inspec-core 7.0.95 → 7.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e160d7044fa022329cb438d770054bb63107b59f219030464c709f6b1dcda93
-  data.tar.gz: 1dc6673dc552f75cb9b8671b0a466feb2c818f069112fac69aa63b1de568ef54
+  metadata.gz: d615f8a9108fd5631217d136cb8b29e8d1c44f6b049a53c2618907df84876fa8
+  data.tar.gz: 7745773bd58acc11ac0d8acc9cf7c7e3d1bcb945556a6686514d441a6b8375e0
 SHA512:
-  metadata.gz: a389860f421bec680c4db4462fc4cf5765073661cc1154f5fe57e823f7b4f33b10d1ecd22fb286d3a50cd467170645d460ba80b96515331bd2aec9eaa80d8579
-  data.tar.gz: 6133800736ed63493d37bca5b3727740b1a1ab7eadb9919ffc8b728f021604a9dd7bf1d1b388169566bc4e484b3fb2fc26845e05769f1dc2afa26f530fddf7a0
+  metadata.gz: 4aad4bdd8864cb072120a838b7e342d4d667f24d30cb1a160627f125d6ab9968888f6dc30b0391fed5241afc81c75c4d3bea5868fa6d8f0b26e2847c899d1885
+  data.tar.gz: a2f4f3c01f19816fd77c65db3ac2a737d23093d71dac78ee82bbede8b39816f18efc6f94a5f7ae718533f065f9b87e9f577eeb42545f4b3fc5f75e4880ef8f98

data/Gemfile

@@ -43,11 +43,14 @@ group :test do
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest"
+  # Ruby 3.4+ extracts minitest-mock to a separate gem (bundled gem)
+  # Adding unconditionally as it's compatible with all Ruby versions
+  gem "minitest-mock"
   gem "mocha"
   gem "nokogiri"
   gem "pry-byebug"
   gem "pry"
-  gem "rake"
+  gem "rake", ">= 12.3.3"
   gem "simplecov"
   gem "simplecov_json_formatter"
   gem "webmock"

data/inspec-core.gemspec

@@ -50,7 +50,7 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "tty-table",                "~> 0.10"
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.3", "< 2.1"
-  spec.add_dependency "addressable",              "~> 2.4"
+  spec.add_dependency "addressable",              "~> 2.9"
   spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
@@ -68,7 +68,7 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", "~> 3.13", ">= 3.13.4"
+  spec.add_dependency "train-core", "~> 3.16", ">= 3.16.1"
   # Minimum major version 1 is required for Chef licensing telemetry
   spec.add_dependency "chef-licensing", ">= 1.2.0"
 end

data/lib/inspec/iaf_file.rb

@@ -45,7 +45,7 @@ module Inspec
 
     def self.fetch_validation_key_from_github(keyname)
       URI.open("https://raw.githubusercontent.com/inspec/inspec/main/etc/keys/#{keyname}.pem.pub") do |r|
-        puts "Fetching validation key '#{keyname}' from github"
+        Inspec::Log.debug "Fetching validation key '#{keyname}' from github"
         dir = File.join(Inspec.config_dir, "keys")
         FileUtils.mkdir_p dir
         key_file = File.join(dir, "#{keyname}.pem.pub")

data/lib/inspec/reporters/json.rb

@@ -55,6 +55,11 @@ module Inspec::Reporters
     def extract_resource_id(r)
       # According to the RunData API, this is supposed to be an anonymous
       # class that represents a resource, with embedded instance methods....
+      # Prefer resource object if present and exposes resource_id
+      resource_candidate = r[:resource]
+      return resource_candidate.resource_id if resource_candidate.respond_to?(:resource_id)
+
+      # Fall back to resource_title
       resource_obj = r[:resource_title]
       return resource_obj.resource_id if resource_obj.respond_to?(:resource_id)
 
@@ -62,8 +67,13 @@ module Inspec::Reporters
       if resource_obj.is_a?(String)
         orig_str = resource_obj
         # Try to trim off the resource class - eg "File /some/path" => "/some/path"
-        trimmed_str = orig_str.sub(/^#{r[:resource_class]}/i, "").strip
-        trimmed_str.empty? ? orig_str : trimmed_str
+        resource_class = r[:resource_class].to_s
+        trimmed_str = orig_str.sub(/^#{Regexp.escape(resource_class)}/i, "").strip
+
+        # Cap the resource_id to a reasonable length to avoid bloating reports
+        max_length = 256
+        candidate = trimmed_str.empty? ? orig_str : trimmed_str
+        candidate.length > max_length ? candidate[0, max_length] : candidate
       else
         # Boo, InSpec is crazy, and we don't know what it possibly could be.
         # Failsafe for resource_id is empty string.

data/lib/inspec/resources/mssql_session.rb

@@ -30,9 +30,15 @@ module Inspec::Resources
         its('value') { should_not be_empty }
         its('value') { should cmp == 1 }
       end
+
+      # Trust the SQL Server TLS certificate when using sqlcmd
+      sql_tls = mssql_session(user: 'myuser', password: 'mypassword', trust_server_certificate: true)
+      describe sql_tls.query(\"SELECT SERVERPROPERTY('ProductVersion') as \\\"version\\\";\").row(0).column('version') do
+        its('value') { should_not be_empty }
+      end
     EXAMPLE
 
-    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name
+    attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name, :trust_server_certificate
     def initialize(opts = {})
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
@@ -46,6 +52,7 @@ module Inspec::Resources
       end
       @instance = opts[:instance]
       @db_name = opts[:db_name]
+      @trust_server_certificate = !!opts[:trust_server_certificate] # rubocop:disable Style/DoubleNegation
 
       # check if sqlcmd is available
       raise Inspec::Exceptions::ResourceSkipped, "sqlcmd is missing" unless inspec.command("sqlcmd").exist?
@@ -57,6 +64,7 @@ module Inspec::Resources
       escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$')
       # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
       cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
+      cmd_string += " -C" if trust_server_certificate?
       cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
       cmd_string += " -d '#{@db_name}'" unless @db_name.nil?
       unless local_mode?
@@ -94,6 +102,10 @@ module Inspec::Resources
       !!@local_mode # rubocop:disable Style/DoubleNegation
     end
 
+    def trust_server_certificate?
+      @trust_server_certificate
+    end
+
     def test_connection
       !query("select getdate()").empty?
     end

data/lib/inspec/resources/oracledb_session.rb

@@ -13,14 +13,29 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the oracledb_session InSpec resource to test commands against an Oracle database"
     example <<~EXAMPLE
+      # Using password
       sql = oracledb_session(user: 'my_user', pass: 'password')
       describe sql.query(\"SELECT UPPER(VALUE) AS VALUE FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_SYS_OPERATIONS'\").row(0).column('value') do
         its('value') { should eq 'TRUE' }
       end
+
+      # CHEF-28019: Using TNS alias (recommended for TCPS/SSL connections)
+      sql = oracledb_session(
+        user: 'my_user',
+        password: 'password',
+        tns_alias: 'MYDB_TCPS',
+        env: {
+          'TNS_ADMIN' => '/path/to/tnsnames',
+          'LD_LIBRARY_PATH' => '/opt/oracle/instantclient'
+        }
+      )
+      describe sql.query('SELECT * FROM dual').row(0).column('dummy') do
+        its('value') { should eq 'X' }
+      end
     EXAMPLE
 
     attr_reader :bin, :db_role, :host, :password, :port, :service,
-                :su_user, :user
+                :su_user, :user, :tns_alias, :env_vars
 
     def initialize(opts = {})
       @user = opts[:user]
@@ -37,6 +52,11 @@ module Inspec::Resources
       @db_role = opts[:as_db_role]
       @sqlcl_bin = opts[:sqlcl_bin] || nil
       @sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
+
+      # CHEF-28019: Support for TNS alias and environment variables
+      @tns_alias = opts[:tns_alias]
+      @env_vars = opts[:env] || {}
+
       skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
       fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
     end
@@ -77,8 +97,10 @@ module Inspec::Resources
     end
 
     def resource_id
-      if @user
-        "#{@host}-#{@port}-#{@user}"
+      if @tns_alias && !@tns_alias.empty?
+        "#{@tns_alias}-#{@user}" # e.g., "XEPDB1_TCPS-USER"
+      elsif @user
+        "#{@host}-#{@port}-#{@user}" # e.g., "localhost-1521-USER"
       elsif @su_user
         "#{@host}-#{@port}-#{@su_user}"
       else
@@ -88,10 +110,9 @@ module Inspec::Resources
 
     private
 
-    # 3 commands
-    # regular user password
-    # using a db_role
-    # su, using a db_role
+    # CHEF-28019: Build command with support for TNS alias and environment variables
+    # Existing behavior: regular user/password, using db_role, or su with db_role
+    # Added New behavior: TNS alias connections with optional env vars
     def command_builder(format_options, query)
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
@@ -116,7 +137,11 @@ module Inspec::Resources
         sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\n'EOC'} if shell_is_csh
       end
 
-      if @db_role.nil?
+      # CHEF-28019: New path for TNS alias connections
+      if @tns_alias && !@tns_alias.to_s.empty?
+        build_tns_command(format_options, verified_query, oracle_echo_str)
+      # Original paths preserved
+      elsif @db_role.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
         %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
@@ -153,5 +178,35 @@ module Inspec::Resources
         Hashie::Mash.new([revised_row].to_h)
       end
     end
+
+    # CHEF-28019: Build TNS alias command with environment variables
+    def build_tns_command(format_options, verified_query, oracle_echo_str)
+      env_prefix = build_env_prefix
+      connect_string = build_connect_string
+      heredoc_content = "connect #{connect_string}\n#{format_options}\n#{verified_query}\nEXIT"
+
+      if @su_user
+        cmd = %{su - #{@su_user} -c "#{oracle_echo_str} #{env_prefix} #{@bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL"}
+      else
+        cmd = %{#{oracle_echo_str}#{bin} -s /nolog <<'INSPECSQL'\n#{heredoc_content}\nINSPECSQL}
+        cmd = "#{env_prefix} #{cmd}" unless env_prefix.empty?
+      end
+
+      cmd
+    end
+
+    # CHEF-28019: Build Oracle connect string for TNS alias
+    def build_connect_string
+      connect_str = "#{@user}/#{@password}@#{@tns_alias}"
+      connect_str += " as #{@db_role}" if @db_role && !@su_user
+      connect_str
+    end
+
+    # CHEF-28019: Build environment variable prefix
+    def build_env_prefix
+      return "" if @env_vars.nil? || @env_vars.empty?
+
+      @env_vars.map { |k, v| "#{k}='#{v}'" }.join(" ")
+    end
   end
 end

data/lib/inspec/rule.rb

@@ -48,12 +48,23 @@ module Inspec
       return unless block_given?
 
       begin
-        instance_eval(&block)
-
-        # By applying waivers *after* the instance eval, we assure that
-        # waivers have higher precedence than only_if.
+        # Pre-check: apply waivers before evaluating the control block.
+        # If the control is waived with run: false, skip the block entirely
+        # to avoid eager resource evaluation (e.g., `command('find /').stdout`
+        # executing expensive commands for waived controls).
         __apply_waivers
 
+        unless @__skip_rule[:result] && @__skip_rule[:type] == :waiver
+          instance_eval(&block)
+
+          # Re-apply waivers after instance eval. This is a no-op in practice:
+          # run:false waivers are already handled by the pre-check above (the
+          # unless guard prevents instance_eval from running at all), and
+          # run:true / no-run-key waivers do not set a skip flag. Kept for
+          # defensive correctness in case waiver state changes during eval.
+          __apply_waivers
+        end
+
       rescue SystemStackError, StandardError => e
         # We've encountered an exception while trying to eval the code inside the
         # control block. We need to prevent the exception from bubbling up, and

data/lib/inspec/utils/install_context.rb

@@ -6,7 +6,6 @@ module Inspec
     def guess_install_context
       # These all work by simple path recognition
       return "chef-workstation" if chef_workstation_install?
-      return "omnibus" if omnibus_install?
       return "chefdk" if chefdk_install?
       return "habitat" if habitat_install?
 
@@ -19,8 +18,6 @@ module Inspec
       "unknown"
     end
 
-    private
-
     def chef_workstation_install?
       !!(src_root.start_with?("/opt/chef-workstation") || src_root.start_with?("C:/opscode/chef-workstation"))
     end
@@ -38,10 +35,6 @@ module Inspec
       !!src_root.match(%r{hab/pkgs/chef/inspec/\d+\.\d+\.\d+/\d{14}})
     end
 
-    def omnibus_install?
-      !!(src_root.start_with?("/opt/inspec") || src_root.start_with?("C:/opscode/inspec"))
-    end
-
     def rubygem_install?
       !!src_root.match(%r{gems/inspec-\d+\.\d+\.\d+})
     end

data/lib/inspec/utils/profile_ast_helpers.rb

@@ -24,6 +24,37 @@ module Inspec
           @memo = memo
         end
 
+        def extract_node_value(node)
+          case node.class.to_s
+          when "RuboCop::AST::HashNode"
+            # Handle hash nodes
+            values = {}
+            node.children.each do |pair_node|
+              values.merge!(pair_node.key.value => extract_node_value(pair_node.value))
+            end
+            values
+          when "RuboCop::AST::ArrayNode"
+            # Handle array nodes
+            node.children.map { |element| extract_node_value(element) }
+          else
+            # Handle simple nodes (strings, numbers, symbols, booleans, nil, etc.)
+            if node.respond_to?(:type)
+              case node.type
+              when :true
+                true
+              when :false
+                false
+              when :nil
+                nil
+              else
+                node.respond_to?(:value) ? node.value : node
+              end
+            else
+              node.respond_to?(:value) ? node.value : node
+            end
+          end
+        end
+
         def collect_input(input_children)
           input_name = input_children.children[2].value
 
@@ -39,15 +70,9 @@ module Inspec
                 if VALID_INPUT_OPTIONS.include?(child_node.key.value)
                   if child_node.value.class == RuboCop::AST::Node && REQUIRED_VALUES_MAP.key?(child_node.value.type)
                     opts.merge!(child_node.key.value => REQUIRED_VALUES_MAP[child_node.value.type])
-                  elsif child_node.value.class == RuboCop::AST::HashNode
-                    # Here value will be a hash
-                    values = {}
-                    child_node.value.children.each do |grand_child_node|
-                      values.merge!(grand_child_node.key.value => grand_child_node.value.value)
-                    end
-                    opts.merge!(child_node.key.value => values)
                   else
-                    opts.merge!(child_node.key.value => child_node.value.value)
+                    # Use the helper method to recursively extract values from any node type
+                    opts.merge!(child_node.key.value => extract_node_value(child_node.value))
                   end
                 end
               end
@@ -313,8 +338,11 @@ module Inspec
             collectors.push InputCollectorWithinControlBlock.new(@memo)
             collectors.push TestsCollector.new(control_data) if include_tests
 
-            begin_block.each_node do |node_within_control|
-              collectors.each { |collector| collector.process(node_within_control) }
+            # Handle empty control blocks (e.g., control "id" do end)
+            if begin_block
+              begin_block.each_node do |node_within_control|
+                collectors.each { |collector| collector.process(node_within_control) }
+              end
             end
 
             memo[:controls].push control_data

data/lib/inspec/utils/telemetry/base.rb

@@ -48,7 +48,7 @@ module Inspec
         payload = create_wrapper
 
         train_platform = opts[:runner].backend.backend.platform
-        payload[:platform] = train_platform.name
+        payload[:platform] = safe_platform_field(train_platform, :name)
 
         payload[:jobs] = [{
                             type: JOB_TYPE,
@@ -56,10 +56,10 @@ module Inspec
                             # Target platform info
                             environment: {
                               host: obscure(URI(opts[:runner].backend.backend.uri).host) || "unknown",
-                              os: train_platform.name,
-                              version: train_platform.release,
-                              architecture: train_platform.arch || "",
-                              id: train_platform.uuid,
+                              os: safe_platform_field(train_platform, :name) || "unknown",
+                              version: safe_platform_field(train_platform, :release) || "unknown",
+                              architecture: safe_platform_field(train_platform, :arch) || "unknown",
+                              id: safe_platform_field(train_platform, :uuid),
                             },
 
                             runtime: Inspec::VERSION,
@@ -125,6 +125,14 @@ module Inspec
         Digest::SHA2.new(256).hexdigest(cleartext)
       end
 
+      # Safely access platform fields that may not exist
+      def safe_platform_field(platform, field)
+        return nil if platform.nil?
+        return nil unless platform.respond_to?(field)
+
+        platform.send(field)
+      end
+
       def note_per_run_features(opts)
         note_all_invoked_features
         note_gem_dependency_usage(opts)

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "7.0.95".freeze
+  VERSION = "7.1.7".freeze
 end

data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb

@@ -57,7 +57,7 @@ module InspecPlugins
         path = profile.root_path
         logger.debug("Setting up #{path} for Habitat...")
 
-        plan_file = File.join(path, "habitat", "plan.sh")
+        plan_file = File.join(path, "habitat", "x86_64-linux", "plan.sh")
         logger.info("Generating Habitat plan at #{plan_file}...")
         vars = {
           profile: profile,

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -426,7 +426,7 @@ module InspecPlugins
                  "at https://github.com/inspec/inspec/issues/new")
         ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
       rescue Inspec::Plugin::V2::InstallError => e
-        # This change is required for Ruby 3.3 upgrade
+        # This change is compatible with various versions of Ruby, including Ruby 3.3
         # Using Inspec::Log::level breaks with error `undefined method nil` in Ruby log library
         Inspec::Log.debug e.backtrace
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 7.0.95
+  version: 7.1.7
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-10-16 00:00:00.000000000 Z
+date: 2026-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -314,14 +314,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '2.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '2.9'
 - !ruby/object:Gem::Dependency
   name: parslet
   requirement: !ruby/object:Gem::Requirement
@@ -438,20 +438,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.16'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.13.4
+        version: 3.16.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.16'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.13.4
+        version: 3.16.1
 - !ruby/object:Gem::Dependency
   name: chef-licensing
   requirement: !ruby/object:Gem::Requirement