inspec-core 5.23.6 → 6.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c009226468213d8efc51bc54b6e315c0d3ac50d9039ee198bbb1b24330a2f2cc
-  data.tar.gz: '0568f87bfec4df5740aaa3de94c1d2bc91b5b9e3f7a59dff8446052a63e83f02'
+  metadata.gz: 2e2d81ddee4b440d4bcb0d00b586707400b189e833942dd65e677bd7f75df0a4
+  data.tar.gz: 69905f313a3303d2e385fe603c6d808970aca2efc7d37498d74ca12727583608
 SHA512:
-  metadata.gz: 90b9f7f4196b68f8bf1b2e33e2c6e4ef1164ede223639115cb1edf04587b9e2b0173fe9bd5badfe84fab507a443844e90d85cd2369b9bd2c44c209c1d9832c4a
-  data.tar.gz: 62f1267747c3fa35f3c75750f9fde168ac4682862a21efd4156b795c56d2cdf5cca580648c3bba9e8d7152139e55a2ff52457d3756ef6dbfcbb3279a0610474b
+  metadata.gz: 754812b73f047d377cdcdfd1c409a15a916ae69d529bded4ace7993b638f1ab6783c7a4394107d538a2df5523887d782a251cfbbf7923a2084961372de1ab12d
+  data.tar.gz: 2ccb38f332159f8af419ef0c343710271d32328198354327489d492ca66c7bad921a5271310f984e844f12eddfa0a70664024be9dac2bdabbf96a0974fc97c74

data/Chef-EULA

@@ -0,0 +1,9 @@
+Packaged distributions of Progress® Chef® products obtained from RubyGems 
+are made available pursuant to the Progress Chef EULA at 
+https://www.chef.io/end-user-license-agreement, unless there is an executed 
+agreement in effect between you and Progress that covers the Progress Chef 
+products ("Master Agreement"), in which case the Master Agreement shall govern.
+
+Source code obtained from the Chef GitHub repository is made available 
+under Apache-2.0, a copy of which can be found in 
+http://www.apache.org/licenses/LICENSE-2.0 

data/Gemfile

@@ -1,3 +1,12 @@
+# For Chef internal builds, allows preview versions of gems if available.
+if ENV["ARTIFACTORY_BASE_URL"]
+  source ENV["ARTIFACTORY_BASE_URL"] + "/artifactory/api/gems/omnibus-gems-local/" do
+    # TODO: either fully populate this list, or revert back to non-block format
+    #       to sweep all Chef gems from Artifactory.
+    gem "chef-licensing"
+  end
+end
+
 source "https://rubygems.org"
 
 gem "inspec", path: "."
@@ -9,14 +18,7 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-# ffi version v1.17.0 is breaking verify pipeline as it requires
-# rubygems version to be upgraded to >= 3.3.22 Ref:https://buildkite.com/chef/inspec-inspec-main-verify-private/builds/812#018fe177-2ccb-45ed-a25e-213c8a6453df/698-707
-
-gem "ffi", ">= 1.15.5", "< 1.17.0"
-
-# We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
-# See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22
-gem "unf_ext", "= 0.0.8.2"
+gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
@@ -30,45 +32,27 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle"
-  gem "concurrent-ruby"
-  gem "json_schemer"
+  gem "chefstyle", "~> 2.2.2"
+  gem "concurrent-ruby", "~> 1.0"
+  gem "json_schemer", ">= 0.2.1", "< 2.0.1"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
-  gem "mocha"
-  # Pinning this version as it breaking for ruby 3.1.0
-  gem "nokogiri", "< 1.17.2"
-  # Pinning this version as it breaking for ruby 3.0.0
-  gem "pry-byebug", "< 3.12.0"
-  gem "pry"
-  gem "rake"
-  gem "simplecov"
+  gem "mocha", "~> 1.1"
+  gem "nokogiri", "~> 1.9"
+  gem "pry-byebug"
+  gem "pry", "~> 0.10"
+  gem "rake", ">= 10"
+  gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
-  gem "webmock"
-  gem "signet", "< 0.22.0" # 0.20.0+ requires min ruby 3.1
-  # Pinning to 1.15 as multi_json 1.16 require ruby 3.2 version
-  # Ref: https://buildkite.com/chef-oss/inspec-inspec-inspec-5-verify/builds/647#019808ca-087b-43bc-b1f9-40a36f59c5f4
-  gem "multi_json", "~> 1.15.0"
+  gem "webmock", "~> 3.0"
+
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    # html-proofer has a dep on io-event, which is ruby-3 only
+    gem "html-proofer", "~> 3.19.4", platforms: :ruby # do not attempt to run proofer on windows. Pinned to 3.19.4 as test is breaking in updated versions.
+  end
 end
 
 group :deploy do
   gem "inquirer"
 end
-
-# Build is failing - see: https://buildkite.com/chef-oss/inspec-inspec-inspec-5-verify/builds/442
-# Error: zeitwerk-2.7.1 requires Ruby >= 3.2, which is incompatible with the current version (Ruby 3.0.7p220)
-# Dependency chain:
-# zeitwerk → dry-configurable, dry-struct, dry-types → k8s-ruby → train-kubernetes
-# Pinning zeitwerk to ~> 2.6 to avoid Ruby >= 3.2 requirement.
-# Remove this pin when upgrading to Ruby 3.2 or higher.
-gem "zeitwerk", "~> 2.6.0", "< 2.7"
-
-# Pinning dry-core,dry-core,dry-types to < 1.1.0 as it is breaking the build because 1.1.0 is incompatible with the current version, ruby 3.0.x on CI
-gem "dry-types", "<= 1.7.2" if RUBY_VERSION < "3.1.0"
-gem "dry-core", "> 1.0.0", "< 1.1.0" if RUBY_VERSION < "3.1.0"
-gem "dry-inflector", "<= 1.1.0" if RUBY_VERSION < "3.1.0"
-
-# Pinning securerandom to < 0.4.0 as it is breaking the build because 0.4.0 is incompatible with the current version, ruby 3.0.x on CI
-# Remove this pin when upgrading to Ruby 3.1 or higher on CI.
-gem "securerandom", "< 0.4.0" if RUBY_VERSION < "3.1.0"

data/etc/features.sig

@@ -0,0 +1,6 @@
+LoJePRrMIqFz6d1uu5n3QBqQAPD8wLuLM8PfvdDerFjuX/TFJDFdwdcNZ8b8
+KBxFjR5qUTMZizjIUp5Jd6FFI4gSm0RIMKa4UeJCQQAWKJGo/tIbSKLPLWlV
+m1X1Z869AkvQSJxyaXvS2oKPck/znCbRKEDhuk2kqSyDJlC2BILTVa0sx3nd
+4W2J2CwFBlqmYWI1FARkZCMGlfzkjcUqrVrCb3RcZ7bcEYOT5ebIm9zZlbuV
+n2Di29KFZhl8paEoGq3EYJvxEC7rVtLccei8UteNQcSOWihG61dtPGhHnpS+
+/7RNGjrS8s4i/dQHjZlZgV6guki6EqB+DIirVek9PQ==

data/etc/features.yaml

@@ -0,0 +1,94 @@
+---
+  features:
+    inspec-cli-exec:
+      description: Run InSpec profile code at the command line.
+    inspec-cli-shell:
+      description: Experiment with InSpec Language interactively.
+    inspec-cli-check:
+      description: Examine a profile for problems.
+    inspec-cli-json:
+      description: Generate JSON summary for inspec profile/s.
+    inspec-cli-export:
+      description: Generate summary in specified formats for profile/s.
+    inspec-cli-vendor:
+      description: Download all profile dependencies and generate a lockfile in vendor directory.
+    inspec-cli-archive:
+      description: Archive a profile to tar.gz (default) or zip.
+    inspec-cli-detect:
+      description: Detect the target OS.
+    inspec-cli-env:
+      description: Output shell-appropriate completion configuration.
+    inspec-cli-schema:
+      description: Print the JSON schema.
+    inspec-cli-run-context:
+      description: Test run-context detection.
+    inspec-cli-version:
+      description: Print the version of InSpec.
+    inspec-cli-clear-cache:
+      description: Clear InSpec cache stored in ~/.inspec/cache or specific vendor cache path.
+    inspec-cli-compliance-login:
+      description: Login to Automate Server using InSpec.
+    inspec-cli-compliance-profiles:
+      description: Lists all uploaded profiles from automate server.
+    inspec-cli-compliance-exec:
+      description: Run InSpec profile from a list of profiles in automate server.
+    inspec-cli-compliance-download:
+      description: Download the InSpec profile from automate server.
+    inspec-cli-compliance-upload:
+      description: Upload InSpec profile to automate server.
+    inspec-cli-compliance-version:
+      description: Print the version of Automate Server.
+    inspec-cli-compliance-logout:
+      description: Logout from Automate Server.
+    inspec-cli-habitat-profile-create:
+      description: Create Habitat Artifact for the InSpec profile.
+    inspec-cli-habitat-profile-setup:
+      description: Configure Habitat Artifact.
+    inspec-cli-habitat-profile-upload:
+      description: Upload Habitat Artifact for the InSpec profile to Habitat Builder Depot.
+    inspec-cli-init-profile:
+      description: Generate a new InSpec profile.
+    inspec-cli-init-plugin:
+      description: Generate a new InSpec plugin.
+    inspec-cli-init-resource:
+      description: Generate a new InSpec resource.
+    inspec-cli-parallel-exec:
+      description: Run list of InSpec exec operations parallely.
+    inspec-cli-sign-generate-keys:
+      description: Generate a RSA key pair for signing and verification.
+    inspec-cli-sign-profile:
+      description: Sign InSpec profile and generate .iaf artifact.
+    inspec-cli-sign-verify:
+      description: Verify a signed profile .iaf artifact.
+    inspec-enhanced-outcomes:
+      description: Use enhanced outcomes in reporters
+    inspec-waivers:
+      description: Use waivers mechanism with one or more waiver files.
+    inspec-reporter-cli:
+      description: Use CLI reporter.
+    inspec-reporter-json:
+      description: Use JSON reporter.
+    inspec-reporter-json-automate:
+      description: Use JSON automate reporter.
+    inspec-reporter-automate:
+      description: Use automate reporter.
+    inspec-reporter-yaml:
+      description: Use YAML reporter.
+    inspec-reporter-json-min:
+      description: Use JSON min reporter for minimal JSON output.
+    inspec-reporter-junit:
+      description: Use JUnit reporter.
+    inspec-reporter-junit2:
+      description: Use JUnit2 reporter.
+    inspec-reporter-html2:
+      description: Use HTML reporter.
+    inspec-reporter-progress-bar:
+      description: Use progress bar streaming reporter
+    inspec-reporter-child-status:
+      description: Child status reporter used in inspec parallel reporting.
+    inspec-mandatory-profile-signing:
+      description: Required to use a signed Inspec profile by default with inspec commands
+      env_preview: true
+    inspec-audit-logging:
+      description: Use audit logging.
+      env_preview: true

data/inspec-core.gemspec

@@ -8,17 +8,24 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Chef InSpec Team"]
   spec.email         = ["inspec@chef.io"]
   spec.summary       = "Infrastructure and compliance testing. Core library."
-  spec.description   = "InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification. This has local support only. See the `inspec` gem for full support."
+  spec.description   = <<-EOT
+InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.
+This has local support only. See the `inspec` gem for full support.
+
+Packaged distributions of Progress® Chef® products obtained from RubyGems are made available pursuant to the Progress Chef EULA at https://www.chef.io/end-user-license-agreement, unless there is an executed agreement in effect between you and Progress that covers the Progress Chef products ("Master Agreement"), in which case the Master Agreement shall govern.
+
+Source code obtained from the Chef GitHub repository is made available under Apache-2.0, a copy of which is included.
+
+  EOT
   spec.homepage      = "https://github.com/inspec/inspec"
-  spec.license       = "Apache-2.0"
+  spec.license       = "LicenseRef-Chef-EULA"
   spec.require_paths = ["lib"]
 
-  # Chef will provide AIX support with ruby 3.0 in separate builds with older versions of InSpec 5, hence we can drop ruby 3.0 support
-  spec.required_ruby_version = ">= 3.1.0"
+  spec.required_ruby_version = ">= 2.7"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
-    Dir.glob("{{lib,etc}/**/*,LICENSE,Gemfile,inspec-core.gemspec}")
+    Dir.glob("{{lib,etc}/**/*,LICENSE,Chef-EULA,Gemfile,inspec-core.gemspec}")
       .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp|alicloud)})
       .grep_v(%r{lib/plugins/.*/test/})
       .reject { |f| File.directory?(f) }
@@ -28,14 +35,14 @@ Gem::Specification.new do |spec|
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
   # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
   # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
-  spec.add_dependency "thor",                     ">= 0.20", "< 1.5.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 4.0"
-  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.14"
-  spec.add_dependency "rspec-its",                ">= 1.2", "< 3.0"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.12"
+  spec.add_dependency "rspec-its",                "~> 1.2"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
-  spec.add_dependency "mixlib-log",               "~> 3.0", "< 3.2"
+  spec.add_dependency "mixlib-log",               "~> 3.0"
   spec.add_dependency "sslshake",                 "~> 1.2"
   spec.add_dependency "parallel",                 "~> 1.9"
   spec.add_dependency "faraday",                  ">= 1", "< 3"
@@ -44,15 +51,10 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 
-  # cookstyle support for inspec check
-  # This was initially included in 'inspec.gemspec' to keep 'chef-client' lightweight.
-  # However, it has been moved to 'inspec-core.gemspec' due to a dependency on the 'ast' gem,
-  # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
-  spec.add_dependency "cookstyle"
-
-  spec.add_dependency "train-core", "~> 3.13", ">= 3.13.4"
+  spec.add_dependency "train-core", ">= 3.11.0"
+  spec.add_dependency "chef-licensing", ">= 0.7.5"
 end

data/lib/inspec/backend.rb

@@ -61,6 +61,8 @@ module Inspec
       raise "Client error, can't connect to '#{transport_name}' backend: #{e.message}"
     rescue Train::TransportError => e
       raise "Transport error, can't connect to '#{transport_name}' backend: #{e.message}"
+    rescue Errno::ENOENT => e
+      raise "#{e.message}"
     end
 
     def initialize(backend)

data/lib/inspec/base_cli.rb

@@ -1,9 +1,11 @@
 require "thor" # rubocop:disable Chef/Ruby/UnlessDefinedRequire
+require "chef-licensing"
 require "inspec/log"
 require "inspec/ui"
 require "inspec/config"
 require "inspec/dist"
 require "inspec/utils/deprecation/global_method"
+require "inspec/utils/licensing_config"
 
 # Allow end of options during array type parsing
 # https://github.com/erikhuda/thor/issues/631
@@ -30,11 +32,34 @@ module Inspec
     end
 
     def self.start(given_args = ARGV, config = {})
-      check_license! if config[:enforce_license] || config[:enforce_license].nil?
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        check_license! if config[:enforce_license] || config[:enforce_license].nil?
+        fetch_and_persist_license
+      end
 
       super(given_args, config)
     end
 
+    def self.fetch_and_persist_license
+      allowed_commands = ["-h", "--help", "help", "-v", "--version", "version", "license"]
+      begin
+        if (allowed_commands & ARGV.map(&:downcase)).empty? && !ARGV.empty?
+          license_keys = ChefLicensing.fetch_and_persist
+
+          # Only if EULA acceptance or license key args are present. And licenses are successfully persisted, do clean exit.
+          if ARGV.select { |arg| !(arg.include? "--chef-license") }.empty? && !license_keys.blank?
+            Inspec::UI.new.exit
+          end
+        end
+      rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
+        Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without valid licenses."
+        Inspec::UI.new.exit(:license_not_set)
+      rescue ChefLicensing::Error => e
+        Inspec::Log.error e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+    end
+
     # EULA acceptance
     def self.check_license!
       allowed_commands = ["-h", "--help", "help", "-v", "--version", "version"]
@@ -48,9 +73,6 @@ module Inspec
             Inspec::VERSION,
             logger: Inspec::Log
           )
-          if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
-            Inspec::UI.new.exit
-          end
           license_acceptor_output
         end
       rescue LicenseAcceptance::LicenseNotAcceptedError
@@ -140,16 +162,6 @@ module Inspec
         desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
         desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
-      option :socks_proxy, type: :string,
-         desc: "SOCKS5H proxy URL to tunnel the WinRM connection (e.g., socks5h://proxy-host:1080)."
-      option :socks_user, type: :string,
-         desc: "Username for authenticating with the SOCKS5 proxy."
-      option :socks_password, type: :string, lazy_default: -1,
-         desc: "Password for authenticating with the SOCKS5 proxy."
-      option :kerberos_realm, type: :string,
-         desc: "Kerberos realm used for authentication."
-      option :kerberos_service, type: :string,
-         desc: "Kerberos service principal name (e.g., HTTP, HOST)."
     end
 
     def self.profile_options
@@ -159,6 +171,8 @@ module Inspec
         desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
       option :auto_install_gems, type: :boolean, default: false,
         desc: "Auto installs gem dependencies of the profile or resource pack."
+      option :allow_unsigned_profiles, type: :boolean, default: false,
+        desc: "Allow unsigned profiles to be used in InSpec command."
     end
 
     def self.supermarket_options
@@ -219,8 +233,37 @@ module Inspec
         desc: "Show enhanced outcomes in output"
     end
 
+    def self.audit_log_options
+      option :audit_log_location, type: :string,
+      desc: "Audit log location to send diagnostic log messages to. (default: '~/.inspec/logs/inspec-audit.log')"
+    end
+
     def self.help(*args)
       super(*args)
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        puts <<~CHEF_LICENSE_HELP
+          Chef Compliance has three tiers of licensing:
+
+          * Free-Tier
+            Users are limited to audit maximum of 10 targets
+            Entitled for personal or non-commercial use
+
+          * Trial
+            Entitled for unlimited number of targets
+            Entitled for 30 days only
+            Entitled for commercial use
+
+          * Commercial
+            Entitled for purchased number of targets
+            Entitled for period of subscription purchased
+            Entitled for commercial use
+
+          inspec license add: This command helps users to generate or add an additional license (not applicable to local licensing service)
+
+          For more information please visit:
+          www.chef.io/licensing/faqs
+        CHEF_LICENSE_HELP
+      end
       puts "\nAbout #{Inspec::Dist::PRODUCT_NAME}:"
       puts "  Patents: chef.io/patents\n\n"
     end
@@ -337,6 +380,9 @@ module Inspec
 
     def pretty_handle_exception(exception)
       case exception
+      when Inspec::ProfileSignatureRequired
+        $stderr.puts exception.message
+        Inspec::UI.new.exit(:signature_required)
       when Inspec::InvalidProfileSignature
         $stderr.puts exception.message
         Inspec::UI.new.exit(:bad_signature)
@@ -389,5 +435,25 @@ module Inspec
       end
       o[:logger].level = get_log_level(o["log_level"])
     end
+
+    # This method is currenlty under feature preview flag and audit log will only be enabeld when CHEF_PREVIEW_AUDIT_LOGGING is set in the env variable
+    def set_and_validate_audit_log_options(opts)
+      err = []
+      opts[:enable_audit_log] ||= true
+      if opts[:audit_log_location].nil?
+        opts[:audit_log_location] = "#{Inspec.log_dir}/inspec-audit-#{Time.now.strftime("%Y%m%dT%H%M%S")}-#{Process.pid}.log"
+      elsif File.directory?(File.dirname(opts[:audit_log_location]))
+        file_path = opts[:audit_log_location]
+        # suffix the timestamp and pid to the audit log file name if log location is set through cli option
+        filename  = "#{File.basename(file_path, ".*")}-#{Time.now.strftime("%Y%m%dT%H%M%S")}-#{Process.pid}"
+        opts[:audit_log_location] = File.join( File.dirname(file_path), "#{filename}#{File.extname(file_path)}" )
+      else
+        err << "Audit log location directory #{opts[:audit_log_location]} does not exist."
+      end
+      opts[:audit_log_app_name] = Inspec::Dist::EXEC_NAME
+      unless err.empty?
+        raise Inspec::Exceptions::InvalidAuditLogOption, err.join("\n")
+      end
+    end
   end
 end

data/lib/inspec/cached_fetcher.rb

@@ -39,12 +39,33 @@ module Inspec
     end
 
     def fetch
-      if cache.exists?(cache_key)
+      if cache.exists?(cache_key) && cache.locked?(cache_key)
+        Inspec::Log.debug "Waiting for lock to be released on the cache dir ...."
+        counter = 0
+        until cache.locked?(cache_key) == false
+          if (counter += 1) > 300
+            Inspec::Log.warn "Giving up waiting on cache lock at #{cache_key}"
+            exit 1
+          end
+          sleep 0.1
+        end
+        fetch
+      elsif cache.exists?(cache_key) && !cache.locked?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
         [cache.prefered_entry_for(cache_key), false]
       else
-        Inspec::Log.debug "Dependency does not exist in the cache #{target}"
-        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        begin
+          Inspec::Log.debug "Dependency does not exist in the cache #{target}"
+          cache.lock(cache.base_path_for(fetcher.cache_key)) if fetcher.requires_locking?
+          fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        rescue SystemExit => e
+          exit_code = e.status || 1
+          Inspec::Log.error "Error while creating cache for dependency ... #{e.message}"
+          FileUtils.rm_rf(cache.base_path_for(fetcher.cache_key))
+          exit(exit_code)
+        ensure
+          cache.unlock(cache.base_path_for(fetcher.cache_key)) if fetcher.requires_locking?
+        end
         assert_cache_sanity!
         [fetcher.archive_path, fetcher.writable?]
       end