inspec-core 4.56.20 → 4.56.58

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5cd060fe45d6cb0fa653922f1fa8c63e723e8736bfa3c4b821e7a4f1e109fae
-  data.tar.gz: 5c5ceb1b63e19b6311d7ef9a5ce601b98a782397439b3e97dcc4f590c9ca739b
+  metadata.gz: c9817a3eab9cc59b2a73fff43f35ecb954d48b9a16b2e1e1a7eb44bbd1389420
+  data.tar.gz: 410c6d2786f8cccc6690593e5db3bb03be0bc77444ea8fab9504213b9594102c
 SHA512:
-  metadata.gz: 3a028a6ea4d48e8eba83804548abc255ac2fb2ecfd76d450223cc24eab43f84382dec1de8813fd7b9f7284ffd1ef7f8a9948724850469296d086dd9c9bb55173
-  data.tar.gz: 534d17549cbf55ffc635a4a9f0689372093debd6f2bbe020f15d606619b451c5441bd2266a8f092024409d0bbe3715d5b7bb7bebf695bba0f23ae2b4112f8553
+  metadata.gz: c93dd109c5676294db7ecc9dd944769df71badcf3df9d116583b7429a07da78087fa3f1194d6d2cfe0acc6ecf8483abba72fe3d490b2439f01e736bdf41cce3d
+  data.tar.gz: 62058048a64e284a585c4a38f4a906d3aeab03142287726393e71ae8088b8f766d2eed97bd7a4b75446d3b74e2dd469b70906b1c5d3d61b4dd1863eeeee2d68d

data/Gemfile

@@ -23,42 +23,27 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 2.0.3"
+  gem "chefstyle", "~> 2.2.2"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
-  gem "json_schemer", ">= 0.2.1", "< 0.2.19"
+  gem "json_schemer", ">= 0.2.1", "< 2.0.1"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
-  gem "minitest", "~> 5.5"
-  gem "mocha", "~> 1.1"
+  gem "minitest", "5.15.0"
+  gem "mocha", "~> 2.1"
   gem "nokogiri", "~> 1.9"
   gem "pry-byebug"
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
-  gem "ruby-progressbar", "~> 1.8"
   gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
-end
 
-group :deploy do
-  gem "inquirer"
-end
-
-# Only include Test Kitchen support if we are on Ruby 2.7 or higher
-# as chef-zero support requires Ruby 2.6
-# See https://github.com/inspec/inspec/pull/5341
-if Gem.ruby_version >= Gem::Version.new("2.7.0")
-  group :kitchen do
-    gem "berkshelf"
-    gem "chef", ">= 16.0" # Required to allow net-ssh > 6
-    gem "test-kitchen", ">= 2.8"
-    gem "kitchen-inspec", ">= 2.0"
-    gem "kitchen-dokken", ">= 2.11"
-    gem "git"
+  if Gem.ruby_version >= Gem::Version.new("3.0.0")
+    # html-proofer has a dep on io-event, which is ruby-3 only
+    gem "html-proofer", "~> 3.19.4", platforms: :ruby # do not attempt to run proofer on windows. Pinned to 3.19.4 as test is breaking in updated versions.
   end
 end
 
-if Gem.ruby_version < Gem::Version.new("2.7.0")
-  gem "activesupport", "6.1.4.4"
+group :deploy do
+  gem "inquirer"
 end

data/inspec-core.gemspec

@@ -25,10 +25,12 @@ Gem::Specification.new do |spec|
   # Implementation dependencies
   spec.add_dependency "chef-telemetry",     "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
   spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
-  spec.add_dependency "thor",               ">= 0.20", "< 2.0"
+  # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
+  # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
+  spec.add_dependency "thor",               ">= 0.20", "< 1.3.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
+  spec.add_dependency "rspec",              ">= 3.9", "<= 3.13"
   spec.add_dependency "rspec-its",          "~> 1.2"
   spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             ">= 3.4", "< 5.0"

data/lib/inspec/cli.rb

@@ -189,6 +189,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Fallback to using local archives if fetching fails."
   option :ignore_errors, type: :boolean, default: false,
     desc: "Ignore profile warnings."
+  option :check, type: :boolean, default: false,
+    desc: "Run profile check before archiving."
+  option :export, type: :boolean, default: false,
+    desc: "Export the profile to inspec.json and include in archive"
   def archive(path)
     o = config
     diagnose(o)
@@ -203,7 +207,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     vendor_deps(path, vendor_options)
 
     profile = Inspec::Profile.for_target(path, o)
-    result = profile.check
+    result = profile.check if o[:check]
 
     if result && !o[:ignore_errors] == false
       o[:logger].info "Profile check failed. Please fix the profile before generating an archive."

data/lib/inspec/dependencies/dependency_set.rb

@@ -25,7 +25,9 @@ module Inspec
     def self.from_array(dependencies, cwd, cache, backend)
       dep_list = {}
       dependencies.each do |d|
-        dep_list[d.name] = d
+        # if depedent profile does not have a source version then only name is used in dependency hash
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
     end
@@ -39,7 +41,9 @@ module Inspec
     def self.flatten_dep_tree(dep_tree)
       dep_list = {}
       dep_tree.each do |d|
-        dep_list[d.name] = d
+        # if depedent profile does not have a source version then only name is used in dependency hash
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end
       dep_list

data/lib/inspec/dsl.rb

@@ -5,13 +5,13 @@ require "inspec/plugin/v2"
 module Inspec::DSL
   attr_accessor :backend
 
-  def require_controls(id, &block)
-    opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies }
+  def require_controls(id, version = nil, &block)
+    opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version }
     ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block)
   end
 
-  def include_controls(id, &block)
-    opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies }
+  def include_controls(id, version = nil, &block)
+    opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version }
     ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block)
   end
 
@@ -76,7 +76,23 @@ module Inspec::DSL
   def self.load_spec_files_for_profile(bind_context, opts, &block)
     dependencies = opts[:dependencies]
     profile_id = opts[:profile_id]
-    dep_entry = dependencies.list[profile_id]
+    profile_version = opts[:profile_version]
+
+    new_profile_id = nil
+    if profile_version
+      new_profile_id = "#{profile_id}-#{profile_version}"
+    else
+      dependencies.list.each do |key, value|
+        # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
+        # 2. Matching original profile dependency name with profile name used with include or require control DSL.
+        source_version = value.source_version
+        unless source_version.blank?
+          profile_id_key = key.split("-#{source_version}")[0]
+          new_profile_id = key if profile_id_key == profile_id
+        end
+      end
+    end
+    dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id]
 
     if dep_entry.nil?
       raise <<~EOF

data/lib/inspec/env_printer.rb

@@ -35,7 +35,7 @@ module Inspec
     private
 
     def print_completion_for_shell
-      erb = ERB.new(File.read(completion_template_path), nil, "-")
+      erb = ERB.new(File.read(completion_template_path), trim_mode: "-")
       puts erb.result(TemplateContext.new(@command_class).get_bindings)
     end
 

data/lib/inspec/fetcher/git.rb

@@ -41,6 +41,7 @@ module Inspec::Fetcher
       @ref = opts[:ref]
       @remote_url = expand_local_path(remote_url)
       @repo_directory = nil
+      @resolved_ref = nil
       @relative_path = opts[:relative_path] if opts[:relative_path] && !opts[:relative_path].empty?
     end
 
@@ -70,7 +71,7 @@ module Inspec::Fetcher
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
-            Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+            Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                               "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
@@ -80,14 +81,14 @@ module Inspec::Fetcher
     end
 
     def perform_relative_path_fetch(destination_path, working_dir)
-      Inspec::Log.debug("Checkout of #{resolved_ref} successful. " \
+      Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")
       unless File.exist?("#{working_dir}/#{@relative_path}")
         # Cleanup the destination path - otherwise we'll have an empty dir
         # in the cache, which is enough to confuse the cache reader
         # This is a courtesy, assuming we're writing to the cache; if we're
         # vendoring to something more complex, don't bother.
-        FileUtils.rmdir(destination_path) if Dir.empty?(destination_path)
+        FileUtils.rm_r(destination_path) if Dir.exist?(destination_path)
 
         raise Inspec::FetcherFailure, "Cannot find relative path '#{@relative_path}' " \
                                       "within profile in git repo specified by '#{@remote_url}'"
@@ -96,9 +97,16 @@ module Inspec::Fetcher
     end
 
     def cache_key
-      return resolved_ref unless @relative_path
-
-      OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+      cache_key = if @relative_path && !resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", resolved_ref + @relative_path)
+                  elsif @relative_path && resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url + @relative_path)
+                  elsif resolved_ref.nil?
+                    OpenSSL::Digest.hexdigest("SHA256", @remote_url)
+                  else
+                    resolved_ref
+                  end
+      cache_key
     end
 
     def archive_path
@@ -106,7 +114,11 @@ module Inspec::Fetcher
     end
 
     def resolved_source
-      source = { git: @remote_url, ref: resolved_ref }
+      if resolved_ref.nil?
+        source = { git: @remote_url }
+      else
+        source = { git: @remote_url, ref: resolved_ref }
+      end
       source[:relative_path] = @relative_path if @relative_path
       source
     end
@@ -125,33 +137,27 @@ module Inspec::Fetcher
                         elsif @tag
                           resolve_ref(@tag)
                         else
-                          resolve_ref(default_ref)
+                          resolve_ref
                         end
     end
 
-    def default_ref
-      command_string = "git remote show #{@remote_url}"
+    def resolve_ref(ref_name = nil)
+      command_string = if ref_name.nil?
+                         # Running git ls-remote command helps to raise error if git URL is invalid and avoids cache_key creation
+                         "git ls-remote \"#{@remote_url}\""
+                       else
+                         "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
+                       end
       cmd = shellout(command_string)
-      unless cmd.exitstatus == 0
-        raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
+      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
+
+      if ref_name.nil?
+        ref = nil
       else
-        ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+        ref = parse_ls_remote(cmd.stdout, ref_name)
         unless ref
-          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
+          raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
         end
-
-        ref
-      end
-    end
-
-    def resolve_ref(ref_name)
-      command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
-      cmd = shellout(command_string)
-      raise(Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - error running '#{command_string}': #{cmd.stderr}") unless cmd.exitstatus == 0
-
-      ref = parse_ls_remote(cmd.stdout, ref_name)
-      unless ref
-        raise Inspec::FetcherFailure, "Profile git dependency failed - unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
       end
 
       ref
@@ -200,7 +206,14 @@ module Inspec::Fetcher
 
     def checkout(dir = @repo_directory)
       clone(dir)
-      git_cmd("checkout #{resolved_ref}", dir)
+      # In case of branch, tag or git reference is not provided by User the resolved_ref will always be nil
+      # and will always checkout the default HEAD branch, else it will checkout specific branch, tag or git reference.
+      if resolved_ref.nil?
+        git_cmd("checkout", dir)
+      else
+        git_cmd("checkout #{resolved_ref}", dir)
+      end
+
       @repo_directory
     end
 
@@ -208,6 +221,8 @@ module Inspec::Fetcher
       cmd = shellout("git #{cmd}", cwd: dir)
       cmd.error!
       cmd.status
+    rescue Mixlib::ShellOut::ShellCommandFailed => e
+      raise Inspec::FetcherFailure, "Error while running git command. #{e.message} "
     rescue Errno::ENOENT
       raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - to use git sources, you must have git installed."
     end

data/lib/inspec/fetcher/url.rb

@@ -262,7 +262,7 @@ module Inspec::Fetcher
 
       open(target, opts)
 
-    rescue SocketError, Errno::ECONNREFUSED, OpenURI::HTTPError => e
+    rescue SocketError, Net::OpenTimeout, Errno::ECONNREFUSED, OpenURI::HTTPError => e
       raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
     end
 

data/lib/inspec/formatters/base.rb

@@ -1,5 +1,6 @@
 require "rspec/core"
 require "rspec/core/formatters/base_formatter"
+require "set" unless defined?(Set)
 
 module Inspec::Formatters
   class Base < RSpec::Core::Formatters::BaseFormatter

data/lib/inspec/profile.rb

@@ -617,7 +617,6 @@ module Inspec
     end
 
     # generates a archive of a folder profile
-    # assumes that the profile was checked before
     def archive(opts)
       # check if file exists otherwise overwrite the archive
       dst = archive_name(opts)
@@ -634,31 +633,34 @@ module Inspec
       # TODO ignore all .files, but add the files to debug output
 
       # Generate temporary inspec.json for archive
-      Inspec::Utils::JsonProfileSummary.produce_json(
-        info: info,
-        write_path: "#{root_path}inspec.json",
-        suppress_output: true
-      )
+      if opts[:export]
+        Inspec::Utils::JsonProfileSummary.produce_json(
+          info: info, # TODO: conditionalize and call info_from_parse
+          write_path: "#{root_path}inspec.json",
+          suppress_output: true
+        )
+      end
 
       # display all files that will be part of the archive
       @logger.debug "Add the following files to archive:"
       files.each { |f| @logger.debug "    " + f }
-      @logger.debug "    inspec.json"
+      @logger.debug "    inspec.json" if opts[:export]
 
+      archive_files = opts[:export] ? files.push("inspec.json") : files
       if opts[:zip]
         # generate zip archive
         require "inspec/archive/zip"
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files.push("inspec.json"), dst)
+        zag.archive(root_path, archive_files, dst)
       else
         # generate tar archive
         require "inspec/archive/tar"
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files.push("inspec.json"), dst)
+        tag.archive(root_path, archive_files, dst)
       end
 
       # Cleanup
-      FileUtils.rm_f("#{root_path}inspec.json")
+      FileUtils.rm_f("#{root_path}inspec.json") if opts[:export]
 
       @logger.info "Finished archive generation."
       true
@@ -756,10 +758,12 @@ module Inspec
         return Pathname.new(name)
       end
 
-      name = params[:name] ||
+      # Using metadata to fetch basic info of name and version
+      metadata = @source_reader.metadata.params
+      name = metadata[:name] ||
         raise("Cannot create an archive without a profile name! Please "\
              "specify the name in metadata or use --output to create the archive.")
-      version = params[:version] ||
+      version = metadata[:version] ||
         raise("Cannot create an archive without a profile version! Please "\
              "specify the version in metadata or use --output to create the archive.")
       ext = opts[:zip] ? "zip" : "tar.gz"
@@ -787,7 +791,12 @@ module Inspec
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end
-      params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      if @profile_id.nil?
+        # identifying inputs using profile name
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(params[:name])
+      else
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      end
       params
     end
 

data/lib/inspec/resources/cassandradb_session.rb

@@ -1,10 +1,11 @@
 module Inspec::Resources
   class Lines
-    attr_reader :output
+    attr_reader :output, :exit_status
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status)
       @output = raw
       @desc = desc
+      @exit_status = exit_status
     end
 
     def to_s
@@ -40,7 +41,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/
         raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}"
       else
-        Lines.new(cmd.stdout.strip, "Cassandra query: #{q}")
+        Lines.new(cmd.stdout.strip, "Cassandra query: #{q}", cmd.exit_status)
       end
     end
 

data/lib/inspec/resources/file.rb

@@ -65,7 +65,7 @@ module Inspec::Resources
     def user_permissions
       return {} unless exist?
 
-      return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
+      return skip_resource "`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
 
       @perms_provider.user_permissions(file)
     end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -1,10 +1,11 @@
 module Inspec::Resources
   class Lines
-    attr_reader :output
+    attr_reader :output, :exit_status
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status)
       @output = raw
       @desc = desc
+      @exit_status = exit_status
     end
 
     def to_s
@@ -58,7 +59,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/
         raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}"
       else
-        Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}")
+        Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}", cmd.exit_status)
       end
     end
 

data/lib/inspec/resources/mongodb_session.rb

@@ -4,9 +4,10 @@ module Inspec::Resources
   class Lines
     attr_reader :params
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status = nil)
       @params = raw
       @desc = desc
+      @exit_status = exit_status
     end
 
     def to_s
@@ -79,6 +80,11 @@ module Inspec::Resources
       options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
       options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
 
+      # Setting the logger level to INFO as mongo gem version 2.13.2 is using DEBUG as the log level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/v2.13.2/lib/mongo/logger.rb#L79
+      # Latest version of the mongo gem don't have this issue as it set to INFO level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/logger.rb#L82
+      # We pinned the version to 2.13.2 as the latest version of the mongo gem has broken symlink https://jira.mongodb.org/browse/RUBY-2546 which causes omnibus build failure.
+      # Once we get the latest version working we can remove logger level set here.
+      Mongo::Logger.logger.level = Logger::INFO
       @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
 
     rescue => e

data/lib/inspec/resources/oracledb_session.rb

@@ -91,22 +91,31 @@ module Inspec::Resources
         verified_query = verify_query(escaped_query)
       end
 
-      sql_prefix, sql_postfix = "", ""
+      sql_prefix, sql_postfix, oracle_echo_str = "", "", ""
       if inspec.os.windows?
         sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
       else
         sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\nEOC}
+        # oracle_query_string is echoed to be able to extract the query output clearly
+        oracle_echo_str = %{echo 'oracle_query_string';}
+      end
+
+      # Resetting sql_postfix if system is using AIX OS and C shell installation for oracle
+      if inspec.os.aix?
+        command_to_fetch_shell = @su_user ? %{su - #{@su_user} -c "env | grep SHELL"} : %{env | grep SHELL}
+        shell_is_csh = inspec.command(command_to_fetch_shell).stdout&.include? "/csh"
+        sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\n'EOC'} if shell_is_csh
       end
 
       if @db_role.nil?
-        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
+        %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
-        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
+        %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
       else
         # oracle_query_string is echoed to be able to extract the query output clearly
         # su - su_user in certain versions of oracle returns a message
         # Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
-        %{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
+        %{su - #{@su_user} -c "#{oracle_echo_str} env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
       end
     end
 

data/lib/inspec/resources/postgres_session.rb

@@ -4,9 +4,9 @@ require "shellwords" unless defined?(Shellwords)
 
 module Inspec::Resources
   class Lines
-    attr_reader :output
+    attr_reader :output, :exit_status
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status)
       @output = raw
       @desc = desc
     end
@@ -58,9 +58,9 @@ module Inspec::Resources
       if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
-        Lines.new(out, "PostgreSQL query with error: #{query}")
+        Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
       else
-        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
+        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}", cmd.exit_status)
       end
     end
 

data/lib/inspec/resources/processes.rb

@@ -43,7 +43,7 @@ module Inspec::Resources
 
       all_cmds = ps_axo
       @list = all_cmds.find_all do |hm|
-        hm[:command] =~ grep
+        hm[:command] =~ grep || hm[:process_name] =~ grep
       end
     end
 
@@ -73,6 +73,7 @@ module Inspec::Resources
       .register_column(:time,     field: "time")
       .register_column(:users,    field: "user")
       .register_column(:commands, field: "command")
+      .register_column(:process_name, field: "process_name")
       .install_filter_methods_on_resource(self, :filtered_processes)
 
     private
@@ -87,9 +88,9 @@ module Inspec::Resources
       if os.linux?
         command, regex, field_map = ps_configuration_for_linux
       elsif os.windows?
-        command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
+        command = '$Proc = Get-Process -IncludeUserName | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path,ProcessName | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
         # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
-        regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
+        regex = /^(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*)$/
         field_map = {
           pid: 2,
           cpu: 3,
@@ -102,6 +103,7 @@ module Inspec::Resources
           time: 10,
           user: 11,
           command: 12,
+          process_name: 13,
         }
       else
         command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
@@ -193,7 +195,7 @@ module Inspec::Resources
 
         # build a hash of process data that we'll turn into a struct for FilterTable
         process_data = {}
-        %i{label pid cpu mem vsz rss tty stat start time user command}.each do |param|
+        %i{label pid cpu mem vsz rss tty stat start time user command process_name}.each do |param|
           # not all operating systems support all fields, so skip the field if we don't have it
           process_data[param] = line[field_map[param]] if field_map.key?(param)
         end

data/lib/inspec/resources/service.rb

@@ -182,7 +182,9 @@ module Inspec::Resources
       when "aix"
         SrcMstr.new(inspec)
       when "amazon"
-        if os[:release] =~ /^20\d\d/
+        # If `initctl` exists on the system, use `Upstart`. Else use `Systemd` since all-new Amazon Linux supports `systemctl`.
+        # This way, it is not dependent on the version of Amazon Linux.
+        if inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?
           Upstart.new(inspec, service_ctl)
         else
           Systemd.new(inspec, service_ctl)
@@ -603,7 +605,7 @@ module Inspec::Resources
       return nil if srv.nil? || srv[0].nil?
 
       # extract values from service
-      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[\-0-9]+)\t(?<name>\S*)$/.match(srv[0])
       enabled = !parsed_srv["name"].nil? # it's in the list
 
       # check if the service is running

data/lib/inspec/rule.rb

@@ -358,7 +358,7 @@ module Inspec
         # YAML will automagically give us a Date or a Time.
         # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
         # A string that does not represent a valid time results in the date 0000-01-01.
-        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.parse(expiry).year != 0)
           expiry = expiry.to_time if expiry.is_a? Date
           expiry = Time.parse(expiry) if expiry.is_a? String
           if expiry < Time.now # If the waiver expired, return - no skip applied

data/lib/inspec/secrets/yaml.rb

@@ -16,7 +16,13 @@ module Secrets
 
     # array of yaml file paths
     def initialize(target)
-      @inputs = ::YAML.load_file(target)
+      # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+      # It's not a valid option in 3.0.x
+      if Gem.ruby_version >= Gem::Version.new("3.1.0")
+        @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
+      else
+        @inputs = ::YAML.load_file(target)
+      end
 
       if @inputs == false || !@inputs.is_a?(Hash)
         Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.56.20".freeze
+  VERSION = "4.56.58".freeze
 end

data/lib/matchers/matchers.rb

@@ -225,7 +225,11 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def boolean?(value)
-    %w{true false}.include?(value.downcase)
+    if value.respond_to?("downcase")
+      %w{true false}.include?(value.downcase)
+    else
+      value.is_a?(TrueClass) || value.is_a?(FalseClass)
+    end
   end
 
   def version?(value)
@@ -252,6 +256,8 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
       return actual.send(op, expected.to_i)
     elsif expected.is_a?(String) && boolean?(expected) && [true, false].include?(actual)
       return actual.send(op, to_boolean(expected))
+    elsif boolean?(expected) && %w{true false}.include?(actual)
+      return actual.send(op, expected.to_s)
     elsif expected.is_a?(Integer) && actual.is_a?(String) && integer?(actual)
       return actual.to_i.send(op, expected)
     elsif expected.is_a?(Float) && float?(actual)

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -7,21 +7,21 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <style type="text/css">
     /* Must inline all CSS files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(css_path), nil, nil, "_css").result(binding)  %>
+    <%= ERB.new(File.read(css_path), eoutvar: "_css").result(binding)  %>
     </style>
     <script type="text/javascript">
     // <![CDATA[
     /* Must inline all JavaScript files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(js_path), nil, nil, "_js").result(binding)  %>
+    <%= ERB.new(File.read(js_path), eoutvar: "_js").result(binding)  %>
     // ]]>
     </script>
   </head>
   <body onload="pageLoaded()">
-    <%= ERB.new(File.read(template_path + "/selector.html.erb"), nil, nil, "_select").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/selector.html.erb"), eoutvar: "_select").result(binding)  %>
     <div class="inspec-report">
     <h1><%= Inspec::Dist::PRODUCT_NAME %> Report</h1>
     <% run_data.profiles.each do |profile| %>
-      <%= ERB.new(File.read(template_path + "/profile.html.erb"), nil, nil, "_prof").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/profile.html.erb"), eoutvar: "_prof").result(binding)  %>
     <% end %>
 
     <div class="inspec-summary">

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -71,7 +71,7 @@
   </table>
 
   <% control.results.each do |result| %>
-    <%= ERB.new(File.read(template_path + "/result.html.erb"), nil, nil, "_rslt").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/result.html.erb"), eoutvar: "_rslt").result(binding)  %>
   <% end %>
 
 </div>

data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb

@@ -17,7 +17,7 @@
 
   <% if profile.status == "loaded" %>
     <% profile.controls.each do |control| %>
-      <%= ERB.new(File.read(template_path + "/control.html.erb"), nil, nil, "_ctl").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/control.html.erb"), eoutvar: "_ctl").result(binding)  %>
     <% end %>
   <% end %>
 </div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.56.20
+  version: 4.56.58
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-19 00:00:00.000000000 Z
+date: 2023-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -59,7 +59,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -69,7 +69,7 @@ dependencies:
         version: '0.20'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 1.3.0
 - !ruby/object:Gem::Dependency
   name: method_source
   requirement: !ruby/object:Gem::Requirement
@@ -119,7 +119,7 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.11'
+        version: '3.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -129,7 +129,7 @@ dependencies:
         version: '3.9'
     - - "<="
       - !ruby/object:Gem::Version
-        version: '3.11'
+        version: '3.13'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement