inspec-core 4.22.22 → 4.23.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: feb9a92b579da111caf36845c7ba22e6d0831233d59c5f6f5de0212aa8ef529c
-  data.tar.gz: 945341a0aa073b969ce15e35d058246af5584d3ddfb94a5b7ffbd86cb8162254
+  metadata.gz: a2786d0d36c3218a4d79f4578c4a814469115787d4470fa81d422b05b2025462
+  data.tar.gz: a0d30c7b81dbb4e58e6b9e8c0447f0855ce1f94f223c1f4f5861a03dfce2ce6c
 SHA512:
-  metadata.gz: 148281428e3b5d2855a2c89eccb3a29e4b159933b025049d9852eab4336b9ffb0f267bb48701b208c06fc71ce2c173fe175466622b3ec535ddb4a2692d3d927f
-  data.tar.gz: ac2e46f5dc21b7359b76df729d6b47c0f51f1f8bd272872121477204f3422d49028982a39a01df60a4ae796f03ccb41f6a448a994e22e2feb7e4d946b574cc27
+  metadata.gz: 915bbf9f4302c5fe2e8a41bc131b935bc42861cd4f76d0163ef1aeddc231cdbaf1f653ffd621bb79e5a531baa941e59852b34550d114bf30d95d4eb2ff5aa876
+  data.tar.gz: d7b5f80f550bf092aaa0faaf660225f99e3e4d6b600d9a89a45c0648b752a00cac5e30aaaf74fdb940bb135b2ae2ae02112f9617adbe6c25abc46c10d9492c5d

data/inspec-core.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
 
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",     "~> 1.0"
-  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 2.0"
+  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "json_schemer",       ">= 0.2.1", "< 0.2.12"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"

data/lib/inspec/base_cli.rb

@@ -158,6 +158,10 @@ module Inspec
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
         desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+      option :diff, type: :boolean, default: true,
+        desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
+      option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
+        desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
     end
 
     def self.format_platform_info(params: {}, indent: 0, color: 39)

data/lib/inspec/config.rb

@@ -405,6 +405,18 @@ module Inspec
       @plugin_cfg = data
     end
 
+    def validate_sort_results_by!(option_value)
+      expected = %w{
+        none
+        control
+        file
+        random
+      }
+      return if expected.include? option_value
+
+      raise Inspec::ConfigError::Invalid, "--sort-results-by must be one of #{expected.join(", ")}"
+    end
+
     #-----------------------------------------------------------------------#
     #                         Merging Options
     #-----------------------------------------------------------------------#
@@ -435,6 +447,7 @@ module Inspec
       finalize_parse_reporters(options)
       finalize_handle_sudo(options)
       finalize_compliance_login(options)
+      finalize_sort_results(options)
 
       Thor::CoreExt::HashWithIndifferentAccess.new(options)
     end
@@ -509,6 +522,12 @@ module Inspec
       end
     end
 
+    def finalize_sort_results(options)
+      if options.key?("sort_results_by")
+        validate_sort_results_by!(options["sort_results_by"])
+      end
+    end
+
     class Defaults
       DEFAULTS = {
         exec: {

data/lib/inspec/input.rb

@@ -171,7 +171,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
 
     def initialize(name, options = {})
       @name = name
@@ -264,6 +264,7 @@ module Inspec
       @required = options[:required] if options.key?(:required)
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
+      @sensitive = options[:sensitive] if options.key?(:sensitive)
     end
 
     def make_creation_event(options)
@@ -320,7 +321,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value sensitive}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -334,7 +335,7 @@ module Inspec
     #--------------------------------------------------------------------------#
 
     def to_s
-      "Input #{name} with #{current_value}"
+      "Input #{name} with value " + (sensitive ? "*** (senstive)" : "#{current_value}")
     end
 
     #--------------------------------------------------------------------------#

data/lib/inspec/input_registry.rb

@@ -29,6 +29,8 @@ module Inspec
     def_delegator :inputs_by_profile, :select
     def_delegator :profile_aliases, :key?, :profile_alias?
 
+    attr_accessor :cache_inputs
+
     def initialize
       # Keyed on String profile_name => Hash of String input_name => Input object
       @inputs_by_profile = {}
@@ -43,6 +45,9 @@ module Inspec
         activator.activate!
         activator.implementation_class.new
       end
+
+      # Activate caching for inputs by default
+      @cache_inputs = true
     end
 
     #-------------------------------------------------------------#
@@ -84,7 +89,7 @@ module Inspec
 
       # Find or create the input
       inputs_by_profile[profile_name] ||= {}
-      if inputs_by_profile[profile_name].key?(input_name)
+      if inputs_by_profile[profile_name].key?(input_name) && cache_inputs
         inputs_by_profile[profile_name][input_name].update(options)
       else
         inputs_by_profile[profile_name][input_name] = Inspec::Input.new(input_name, options)
@@ -316,6 +321,7 @@ module Inspec
         profile_name,
         type: input_options[:type],
         required: input_options[:required],
+        sensitive: input_options[:sensitive],
         event: evt
       )
     end

data/lib/inspec/plugin/v2/plugin_types/reporter.rb

@@ -1,18 +1,20 @@
 require_relative "../../../run_data"
+require_relative "../../../utils/run_data_filters"
 
 module Inspec::Plugin::V2::PluginType
   class Reporter < Inspec::Plugin::V2::PluginBase
     register_plugin_type(:reporter)
+    include Inspec::Utils::RunDataFilters
 
     attr_reader :run_data
 
     def initialize(config)
       @config = config
 
-      # Trim the run_data while still a Hash; if it is huge, this
+      # Filter the run_data while still a Hash; if it is huge, this
       # saves on conversion time
       @run_data = config[:run_data] || {}
-      apply_report_resize_options
+      apply_run_data_filters_to_hash
 
       unless Inspec::RunData.compatible_schema?(self.class.run_data_schema_constraints)
         # Best we can do is warn here, the InSpec run has finished
@@ -24,26 +26,6 @@ module Inspec::Plugin::V2::PluginType
       @output = ""
     end
 
-    # This is a temporary duplication of code from lib/inspec/reporters/base.rb
-    # To be DRY'd up once the core reporters become plugins...
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
-
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            process_message_truncation(r)
-          end
-        end
-      end
-    end
-
     def output(str, newline = true)
       @output << str
       @output << "\n" if newline
@@ -61,14 +43,5 @@ module Inspec::Plugin::V2::PluginType
     def self.run_data_schema_constraints
       raise NotImplementedError, "#{self.class} must implement a `run_data_schema_constraints` class method to declare its compatibiltity with the RunData API."
     end
-
-    private
-
-    def process_message_truncation(result)
-      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
-        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
-      end
-      result
-    end
   end
 end

data/lib/inspec/reporters/base.rb

@@ -1,30 +1,17 @@
+require_relative "../utils/run_data_filters"
+
 module Inspec::Reporters
   class Base
+    include Inspec::Utils::RunDataFilters
+
     attr_reader :run_data
 
     def initialize(config)
       @config = config
-      @run_data = config[:run_data]
-      apply_report_resize_options unless @run_data.nil?
-      @output = ""
-    end
-
-    # Apply options such as message truncation and removal of backtraces
-    def apply_report_resize_options
-      runtime_config = Inspec::Config.cached.respond_to?(:final_options) ? Inspec::Config.cached.final_options : {}
+      @run_data = config[:run_data] || {}
+      apply_run_data_filters_to_hash
 
-      message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
-      @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
-      include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
-
-      @run_data[:profiles]&.each do |p|
-        p[:controls].each do |c|
-          c[:results]&.map! do |r|
-            r.delete(:backtrace) unless include_backtrace
-            process_message_truncation(r)
-          end
-        end
-      end
+      @output = ""
     end
 
     def output(str, newline = true)
@@ -40,14 +27,5 @@ module Inspec::Reporters
     def render
       raise NotImplementedError, "#{self.class} must implement a `#render` method to format its output."
     end
-
-    private
-
-    def process_message_truncation(result)
-      if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
-        result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
-      end
-      result
-    end
   end
 end

data/lib/inspec/resources/postgres_session.rb

@@ -26,12 +26,13 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database."
     example <<~EXAMPLE
-      sql = postgres_session('username', 'password', 'host')
+      sql = postgres_session('username', 'password', 'host', 'port')
       query('sql_query', ['database_name'])` contains the query and (optional) database to execute
 
       # default values:
       # username: 'postgres'
       # host: 'localhost'
+      # port: 5432
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
@@ -39,10 +40,11 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil)
+    def initialize(user, pass, host = nil, port = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
+      @port = port || 5432
     end
 
     def query(query, db = [])
@@ -64,7 +66,7 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "-d #{x}" }.join(" ")
-      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}"
     end
   end
 end

data/lib/inspec/resources/processes.rb

@@ -138,7 +138,7 @@ module Inspec::Resources
           command: 8,
         }
       else
-        command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
+        command = "ps wwaxo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
         regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           label: 1,

data/lib/inspec/run_data/profile.rb

@@ -96,11 +96,12 @@ module Inspec
           # There are probably others
           :value,
           :type,
-          :required
+          :required,
+          :sensitive
         ) do
           include HashLikeStruct
           def initialize(raw_opts_data)
-            %i{value type required}.each { |f| self[f] = raw_opts_data[f] }
+            %i{value type required sensitive}.each { |f| self[f] = raw_opts_data[f] }
           end
         end
       end

data/lib/inspec/utils/run_data_filters.rb

@@ -0,0 +1,104 @@
+module Inspec
+  module Utils
+    #   RunDataFilters is a mixin for core Reporters and plugin reporters.
+    # The methods operate on the run_data Hash (prior to any conversion to a
+    # full RunData object).
+    #   All methods here operate using the run_data accessor and modify
+    # its contents in place (if needed).
+    module RunDataFilters
+
+      # Long name, but we want to be clear this operates on the Hash
+      # This is the only method that client libraries need to call; any future
+      # feature growth should be handled internally here.
+      def apply_run_data_filters_to_hash
+        @config[:runtime_config] = Inspec::Config.cached || {}
+        apply_report_resize_options
+        redact_sensitive_inputs
+        suppress_diff_output
+        sort_controls
+      end
+
+      # Apply options such as message truncation and removal of backtraces
+      def apply_report_resize_options
+        runtime_config = @config[:runtime_config]
+
+        message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+        @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+        include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls].each do |c|
+            c[:results]&.map! do |r|
+              r.delete(:backtrace) unless include_backtrace
+              process_message_truncation(r)
+            end
+          end
+        end
+      end
+
+      # Find any inputs with :sensitive = true and replace their values with "***"
+      def redact_sensitive_inputs
+        @run_data[:profiles]&.each do |p|
+          p[:inputs]&.each do |i|
+            next unless i[:options][:sensitive]
+
+            i[:options][:value] = "***"
+          end
+        end
+      end
+
+      # Optionally suppress diff output in the message field
+      def suppress_diff_output
+        return if @config[:runtime_config][:diff]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls]&.each do |c|
+            c[:results]&.each do |r|
+              next unless r[:message] # :message only set on failure
+
+              pos = r[:message].index("\n\nDiff:")
+              next unless pos # Only textual tests get Diffs
+
+              r[:message] = r[:message].slice(0, pos)
+            end
+          end
+        end
+      end
+
+      # Optionally sort controls within each profile in report
+      def sort_controls
+        sort_type = @config[:runtime_config][:sort_results_by]
+        return unless sort_type
+        return if sort_type == "none"
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls] ||= []
+          p[:groups] ||= []
+
+          case sort_type
+          when "control"
+            p[:controls].sort_by! { |c| c[:id] }
+          when "random"
+            p[:controls].shuffle!
+          when "file"
+            # Sort the controls by file, but preserve order within the file.
+            # Files are called "groups" in the run_data, and the filename is in the id.
+            sorted_control_ids = p[:groups].sort_by { |g| g[:id] }.map { |g| g[:controls] }.flatten
+            controls_by_id = {}
+            p[:controls].each { |c| controls_by_id[c[:id]] = c }
+            p[:controls] = sorted_control_ids.map { |cid| controls_by_id[cid] }
+          end
+        end
+      end
+
+      private
+
+      def process_message_truncation(result)
+        if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
+          result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
+        end
+        result
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.22.22".freeze
+  VERSION = "4.23.4".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.22.22
+  version: 4.23.4
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-26 00:00:00.000000000 Z
+date: 2020-09-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -33,7 +33,7 @@ dependencies:
         version: 0.2.13
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -43,7 +43,7 @@ dependencies:
         version: 0.2.13
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -638,6 +638,7 @@ files:
 - lib/inspec/utils/object_traversal.rb
 - lib/inspec/utils/parser.rb
 - lib/inspec/utils/pkey_reader.rb
+- lib/inspec/utils/run_data_filters.rb
 - lib/inspec/utils/simpleconfig.rb
 - lib/inspec/utils/spdx.rb
 - lib/inspec/utils/spdx.txt