inspec-core 6.8.1 → 6.8.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 935114b2bfd94c210bbaa34c7dcb77185f41d3fe40f2460f0cc202fc81bcf229
-  data.tar.gz: 1b32490bab8349155734d036c8690460436c13531318427a1a7cbbe4d1556479
+  metadata.gz: '06894dd5c2b09dac3432041d74b257a5b25dd00c9c0a2d623e7343e6a651e1b6'
+  data.tar.gz: 20592025afc13ecdcae95fcde514b8bc4b5855358e93dcef24365d15aa773eb1
 SHA512:
-  metadata.gz: ebc7bfa5348adaf7ef7f6fa066ced78691167acb491fa1d30dc70fba35125f7b44d9598be47b4868c280796e902e86ca8efcac1d4a71f294b5725b6f3c80a813
-  data.tar.gz: 426261a3570f1db8a1a99f0a07cd6f92eea754943c4d6e904b8a73f7e7dea49bc1758989d94047ca1689efa1c78d2149ca532c345e380c595e103e799f29c1d4
+  metadata.gz: 2d0a1749cfa6f3d1f517f31e5bc722f85ad5ecf8dd4d155df88afcc41c76c93ba21bba3749b534fd1515a724af17bedc706755606a4a3c109a655ef891bc0e0d
+  data.tar.gz: 2f0b14a4f79fad859d931a8d0427d88306beb44b7b4f8698910a053d383ebc05a28b9b440c7164cfd5f712d56ba08aeb35afa51b21ef1c5f157b4fb525dd2d3c

data/etc/deprecations.json

@@ -73,6 +73,11 @@
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0."
     },
+    "core_resource_moved_to_rp": {
+      "action": "warn",
+      "suffix": "This resource will be moved to a separate resource pack. Additional details will be provided with the InSpec 7 release.",
+      "comment": "Deprecation notice for core resource which are getting moved to resource packs."
+    },
     "resource_iis_website": {
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0.",

data/lib/inspec/base_cli.rb

@@ -54,6 +54,9 @@ module Inspec
       rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
         Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without valid licenses."
         Inspec::UI.new.exit(:license_not_set)
+      rescue ChefLicensing::SoftwareNotEntitled
+        Inspec::Log.error "License is not entitled to use InSpec."
+        Inspec::UI.new.exit(:license_not_entitled)
       rescue ChefLicensing::Error => e
         Inspec::Log.error e.message
         Inspec::UI.new.exit(:usage_error)

data/lib/inspec/dsl.rb

@@ -2,6 +2,7 @@
 require "inspec/log"
 require "inspec/plugin/v2"
 require "inspec/utils/deprecated_cloud_resources_list"
+require "inspec/utils/deprecated_core_resources_list"
 
 module Inspec::DSL
   attr_accessor :backend
@@ -38,6 +39,10 @@ module Inspec::DSL
     return unless backend
 
     begin
+      include DeprecatedCoreResourcesList
+      if CORE_RESOURCES_DEPRECATED.include? id
+        Inspec.deprecate(:core_resource_moved_to_rp, "The resource '#{id}' will not be part of the InSpec 7 core.")
+      end
       require "inspec/resources/#{id}"
     rescue LoadError => e
       include DeprecatedCloudResourcesList

data/lib/inspec/input_registry.rb

@@ -173,7 +173,7 @@ module Inspec
             raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
           end
         end
-        pair = pair.match(/(.*?)=(.*)/)
+        pair = pair.match(/^([^=]+)=(.*)$/)
         input_name, input_value = pair[1], pair[2]
         input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(

data/lib/inspec/reporters/automate.rb

@@ -66,9 +66,9 @@ module Inspec::Reporters
     # Then it downgrades the 160bit SHA1 to a 128bit
     # then we format it as a valid UUIDv5.
     def uuid_from_string(string)
-      hash = Digest::SHA1.new
+      hash = Digest::SHA256.new
       hash.update(string)
-      ary = hash.digest.unpack("NnnnnN")
+      ary = hash.digest[0, 16].unpack("NnnnnN")
       ary[2] = (ary[2] & 0x0FFF) | (5 << 12)
       ary[3] = (ary[3] & 0x3FFF) | 0x8000
       # rubocop:disable Style/FormatString

data/lib/inspec/resources/auditd.rb

@@ -193,7 +193,7 @@ module Inspec::Resources
     #
     # @return [Array[String,String]]
     def action_list_for(line)
-      action_list = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+      action_list = line.scan(/-a ([^,\s]+),([^,\s]+)(?:\s|$)/).flatten
 
       # Actions and lists can be in either order
       valid_actions = %w{never always}

data/lib/inspec/resources/oracledb_session.rb

@@ -57,7 +57,7 @@ module Inspec::Resources
       inspec_cmd = inspec.command(command)
       out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
 
-      if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
+      if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/
         raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
       else
         begin
@@ -134,10 +134,8 @@ module Inspec::Resources
     end
 
     def escape_query(query)
-      # https://github.com/inspec/inspec/security/code-scanning/7
-      # https://github.com/inspec/inspec/security/code-scanning/8
-      escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
-      escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
+      escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+      escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
       escaped_query
     end
 
@@ -145,9 +143,8 @@ module Inspec::Resources
       output = stdout.split("oracle_query_string")[-1]
       # comma_query_sub replaces the csv delimiter "," in the output.
       # Handles CSV parsing of data like this (DROP,3) etc
-      # Replace all occurrences of the target pattern using gsub instead of sub
-      # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
-      output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
+
+      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
         next if row.entries.flatten.empty?

data/lib/inspec/resources/port.rb

@@ -300,7 +300,7 @@ module Inspec::Resources
     def parse_netstat_line(line)
       # parse each line
       # 1 - Socket, 2 - Proto, 3 - Receive-Q, 4 - Send-Q, 5 - Local address, 6 - Foreign Address, 7 - State
-      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)/.match(line)
+      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(\S+)$/.match(line)
       return {} if parsed.nil?
 
       # parse ip4 and ip6 addresses
@@ -488,7 +488,7 @@ module Inspec::Resources
       # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - User, 8 - Inode, 9 - PID/Program name
       # * UDP lines have an empty State column and the Busybox variant lacks
       # the User and Inode columns.
-      reg =  /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(\S+)?\s+((\S+)\s+(\S+)\s+)?(?<pid_prog>\S+)/
+      reg = /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(?:\S+\s+){0,2}(?<pid_prog>\S+)$/
       parsed = reg.match(line)
 
       return {} if parsed.nil? || line.match(/^proto/i)

data/lib/inspec/resources/postgres_session.rb

@@ -1,7 +1,7 @@
 # copyright: 2015, Vulcano Security GmbH
 
 require "shellwords" unless defined?(Shellwords)
-
+require "cgi" unless defined?(CGI)
 module Inspec::Resources
   class Lines
     attr_reader :output, :exit_status
@@ -55,7 +55,7 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && (out.downcase =~ /error:/ || out.downcase =~ /fatal:/)
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
         Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
@@ -74,6 +74,10 @@ module Inspec::Resources
       Shellwords.escape(query)
     end
 
+    def encoded_password(password)
+      CGI.escape(password)
+    end
+
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
 
@@ -82,14 +86,14 @@ module Inspec::Resources
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
         option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
+        "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?
           warn "Socket based connection not supported in windows, connecting using host" if @socket_path
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
         else
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
         end
       end
     end

data/lib/inspec/resources/yum.rb

@@ -121,7 +121,7 @@ module Inspec::Resources
     # extracts the shortname from a repo id
     # e.g. extras/7/x86_64 -> extras
     def shortname(id)
-      val = %r{^\s*([^/]*?)/(.*?)\s*$}.match(id)
+      val = %r{^([^/]+)/.*$}.match(id)
       val.nil? ? nil : val[1]
     end
 

data/lib/inspec/runner.rb

@@ -168,7 +168,16 @@ module Inspec
     end
 
     def run(with = nil)
-      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
+      product_dist_name = Inspec::Dist::PRODUCT_NAME
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        if Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
+          product_dist_name = "Chef Workstation"
+          configure_licensing_config_for_kitchen(@conf)
+          # Persist the license key in file when passed via test-kitchen
+          ChefLicensing.fetch_and_persist if @conf[:chef_license_key]
+        end
+        ChefLicensing.check_software_entitlement!
+      end
 
       # Validate if profiles are signed and verified
       # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
@@ -183,8 +192,11 @@ module Inspec
       Inspec::Telemetry.run_starting(runner: self, conf: @conf)
       load
       run_tests(with)
+    rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
+      Inspec::Log.error "#{product_dist_name} cannot execute without valid licenses."
+      Inspec::UI.new.exit(:license_not_set)
     rescue ChefLicensing::SoftwareNotEntitled
-      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::Log.error "License is not entitled to use #{product_dist_name}."
       Inspec::UI.new.exit(:license_not_entitled)
     rescue ChefLicensing::Error => e
       Inspec::Log.error e.message

data/lib/inspec/utils/deprecated_core_resources_list.rb

@@ -0,0 +1,25 @@
+module DeprecatedCoreResourcesList
+  CORE_RESOURCES_DEPRECATED = %i{
+    docker_container
+    docker_image
+    docker_plugin
+    docker_service
+    elasticsearch
+    ibmdb2_conf
+    ibmdb2_session
+    mongodb
+    mongodb_conf
+    mongodb_session
+    podman
+    podman_container
+    podman_image
+    podman_network
+    podman_pod
+    podman_volume
+    rabbitmq_config
+    ssh_config
+    ssh_key
+    sybase_conf
+    sybase_session
+  }.freeze
+end

data/lib/inspec/utils/deprecation/deprecator.rb

@@ -61,7 +61,8 @@ module Inspec
 
         suffix += (" (used at " + opts[:used_at_stack_frame].path + ":" + opts[:used_at_stack_frame].lineno.to_s + ")") if opts.key?(:used_at_stack_frame)
 
-        "DEPRECATION: " + prefix + message + suffix
+        keyword = group.name.to_s == "core_resource_moved_to_rp" ? "CHANGE NOTICE: " : "DEPRECATION: "
+        keyword + prefix + message + suffix
       end
 
       def called_from_control?

data/lib/inspec/utils/licensing_config.rb

@@ -4,6 +4,20 @@ ChefLicensing.configure do |config|
   config.chef_product_name = "InSpec"
   config.chef_entitlement_id = "3ff52c37-e41f-4f6c-ad4d-365192205968"
   config.chef_executable_name = "inspec"
-  config.license_server_url = "https://services.chef.io/licensing"
+  config.license_server_url = ENV["CHEF_LICENSE_SERVER"] || "https://services.chef.io/licensing"
   config.logger = Inspec::Log
 end
+
+def configure_licensing_config_for_kitchen(opts = {})
+  ChefLicensing.configure do |config|
+    # Reset entitlement ID to the ID of Chef Workstation
+    config.chef_entitlement_id = "x6f3bc76-a94f-4b6c-bc97-4b7ed2b045c0"
+    # Reset Chef License server via kitchen when passed in kitchen.yml
+    opts["chef_license_server"] = opts["chef_license_server"].join(",") if opts["chef_license_server"].is_a? Array
+    unless opts["chef_license_server"].nil? || opts["chef_license_server"].empty?
+      ENV["CHEF_LICENSE_SERVER"] = opts["chef_license_server"]
+    end
+  end
+  # Reset Chef License key via kitchen when passed in kitchen.yml
+  ENV["CHEF_LICENSE_KEY"] = opts["chef_license_key"] if opts["chef_license_key"]
+end

data/lib/inspec/utils/parser.rb

@@ -72,15 +72,23 @@ module Inspec
         if includes_whitespaces?(mount_line)
           # Device-/Sharenames and Mountpoints including whitespaces require special treatment:
           # We use the keyword ' type ' to split up and rebuild the desired array of fields
-          type_split = mount_line.split(" type ")
-          fs_path = type_split[0]
-          other_opts = type_split[1]
-          fs, path = fs_path.match(%r{^(.+?)\son\s(/.+?)$}).captures
+          # Split the mount line by the keyword ' type '
+          fs_path, other_opts = mount_line.split(" type ", 2)
+
+          # Manually split fs_path into the filesystem and path parts
+          fs, path = fs_path.split(" on ", 2)
+
+          # Start building the mount array
           mount = [fs, "on", path, "type"]
-          mount.concat(other_opts.scan(/\S+/))
+
+          # Split the remaining options by spaces
+          other_opts = other_opts.split(/\s+/)
+
+          # Concatenate the options to the mount array
+          mount.concat(other_opts)
         else
-          # ... otherwise we just split the fields by whitespaces
-          mount = mount_line.scan(/\S+/)
+          # If no whitespace, simply split by spaces
+          mount = mount_line.split(/\s+/)
         end
 
         # parse device and type
@@ -109,8 +117,10 @@ module Inspec
 
       # Device-/Sharename or Mountpoint includes whitespaces?
       def includes_whitespaces?(mount_line)
-        ws = mount_line.match(/^(.+)\son\s(.+)\stype\s.*$/)
-        ws.captures[0].include?(" ") || ws.captures[1].include?(" ")
+        # Split the mount_line by " on "
+        parts = mount_line.split(" on ")
+        # Check if either part contains spaces
+        parts.any? { |part| part.include?(" ") }
       end
     end
 

data/lib/inspec/utils/telemetry/http.rb

@@ -6,11 +6,8 @@ module Inspec
   class Telemetry
     class HTTP < Base
       TELEMETRY_JOBS_PATH = "v1/job"
-      TELEMETRY_URL = if ChefLicensing::Config.license_server_url&.match?("acceptance")
-                        ENV["CHEF_TELEMETRY_URL"]
-                      else
-                        "https://services.chef.io/telemetry/"
-                      end
+      # Allow dev/CI to override the telemetry URL to a staging service
+      TELEMETRY_URL = ENV["CHEF_TELEMETRY_URL"] || "https://services.chef.io/telemetry/"
       def run_ending(opts)
         payload = super
         response = connection.post(TELEMETRY_JOBS_PATH) do |req|

data/lib/inspec/utils/telemetry.rb

@@ -18,10 +18,12 @@ module Inspec
       # Don't perform telemetry action for other InSpec distros
       # Don't perform telemetry action if running under Automate - Automate does LDC tracking for us
       # Don't perform telemetry action if license is a commercial license
+      # Don't perform telemetry action if running under Test Kitchen
 
       if Inspec::Dist::EXEC_NAME != "inspec" ||
           Inspec::Telemetry::RunContextProbe.under_automate? ||
-          license&.license_type&.downcase == "commercial"
+          license&.license_type&.downcase == "commercial" ||
+          Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
 
         Inspec::Log.debug "Determined telemetry operation is not applicable and hence aborting it."
         return Inspec::Telemetry::Null

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "6.8.1".freeze
+  VERSION = "6.8.24".freeze
 end

data/lib/plugins/inspec-compliance/README.md

@@ -14,8 +14,18 @@ To use the CLI, this InSpec add-on adds the following commands:
  * `$ inspec automate profiles` - list all available Compliance profiles
  * `$ inspec exec compliance://profile` - runs a Compliance profile
  * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec automate upload path/to/local/profile --legacy` - uploads a local profile to Chef Automate/Chef Compliance using legacy functionalities of inspec check and inspec export
+
+    *Options*:
+    ```
+      [--overwrite], [--no-overwrite]  # Overwrite existing profile on Server.
+      [--owner=OWNER]                  # Owner that should own the profile
+      [--legacy], [--no-legacy]        # Enable legacy functionality, activating both legacy export and legacy check.
+
+    uploads a local profile to Chef Automate
+    ```
  * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
- 
+
  Similar to these CLI commands are:
 
  * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -136,6 +136,8 @@ module InspecPlugins
         desc: "Overwrite existing profile on Server."
       option :owner, type: :string, required: false,
         desc: "Owner that should own the profile"
+      option :legacy, type: :boolean, default: false,
+        desc: "Enable legacy functionality, activating both legacy export and legacy check."
       def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
         Inspec.with_feature("inspec-cli-compliance-upload") {
           config = InspecPlugins::Compliance::Configuration.new
@@ -169,7 +171,7 @@ module InspecPlugins
             puts msg
           }
 
-          result = profile.check
+          result = options["legacy"] ? profile.legacy_check : profile.check
           unless result[:summary][:valid]
             error.call("Profile check failed. Please fix the profile before upload.")
           else
@@ -205,7 +207,7 @@ module InspecPlugins
             generated = true
             archive_path = Dir::Tmpname.create([profile_name, ".tar.gz"]) {}
             puts "Generate temporary profile archive at #{archive_path}"
-            profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
+            profile.archive({ output: archive_path, ignore_errors: false, overwrite: true, legacy_export: options["legacy"] })
           else
             archive_path = path
           end

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -425,8 +425,10 @@ module InspecPlugins
                  "our apologies for the misunderstanding, and open an issue " \
                  "at https://github.com/inspec/inspec/issues/new")
         ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
-      rescue Inspec::Plugin::V2::InstallError
-        raise if Inspec::Log.level == :debug
+      rescue Inspec::Plugin::V2::InstallError => e
+        # This change is compatible with various versions of Ruby, including Ruby 3.3
+        # Using Inspec::Log::level breaks with error `undefined method nil` in Ruby log library
+        Inspec::Log.debug e.backtrace
 
         results = installer.search(plugin_name, exact: true)
         source_host = URI(options[:source] || "https://rubygems.org/").host

data/lib/source_readers/inspec.rb

@@ -66,7 +66,7 @@ module SourceReaders
     end
 
     def load_readme
-      load_all(/README.md/)
+      load_all(/README(\.md)?$/)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 6.8.1
+  version: 6.8.24
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-25 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -734,6 +734,7 @@ files:
 - lib/inspec/utils/convert.rb
 - lib/inspec/utils/database_helpers.rb
 - lib/inspec/utils/deprecated_cloud_resources_list.rb
+- lib/inspec/utils/deprecated_core_resources_list.rb
 - lib/inspec/utils/deprecation.rb
 - lib/inspec/utils/deprecation/config_file.rb
 - lib/inspec/utils/deprecation/deprecator.rb