inspec-core 4.28.0 → 4.29.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/inspec/control_eval_context.rb +29 -3
- data/lib/inspec/fetcher/git.rb +16 -2
- data/lib/inspec/profile.rb +11 -15
- data/lib/inspec/reporters/json.rb +6 -1
- data/lib/inspec/reporters/json_automate.rb +1 -1
- data/lib/inspec/resources/apt.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +10 -10
- data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb +3 -3
- data/lib/plugins/inspec-init/templates/profiles/aws/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +2 -3
- data/lib/plugins/inspec-init/templates/profiles/gcp/README.md +7 -7
- data/lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/gcp/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml +3 -4
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 43aae7e5dcfc25cdce0c7e606c9b6279dc861ad91e7b3bb335efc95600f25b07
|
4
|
+
data.tar.gz: 52ac9ef28da48806105475b63cfe980fb5ca84951abb2d396fa2527c928e1346
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 46988111aa54016cf1fa7b7be5b1d0d3cb2ab55c5e3d5d795ff45701e828795023e3a271130d71d6885d7f6f98aace1658abb36bc57bd672572faf81f0ae11bd
|
7
|
+
data.tar.gz: 56a9357b76e233dfbe31e32d10c2904c77045b2685dfdcbc7f7399a4d949dbf50d4469022bb0d6ad3c86ec47083f5cba177584e70378a5c441e2b63bd82aa089
|
@@ -53,8 +53,9 @@ module Inspec
|
|
53
53
|
|
54
54
|
def control(id, opts = {}, &block)
|
55
55
|
opts[:skip_only_if_eval] = @skip_only_if_eval
|
56
|
-
|
57
|
-
|
56
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
57
|
+
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
|
58
|
+
end
|
58
59
|
end
|
59
60
|
alias rule control
|
60
61
|
|
@@ -68,10 +69,14 @@ module Inspec
|
|
68
69
|
id = "(generated from #{loc} #{SecureRandom.hex})"
|
69
70
|
|
70
71
|
res = nil
|
72
|
+
|
71
73
|
rule = Inspec::Rule.new(id, profile_id, resources_dsl, {}) do
|
72
74
|
res = describe(*args, &block)
|
73
75
|
end
|
74
|
-
|
76
|
+
|
77
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
78
|
+
register_control(rule, &block)
|
79
|
+
end
|
75
80
|
|
76
81
|
res
|
77
82
|
end
|
@@ -176,5 +181,26 @@ module Inspec
|
|
176
181
|
"#{File.basename(path)}:#{line}"
|
177
182
|
end
|
178
183
|
end
|
184
|
+
|
185
|
+
# Returns true if configuration hash is not empty and it contains the list of controls is not empty
|
186
|
+
def profile_config_exist?
|
187
|
+
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
|
188
|
+
end
|
189
|
+
|
190
|
+
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
|
191
|
+
def controls_list_empty?
|
192
|
+
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
|
193
|
+
end
|
194
|
+
|
195
|
+
# Check if the given control exist in the --controls option
|
196
|
+
def control_exist_in_controls_list?(id)
|
197
|
+
if profile_config_exist?
|
198
|
+
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
|
199
|
+
# Try to see if the inclusion is a regex, and if it matches
|
200
|
+
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
201
|
+
end
|
202
|
+
end
|
203
|
+
id_exist_in_list
|
204
|
+
end
|
179
205
|
end
|
180
206
|
end
|
data/lib/inspec/fetcher/git.rb
CHANGED
@@ -62,7 +62,6 @@ module Inspec::Fetcher
|
|
62
62
|
def fetch(destination_path)
|
63
63
|
@repo_directory = destination_path # Might be the cache, or vendoring, or something else
|
64
64
|
FileUtils.mkdir_p(destination_path) unless Dir.exist?(destination_path)
|
65
|
-
|
66
65
|
if cloned?
|
67
66
|
checkout
|
68
67
|
else
|
@@ -126,10 +125,25 @@ module Inspec::Fetcher
|
|
126
125
|
elsif @tag
|
127
126
|
resolve_ref(@tag)
|
128
127
|
else
|
129
|
-
resolve_ref(
|
128
|
+
resolve_ref(default_ref)
|
130
129
|
end
|
131
130
|
end
|
132
131
|
|
132
|
+
def default_ref
|
133
|
+
command_string = "git remote show #{@remote_url}"
|
134
|
+
cmd = shellout(command_string)
|
135
|
+
unless cmd.exitstatus == 0
|
136
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
|
137
|
+
else
|
138
|
+
ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
|
139
|
+
unless ref
|
140
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
|
141
|
+
end
|
142
|
+
|
143
|
+
ref
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
133
147
|
def resolve_ref(ref_name)
|
134
148
|
command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
|
135
149
|
cmd = shellout(command_string)
|
data/lib/inspec/profile.rb
CHANGED
@@ -225,14 +225,17 @@ module Inspec
|
|
225
225
|
end
|
226
226
|
@tests_collected = true
|
227
227
|
end
|
228
|
-
|
228
|
+
@runner_context.all_rules
|
229
229
|
end
|
230
230
|
|
231
|
-
|
232
|
-
|
231
|
+
# This creates the list of controls provided in the --controls options which need to be include
|
232
|
+
# for evaluation.
|
233
|
+
def include_controls_list
|
234
|
+
return [] if @controls.nil? || @controls.empty?
|
233
235
|
|
236
|
+
included_controls = @controls
|
234
237
|
# Check for anything that might be a regex in the list, and make it official
|
235
|
-
|
238
|
+
included_controls.each_with_index do |inclusion, index|
|
236
239
|
next if inclusion.is_a?(Regexp)
|
237
240
|
# Insist the user wrap the regex in slashes to demarcate it as a regex
|
238
241
|
next unless inclusion.start_with?("/") && inclusion.end_with?("/")
|
@@ -240,21 +243,14 @@ module Inspec
|
|
240
243
|
inclusion = inclusion[1..-2] # Trim slashes
|
241
244
|
begin
|
242
245
|
re = Regexp.new(inclusion)
|
243
|
-
|
246
|
+
included_controls[index] = re
|
244
247
|
rescue RegexpError => e
|
245
248
|
warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
|
246
|
-
|
247
|
-
end
|
248
|
-
end
|
249
|
-
include_list.compact!
|
250
|
-
|
251
|
-
controls_array.select do |c|
|
252
|
-
id = ::Inspec::Rule.rule_id(c)
|
253
|
-
include_list.any? do |inclusion|
|
254
|
-
# Try to see if the inclusion is a regex, and if it matches
|
255
|
-
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
249
|
+
included_controls[index] = nil
|
256
250
|
end
|
257
251
|
end
|
252
|
+
included_controls.compact!
|
253
|
+
included_controls
|
258
254
|
end
|
259
255
|
|
260
256
|
def load_libraries
|
@@ -8,7 +8,7 @@ module Inspec::Reporters
|
|
8
8
|
end
|
9
9
|
|
10
10
|
def report
|
11
|
-
{
|
11
|
+
output = {
|
12
12
|
platform: platform,
|
13
13
|
profiles: profiles,
|
14
14
|
statistics: {
|
@@ -16,6 +16,11 @@ module Inspec::Reporters
|
|
16
16
|
},
|
17
17
|
version: run_data[:version],
|
18
18
|
}
|
19
|
+
|
20
|
+
%w{passthrough}.each do |option|
|
21
|
+
output[option.to_sym] = @config[option] unless @config[option].nil?
|
22
|
+
end
|
23
|
+
output
|
19
24
|
end
|
20
25
|
|
21
26
|
private
|
@@ -24,7 +24,7 @@ module Inspec::Reporters
|
|
24
24
|
version: run_data[:version],
|
25
25
|
}
|
26
26
|
|
27
|
-
# optional
|
27
|
+
# optional jsonconfig passthrough options
|
28
28
|
%w{node_name environment roles job_uuid passthrough}.each do |option|
|
29
29
|
output[option.to_sym] = @config[option] unless @config[option].nil?
|
30
30
|
end
|
data/lib/inspec/resources/apt.rb
CHANGED
@@ -78,7 +78,7 @@ module Inspec::Resources
|
|
78
78
|
return @repo_cache if defined?(@repo_cache)
|
79
79
|
|
80
80
|
# load all lists
|
81
|
-
cmd = inspec.command("find /etc/apt/ -name
|
81
|
+
cmd = inspec.command("find /etc/apt/ -name \"*.list\" -exec sh -c 'cat {} || echo -n' \\;")
|
82
82
|
|
83
83
|
# @see https://help.ubuntu.com/community/Repositories/CommandLine#Explanation_of_the_Repository_Format
|
84
84
|
@repo_cache = cmd.stdout.lines.map do |raw_line|
|
data/lib/inspec/version.rb
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for AWS.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform aws my-profile
|
@@ -15,12 +15,12 @@ Creating new profile at /Users/spaterson/my-profile
|
|
15
15
|
• Creating directory controls
|
16
16
|
• Creating file controls/example.rb
|
17
17
|
• Creating file inspec.yml
|
18
|
-
• Creating file
|
18
|
+
• Creating file inputs.yml
|
19
19
|
• Creating file libraries/.gitkeep
|
20
|
-
|
20
|
+
|
21
21
|
```
|
22
22
|
|
23
|
-
## Optionally update `
|
23
|
+
## Optionally update `inputs.yml` to point to your custom VPC
|
24
24
|
|
25
25
|
```
|
26
26
|
aws_vpc_id: 'custom-vpc-id'
|
@@ -32,11 +32,11 @@ The related control will simply be skipped if this is not provided. See the [In
|
|
32
32
|
|
33
33
|
### With a VPC Identifier
|
34
34
|
|
35
|
-
With a supplied VPC identifier in `
|
35
|
+
With a supplied VPC identifier in `inputs.yml` both of the example controls will run. The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
|
36
36
|
|
37
37
|
```
|
38
38
|
$ cd my-profile/
|
39
|
-
$ inspec exec . -t aws:// --
|
39
|
+
$ inspec exec . -t aws:// --input-file=inputs.yml
|
40
40
|
|
41
41
|
Profile: AWS InSpec Profile (my-profile)
|
42
42
|
Version: 0.1.0
|
@@ -111,13 +111,13 @@ Test Summary: 53 successful, 0 failures, 0 skipped
|
|
111
111
|
```
|
112
112
|
|
113
113
|
|
114
|
-
### Without Supplying a VPC Identifier
|
114
|
+
### Without Supplying a VPC Identifier
|
115
115
|
|
116
|
-
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `
|
116
|
+
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `inputs.yml` file does not have to be specified to InSpec in this case.
|
117
117
|
|
118
118
|
```
|
119
119
|
$ cd my-profile/
|
120
|
-
$ inspec exec . -t aws://
|
120
|
+
$ inspec exec . -t aws://
|
121
121
|
|
122
122
|
Profile: AWS InSpec Profile (my-profile)
|
123
123
|
Version: 0.1.0
|
@@ -189,4 +189,4 @@ Target: aws://eu-west-2
|
|
189
189
|
|
190
190
|
Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
|
191
191
|
Test Summary: 52 successful, 0 failures, 1 skipped
|
192
|
-
```
|
192
|
+
```
|
@@ -2,11 +2,11 @@
|
|
2
2
|
|
3
3
|
title "Sample Section"
|
4
4
|
|
5
|
-
aws_vpc_id =
|
5
|
+
aws_vpc_id = input("aws_vpc_id")
|
6
6
|
|
7
7
|
# You add controls here
|
8
|
-
control "aws-single-vpc-exists-check" do
|
9
|
-
only_if { aws_vpc_id != "" }
|
8
|
+
control "aws-single-vpc-exists-check" do # A unique ID for this control.
|
9
|
+
only_if { aws_vpc_id != "" } # Only run this control if the `aws_vpc_id` input is provided.
|
10
10
|
impact 1.0 # The criticality, if this control fails.
|
11
11
|
title "Check to see if custom VPC exists." # A human-readable title.
|
12
12
|
describe aws_vpc(aws_vpc_id) do # The test itself.
|
File without changes
|
@@ -7,14 +7,13 @@ license: Apache-2.0
|
|
7
7
|
summary: An InSpec Compliance Profile For AWS
|
8
8
|
version: 0.1.0
|
9
9
|
inspec_version: '~> 4'
|
10
|
-
|
10
|
+
inputs:
|
11
11
|
- name: aws_vpc_id
|
12
12
|
required: false
|
13
13
|
# Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
|
14
14
|
# Please see the README for more details.
|
15
|
-
|
15
|
+
value: ''
|
16
16
|
description: 'Optional Custom AWS VPC Id'
|
17
|
-
type: string
|
18
17
|
depends:
|
19
18
|
- name: inspec-aws
|
20
19
|
url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for GCP that depends on the [InSpec GCP Resource Pack](https://github.com/inspec/inspec-gcp). See the [README](https://github.com/inspec/inspec-gcp) for instructions on setting up appropriate GCP credentials.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform gcp my-profile
|
@@ -12,12 +12,12 @@ Create new profile at /Users/spaterson/my-profile
|
|
12
12
|
* Create directory controls
|
13
13
|
* Create file controls/example.rb
|
14
14
|
* Create file inspec.yml
|
15
|
-
* Create file
|
16
|
-
* Create file libraries/.gitkeep
|
17
|
-
|
15
|
+
* Create file inputs.yml
|
16
|
+
* Create file libraries/.gitkeep
|
17
|
+
|
18
18
|
```
|
19
19
|
|
20
|
-
## Update `
|
20
|
+
## Update `inputs.yml` to point to your project
|
21
21
|
|
22
22
|
```
|
23
23
|
gcp_project_id: 'my-gcp-project'
|
@@ -27,7 +27,7 @@ gcp_project_id: 'my-gcp-project'
|
|
27
27
|
|
28
28
|
```
|
29
29
|
$ cd gcp-profile/
|
30
|
-
$ inspec exec . -t gcp:// --
|
30
|
+
$ inspec exec . -t gcp:// --input-file=inputs.yml
|
31
31
|
|
32
32
|
Profile: GCP InSpec Profile (my-profile)
|
33
33
|
Version: 0.1.0
|
@@ -63,4 +63,4 @@ Target: gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com
|
|
63
63
|
|
64
64
|
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
|
65
65
|
Test Summary: 18 successful, 0 failures, 0 skipped
|
66
|
-
```
|
66
|
+
```
|
File without changes
|
@@ -6,14 +6,13 @@ copyright_email: you@example.com
|
|
6
6
|
license: Apache-2.0
|
7
7
|
summary: An InSpec Compliance Profile For GCP
|
8
8
|
version: 0.1.0
|
9
|
-
inspec_version: '>=
|
10
|
-
|
9
|
+
inspec_version: '>= 4'
|
10
|
+
inputs:
|
11
11
|
- name: gcp_project_id
|
12
12
|
required: true
|
13
13
|
description: 'The GCP project identifier.'
|
14
|
-
type: string
|
15
14
|
depends:
|
16
15
|
- name: inspec-gcp
|
17
16
|
url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
|
18
17
|
supports:
|
19
|
-
- platform: gcp
|
18
|
+
- platform: gcp
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.29.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-03-
|
11
|
+
date: 2021-03-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -711,15 +711,15 @@ files:
|
|
711
711
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb
|
712
712
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb
|
713
713
|
- lib/plugins/inspec-init/templates/profiles/aws/README.md
|
714
|
-
- lib/plugins/inspec-init/templates/profiles/aws/attributes.yml
|
715
714
|
- lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb
|
715
|
+
- lib/plugins/inspec-init/templates/profiles/aws/inputs.yml
|
716
716
|
- lib/plugins/inspec-init/templates/profiles/aws/inspec.yml
|
717
717
|
- lib/plugins/inspec-init/templates/profiles/azure/README.md
|
718
718
|
- lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb
|
719
719
|
- lib/plugins/inspec-init/templates/profiles/azure/inspec.yml
|
720
720
|
- lib/plugins/inspec-init/templates/profiles/gcp/README.md
|
721
|
-
- lib/plugins/inspec-init/templates/profiles/gcp/attributes.yml
|
722
721
|
- lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb
|
722
|
+
- lib/plugins/inspec-init/templates/profiles/gcp/inputs.yml
|
723
723
|
- lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml
|
724
724
|
- lib/plugins/inspec-init/templates/profiles/os/README.md
|
725
725
|
- lib/plugins/inspec-init/templates/profiles/os/controls/example.rb
|