inspec-core 6.8.24 → 7.0.95

data/lib/inspec/runner.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "forwardable" unless defined?(Forwardable)
 require "uri" unless defined?(URI)
@@ -115,7 +117,8 @@ module Inspec
         next unless profile.supports_platform?
 
         write_lockfile(profile) if @create_lockfile
-        profile.locked_dependencies
+        # TODO: InSpec 8: Replace with Profile OnLoad event handling
+        profile.locked_dependencies # Only need to do this once, this recurses down
         profile.load_gem_dependencies
         profile_context = profile.load_libraries
 
@@ -125,6 +128,9 @@ module Inspec
              " on unsupported platform: '#{@backend.platform.name}/#{@backend.platform.release}'."
             next
           end
+          # TODO: InSpec 8: Replace with Profile OnLoad event handling
+          requirement.profile.load_gem_dependencies
+          requirement.profile.load_libraries
           @test_collector.add_profile(requirement.profile)
         end
 

data/lib/inspec/source_reader.rb

@@ -24,3 +24,5 @@ end
 
 require "source_readers/inspec"
 require "source_readers/flat"
+require "source_readers/gem"
+

data/lib/inspec/ui.rb

@@ -39,6 +39,7 @@ module Inspec
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101
     EXIT_TERMINATED_BY_CTL_C = 130
+    EXIT_GEM_DEPENDENCY_NOT_FOUND = 201
 
     attr_reader :io
 

data/lib/inspec/utils/deprecated_core_resources_list.rb

@@ -10,6 +10,8 @@ module DeprecatedCoreResourcesList
     mongodb
     mongodb_conf
     mongodb_session
+    opa_api
+    opa_cli
     podman
     podman_container
     podman_image
@@ -17,8 +19,6 @@ module DeprecatedCoreResourcesList
     podman_pod
     podman_volume
     rabbitmq_config
-    ssh_config
-    ssh_key
     sybase_conf
     sybase_session
   }.freeze

data/lib/inspec/utils/deprecation/config_file.rb

@@ -7,6 +7,7 @@ module Inspec
   module Deprecation
     class ConfigFile
       GroupEntry = Struct.new(:name, :action, :prefix, :suffix, :exit_status)
+      FallbackEntry = Struct.new(:resource_name_regex, :gem_name, :message)
 
       # What actions may you specify to be taken when a deprecation is encountered?
       VALID_ACTIONS = [
@@ -20,7 +21,7 @@ module Inspec
       # and pass validation.
       VALID_GROUP_FIELDS = %w{action suffix prefix exit_status comment}.freeze
 
-      attr_reader :groups, :unknown_group_action
+      attr_reader :fallback_resource_packs, :groups, :unknown_group_action
 
       def initialize(io = nil)
         io ||= open_default_config_io
@@ -31,6 +32,7 @@ module Inspec
         end
 
         @groups = {}
+        @fallback_resource_packs = []
         @unknown_group_action = :warn
         validate!
         silence_deprecations_from_cli
@@ -83,14 +85,25 @@ module Inspec
         @raw_data["groups"].each do |group_name, group_info|
           validate_group_entry(group_name, group_info)
         end
+
+        unless @raw_data.key?("fallback_resource_packs")
+          raise Inspec::Deprecation::InvalidConfigFileError, "Missing fallback_resource_packs field"
+        end
+        unless @raw_data["fallback_resource_packs"].is_a?(Hash)
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs field must be a Hash"
+        end
+
+        @raw_data["fallback_resource_packs"].each do |fallback_pat, fallback_info|
+          validate_fallback(fallback_pat, fallback_info)
+        end
       end
 
       def validate_file_version
         unless @raw_data.key?("file_version")
           raise Inspec::Deprecation::InvalidConfigFileError, "Missing file_version field"
         end
-        unless @raw_data["file_version"] == "1.0.0"
-          raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized file_version '#{@raw_data["file_version"]}' - supported versions: 1.0.0"
+        unless @raw_data["file_version"] == "2.0.0"
+          raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized file_version '#{@raw_data["file_version"]}' - supported versions: 2.0.0"
         end
       end
 
@@ -125,6 +138,29 @@ module Inspec
 
         groups[name.to_sym] = entry
       end
+
+      def validate_fallback(pattern, raw_info)
+        fallback = FallbackEntry.new
+        begin
+          fallback.resource_name_regex = Regexp.new(pattern)
+        rescue RegexpError
+          raise Inspec::Deprecation::InvalidConfigFileError, "Invalid regular expression in resource pack fallback definition '#{pattern}'"
+        end
+
+        unless raw_info["gem"]
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs missing gem name for pattern '#{pattern}'"
+        end
+
+        fallback.gem_name = raw_info["gem"]
+
+        unless raw_info["message"]
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs missing message for pattern '#{pattern}'"
+        end
+
+        fallback.message = raw_info["message"]
+
+        fallback_resource_packs.push fallback
+      end
     end
   end
 end

data/lib/inspec/utils/deprecation/deprecator.rb

@@ -4,11 +4,12 @@ require "inspec/log"
 module Inspec
   module Deprecation
     class Deprecator
-      attr_reader :config, :groups
+      attr_reader :config, :fallback_resource_packs, :groups
 
       def initialize(opts = {})
         @config = Inspec::Deprecation::ConfigFile.new(opts[:config_io])
         @groups = @config.groups
+        @fallback_resource_packs = @config.fallback_resource_packs
       end
 
       def handle_deprecation(group_name, message, opts = {})
@@ -21,6 +22,13 @@ module Inspec
         send(action_method, group_name.to_sym, assembled_message, group)
       end
 
+      # Given a resource name, suggest a gem nam to load and or install
+      def match_gem_for_fallback_resource_name(resource_name)
+        fallback = fallback_resource_packs.find { |fb| fb.resource_name_regex.match(resource_name) }
+        # We have a message here but can't pass it back?
+        fallback&.gem_name
+      end
+
       private
 
       def create_group_entry_for_unknown_group(group_name)
@@ -61,8 +69,7 @@ module Inspec
 
         suffix += (" (used at " + opts[:used_at_stack_frame].path + ":" + opts[:used_at_stack_frame].lineno.to_s + ")") if opts.key?(:used_at_stack_frame)
 
-        keyword = group.name.to_s == "core_resource_moved_to_rp" ? "CHANGE NOTICE: " : "DEPRECATION: "
-        keyword + prefix + message + suffix
+        "DEPRECATION: " + prefix + message + suffix
       end
 
       def called_from_control?

data/lib/inspec/utils/simpleconfig.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "inspec/utils/parser"
 require "hashie"

data/lib/inspec/utils/telemetry/run_context_probe.rb

@@ -26,8 +26,11 @@ module Inspec
       end
 
       def self.run_by_thor?(stack)
-        stack_match(stack: stack, path: "thor/command", label: "run") &&
-          stack_match(stack: stack, path: "thor/invocation", label: "invoke_command")
+        # Handled in both ways to fix label differences for Ruby 3.4 and other versions of Ruby
+        (stack_match(stack: stack, path: "thor/command", label: "Thor::Command#run") &&
+          stack_match(stack: stack, path: "thor/invocation", label: "Thor::Invocation#invoke_command")) ||
+          (stack_match(stack: stack, path: "thor/command", label: "run") &&
+            stack_match(stack: stack, path: "thor/invocation", label: "invoke_command"))
       end
 
       def self.kitchen?(stack)

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "6.8.24".freeze
+  VERSION = "7.0.95".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -5,6 +5,8 @@ require "inspec/utils/waivers/json_file_reader"
 module Inspec
   class WaiverFileReader
 
+    SUPPORTED_FILE_EXTENSION = %w{.yaml .yml .csv .json}.freeze
+
     def self.fetch_waivers_by_profile(profile_id, files)
       read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
       @waivers_data[profile_id]
@@ -15,14 +17,10 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        data = read_from_file(file_path)
-        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+        next unless valid_waiver_file?(file_path)
 
-        if data.nil?
-          raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file." \
-              "Check to make sure file has the appropriate extension."
-        end
+        data = parse_waiver_file(file_path)
+        output.merge!(data) if data.is_a?(Hash)
       rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
         Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
         Inspec::UI.new.exit(:usage_error)
@@ -31,21 +29,38 @@ module Inspec
       @waivers_data[profile_id] = output
     end
 
-    def self.read_from_file(file_path)
-      data = nil
-      file_extension = File.extname(file_path)
-      if [".yaml", ".yml"].include? file_extension
-        data = Secrets::YAML.resolve(file_path)
-        data = data.inputs unless data.nil?
+    def self.valid_waiver_file?(file_path)
+      # Check if the file is readable
+      file_extension = File.extname(file_path).downcase
+      unless SUPPORTED_FILE_EXTENSION.include?(file_extension)
+        raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Unsupported file extension for '#{file_path}'. Allowed waiver file extensions: #{SUPPORTED_FILE_EXTENSION.join(", ")}"
+      end
+
+      # Check if the file is empty
+      if File.zero?(file_path)
+        Inspec::Log.warn "Waivers file '#{file_path}' is empty. Skipping waivers."
+        return false
+      end
+
+      true
+    end
+
+    def self.parse_waiver_file(file_path)
+      file_extension = File.extname(file_path).downcase
+
+      case file_extension
+      when ".yaml", ".yml"
+        data = Secrets::YAML.resolve(file_path)&.inputs
         validate_json_yaml(data)
-      elsif file_extension == ".csv"
+      when ".csv"
         data = Waivers::CSVFileReader.resolve(file_path)
-        headers = Waivers::CSVFileReader.headers
-        validate_csv_headers(headers)
-      elsif file_extension == ".json"
+        validate_csv_headers(Waivers::CSVFileReader.headers)
+      when ".json"
         data = Waivers::JSONFileReader.resolve(file_path)
-        validate_json_yaml(data) unless data.nil?
+        validate_json_yaml(data)
       end
+
       data
     end
 
@@ -81,6 +96,8 @@ module Inspec
     end
 
     def self.validate_json_yaml(data)
+      return if data.nil?
+
       missing_required_field = false
       data.each do |key, value|
         # In case of yaml or json we need to validate headers/parametes for each value

data/lib/inspec.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -426,7 +426,7 @@ module InspecPlugins
                  "at https://github.com/inspec/inspec/issues/new")
         ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
       rescue Inspec::Plugin::V2::InstallError => e
-        # This change is compatible with various versions of Ruby, including Ruby 3.3
+        # This change is required for Ruby 3.3 upgrade
         # Using Inspec::Log::level breaks with error `undefined method nil` in Ruby log library
         Inspec::Log.debug e.backtrace
 

data/lib/plugins/shared/core_plugin_test_helper.rb

@@ -12,7 +12,7 @@ require "tmpdir" unless defined?(Dir.mktmpdir)
 require "pathname" unless defined?(Pathname)
 require "forwardable" unless defined?(Forwardable)
 
-require "functional/helper"
+require_relative "../../../test/functional/helper"
 require "inspec/plugin/v2"
 
 # Configure Minitest to expose things like `let`

data/lib/source_readers/gem.rb

@@ -0,0 +1,67 @@
+require "inspec/fetcher"
+require "inspec/metadata"
+
+module SourceReaders
+  class GemReader < Inspec.source_reader(1)
+    name "gem"
+    priority 20
+
+    def self.resolve(target)
+      return new(target) unless target.files.grep(/gemspec/).empty?
+
+      nil
+    end
+
+    attr_reader :metadata, :metadata_src, :tests, :libraries, :data_files, :target, :readme
+
+    # This creates a new instance of an InSpec Gem-packaged profile source reader
+    # As of July 2024 only resource packs, not controls, may be packaged as gems
+    #
+    # @param [FileProvider] target An instance of a FileProvider object that can list files and read them
+    def initialize(target)
+      @target     = target
+      @metadata   = load_metadata(target.files.grep("inspec.yml").first)
+      @tests      = {} # TODO - one day support controls?
+      @libraries  = load_libs
+      @data_files = {}
+      @readme     = load_readme
+    end
+
+    private
+
+    def load_metadata(metadata_source)
+      @metadata_src = @target.read(metadata_source)
+      Inspec::Metadata.from_ref(
+        metadata_source,
+        @metadata_src,
+        nil
+      )
+    rescue Psych::SyntaxError => e
+      raise "Unable to parse inspec.yml: line #{e.line}, #{e.problem} #{e.context}"
+    rescue => e
+      raise "Unable to parse #{metadata_source}: #{e.class} -- #{e.message}"
+    end
+
+    def find_all(regexp)
+      @target.files.grep(regexp)
+    end
+
+    def load_all(regexp)
+      find_all(regexp)
+        .map { |path| file = @target.read(path); [path, file] if file }
+        .compact
+        .to_h
+    end
+
+    def load_libs
+      # Legacy resource packs (inspec-gcp, inspec-aws, etc) have resources in old locations
+      load_all(%r{^libraries/.*\.rb$})
+      # New resource packs have them here
+      load_all(%r{^lib/.*/resources/.*\.rb$})
+    end
+
+    def load_readme
+      load_all(/README.md/)
+    end
+  end
+end