "dry-inflector", "<= 1.1.0" if RUBY_VERSION < "3.1.0"
-
-# Pinning securerandom to < 0.4.0 as it is breaking the build because 0.4.0 is incompatible with the current version, ruby 3.0.x on CI
-# Remove this pin when upgrading to Ruby 3.1 or higher on CI.
-gem "securerandom", "< 0.4.0" if RUBY_VERSION < "3.1.0"
+# Pinning connection_pool to < 3.0.0 as 3.0.0+ requires Ruby >= 3.2.0
+gem "connection_pool", ">= 2.5", "< 3.0"

data/inspec-core.gemspec

@@ -43,7 +43,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tty-table",                "~> 0.10"
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
-  spec.add_dependency "addressable",              "~> 2.4"
+  # Pinning to < 2.8.8 because public_suffix 7.0 requires Ruby 3.2 or higher, InSpec5 does not support Ruby 3.2
+  spec.add_dependency "addressable",              "< 2.8.8"
   spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
@@ -53,6 +54,5 @@ Gem::Specification.new do |spec|
   # However, it has been moved to 'inspec-core.gemspec' due to a dependency on the 'ast' gem,
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
-
-  spec.add_dependency "train-core", "~> 3.13", ">= 3.13.4"
+  spec.add_dependency "train-core", "~> 3.16", ">= 3.16.1"
 end

data/lib/inspec/archive/tar.rb

@@ -1,4 +1,5 @@
 require "rubygems/package" unless defined?(Gem::Package)
+require "rubygems/package/tar_writer" unless defined?(Gem::Package::TarWriter)
 
 module Inspec::Archive
   class TarArchiveGenerator

data/lib/inspec/file_provider.rb

@@ -1,4 +1,5 @@
 require "rubygems/package" unless defined?(Gem::Package)
+require "rubygems/package/tar_header" unless defined?(Gem::Package::TarHeader)
 require "pathname" unless defined?(Pathname)
 require "zlib" unless defined?(Zlib)
 require "zip" unless defined?(Zip)

data/lib/inspec/resources/mssql_session.rb

@@ -30,9 +30,15 @@ module Inspec::Resources
         its('value') { should_not be_empty }
         its('value') { should cmp == 1 }
       end
+
+      # Trust the SQL Server TLS certificate when using sqlcmd
+      sql_tls = mssql_session(user: 'myuser', password: 'mypassword', trust_server_certificate: true)
+      describe sql_tls.query(\"SELECT SERVERPROPERTY('ProductVersion') as \\\"version\\\";\").row(0).column('version') do
+        its('value') { should_not be_empty }
+      end
     EXAMPLE
 
-    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name
+    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name, :trust_server_certificate
     def initialize(opts = {})
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
@@ -46,6 +52,7 @@ module Inspec::Resources
       end
       @instance = opts[:instance]
       @db_name = opts[:db_name]
+      @trust_server_certificate = !!opts[:trust_server_certificate] # rubocop:disable Style/DoubleNegation
 
       # check if sqlcmd is available
       raise Inspec::Exceptions::ResourceSkipped, "sqlcmd is missing" unless inspec.command("sqlcmd").exist?
@@ -57,6 +64,7 @@ module Inspec::Resources
       escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$')
       # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
       cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
+      cmd_string += " -C" if trust_server_certificate?
       cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
       cmd_string += " -d '#{@db_name}'" unless @db_name.nil?
       unless local_mode?
@@ -94,6 +102,10 @@ module Inspec::Resources
       !!@local_mode # rubocop:disable Style/DoubleNegation
     end
 
+    def trust_server_certificate?
+      @trust_server_certificate
+    end
+
     def test_connection
       !query("select getdate()").empty?
     end

data/lib/inspec/resources/oracledb_session.rb

@@ -13,14 +13,29 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the oracledb_session InSpec resource to test commands against an Oracle database"
     example <<~EXAMPLE
+      # Using password
       sql = oracledb_session(user: 'my_user', pass: 'password')
       describe sql.query(\"SELECT UPPER(VALUE) AS VALUE FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_SYS_OPERATIONS'\").row(0).column('value') do
         its('value') { should eq 'TRUE' }
       end
+
+      # CHEF-28019: Using TNS alias (recommended for TCPS/SSL connections)
+      sql = oracledb_session(
+        user: 'my_user',
+        password: 'password',
+        tns_alias: 'MYDB_TCPS',
+        env: {
+          'TNS_ADMIN' => '/path/to/tnsnames',
+          'LD_LIBRARY_PATH' => '/opt/oracle/instantclient'
+        }
+      )
+      describe sql.query('SELECT * FROM dual').row(0).column('dummy') do
+        its('value') { should eq 'X' }
+      end
     EXAMPLE
 
     attr_reader :bin, :db_role, :host, :password, :port, :service,
-                :su_user, :user
+                :su_user, :user, :tns_alias, :env_vars
 
     def initialize(opts = {})
       @user = opts[:user]
@@ -37,6 +52,11 @@ module Inspec::Resources
       @db_role = opts[:as_db_role]
       @sqlcl_bin = opts[:sqlcl_bin] || nil
       @sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
+
+      # CHEF-28019: Support for TNS alias and environment variables
+      @tns_alias = opts[:tns_alias]
+      @env_vars = opts[:env] || {}
+
       skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
       fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
     end
@@ -77,8 +97,10 @@ module Inspec::Resources
     end
 
     def resource_id
-      if @user
-        "#{@host}-#{@port}-#{@user}"
+      if @tns_alias && !@tns_alias.empty?
+        "#{@tns_alias}-#{@user}" # e.g., "XEPDB1_TCPS-USER"
+      elsif @user
+        "#{@host}-#{@port}-#{@user}" # e.g., "localhost-1521-USER"
       elsif @su_user
         "#{@host}-#{@port}-#{@su_user}"
       else
@@ -88,10 +110,9 @@ module Inspec::Resources
 
     private
 
-    # 3 commands
-    # regular user password
-    # using a db_role
-    # su, using a db_role
+    # CHEF-28019: Build command with support for TNS alias and environment variables
+    # Existing behavior: regular user/password, using db_role, or su with db_role
+    # Added New behavior: TNS alias connections with optional env vars
     def command_builder(format_options, query)
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
@@ -116,7 +137,11 @@ module Inspec::Resources
         sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\n'EOC'} if shell_is_csh
       end
 
-      if @db_role.nil?
+      # CHEF-28019: New path for TNS alias connections
+      if @tns_alias && !@tns_alias.to_s.empty?
+        build_tns_command(format_options, verified_query, oracle_echo_str)
+      # Original paths preserved
+      elsif @db_role.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
@@ -153,5 +178,35 @@ module Inspec::Resources
         Hashie::Mash.new([revised_row].to_h)
       end
     end
+
+    # CHEF-28019: Build TNS alias command with environment variables
+    def build_tns_command(format_options, verified_query, oracle_echo_str)
+      env_prefix = build_env_prefix
+      connect_string = build_connect_string
+      heredoc_content = "connect #{connect_string}\n#{format_options}\n#{verified_query}\nEXIT"
+
+      if @su_user
+        cmd = %{su - #{@su_user} -c "#{oracle_echo_str} #{env_prefix} #{@bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL"}
+      else
+        cmd = %{#{oracle_echo_str}#{bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL}
+        cmd = "#{env_prefix} #{cmd}" unless env_prefix.empty?
+      end
+
+      cmd
+    end
+
+    # CHEF-28019: Build Oracle connect string for TNS alias
+    def build_connect_string
+      connect_str = "#{@user}/#{@password}@#{@tns_alias}"
+      connect_str += " as #{@db_role}" if @db_role && !@su_user
+      connect_str
+    end
+
+    # CHEF-28019: Build environment variable prefix
+    def build_env_prefix
+      return "" if @env_vars.nil? || @env_vars.empty?
+
+      @env_vars.map { |k, v| "#{k}='#{v}'" }.join(" ")
+    end
   end
 end

data/lib/inspec/utils/profile_ast_helpers.rb

@@ -24,6 +24,37 @@ module Inspec
           @memo = memo
         end
 
+        def extract_node_value(node)
+          case node.class.to_s
+          when "RuboCop::AST::HashNode"
+            # Handle hash nodes
+            values = {}
+            node.children.each do |pair_node|
+              values.merge!(pair_node.key.value => extract_node_value(pair_node.value))
+            end
+            values
+          when "RuboCop::AST::ArrayNode"
+            # Handle array nodes
+            node.children.map { |element| extract_node_value(element) }
+          else
+            # Handle simple nodes (strings, numbers, symbols, booleans, nil, etc.)
+            if node.respond_to?(:type)
+              case node.type
+              when :true
+                true
+              when :false
+                false
+              when :nil
+                nil
+              else
+                node.respond_to?(:value) ? node.value : node
+              end
+            else
+              node.respond_to?(:value) ? node.value : node
+            end
+          end
+        end
+
         def collect_input(input_children)
           input_name = input_children.children[2].value
 
@@ -39,15 +70,9 @@ module Inspec
                 if VALID_INPUT_OPTIONS.include?(child_node.key.value)
                   if child_node.value.class == RuboCop::AST::Node && REQUIRED_VALUES_MAP.key?(child_node.value.type)
                     opts.merge!(child_node.key.value => REQUIRED_VALUES_MAP[child_node.value.type])
-                  elsif child_node.value.class == RuboCop::AST::HashNode
-                    # Here value will be a hash
-                    values = {}
-                    child_node.value.children.each do |grand_child_node|
-                      values.merge!(grand_child_node.key.value => grand_child_node.value.value)
-                    end
-                    opts.merge!(child_node.key.value => values)
                   else
-                    opts.merge!(child_node.key.value => child_node.value.value)
+                    # Use the helper method to recursively extract values from any node type
+                    opts.merge!(child_node.key.value => extract_node_value(child_node.value))
                   end
                 end
               end
@@ -313,8 +338,11 @@ module Inspec
             collectors.push InputCollectorWithinControlBlock.new(@memo)
             collectors.push TestsCollector.new(control_data) if include_tests
 
-            begin_block.each_node do |node_within_control|
-              collectors.each { |collector| collector.process(node_within_control) }
+            # Handle empty control blocks (e.g., control "id" do end)
+            if begin_block
+              begin_block.each_node do |node_within_control|
+                collectors.each { |collector| collector.process(node_within_control) }
+              end
             end
 
             memo[:controls].push control_data

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.23.6".freeze
+  VERSION = "5.24.7".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.23.6
+  version: 5.24.7
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-09-23 00:00:00.000000000 Z
+date: 2026-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -318,16 +318,16 @@ dependencies:
   name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: 2.8.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: 2.8.8
 - !ruby/object:Gem::Dependency
   name: parslet
   requirement: !ruby/object:Gem::Requirement
@@ -396,20 +396,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.16'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.13.4
+        version: 3.16.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.16'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.13.4
+        version: 3.16.1
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate