inspec-core 6.6.0 → 6.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e2d81ddee4b440d4bcb0d00b586707400b189e833942dd65e677bd7f75df0a4
-  data.tar.gz: 69905f313a3303d2e385fe603c6d808970aca2efc7d37498d74ca12727583608
+  metadata.gz: 935114b2bfd94c210bbaa34c7dcb77185f41d3fe40f2460f0cc202fc81bcf229
+  data.tar.gz: 1b32490bab8349155734d036c8690460436c13531318427a1a7cbbe4d1556479
 SHA512:
-  metadata.gz: 754812b73f047d377cdcdfd1c409a15a916ae69d529bded4ace7993b638f1ab6783c7a4394107d538a2df5523887d782a251cfbbf7923a2084961372de1ab12d
-  data.tar.gz: 2ccb38f332159f8af419ef0c343710271d32328198354327489d492ca66c7bad921a5271310f984e844f12eddfa0a70664024be9dac2bdabbf96a0974fc97c74
+  metadata.gz: ebc7bfa5348adaf7ef7f6fa066ced78691167acb491fa1d30dc70fba35125f7b44d9598be47b4868c280796e902e86ca8efcac1d4a71f294b5725b6f3c80a813
+  data.tar.gz: 426261a3570f1db8a1a99f0a07cd6f92eea754943c4d6e904b8a73f7e7dea49bc1758989d94047ca1689efa1c78d2149ca532c345e380c595e103e799f29c1d4

data/Gemfile

@@ -1,11 +1,13 @@
+# TODO: Commentine artifactory source block temporarily
+# to addres JIRA #9390 (Chef InSpec  Verify pipeline is failing due to checksum mismatch of mixlib-shellout gem)
 # For Chef internal builds, allows preview versions of gems if available.
-if ENV["ARTIFACTORY_BASE_URL"]
-  source ENV["ARTIFACTORY_BASE_URL"] + "/artifactory/api/gems/omnibus-gems-local/" do
-    # TODO: either fully populate this list, or revert back to non-block format
-    #       to sweep all Chef gems from Artifactory.
-    gem "chef-licensing"
-  end
-end
+# if ENV["ARTIFACTORY_BASE_URL"]
+#   source ENV["ARTIFACTORY_BASE_URL"] + "/artifactory/api/gems/omnibus-gems-local/" do
+#     # TODO: either fully populate this list, or revert back to non-block format
+#     #       to sweep all Chef gems from Artifactory.
+#     gem "chef-licensing"
+#   end
+# end
 
 source "https://rubygems.org"
 
@@ -18,7 +20,10 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
+# ffi version v1.17.0 is breaking verify pipeline as it requires
+# rubygems version to be upgraded to >= 3.3.22 Ref:https://buildkite.com/chef/inspec-inspec-main-verify-private/builds/812#018fe177-2ccb-45ed-a25e-213c8a6453df/698-707
+
+gem "ffi", ">= 1.15.5", "< 1.17.0"
 
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
@@ -32,25 +37,20 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 2.2.2"
-  gem "concurrent-ruby", "~> 1.0"
-  gem "json_schemer", ">= 0.2.1", "< 2.0.1"
+  gem "chefstyle"
+  gem "concurrent-ruby"
+  gem "json_schemer"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
-  gem "mocha", "~> 1.1"
-  gem "nokogiri", "~> 1.9"
+  gem "mocha"
+  gem "nokogiri"
   gem "pry-byebug"
-  gem "pry", "~> 0.10"
-  gem "rake", ">= 10"
-  gem "simplecov", "~> 0.21"
+  gem "pry"
+  gem "rake"
+  gem "simplecov"
   gem "simplecov_json_formatter"
-  gem "webmock", "~> 3.0"
-
-  if Gem.ruby_version >= Gem::Version.new("3.0.0")
-    # html-proofer has a dep on io-event, which is ruby-3 only
-    gem "html-proofer", "~> 3.19.4", platforms: :ruby # do not attempt to run proofer on windows. Pinned to 3.19.4 as test is breaking in updated versions.
-  end
+  gem "webmock"
 end
 
 group :deploy do

data/etc/features.sig

@@ -1,6 +1,6 @@
-LoJePRrMIqFz6d1uu5n3QBqQAPD8wLuLM8PfvdDerFjuX/TFJDFdwdcNZ8b8
-KBxFjR5qUTMZizjIUp5Jd6FFI4gSm0RIMKa4UeJCQQAWKJGo/tIbSKLPLWlV
-m1X1Z869AkvQSJxyaXvS2oKPck/znCbRKEDhuk2kqSyDJlC2BILTVa0sx3nd
-4W2J2CwFBlqmYWI1FARkZCMGlfzkjcUqrVrCb3RcZ7bcEYOT5ebIm9zZlbuV
-n2Di29KFZhl8paEoGq3EYJvxEC7rVtLccei8UteNQcSOWihG61dtPGhHnpS+
-/7RNGjrS8s4i/dQHjZlZgV6guki6EqB+DIirVek9PQ==
+nr7EKXZMiAwYI0Kon1ctCMkDulEkovRbT/FRezvP04yx8wVhJaSi7dMhL/mP
+NvTzMOuT9G4R/QsP6VV7QKs4eBmAOPGrvgZgyfXDvfe1TPYcvpsVncSXm5rx
+TO+g7i0XGz9s/FtvdzOpl2urhgOsQ35wk7IsNu9Ktij2HqZw7UmxMvtT954s
+aQuW6eVvvM9n+bobEBVSErkhgvOvJ7jZyz5r0cv/uuhrayIC6V1qegod9QHa
+uCdasmmEqglyNQYXIM7V7iNrnfuYB80or44Ewi640edHarSw8YU/Tul2Y2l/
+DWeXRHsXxmuEL1wXA9ZIV6wqK0RsxaufwY6M7bqWSQ==

data/etc/features.yaml

@@ -92,3 +92,6 @@
     inspec-audit-logging:
       description: Use audit logging.
       env_preview: true
+    inspec-telemetry-client:
+      description: Perform license usage telemetry.
+      env_preview: true

data/inspec-core.gemspec

@@ -21,7 +21,7 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.license       = "LicenseRef-Chef-EULA"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.7"
+  spec.required_ruby_version = ">= 3.1.0"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
@@ -38,7 +38,7 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.12"
+  spec.add_dependency "rspec",                    ">= 3.9", "<= 3.14"
   spec.add_dependency "rspec-its",                "~> 1.2"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
@@ -55,6 +55,13 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 
+  # cookstyle support for inspec check
+  # This was initially included in 'inspec.gemspec' to keep 'chef-client' lightweight.
+  # However, it has been moved to 'inspec-core.gemspec' due to a dependency on the 'ast' gem,
+  # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
+  spec.add_dependency "cookstyle"
+
   spec.add_dependency "train-core", ">= 3.11.0"
-  spec.add_dependency "chef-licensing", ">= 0.7.5"
+  # Minimum major version 1 is required for Chef licensing telemetry
+  spec.add_dependency "chef-licensing", ">= 1.0.2"
 end

data/lib/inspec/base_cli.rb

@@ -47,7 +47,7 @@ module Inspec
           license_keys = ChefLicensing.fetch_and_persist
 
           # Only if EULA acceptance or license key args are present. And licenses are successfully persisted, do clean exit.
-          if ARGV.select { |arg| !(arg.include? "--chef-license") }.empty? && !license_keys.blank?
+          if ARGV.select { |arg| !(arg.include? "--chef-license") }.empty? && !(license_keys.nil? || license_keys.empty?)
             Inspec::UI.new.exit
           end
         end

data/lib/inspec/cli.rb

@@ -57,7 +57,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Disable loading all plugins that the user installed."
 
   class_option :enable_telemetry, type: :boolean,
-    desc: "Allow or disable telemetry", default: false
+    desc: "Allow or disable telemetry", default: true
 
   require "license_acceptance/cli_flags/thor"
   include LicenseAcceptance::CLIFlags::Thor

data/lib/inspec/config.rb

@@ -470,6 +470,15 @@ module Inspec
       # Reporter options may be defined top-level.
       options.merge!(config_file_reporter_options)
 
+      # when sent reporter from compliance-mode (via chef-client), the reporter is a symbol
+      if @cli_opts.key?(:reporter) && @cli_opts["reporter"].nil?
+        @cli_opts["reporter"] = @cli_opts[:reporter]
+        @cli_opts.delete(:reporter)
+      elsif @cli_opts.key?(:reporter) && @cli_opts.key?("reporter") && @cli_opts["reporter"].is_a?(Array)
+        # combine reporter and "reporter" options into "reporter" option
+        @cli_opts["reporter"] = @cli_opts[:reporter] + @cli_opts["reporter"]
+      end
+
       if @cli_opts["reporter"]
         # Add reporter_cli_opts in options to capture reporter cli opts separately
         options.merge!({ "reporter_cli_opts" => @cli_opts["reporter"] })

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -95,7 +95,7 @@ module Inspec::DSL
         # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
         # 2. Matching original profile dependency name with profile name used with include or require control DSL.
         source_version = value.source_version
-        unless source_version.blank?
+        unless source_version.nil? || source_version.empty?
           profile_id_key = key.split("-#{source_version}")[0]
           new_profile_id = key if profile_id_key == profile_id
         end

data/lib/inspec/feature/runner.rb

@@ -11,7 +11,10 @@ module Inspec
         # Validate that the feature is recognized
         feature = config[feature_name]
         unless feature
-          logger.warn "Unrecognized feature name '#{feature_name}'"
+          # Avoid warning for custom plugins
+          user_plugins = Inspec::Plugin::V2::Registry.instance.plugin_statuses.select { |status| status.installation_type == :user_gem }
+          user_plugin_names = user_plugins.collect { |a| a.name.to_s }
+          logger.warn "Unrecognized feature name '#{feature_name}'" unless user_plugin_names.include?(feature_name)
         end
 
         # If the feature is not recognized

data/lib/inspec/feature.rb

@@ -8,11 +8,15 @@ module Inspec
 
   class Feature
     attr_reader :name, :description, :env_preview
+
+    @@features_invoked = []
+
     def initialize(feature_name, feature_yaml_opts)
       @name = feature_name
       feature_yaml_opts ||= {}
       @description = feature_yaml_opts["description"]
       @env_preview = feature_yaml_opts["env_preview"]
+      @@features_invoked << feature_name
     end
 
     def previewable?
@@ -30,5 +34,9 @@ module Inspec
       env_preview_feature_name = name.to_s.split("inspec-")[-1]
       ENV["CHEF_PREVIEW_#{env_preview_feature_name.gsub("-", "_").upcase}"]
     end
+
+    def self.list_all_invoked_features
+      @@features_invoked.uniq
+    end
   end
 end

data/lib/inspec/fetcher/url.rb

@@ -93,7 +93,7 @@ module Inspec::Fetcher
                            end
 
       if transformed_target
-        Inspec::Log.warn("URL target #{target} transformed to #{transformed_target}. Consider using the git fetcher")
+        Inspec::Log.debug("URL target #{target} transformed to #{transformed_target}. Consider using the git fetcher")
         transformed_target
       else
         target
@@ -133,12 +133,14 @@ module Inspec::Fetcher
     class << self
       def default_ref(match_data, repo_url)
         remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git"
-        command_string = "git remote show #{remote_url}"
+        command_string = "git ls-remote #{remote_url} HEAD"
         cmd = shellout(command_string)
         unless cmd.exitstatus == 0
           raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}")
         else
-          ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+          # cmd.stdout of "git ls-remote #{remote_url} HEAD" looks like this:
+          # "457d14843ab7c1c3740169eb47cf129a6f417964\tHEAD\n"
+          ref = cmd.stdout.split("\t").first
           unless ref
             raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference")
           end
@@ -246,10 +248,30 @@ module Inspec::Fetcher
       @temp_archive_path = archive.path
     end
 
-    def open(target, opts) # overridden so we can control who we're talking to
-      URI.open(target, opts)
-    rescue NoMethodError   # TODO: remove when we drop ruby 2.4
-      super(target, opts)  # Kernel#open
+    # Opens a URI or local file specified by `target` with options `opts`.
+    # If `target` is a valid URI (http://, https://, ftp://), opens it using URI.open.
+    # If `target` is a local file path, opens it using File.open.
+    # Raises ArgumentError for invalid `target` that is neither a valid URI nor a local file path.
+    # Logs or handles exceptions gracefully using `pretty_handle_exception`.
+    def open(target, opts)
+      if valid_uri?(target)
+        URI(target).open(opts) # Open URI if it's a valid HTTP, HTTPS, or FTP URI
+      elsif File.file?(target)
+        File.open(target, opts) # Open local file if it exists
+      else
+        raise ArgumentError, "Invalid target: #{target}. Must be a valid URI or a local file path."
+      end
+    rescue StandardError => e
+      raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
+    end
+
+    # Checks if the given `target` string is a valid URI by attempting to parse it.
+    # Returns true if `target` is a valid HTTP, HTTPS, or FTP URI; false otherwise.
+    def valid_uri?(target)
+      uri = URI.parse(target)
+      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) || uri.is_a?(URI::FTP)
+    rescue URI::InvalidURIError
+      false
     end
 
     def open_via_uri(target)

data/lib/inspec/iaf_file.rb

@@ -34,8 +34,9 @@ module Inspec
       raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("Validation key #{keyname} not found")
     end
 
-    def self.find_signing_key(keyname)
-      [".", File.join(Inspec.config_dir, "keys")].each do |path|
+    def self.find_signing_key(keyname, config_dir = nil)
+      config_dir ||= Inspec.config_dir
+      [".", File.join(config_dir, "keys")].each do |path|
         filename = File.join(path, "#{keyname}.pem.key")
         return filename if File.exist?(filename)
       end

data/lib/inspec/input_registry.rb

@@ -189,7 +189,11 @@ module Inspec
     def parse_cli_input_value(input_name, given_value)
       value = given_value.chomp(",") # Trim trailing comma if any
       case value
-      when /^true|false$/i
+      # Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
+      # This prevents potential bypass issues with multi-line input and ensures the entire string
+      # is exactly "true" or "false", enhancing security when dealing with untrusted input.
+      # Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
+      when /\A(true|false)\z/i
         value = !!(value =~ /true/i)
       when /^-?\d+$/
         value = value.to_i

data/lib/inspec/profile.rb

@@ -291,7 +291,7 @@ module Inspec
       ## Find the waivers file
       # - TODO: cli_opts and instance_variable_get could be exposed
       waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
-      if waiver_paths.blank?
+      if waiver_paths.nil? || waiver_paths.empty?
         Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
         Inspec::UI.new.exit(:usage_error)
       end
@@ -319,7 +319,7 @@ module Inspec
         # be processed and rendered
         tests.each do |control_filename, source_code|
           cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
-            next if element.blank?
+            next if element.nil? || element.empty?
 
             if element&.match?(waived_control_id_regex)
               splitlines = element.split("\n")

data/lib/inspec/reporters/cli.rb

@@ -317,7 +317,7 @@ module Inspec::Reporters
       not_applicable = 0
 
       all_unique_controls.each do |control|
-        next if control[:status].blank?
+        next if control[:status].nil? || control[:status].empty?
 
         if control[:status] == "failed"
           failed += 1

data/lib/inspec/resources/nftables.rb

@@ -135,7 +135,20 @@ module Inspec::Resources
       cmd = inspec.command(nftables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+      # https://github.com/inspec/inspec/security/code-scanning/10
+      # Update @nftables_cache with sanitized command output
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n")
+        .reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ } # Reject lines that match certain patterns
+        .map { |line| line.gsub("elements = {", "").gsub("}", "").split(",") } # Use gsub to replace all occurrences of specified strings
+        .flatten # Flatten the array of arrays into a single array
+        .map(&:strip) # Remove leading and trailing whitespace from each element
+        .map { |element| sanitize_input(element) } # Sanitize each element to prevent injection attacks
+    end
+
+    # Method to sanitize input
+    def sanitize_input(input)
+      # Replace potentially dangerous characters with their escaped counterparts
+      input.gsub(/([\\'";])/, '\\\\\1')
     end
 
     def retrieve_chain_rules

data/lib/inspec/resources/oracledb_session.rb

@@ -96,8 +96,7 @@ module Inspec::Resources
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
       else
-        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
-        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        escaped_query = escape_query(query)
         verified_query = verify_query(escaped_query)
       end
 
@@ -134,11 +133,21 @@ module Inspec::Resources
       query
     end
 
+    def escape_query(query)
+      # https://github.com/inspec/inspec/security/code-scanning/7
+      # https://github.com/inspec/inspec/security/code-scanning/8
+      escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
+      escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
+      escaped_query
+    end
+
     def parse_csv_result(stdout)
       output = stdout.split("oracle_query_string")[-1]
       # comma_query_sub replaces the csv delimiter "," in the output.
       # Handles CSV parsing of data like this (DROP,3) etc
-      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
+      # Replace all occurrences of the target pattern using gsub instead of sub
+      # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
+      output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
         next if row.entries.flatten.empty?

data/lib/inspec/resources/ssh_config.rb

@@ -38,16 +38,13 @@ module Inspec::Resources
 
     def convert_hash(hash)
       new_hash = {}
-      hash.each do |k, v|
-        new_hash[k.downcase] ||= v
-      end
+      hash.each { |k, v| new_hash[k.downcase] ||= v }
       new_hash
     end
 
     def method_missing(name)
       param = read_params[name.to_s.downcase]
       return nil if param.nil?
-      # extract first value if we have only one value in array
       return param[0] if param.length == 1
 
       param
@@ -73,11 +70,12 @@ module Inspec::Resources
       return @params if defined?(@params)
       return @params = {} if read_content.nil?
 
-      conf = SimpleConfig.new(
-        read_content,
-        assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
-        multiple_values: true
-      )
+      conf =
+        SimpleConfig.new(
+          read_content,
+          assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
+          multiple_values: true
+        )
       @params = convert_hash(conf.params)
     end
 
@@ -121,4 +119,97 @@ module Inspec::Resources
       "/etc/ssh/#{type}"
     end
   end
+
+  class SshdActiveConfig < SshdConfig
+    name "sshd_active_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the sshd_active_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
+    example <<~EXAMPLE
+      describe sshd_active_config do
+        its('Protocol') { should eq '2' }
+      end
+    EXAMPLE
+
+    attr_reader :active_path
+
+    def initialize
+      @active_path = dynamic_sshd_config_path
+      super(@active_path)
+    end
+
+    def to_s
+      "SSHD Active Configuration (active path: #{@conf_path})"
+    end
+
+    private
+
+    def ssh_config_file(type)
+      if inspec.os.windows?
+        programdata = inspec.os_env("programdata").content
+        return "#{programdata}\\ssh\\#{type}"
+      end
+
+      "/etc/ssh/#{type}"
+    end
+
+    def dynamic_sshd_config_path
+      if inspec.os.windows?
+        script = <<-EOH
+          $sshdPath = (Get-Command sshd.exe).Source
+          if ($sshdPath -ne $null) {
+            Write-Output $sshdPath
+          } else {
+            Write-Error "sshd.exe not found"
+          }
+        EOH
+        sshd_path_result = inspec.powershell(script).stdout.strip
+        sshd_path = "\"#{sshd_path_result}\""
+        if !sshd_path_result.empty? && sshd_path_result != "sshd.exe not found"
+          command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+          dynamic_path =
+            command_output
+              .lines
+              .find { |line| line.include?("filename") }
+              &.split("filename")
+              &.last
+              &.strip
+          env_var_name = dynamic_path.match(/__(.*?)__/)[1]
+          if env_var_name?
+            dynamic_path =
+              dynamic_path.gsub(
+                /__#{env_var_name}__/,
+                inspec.os_env(env_var_name).content
+              )
+          end
+        else
+          Inspec::Log.error("sshd.exe not found using PowerShell script block.")
+          return nil
+        end
+      elsif inspec.os.unix?
+        sshd_path = "/usr/sbin/sshd"
+        command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+        dynamic_path =
+          command_output
+            .lines
+            .find { |line| line.include?("filename") }
+            &.split("filename")
+            &.last
+            &.strip
+      else
+        Inspec::Log.error(
+          "Unable to determine sshd configuration path on Windows using -T flag."
+        )
+        return nil
+      end
+
+      if dynamic_path.nil? || dynamic_path.empty?
+        Inspec::Log.warn(
+          "No active SSHD configuration found. Using default configuration."
+        )
+        return ssh_config_file("sshd_config")
+      end
+      dynamic_path
+    end
+  end
 end