inspec-core 4.52.9 → 4.56.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5fc9c31a9983866ff40fb11326a3c2bac04342e1d473b845e81639bbca88a8c
-  data.tar.gz: 6fd55b54b5c1510572fa963d2d4833a8f3132ae5cbfb1871a4662f8b3da720d9
+  metadata.gz: 9930c475b5a1e282ab613db458f60c77561db82d6c009d6c7254f5a3789132f5
+  data.tar.gz: 8a11ae471b5954568be5bf6fc88e52d974a5ac9cb83caf2a6560dd3dd26d55fe
 SHA512:
-  metadata.gz: d9f356b30301430dbeeeb599b696aacfc4ec1caaadafd61e6af40462db60fa400cd2bf4add6a682fe379c65ed4adb0f926a858e6b072066f06296821725f7f92
-  data.tar.gz: 25381065952aa3d460cedd9c56a5b389625b2ed11841f2085047e81444c3aa1d788338468c640f5c27403b4074a5649b825a3289e0b63cdc96d70e8450cc664c
+  metadata.gz: 0106f09ddcc1077650b6781631188dcb4231829b4e2b737680f49c6736b3c08001523d34a9398eb7499147dde9d22c4bbdd9058721c484424fe69933535e7557
+  data.tar.gz: b04b2c02c6d1009cee30a5ca32521d4c62e62fcf72727d0f720af5fa54da01029dbcd1b25656460f73d9d4cb7f3bf3b94b7e1f049479770a0a4848aa1f25034f

data/Gemfile

@@ -11,11 +11,6 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
-if Gem.ruby_version.to_s.start_with?("2.5")
-  # 16.7.23 required ruby 2.6+
-  gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
-end
-
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
@@ -30,11 +25,7 @@ end
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  if Gem.ruby_version.to_s.start_with?("2.5")
-    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
-  else
-    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
-  end
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
@@ -45,7 +36,8 @@ group :test do
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
   gem "ruby-progressbar", "~> 1.8"
-  gem "simplecov", "~> 0.18"
+  gem "simplecov", "~> 0.21"
+  gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
 end
 

data/inspec-core.gemspec

@@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
   spec.license       = "Apache-2.0"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.5"
+  spec.required_ruby_version = ">= 2.6"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "< 3.11"
+  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
   spec.add_dependency "rspec-its",          "~> 1.2"
   spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             ">= 3.4", "< 5.0"

data/lib/inspec/config.rb

@@ -367,7 +367,11 @@ module Inspec
         .find_activators(plugin_type: :reporter)\
         .map(&:activator_name).map(&:to_s)
 
-      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+      streaming_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :streaming_reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters + streaming_reporters
 
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)

data/lib/inspec/dependencies/requirement.rb

@@ -102,7 +102,8 @@ module Inspec
     end
 
     def fetcher
-      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
+      @runner_options ||= (Inspec::Config.cached || {})
+      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache, @runner_options)
     end
 
     # load dependencies of the dependency

data/lib/inspec/formatters/base.rb

@@ -70,6 +70,7 @@ module Inspec::Formatters
         name: platform(:name),
         release: platform(:release),
         target: backend_target,
+        target_id: platform(:uuid),
       }
     end
 
@@ -205,12 +206,13 @@ module Inspec::Formatters
     def platform(field)
       return nil if @backend.nil?
 
-      begin
-        @backend.platform[field]
-      rescue Train::Error => e
-        Inspec::Log.warn(e.message)
-        nil
-      end
+      @backend.platform[field]
+    rescue Train::PlatformUuidDetectionFailed
+      Inspec::Log.warn("Could not find platform target_id.")
+      nil
+    rescue Train::Error => e
+      Inspec::Log.warn(e.message)
+      nil
     end
 
     def backend_target

data/lib/inspec/library_eval_context.rb

@@ -30,6 +30,8 @@ module Inspec
 
       c3 = Class.new do
         include Inspec::DSL::RequireOverride
+        include Inspec::Resources
+
         def initialize(require_loader)
           @require_loader = require_loader
           @inspec_binding = nil

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -0,0 +1,10 @@
+module Inspec::Plugin::V2::PluginType
+  class StreamingReporter < Inspec::Plugin::V2::PluginBase # TBD Superclass may need to change
+    register_plugin_type(:streaming_reporter)
+
+    #====================================================================#
+    #                StreamingReporter plugin type API
+    #====================================================================#
+    # Implementation classes must implement these methods.
+  end
+end

data/lib/inspec/profile_context.rb

@@ -68,6 +68,7 @@ module Inspec
     end
 
     def reload_dsl
+      @resource_registry.merge!(Inspec::Resource.new_registry)
       @control_eval_context = nil
     end
 
@@ -263,9 +264,3 @@ module Inspec
     end # DomainSpecificLunacy
   end # ProfileContext
 end
-
-if RUBY_VERSION < "2.5"
-  class Module
-    public :define_method
-  end
-end

data/lib/inspec/reporters/automate.rb

@@ -21,7 +21,7 @@ module Inspec::Reporters
       final_report[:type] = "inspec_report"
 
       final_report[:end_time] = Time.now.utc.strftime("%FT%TZ")
-      final_report[:node_uuid] = @config["node_uuid"] || @config["target_id"]
+      final_report[:node_uuid] = report[:platform][:target_id] || @config["node_uuid"] || @config["target_id"]
       raise Inspec::ReporterError, "Cannot find a UUID for your node. Please specify one via json-config." if final_report[:node_uuid].nil?
 
       final_report[:report_uuid] = @config["report_uuid"] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])

data/lib/inspec/reporters/json.rb

@@ -29,7 +29,7 @@ module Inspec::Reporters
       {
         name:      run_data[:platform][:name],
         release:   run_data[:platform][:release],
-        target_id: @config["target_id"],
+        target_id: run_data[:platform][:target_id] || @config["target_id"],
       }.reject { |_k, v| v.nil? }
     end
 

data/lib/inspec/resources/bash.rb

@@ -5,6 +5,8 @@ module Inspec::Resources
   class Bash < Cmd
     name "bash"
     supports platform: "unix"
+    supports platform: "esx"
+
     desc "Run a command or script in BASH."
     example <<~EXAMPLE
       describe bash('ls -al /') do

data/lib/inspec/resources/file.rb

@@ -61,6 +61,24 @@ module Inspec::Resources
       res.force_encoding("utf-8")
     end
 
+    # returns hash containing list of users/groups and their file permissions.
+    def user_permissions
+      return {} unless exist?
+
+      return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.user_permissions(file)
+    end
+
+    # returns true if inheritance is enabled on file or folder
+    def inherited?
+      return false unless exist?
+
+      return skip_resource "`inherited?` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.inherited?(file)
+    end
+
     def contain(*_)
       raise "Contain is not supported. Please use standard RSpec matchers."
     end
@@ -244,6 +262,26 @@ module Inspec::Resources
   end
 
   class WindowsFilePermissions < FilePermissions
+
+    def user_permissions(file)
+      script = <<-EOH
+      $Acl = Get-Acl -Path #{file.path}
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference.Value  = $Access.FileSystemRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
+
+    def inherited?(file)
+      cmd = inspec.command("(Get-Acl -Path #{file.path}).access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
       raise "`check_file_permission_by_mask` is not supported on Windows"
     end

data/lib/inspec/resources/firewalld.rb

@@ -32,6 +32,17 @@ module Inspec::Resources
       .register_column(:interfaces, field: "interfaces")
       .register_column(:sources,    field: "sources")
       .register_column(:services,   field: "services")
+      .register_column(:target, field: "target")
+      .register_column(:ports, field: "ports")
+      .register_column(:protocols, field: "protocols")
+      .register_column(:forward_ports, field: "forward_ports")
+      .register_column(:source_ports, field: "source_ports")
+      .register_column(:icmp_blocks, field: "icmp_blocks")
+      .register_column(:rich_rules, field: "rich_rules")
+      .register_custom_matcher(:icmp_block_inversion?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:has_icmp_block_inversion_enabled?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:masquerade?) { |x| x.params[0]["masquerade"] }
+      .register_custom_matcher(:has_masquerade_enabled?) { |x| x.params[0]["masquerade"] }
 
     filter.install_filter_methods_on_resource(self, :params)
 
@@ -64,28 +75,28 @@ module Inspec::Resources
     end
 
     def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-service=#{query_service}") == "yes"
     end
 
     def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
       # return: String of ports open
       # example: ['22/tcp', '4722/tcp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-ports").split(" ")
     end
 
     def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
-      # return: String of protocoals open
+      # return: String of protocols open
       # example: ['icmp', 'ipv4', 'igmp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-protocols").split(" ")
     end
 
     def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-port=#{query_port}") == "yes"
     end
 
     def has_rule_enabled?(rule, query_zone = default_zone)
       rule = "rule #{rule}" unless rule.start_with?("rule")
-      firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
     end
 
     def to_s
@@ -120,19 +131,82 @@ module Inspec::Resources
         "interfaces" => line.split(":")[1].split(" "),
         "services" => services_bound(zone),
         "sources" => sources_bound(zone),
+        "target" => target_bound(zone),
+        "icmp_block_inversion" => icmp_block_inversion_bound?(zone),
+        "ports" => ports_bound(zone),
+        "protocols" => protocols_bound(zone),
+        "masquerade" => masquerade_bound?(zone),
+        "forward_ports" => forward_ports_bound(zone),
+        "source_ports" => source_ports_bound(zone),
+        "icmp_blocks" => icmp_blocks_bound(zone),
+        "rich_rules" => rich_rules_bound(zone),
       }
     end
 
+    def target_bound(query_zone)
+      # result: a target bound for the zone
+      # example: 'DROP'
+      firewalld_command("--permanent --zone=#{query_zone} --get-target").strip
+    end
+
+    def icmp_block_inversion_bound?(query_zone)
+      # result: true/false whether inversion of icmp blocks has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-icmp-block-inversion") == "yes"
+    end
+
+    def ports_bound(query_zone)
+      # result: a list of ports bound for a zone
+      # example: ['80/tcp', '443/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-ports").split(" ")
+    end
+
+    def protocols_bound(query_zone)
+      # result: a list of protocols added for a zone
+      # example: ['icmp', 'ipv4', 'igmp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-protocols").split(" ")
+    end
+
+    def masquerade_bound?(query_zone)
+      # result: true/false whether IPv4 masquerading has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-masquerade") == "yes"
+    end
+
+    def forward_ports_bound(query_zone)
+      # result: a list of IPv4 forward ports bound to a zone
+      # example: ['port=80:proto=tcp:toport=88', 'port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3']
+      firewalld_command("--permanent --zone=#{query_zone} --list-forward-ports").split("\n")
+    end
+
+    def source_ports_bound(query_zone)
+      # result: a list of source ports bound to a zone
+      # example: ['80/tcp', '8080/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-source-ports").split(" ")
+    end
+
+    def icmp_blocks_bound(query_zone)
+      # result: a list of internet ICMP type blocks bound to a zone
+      # example: ['echo-request', 'echo-reply']
+      firewalld_command("--permanent --zone=#{query_zone} --list-icmp-blocks").split(" ")
+    end
+
+    def rich_rules_bound(query_zone)
+      # result: a list of rich language rules bound to a zone
+      # example: ['rule protocol value="ah" accept', 'rule service name="ftp" log limit value="1/m" audit accept']
+      firewalld_command("--permanent --zone=#{query_zone} --list-rich-rules").split("\n")
+    end
+
     def sources_bound(query_zone)
       # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
       # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
-      firewalld_command("--zone=#{query_zone} --list-sources").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-sources").split(" ")
     end
 
     def services_bound(query_zone)
       # result: a list of services bound to a zone.
       # example: ['ssh', 'dhcpv6-client']
-      firewalld_command("--zone=#{query_zone} --list-services").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-services").split(" ")
     end
 
     def firewalld_command(command)
@@ -145,4 +219,4 @@ module Inspec::Resources
       result.stdout.strip
     end
   end
-end
+end

data/lib/inspec/resources/grub_conf.rb

@@ -162,7 +162,7 @@ module Inspec::Resources
 
         current_kernel = file_line.split(" ", 2)[1]
         lines.drop(index + 1).each do |kernel_line|
-          if kernel_line =~ /^\s.*/
+          if kernel_line =~ /(?:^\s*\w+)/ && !(kernel_line =~ /^title.*/)
             option_type = kernel_line.split(" ")[0]
             line_options = kernel_line.split(" ").drop(1)
             if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel

data/lib/inspec/resources/iptables.rb

@@ -33,6 +33,7 @@ module Inspec::Resources
     def initialize(params = {})
       @table = params[:table]
       @chain = params[:chain]
+      @ignore_comments = params[:ignore_comments] || false
 
       # we're done if we are on linux
       return if inspec.os.linux?
@@ -59,8 +60,13 @@ module Inspec::Resources
       cmd = inspec.command(iptables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      # split rules, returns array or rules
-      @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
+      else
+        # split rules, returns array or rules
+        @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      end
     end
 
     def to_s
@@ -69,6 +75,16 @@ module Inspec::Resources
 
     private
 
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
     def find_iptables_or_error
       %w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
         return cmd if inspec.command(cmd).exist?

data/lib/inspec/resources/kernel_parameters.rb

@@ -0,0 +1,58 @@
+module Inspec::Resources
+  class KernelParameters < Inspec.resource(1)
+    name "kernel_parameters"
+    supports platform: "unix"
+    desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
+    example <<~EXAMPLE
+      describe kernel_parameters.where(parameter: /^net./ ) do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+      end
+
+      describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+        its('values') { should eq [0] }
+      end
+
+      describe kernel_parameters do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+        its('values') { should include 0 }
+      end
+    EXAMPLE
+
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:parameters, field: "parameter")
+      .register_column(:values, field: "value")
+    filter.install_filter_methods_on_resource(self, :params)
+
+    def initialize
+      # this resource is only supported on Linux
+      return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
+    end
+
+    def to_s
+      "Kernel Parameters"
+    end
+
+    private
+
+    def params
+      cmd = inspec.command("/sbin/sysctl -a")
+      cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
+    end
+
+    def parse_kernel_paramater(stdout)
+      result = []
+      stdout.split("\n").each do |out|
+        splitted_output = out.split("=").map(&:strip)
+        result.push(
+          {
+            "parameter" => splitted_output[0],
+            "value" => splitted_output[1].to_i,
+          }
+        )
+      end
+      result
+    end
+
+  end
+end

data/lib/inspec/resources/mssql_session.rb

@@ -76,7 +76,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
         raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
       else
-        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
+        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
       end
     end
 
@@ -94,9 +94,17 @@ module Inspec::Resources
       !query("select getdate()").empty?
     end
 
-    def parse_csv_result(cmd)
+    def parse_csv_result(stdout)
       require "csv" unless defined?(CSV)
-      table = CSV.parse(cmd.stdout, headers: true)
+
+      # replaces \n with \r since multiline data in older versions of database returns faulty
+      # formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
+      out = stdout.gsub("\n", "\r")
+      out = out.gsub("\r\r", "\r")
+
+      # row separator used since row delimiters \n (in linux) or \r\n (in windows)
+      # are converted to \r for consistency and handling faulty formatted multiline data
+      table = CSV.parse(out, headers: true, row_sep: "\r")
 
       # remove first row, since it will be a seperator line
       table.delete(0)

data/lib/inspec/resources/package.rb

@@ -26,6 +26,7 @@ module Inspec::Resources
       @cache = nil
       # select package manager
       @pkgman = nil
+      @latest_version = nil
 
       os = inspec.os
       if os.debian?
@@ -60,6 +61,15 @@ module Inspec::Resources
       info[:installed] == true
     end
 
+    def latest?(_provider = nil, _version = nil)
+      os = inspec.os
+      if os.solaris? || (%w{hpux aix}.include? os[:family])
+        raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
+      end
+
+      (!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
+    end
+
     # returns true it the package is held (if the OS supports it)
     def held?(_provider = nil, _version = nil)
       info[:held] == true
@@ -82,6 +92,10 @@ module Inspec::Resources
       info[:version]
     end
 
+    def latest_version
+      @latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
+    end
+
     def to_s
       "System Package #{@package_name}"
     end
@@ -107,6 +121,21 @@ module Inspec::Resources
       # combined into a `ResourceSkipped` exception message.
       []
     end
+
+    private
+
+    def fetch_latest_version(cmd_string)
+      cmd = inspec.command(cmd_string)
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
+      else
+        fetch_version_no(cmd.stdout)
+      end
+    end
+
+    def fetch_version_no(output)
+      output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
+    end
   end
 
   # Debian / Ubuntu
@@ -124,14 +153,21 @@ module Inspec::Resources
       # If the package is installed and marked hold, Status is "hold ok installed"
       # If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
       # If the package is purged cmd fails with non-zero exit status
+
       {
         name: params["Package"],
         installed: params["Status"].split(" ")[2] == "installed",
         held: params["Status"].split(" ")[0] == "hold",
         version: params["Version"],
         type: "deb",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apt list #{package_name} -a"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # RHEL family
@@ -181,9 +217,15 @@ module Inspec::Resources
         installed: true,
         version: "#{v}-#{r}",
         type: "rpm",
+        only_version_no: "#{v}",
       }
     end
 
+    def latest_version(package_name)
+      cmd_string = "yum list #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
+
     private
 
     def rpm_command(package_name)
@@ -216,11 +258,17 @@ module Inspec::Resources
         installed: true,
         version: pkg["installed"][0]["version"],
         type: "brew",
+        latest_version: pkg["versions"]["stable"],
+        only_version_no: pkg["installed"][0]["version"],
       }
     rescue JSON::ParserError => e
       raise Inspec::Exceptions::ResourceFailed,
             "Failed to parse JSON from `brew` command. Error: #{e}"
     end
+
+    def latest_version(package_name)
+      nil
+    end
   end
 
   # Arch Linux
@@ -240,8 +288,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pacman",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class HpuxPkg < PkgManagement
@@ -267,13 +321,20 @@ module Inspec::Resources
       pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
       pkg = pkg_info[0].split(" - ")[0]
 
+      version = pkg.partition("-")[2]
       {
         name: pkg.partition("-")[0],
         installed: true,
-        version: pkg.partition("-")[2],
+        version: version,
         type: "pkg",
+        only_version_no: fetch_version_no(version),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apk info #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class FreebsdPkg < PkgManagement
@@ -292,8 +353,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pkg",
+        only_version_no: params["Version"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pkg version -v | grep #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # Determines the installed packages on Windows using the Windows package registry entries.
@@ -339,8 +406,14 @@ module Inspec::Resources
         installed: true,
         version: package["DisplayVersion"],
         type: "windows",
+        only_version_no: package["DisplayVersion"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "Get-Package #{package_name} -AllVersions"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # AIX

data/lib/inspec/resources/registry_key.rb

@@ -105,6 +105,21 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
+    # returns hash containing users / groups and their permission
+    def user_permissions
+      return {} unless exists?
+
+      get_permissions(@options[:path])
+    end
+
+    # returns true if inheritance is enabled for registry key.
+    def inherited?
+      return false unless exists?
+
+      cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
@@ -283,6 +298,21 @@ module Inspec::Resources
 
       key.start_with?("\\") ? key : "\\#{key}"
     end
+
+    def get_permissions(path)
+      script = <<~EOH
+      $path = '#{path}'
+      $Acl = Get-Acl -Path ('Registry::' + $path)
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference = $Access.RegistryRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
   end
 
   class WindowsRegistryKey < RegistryKey

data/lib/inspec/resources/selinux.rb

@@ -84,8 +84,13 @@ module Inspec::Resources
 
     def initialize(selinux_path = "/etc/selinux/config")
       @path = selinux_path
-      cmd = inspec.command("sestatus")
+      if inspec.os.redhat? && inspec.os.name == "amazon"
+        lcmd = "/usr/sbin/sestatus"
+      else
+        lcmd = "sestatus"
+      end
 
+      cmd = inspec.command(lcmd)
       if cmd.exit_status != 0
         # `sestatus` command not found error message comes in stdout so handling both here
         out = cmd.stdout + "\n" + cmd.stderr

data/lib/inspec/resources/timezone.rb

@@ -0,0 +1,65 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class TimeZone < Cmd
+    name "timezone"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Check for timezone configurations"
+    example <<~EXAMPLE
+      describe timezone do
+        its('identifier') { should eq 'Asia/Kolkata' }
+        its('name') { should eq 'IST' }
+        its('time_offset') { should eq '+0530' }
+      end
+    EXAMPLE
+
+    def initialize
+      @output = {}
+      os = inspec.os
+      cmd = if os.windows?
+              inspec.command("Get-TimeZone")
+            else
+              inspec.command("timedatectl status | grep -i 'Time zone'")
+            end
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Time Zone resource with error: #{cmd.stderr}"
+      else
+        if os.windows?
+          splitted_output = cmd.stdout.strip.gsub(/\r/, "").split("\n").select { |out| (out.include? "Id") || (out.include? "DisplayName") || (out.include? "BaseUtcOffset") }
+          @output["identifier"]  = split_and_fetch_last(splitted_output[1])
+          @output["name"]        = split_and_fetch_last(splitted_output[0])
+          @output["time_offset"] = split_and_fetch_last(splitted_output[2])
+        else
+          splitted_output = cmd.stdout.split(":")[-1]&.strip&.gsub(/[(),^]*/, "")&.split(" ") || []
+          @output["identifier"]  = splitted_output[0]
+          @output["name"]        = splitted_output[1]
+          @output["time_offset"] = splitted_output[2]
+        end
+      end
+    end
+
+    def identifier
+      @output["identifier"]
+    end
+
+    def name
+      @output["name"]
+    end
+
+    def time_offset
+      @output["time_offset"]
+    end
+
+    def to_s
+      "Time Zone resource"
+    end
+
+    private
+
+    def split_and_fetch_last(string_value)
+      string_value.split(" :")[-1].strip
+    end
+  end
+end

data/lib/inspec/resources.rb

@@ -41,6 +41,7 @@ require "inspec/resources/cassandradb_session"
 require "inspec/resources/cassandradb_conf"
 require "inspec/resources/cassandra"
 require "inspec/resources/crontab"
+require "inspec/resources/timezone"
 require "inspec/resources/dh_params"
 require "inspec/resources/directory"
 require "inspec/resources/docker"
@@ -72,6 +73,7 @@ require "inspec/resources/ip6tables"
 require "inspec/resources/iptables"
 require "inspec/resources/kernel_module"
 require "inspec/resources/kernel_parameter"
+require "inspec/resources/kernel_parameters"
 require "inspec/resources/key_rsa"
 require "inspec/resources/ksh"
 require "inspec/resources/limits_conf"

data/lib/inspec/runner_rspec.rb

@@ -123,6 +123,8 @@ module Inspec
     def set_optional_formatters
       return if @conf["reporter"].nil?
 
+      # This is a slightly modified version of the default RSpec JSON formatter
+      # No one in their right mind should be using this because we have a much better JSON reporter - named "json"
       if @conf["reporter"].key?("json-rspec")
         # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
         if @conf["reporter"]["json-rspec"]&.[]("file").nil?
@@ -133,6 +135,7 @@ module Inspec
         @conf["reporter"].delete("json-rspec")
       end
 
+      # These are built-in to rspec
       formats = @conf["reporter"].select { |k, _v| %w{documentation progress html}.include?(k) }
       formats.each do |k, v|
         # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
@@ -143,6 +146,33 @@ module Inspec
         end
         @conf["reporter"].delete(k)
       end
+
+      # Here we need to look for reporter names in the reporter option that
+      # are names of streaming reporter plugins. We load them, then tell RSpec to add them as formatters.
+      # They will have already been detected at this point (see v2_loader.load_all in cli.rb)
+      # but they will not be activated activated at this point.
+      # then list all plugins by type by name
+      reg = Inspec::Plugin::V2::Registry.instance
+      streaming_reporters = reg\
+        .find_activators(plugin_type: :streaming_reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      @conf["reporter"].each do |streaming_reporter_name, file_target|
+        # It could be a non-streaming reporter
+        next unless streaming_reporters.include? streaming_reporter_name
+
+        # Activate the plugin so the formatter ID gets registered with RSpec, presumably
+        activator = reg.find_activator(plugin_type: :streaming_reporter, activator_name: streaming_reporter_name.to_sym)
+        activator.activate!
+
+        # We cannot pass in a nil output path. Rspec only accepts a valid string or a IO object.
+        if file_target&.[]("file").nil?
+          RSpec.configuration.add_formatter(activator.implementation_class)
+        else
+          RSpec.configuration.add_formatter(activator.implementation_class, file_target["file"])
+        end
+        @conf["reporter"].delete(streaming_reporter_name)
+      end
     end
 
     # Configure the output formatter and stream to be used with RSpec.

data/lib/inspec/utils/filter.rb

@@ -114,6 +114,7 @@ module FilterTable
         raise(ArgumentError, "'#{decorate_symbols(raw_field_name)}' is not a recognized criterion - expected one of #{decorate_symbols(list_fields).join(", ")}'") unless field?(raw_field_name)
 
         populate_lazy_field(raw_field_name, desired_value) if is_field_lazy?(raw_field_name)
+        populate_lazy_instance_field(raw_field_name, desired_value) if is_field_lazy_instance?(raw_field_name)
         new_criteria_string += " #{raw_field_name} == #{desired_value.inspect}"
         filtered_raw_data = filter_raw_data(filtered_raw_data, raw_field_name, desired_value)
       end
@@ -188,6 +189,8 @@ module FilterTable
       is_field ||= list_fields.include?(proposed_field.to_sym)
       is_field ||= is_field_lazy?(proposed_field.to_s)
       is_field ||= is_field_lazy?(proposed_field.to_sym)
+      is_field ||= is_field_lazy_instance?(proposed_field.to_s)
+      is_field ||= is_field_lazy_instance?(proposed_field.to_sym)
 
       is_field
     end
@@ -210,6 +213,23 @@ module FilterTable
       mark_lazy_field_populated(field_name)
     end
 
+    def populate_lazy_instance_field(field_name, criterion)
+      return unless is_field_lazy_instance?(field_name)
+      return if field_populated?(field_name)
+
+      raw_data.each do |row|
+        next if row.key?(field_name) # skip row if pre-existing data is present
+
+        lazy_caller = callback_for_lazy_instance_field(field_name)
+        if lazy_caller.is_a?(Proc)
+          lazy_caller.call(row, criterion, resource_instance)
+        elsif lazy_caller.is_a?(Symbol)
+          resource_instance.send(lazy_caller, row, criterion, self)
+        end
+      end
+      mark_lazy_field_populated(field_name)
+    end
+
     def is_field_lazy?(sought_field_name)
       custom_properties_schema.values.any? do |property_struct|
         sought_field_name == property_struct.field_name && \
@@ -217,6 +237,13 @@ module FilterTable
       end
     end
 
+    def is_field_lazy_instance?(sought_field_name)
+      custom_properties_schema.values.any? do |property_struct|
+        sought_field_name == property_struct.field_name && \
+          property_struct.opts[:lazy_instance]
+      end
+    end
+
     def callback_for_lazy_field(field_name)
       return unless is_field_lazy?(field_name)
 
@@ -225,6 +252,14 @@ module FilterTable
       end.opts[:lazy]
     end
 
+    def callback_for_lazy_instance_field(field_name)
+      return unless is_field_lazy_instance?(field_name)
+
+      custom_properties_schema.values.find do |property_struct|
+        property_struct.field_name == field_name
+      end.opts[:lazy_instance]
+    end
+
     def field_populated?(field_name)
       @populated_lazy_columns[field_name]
     end
@@ -349,12 +384,18 @@ module FilterTable
       # args of the row struct; also the Struct class will already have provided
       # a setter for each field.
       @custom_properties.values.each do |property_info|
-        next unless property_info.opts[:lazy]
+        next unless property_info.opts[:lazy] || property_info.opts[:lazy_instance]
 
         field_name = property_info.field_name.to_sym
         row_eval_context_type.send(:define_method, field_name) do
           unless filter_table.field_populated?(field_name)
-            filter_table.populate_lazy_field(field_name, NoCriteriaProvided) # No access to criteria here
+            if property_info.opts[:lazy]
+              filter_table.populate_lazy_field(field_name, NoCriteriaProvided)
+            end # No access to criteria here
+            if property_info.opts[:lazy_instance]
+              filter_table.populate_lazy_instance_field(field_name,
+                                                        NoCriteriaProvided)
+            end
             # OK, the underlying raw data has the value in the first row
             # (because we would trigger population only on the first row)
             # We could just return the value, but we need to set it on this Struct in case it is referenced multiple times
@@ -449,7 +490,10 @@ module FilterTable
             result = where(nil)
             if custom_property_struct.opts[:lazy]
               result.populate_lazy_field(custom_property_struct.field_name, filter_criteria_value)
+            elsif custom_property_struct.opts[:lazy_instance]
+              result.populate_lazy_instance_field(custom_property_struct.field_name, filter_criteria_value)
             end
+
             result = where(nil).get_column_values(custom_property_struct.field_name) # TODO: the where(nil). is likely unneeded
             result = result.flatten.uniq.compact if custom_property_struct.opts[:style] == :simple
             result

data/lib/inspec/utils/run_data_filters.rb

@@ -65,7 +65,7 @@ module Inspec
             c[:results]&.each do |r|
               next unless r[:message] # :message only set on failure
 
-              pos = r[:message].index("\n\nDiff:")
+              pos = r[:message].index(/\n{1,2}Diff.*:/)
               next unless pos # Only textual tests get Diffs
 
               r[:message] = r[:message].slice(0, pos)

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.52.9".freeze
+  VERSION = "4.56.17".freeze
 end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -84,7 +84,7 @@ module InspecPlugins
         return {} if data.nil? || data.empty?
 
         parsed = JSON.parse(data)
-        return {} unless parsed.key?("version") && !parsed["version"].empty?
+        return {} unless parsed.key?("build_timestamp") && !parsed["build_timestamp"].empty?
 
         parsed
       end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -219,9 +219,10 @@ module InspecPlugins
       def version
         config = InspecPlugins::Compliance::Configuration.new
         info = InspecPlugins::Compliance::API.version(config)
-        if !info.nil? && info["version"]
-          puts "Name:    #{info["api"]}"
-          puts "Version: #{info["version"]}"
+        if !info.nil? && info["build_timestamp"]
+          # key info["api"] is not longer available in latest version api response
+          puts "Name: automate"
+          puts "Version: #{info["build_timestamp"]}"
         else
           puts "Could not determine server version."
           exit 1

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.52.9
+  version: 4.56.17
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-20 00:00:00.000000000 Z
+date: 2022-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -117,7 +117,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.9'
-    - - "<"
+    - - "<="
       - !ruby/object:Gem::Version
         version: '3.11'
   type: :runtime
@@ -127,7 +127,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.9'
-    - - "<"
+    - - "<="
       - !ruby/object:Gem::Version
         version: '3.11'
 - !ruby/object:Gem::Dependency
@@ -479,6 +479,7 @@ files:
 - lib/inspec/plugin/v2/plugin_types/input.rb
 - lib/inspec/plugin/v2/plugin_types/mock.rb
 - lib/inspec/plugin/v2/plugin_types/reporter.rb
+- lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb
 - lib/inspec/plugin/v2/registry.rb
 - lib/inspec/plugin/v2/status.rb
 - lib/inspec/profile.rb
@@ -554,6 +555,7 @@ files:
 - lib/inspec/resources/json.rb
 - lib/inspec/resources/kernel_module.rb
 - lib/inspec/resources/kernel_parameter.rb
+- lib/inspec/resources/kernel_parameters.rb
 - lib/inspec/resources/key_rsa.rb
 - lib/inspec/resources/ksh.rb
 - lib/inspec/resources/launchd_service.rb
@@ -619,6 +621,7 @@ files:
 - lib/inspec/resources/sys_info.rb
 - lib/inspec/resources/systemd_service.rb
 - lib/inspec/resources/sysv_service.rb
+- lib/inspec/resources/timezone.rb
 - lib/inspec/resources/toml.rb
 - lib/inspec/resources/upstart_service.rb
 - lib/inspec/resources/user.rb
@@ -788,7 +791,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="