inspec-core 5.24.7 → 6.6.0

data/lib/inspec/reporters.rb

@@ -4,76 +4,89 @@ require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
+require "inspec/feature"
 
 module Inspec::Reporters
   # rubocop:disable Metrics/CyclomaticComplexity
   def self.render(reporter, run_data, enhanced_outcomes = false)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "cli"
-      reporter = Inspec::Reporters::CLI.new(config)
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    # This reporter is only used for Chef internal. We reserve the
-    # right to introduce breaking changes to this reporter at any time.
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "automate"
-      reporter = Inspec::Reporters::Automate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
-      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-      activator.activate!
-      reporter = activator.implementation_class.new(config)
-    end
-    reporter.enhanced_outcomes = enhanced_outcomes
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "cli"
+        reporter = Inspec::Reporters::CLI.new(config)
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      # This reporter is only used for Chef internal. We reserve the
+      # right to introduce breaking changes to this reporter at any time.
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "automate"
+        reporter = Inspec::Reporters::Automate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+        activator.activate!
+        reporter = activator.implementation_class.new(config)
+      end
 
-    # optional send_report method on reporter
-    return reporter.send_report if defined?(reporter.send_report)
+      if enhanced_outcomes
+        Inspec.with_feature("inspec-enhanced-outcomes") {
+          reporter.enhanced_outcomes = enhanced_outcomes
+        }
+      else
+        reporter.enhanced_outcomes = enhanced_outcomes
+      end
 
-    reporter.render
-    output = reporter.rendered_output
+      # optional send_report method on reporter
+      return reporter.send_report if defined?(reporter.send_report)
 
-    if config["file"]
-      # create destination directory if it does not exist
-      dirname = File.dirname(config["file"])
-      FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
+      reporter.render
+      output = reporter.rendered_output
+      config_file = config["file"]
+      if config_file
+        config_file.gsub!("CHILD_PID", Process.pid.to_s)
+        # create destination directory if it does not exist
+        dirname = File.dirname(config_file)
+        FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
 
-      File.write(config["file"], output)
-    elsif config["stdout"] == true
-      print output
-      $stdout.flush
-    end
+        File.write(config_file, output)
+      elsif config["stdout"] == true
+        print output
+        $stdout.flush
+      end
+    }
   end
 
   def self.report(reporter, run_data)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it might be a plugin
-      begin
-        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-        activator.activate!
-        reporter = activator.implementation_class.new(config)
-        unless reporter.respond_to(:report?)
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it might be a plugin
+        begin
+          activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+          activator.activate!
+          reporter = activator.implementation_class.new(config)
+          unless reporter.respond_to(:report?)
+            return run_data
+          end
+        rescue Inspec::Plugin::V2::LoadError
+          # Must not have been a plugin - just return the run_data
           return run_data
         end
-      rescue Inspec::Plugin::V2::LoadError
-        # Must not have been a plugin - just return the run_data
-        return run_data
       end
-    end
 
-    reporter.report
+      reporter.report
+    }
   end
 end

data/lib/inspec/resources/audit_policy.rb

@@ -39,17 +39,11 @@ module Inspec::Resources
       # expected result:
       # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
       # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-      auditpol_cmd = "Auditpol /get /subcategory:'#{key}' /r"
-      result ||= inspec.command(auditpol_cmd)
-
-      unless result.exit_status == 0
-        error = result.stdout + "\n" + result.stderr
-        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{auditpol_cmd} command: #{error}"
-      end
+      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
 
       # find line
       target = nil
-      result.stdout.each_line do |s|
+      result.each_line do |s|
         target = s.strip if s =~ /\b.*#{key}.*\b/
       end
 

data/lib/inspec/resources/groups.rb

@@ -200,60 +200,8 @@ module Inspec::Resources
   # implements generic unix groups via /etc/group
   class UnixGroup < GroupInfo
     def groups
-      get_group_info
-    end
-
-    private
-
-    def get_group_info
-      # First, try to fetch group info using getent
-      group_info = fetch_group_info_using_getent
-
-      return group_info unless group_info.empty?
-
-      # If getent fails, fallback to reading group info from /etc/group using inspec.etc_group.entries
-      Inspec::Log.debug("Falling back to reading group info from /etc/group as getent is unavailable or failed.")
       inspec.etc_group.entries
     end
-
-    # Fetches group information using the getent utility
-    def fetch_group_info_using_getent
-      # Find getent utility on the system
-      bin = find_getent_utility
-
-      # If getent is available, fetch group info
-      return [] unless bin
-
-      cmd = inspec.command("#{bin} group")
-      return parse_group_info(cmd) if cmd.exit_status.to_i == 0
-
-      # If getent fails, log the error and return an empty array
-      Inspec::Log.debug("Failed to execute #{bin} group: #{cmd.stderr}.")
-      []
-    end
-
-    # Parses group info from the command output
-    def parse_group_info(cmd)
-      cmd.stdout.strip.split("\n").map do |line|
-        name, password, gid, members = line.split(":")
-        {
-          "name" => name,
-          "password" => password,
-          "gid" => gid.to_i,
-          "members" => members,
-        }
-      end
-    end
-
-    # Checks if getent exists on the system
-    def find_getent_utility
-      %w{/usr/bin/getent /bin/getent getent}.each do |cmd|
-        return cmd if inspec.command(cmd).exist?
-      end
-      # Log debug information if getent is not found
-      Inspec::Log.debug("Could not find `getent` on your system.")
-      nil # Return nil if getent is not found
-    end
   end
 
   # OSX uses opendirectory for groups, so `/etc/group` may not be fully accurate

data/lib/inspec/resources/mssql_session.rb

@@ -30,15 +30,9 @@ module Inspec::Resources
         its('value') { should_not be_empty }
         its('value') { should cmp == 1 }
       end
-
-      # Trust the SQL Server TLS certificate when using sqlcmd
-      sql_tls = mssql_session(user: 'myuser', password: 'mypassword', trust_server_certificate: true)
-      describe sql_tls.query(\"SELECT SERVERPROPERTY('ProductVersion') as \\\"version\\\";\").row(0).column('version') do
-        its('value') { should_not be_empty }
-      end
     EXAMPLE
 
-    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name, :trust_server_certificate
+    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name
     def initialize(opts = {})
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
@@ -52,7 +46,6 @@ module Inspec::Resources
       end
       @instance = opts[:instance]
       @db_name = opts[:db_name]
-      @trust_server_certificate = !!opts[:trust_server_certificate] # rubocop:disable Style/DoubleNegation
 
       # check if sqlcmd is available
       raise Inspec::Exceptions::ResourceSkipped, "sqlcmd is missing" unless inspec.command("sqlcmd").exist?
@@ -64,7 +57,6 @@ module Inspec::Resources
       escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$')
       # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
       cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
-      cmd_string += " -C" if trust_server_certificate?
       cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
       cmd_string += " -d '#{@db_name}'" unless @db_name.nil?
       unless local_mode?
@@ -102,10 +94,6 @@ module Inspec::Resources
       !!@local_mode # rubocop:disable Style/DoubleNegation
     end
 
-    def trust_server_certificate?
-      @trust_server_certificate
-    end
-
     def test_connection
       !query("select getdate()").empty?
     end

data/lib/inspec/resources/nftables.rb

@@ -135,20 +135,7 @@ module Inspec::Resources
       cmd = inspec.command(nftables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      # https://github.com/inspec/inspec/security/code-scanning/10
-      # Update @nftables_cache with sanitized command output
-      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n")
-        .reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ } # Reject lines that match certain patterns
-        .map { |line| line.gsub("elements = {", "").gsub("}", "").split(",") } # Use gsub to replace all occurrences of specified strings
-        .flatten # Flatten the array of arrays into a single array
-        .map(&:strip) # Remove leading and trailing whitespace from each element
-        .map { |element| sanitize_input(element) } # Sanitize each element to prevent injection attacks
-    end
-
-    # Method to sanitize input
-    def sanitize_input(input)
-      # Replace potentially dangerous characters with their escaped counterparts
-      input.gsub(/([\\'";])/, '\\\\\1')
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
     end
 
     def retrieve_chain_rules

data/lib/inspec/resources/oracledb_session.rb

@@ -13,29 +13,14 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the oracledb_session InSpec resource to test commands against an Oracle database"
     example <<~EXAMPLE
-      # Using password
       sql = oracledb_session(user: 'my_user', pass: 'password')
       describe sql.query(\"SELECT UPPER(VALUE) AS VALUE FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_SYS_OPERATIONS'\").row(0).column('value') do
         its('value') { should eq 'TRUE' }
       end
-
-      # CHEF-28019: Using TNS alias (recommended for TCPS/SSL connections)
-      sql = oracledb_session(
-        user: 'my_user',
-        password: 'password',
-        tns_alias: 'MYDB_TCPS',
-        env: {
-          'TNS_ADMIN' => '/path/to/tnsnames',
-          'LD_LIBRARY_PATH' => '/opt/oracle/instantclient'
-        }
-      )
-      describe sql.query('SELECT * FROM dual').row(0).column('dummy') do
-        its('value') { should eq 'X' }
-      end
     EXAMPLE
 
     attr_reader :bin, :db_role, :host, :password, :port, :service,
-                :su_user, :user, :tns_alias, :env_vars
+                :su_user, :user
 
     def initialize(opts = {})
       @user = opts[:user]
@@ -52,11 +37,6 @@ module Inspec::Resources
       @db_role = opts[:as_db_role]
       @sqlcl_bin = opts[:sqlcl_bin] || nil
       @sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
-
-      # CHEF-28019: Support for TNS alias and environment variables
-      @tns_alias = opts[:tns_alias]
-      @env_vars = opts[:env] || {}
-
       skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
       fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
     end
@@ -77,7 +57,7 @@ module Inspec::Resources
       inspec_cmd = inspec.command(command)
       out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
 
-      if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/
+      if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
         raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
       else
         begin
@@ -97,10 +77,8 @@ module Inspec::Resources
     end
 
     def resource_id
-      if @tns_alias && !@tns_alias.empty?
-        "#{@tns_alias}-#{@user}" # e.g., "XEPDB1_TCPS-USER"
-      elsif @user
-        "#{@host}-#{@port}-#{@user}" # e.g., "localhost-1521-USER"
+      if @user
+        "#{@host}-#{@port}-#{@user}"
       elsif @su_user
         "#{@host}-#{@port}-#{@su_user}"
       else
@@ -110,14 +88,16 @@ module Inspec::Resources
 
     private
 
-    # CHEF-28019: Build command with support for TNS alias and environment variables
-    # Existing behavior: regular user/password, using db_role, or su with db_role
-    # Added New behavior: TNS alias connections with optional env vars
+    # 3 commands
+    # regular user password
+    # using a db_role
+    # su, using a db_role
     def command_builder(format_options, query)
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
       else
-        escaped_query = escape_query(query)
+        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
         verified_query = verify_query(escaped_query)
       end
 
@@ -137,11 +117,7 @@ module Inspec::Resources
         sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\n'EOC'} if shell_is_csh
       end
 
-      # CHEF-28019: New path for TNS alias connections
-      if @tns_alias && !@tns_alias.to_s.empty?
-        build_tns_command(format_options, verified_query, oracle_echo_str)
-      # Original paths preserved
-      elsif @db_role.nil?
+      if @db_role.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
@@ -158,17 +134,10 @@ module Inspec::Resources
       query
     end
 
-    def escape_query(query)
-      escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
-      escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
-      escaped_query
-    end
-
     def parse_csv_result(stdout)
       output = stdout.split("oracle_query_string")[-1]
       # comma_query_sub replaces the csv delimiter "," in the output.
       # Handles CSV parsing of data like this (DROP,3) etc
-
       output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
@@ -178,35 +147,5 @@ module Inspec::Resources
         Hashie::Mash.new([revised_row].to_h)
       end
     end
-
-    # CHEF-28019: Build TNS alias command with environment variables
-    def build_tns_command(format_options, verified_query, oracle_echo_str)
-      env_prefix = build_env_prefix
-      connect_string = build_connect_string
-      heredoc_content = "connect #{connect_string}\n#{format_options}\n#{verified_query}\nEXIT"
-
-      if @su_user
-        cmd = %{su - #{@su_user} -c "#{oracle_echo_str} #{env_prefix} #{@bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL"}
-      else
-        cmd = %{#{oracle_echo_str}#{bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL}
-        cmd = "#{env_prefix} #{cmd}" unless env_prefix.empty?
-      end
-
-      cmd
-    end
-
-    # CHEF-28019: Build Oracle connect string for TNS alias
-    def build_connect_string
-      connect_str = "#{@user}/#{@password}@#{@tns_alias}"
-      connect_str += " as #{@db_role}" if @db_role && !@su_user
-      connect_str
-    end
-
-    # CHEF-28019: Build environment variable prefix
-    def build_env_prefix
-      return "" if @env_vars.nil? || @env_vars.empty?
-
-      @env_vars.map { |k, v| "#{k}='#{v}'" }.join(" ")
-    end
   end
 end

data/lib/inspec/resources/postgres_session.rb

@@ -1,7 +1,7 @@
 # copyright: 2015, Vulcano Security GmbH
 
 require "shellwords" unless defined?(Shellwords)
-require "cgi" unless defined?(CGI)
+
 module Inspec::Resources
   class Lines
     attr_reader :output, :exit_status
@@ -55,7 +55,7 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && (out.downcase =~ /error:/ || out.downcase =~ /fatal:/)
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
         Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
@@ -74,10 +74,6 @@ module Inspec::Resources
       Shellwords.escape(query)
     end
 
-    def encoded_password(password)
-      CGI.escape(password)
-    end
-
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
 
@@ -86,14 +82,14 @@ module Inspec::Resources
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
         option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
-        "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?
           warn "Socket based connection not supported in windows, connecting using host" if @socket_path
-          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
         else
-          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
         end
       end
     end

data/lib/inspec/resources/sybase_session.rb

@@ -44,19 +44,10 @@ module Inspec::Resources
       # try to get a temp path
       sql_file_path = upload_sql_file(sql)
 
-      # TODO: Find if there is better way to get the current shell
-      current_shell = inspec.command("echo $SHELL")
-
-      res = current_shell.exit_status
-
       # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
-      if res == 0 && ( current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh") )
-        command = "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
-      else
-        command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
-      end
-
+      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
       isql_cmd = inspec.command(command)
+
       # Check for isql errors
       res = isql_cmd.exit_status
       raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0

data/lib/inspec/resources/virtualization.rb

@@ -223,7 +223,7 @@ module Inspec::Resources
       elsif cgroup_content =~ %r{^\d+:[^:]+:/(kubepods)/.+$}
         @virtualization_data[:system] = $1
         @virtualization_data[:role] = "guest"
-      elsif /container=podman/.match?(inspec.file("/proc/1/environ").content)
+      elsif /container=podman/.match?(file_read("/proc/1/environ"))
         @virtualization_data[:system] = "podman"
         @virtualization_data[:role] = "guest"
       elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}

data/lib/inspec/rule.rb

@@ -375,24 +375,19 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
-      @__waiver_data = nil
       control_id = @__rule_id # TODO: control ID slugging
-
       waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
-      unless waiver_files.nil? || waiver_files.empty?
-        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
-        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
-        @__waiver_data = waiver_data_by_profile[control_id]
-      else
-        # Support for input registry is provided for backward compatibilty with compliance phase of chef-client
-        # Chef-client sends waiver information in inputs hash
-        input_registry = Inspec::InputRegistry.instance
-        waiver_data_via_input = input_registry.inputs_by_profile.dig(__profile_id, control_id)
-        return unless waiver_data_via_input && waiver_data_via_input.has_value? && waiver_data_via_input.value.is_a?(Hash)
+      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
 
-        @__waiver_data = waiver_data_via_input.value
-      end
+      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
+
+      # An InSpec Input is a datastructure that tracks a profile parameter
+      # over time. Its value can be set by many sources, and it keeps a
+      # log of each "set" event so that when it is collapsed to a value,
+      # it can determine the correct (highest priority) value.
+      # Store in an instance variable for.. later reading???
+      @__waiver_data = waiver_data_by_profile[control_id]
 
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""

data/lib/inspec/run_data.rb

@@ -27,11 +27,13 @@ module Inspec
   ) do
     include HashLikeStruct
     def initialize(raw_run_data)
-      self.controls   = raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
-      self.profiles   = raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
-      self.statistics = Inspec::RunData::Statistics.new(raw_run_data[:statistics])
-      self.platform   = Inspec::RunData::Platform.new(raw_run_data[:platform])
-      self.version    = raw_run_data[:version]
+      @raw_run_data = raw_run_data
+
+      self.controls   = @raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
+      self.profiles   = @raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
+      self.statistics = Inspec::RunData::Statistics.new(@raw_run_data[:statistics])
+      self.platform   = Inspec::RunData::Platform.new(@raw_run_data[:platform])
+      self.version    = @raw_run_data[:version]
     end
   end
 

data/lib/inspec/runner.rb

@@ -11,6 +11,7 @@ require "inspec/dependencies/cache"
 require "inspec/dist"
 require "inspec/reporters"
 require "inspec/runner_rspec"
+require "chef-licensing"
 # spec requirements
 
 module Inspec
@@ -60,11 +61,13 @@ module Inspec
       end
 
       if @conf[:waiver_file]
-        @conf[:waiver_file].each do |file|
-          unless File.file?(file)
-            raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+        Inspec.with_feature("inspec-waivers") {
+          @conf[:waiver_file].each do |file|
+            unless File.file?(file)
+              raise Inspec::Exceptions::WaiversFileDoesNotExist, "Waiver file #{file} does not exist."
+            end
           end
-        end
+        }
       end
 
       # About reading inputs:
@@ -142,7 +145,7 @@ module Inspec
             get_check_example(m, a, b)
           end.compact
 
-          examples.map { |example| total_checks += example.descendant_filtered_examples.count }
+          examples.map { |example| total_checks += example.examples.count }
 
           unless control_describe_checks.empty?
             # controls with empty tests are avoided
@@ -159,16 +162,42 @@ module Inspec
     end
 
     def run(with = nil)
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
+
+      # Validate if profiles are signed and verified
+      # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
+      # Only runs this block when preview flag CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING is set
+      Inspec.with_feature("inspec-mandatory-profile-signing") {
+        unless @conf.allow_unsigned_profiles?
+          verify_target_profiles_if_signed(@target_profiles)
+        end
+      }
+
       Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
       load
       run_tests(with)
+    rescue ChefLicensing::SoftwareNotEntitled
+      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::UI.new.exit(:license_not_entitled)
+    rescue ChefLicensing::Error => e
+      Inspec::Log.error e.message
+      Inspec::UI.new.exit(:usage_error)
+    end
+
+    def verify_target_profiles_if_signed(target_profiles)
+      unsigned_profiles = []
+      target_profiles.each do |profile|
+        unsigned_profiles << profile.name unless profile.verify_if_signed
+      end
+      raise Inspec::ProfileSignatureRequired, "Signature required for profile/s: #{unsigned_profiles.join(", ")}. Please provide a signed profile. Or set CHEF_ALLOW_UNSIGNED_PROFILES in the environment. Or use `--allow-unsigned-profiles` flag with InSpec CLI. " unless unsigned_profiles.empty?
     end
 
     def render_output(run_data)
       return if @conf["reporter"].nil?
 
       @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data, @conf["enhanced_outcomes"])
+        enhanced_outcome_flag = @conf["enhanced_outcomes"]
+        result = Inspec::Reporters.render(reporter, run_data, enhanced_outcome_flag)
         raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end