inspec-core 5.21.29 → 5.22.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f6f86730baadd988c363a823e5e46ba68c318e48b27bbaaba614ce7c33bb71c
-  data.tar.gz: f02ca42e9d4e525b82e9cfa61a04b122dc3b09c1e3c96f2ec4440c3fb3053f25
+  metadata.gz: 257ccbe0a55a1779ee75f8d6e9e8e0ff612990c123e5cdb10d8cf1e19dbade54
+  data.tar.gz: 820f9a0ec86451f48f65f229befe175cf937648ddb5669df1c8a7c27ebfb234b
 SHA512:
-  metadata.gz: 597fed943b00ed280a749f05c97d01e29b4d5a85034835e9f242990588b35b740bf56a886b65202777d68b79b5cbd1faf1a48a69c1a4f1f8a00a83ecdece3527
-  data.tar.gz: 13aa012d46677b3cd31614dcc118c62b1aa1656f3007d6b105f7822a3c25a45b1b1284eef9fb9e761cf5a03cd8209ffe8518d54ed355c189a2f141788a000694
+  metadata.gz: 8150cdd9aca6ac14ae762dd4b6d09867dab6651f0a0705a28f7256a94683a1fd59b7841bfc69e1a362c253d6c2a847d2e9a03b901dd20118ecc1566b4496a8a9
+  data.tar.gz: a3469cb7fa6786e1d9416e9493fed402ccfb6c8e6ac0a2d40a0029ab63c09b09671cf6729736899ed1a039ca75e36a6a57428deba9a8c5d6dbf0975711a06d13

data/Gemfile

@@ -34,7 +34,6 @@ group :test do
   gem "pry-byebug"
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
-  gem "ruby-progressbar", "~> 1.8"
   gem "simplecov", "~> 0.21"
   gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"

data/lib/inspec/base_cli.rb

@@ -100,11 +100,11 @@ module Inspec
       option :ssl, type: :boolean,
         desc: "Use SSL for transport layer encryption (WinRM)."
       option :ssl_peer_fingerprint, type: :string,
-        desc: "Specify peer fingerprint for SSL authentication, used in lieu of certificates"
+        desc: "Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM)."
       option :self_signed, type: :boolean,
         desc: "Allow remote scans with self-signed certificates (WinRM)."
       option :ca_trust_file, type: :string,
-        desc: "Specify CA trust file for SSL authentication"
+        desc: "Specify CA certificate required for SSL authentication (WinRM)."
       option :client_cert, type: :string,
         desc: "Specify client certificate for SSL authentication"
       option :client_key, type: :string,
@@ -121,32 +121,32 @@ module Inspec
         desc: "Read configuration from JSON file (`-` reads from stdin)."
       option :json_config, type: :string, hide: true
       option :proxy_command, type: :string,
-        desc: "Specifies the command to use to connect to the server"
+        desc: "Specifies the command to use to connect to the server."
       option :bastion_host, type: :string,
-        desc: "Specifies the bastion host if applicable"
+        desc: "Specifies the bastion host if applicable."
       option :bastion_user, type: :string,
-        desc: "Specifies the bastion user if applicable"
+        desc: "Specifies the bastion user if applicable."
       option :bastion_port, type: :string,
-        desc: "Specifies the bastion port if applicable"
+        desc: "Specifies the bastion port if applicable."
       option :insecure, type: :boolean, default: false,
-        desc: "Disable SSL verification on select targets"
+        desc: "Disable SSL verification on select targets."
       option :target_id, type: :string,
-        desc: "Provide a ID which will be included on reports - deprecated"
+        desc: "Provide an ID which will be included on reports - deprecated"
       option :winrm_shell_type, type: :string, default: "powershell",
-        desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
+        desc: "Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM)."
       option :docker_url, type: :string,
-        desc: "Provides path to Docker API endpoint (Docker)"
+        desc: "Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows."
       option :ssh_config_file, type: :array,
-        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
-        desc: "Provides path to Podman API endpoint"
+        desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
     end
 
     def self.profile_options
       option :profiles_path, type: :string,
         desc: "Folder which contains referenced profiles."
       option :vendor_cache, type: :string,
-        desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+        desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
       option :auto_install_gems, type: :boolean, default: false,
         desc: "Auto installs gem dependencies of the profile or resource pack."
     end
@@ -174,7 +174,7 @@ module Inspec
       option :input, type: :array, banner: "name1=value1 name2=value2",
         desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
       option :input_file, type: :array,
-        desc: "Load one or more input files, a YAML file with values for the profile to use"
+        desc: "Load one or more input files, a YAML file with values for the profile to use."
       option :waiver_file, type: :array,
         desc: "Load one or more waiver files."
       option :attrs, type: :array,
@@ -182,14 +182,14 @@ module Inspec
       option :create_lockfile, type: :boolean,
         desc: "Write out a lockfile based on this execution (unless one already exists)"
       option :backend_cache, type: :boolean,
-        desc: "Allow caching for backend command output. (default: true)"
+        desc: "Allow caching for backend command output. (default: true)."
       option :show_progress, type: :boolean,
         desc: "Show progress while executing tests."
       option :distinct_exit, type: :boolean, default: true,
         desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
       option :silence_deprecations, type: :array,
         banner: "[all]|[GROUP GROUP...]",
-        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'."
+        desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'."
       option :diff, type: :boolean, default: true,
         desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
       option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
@@ -197,7 +197,7 @@ module Inspec
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
       option :filter_waived_controls, type: :boolean,
-        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file."
       option :retain_waiver_data, type: :boolean,
         desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,

data/lib/inspec/cli.rb

@@ -61,9 +61,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   require "license_acceptance/cli_flags/thor"
   include LicenseAcceptance::CLIFlags::Thor
 
-  desc "json PATH", "read all tests in PATH and generate a JSON summary"
+  desc "json PATH", "read all tests in the PATH and generate a JSON summary."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created profile to a path"
+    desc: "Save the created profile to a path."
   option :controls, type: :array,
     desc: "A list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -81,7 +81,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :format, type: :string,
     desc: "The output format to use: json, raw, yaml. If valid format is not provided then it will use the default for the given 'what'."
   option :output, aliases: :o, type: :string,
-    desc: "Save the created output to a path"
+    desc: "Save the created output to a path."
   option :controls, type: :array,
     desc: "For --what=profile, a list of controls to include. Ignore all other tests."
   option :tags, type: :array,
@@ -145,9 +145,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "check PATH", "verify all tests at the specified PATH"
+  desc "check PATH", "Verify the metadata in the `inspec.yml` file,\
+  verify that control blocks have the correct fields (title, description, impact),\
+  and define that all controls have visible tests and the controls are not using deprecated InSpec DSL code"
   option :format, type: :string,
-    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+    desc: "The output format to use. Valid values: `json` and `doc`. Default value: `doc`."
   option :with_cookstyle, type: :boolean,
     desc: "Enable or disable cookstyle checks.", default: false
   profile_options
@@ -228,10 +230,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     vendor_deps(path, o)
   end
 
-  desc "archive PATH", "archive a profile to tar.gz (default) or zip"
+  desc "archive PATH", "Archive a profile to a tar file (default) or zip file."
   profile_options
   option :output, aliases: :o, type: :string,
-    desc: "Save the archive to a path"
+    desc: "Save the archive to a path."
   option :zip, type: :boolean, default: false,
     desc: "Generates a zip archive."
   option :tar, type: :boolean, default: false,
@@ -275,14 +277,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", "Run all tests at LOCATIONS."
+  desc "exec LOCATIONS", "Run all test files at the specified locations."
   long_desc <<~EOT
-    Run all test files at the specified LOCATIONS.
-
-    Loads the given profile(s) and fetches their dependencies if needed. Then
-    connects to the target and executes any controls contained in the profiles.
-    One or more reporters are used to generate output.
-
+    The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles.
+    One or more reporters are used to generate the output.
     ```
     Exit codes:
         0  Normal exit, all tests passed
@@ -296,7 +294,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     Below are some examples of using `exec` with different test LOCATIONS:
 
-    Automate:
+    Chef Automate:
       ```
       #{Inspec::Dist::EXEC_NAME} automate login
       #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
@@ -306,7 +304,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} compliance login
       ```
 
-    Supermarket:
+    Chef Supermarket:
       ```
       #{Inspec::Dist::EXEC_NAME} exec supermarket://username/linux-baseline
       ```
@@ -343,12 +341,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       #{Inspec::Dist::EXEC_NAME} exec https://github.com/dev-sec/linux-baseline.git
       ```
 
-    Web hosted fileshare (also supports .zip):
+    Web hosted file (also supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://webserver/linux-baseline.tar.gz
       ```
 
-    Web hosted fileshare with basic authentication (supports .zip):
+    Web hosted file with basic authentication (supports .zip):
       ```
       #{Inspec::Dist::EXEC_NAME} exec https://username:password@webserver/linux-baseline.tar.gz
       ```
@@ -371,7 +369,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "detect", "detect the target OS"
+  desc "detect", "detects the target OS."
   target_options
   option :format, type: :string
   def detect
@@ -396,7 +394,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "shell", "open an interactive debugging shell"
+  desc "shell", "open an interactive debugging shell."
   target_options
   option :command, aliases: :c,
     desc: "A single command string to run instead of launching the shell"
@@ -455,7 +453,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "env", "Output shell-appropriate completion configuration"
+  desc "env", "Outputs shell-appropriate completion configuration."
   def env(shell = nil)
     p = Inspec::EnvPrinter.new(self.class, shell)
     p.print_and_exit!
@@ -481,7 +479,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     puts Inspec::Telemetry::RunContextProbe.guess_run_context
   end
 
-  desc "version", "prints the version of this tool"
+  desc "version", "prints the version of this tool."
   option :format, type: :string
   def version
     if config["format"] == "json"
@@ -495,7 +493,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
   desc "clear_cache", "clears the InSpec cache. Useful for debugging."
   option :vendor_cache, type: :string,
-    desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
+    desc: "Use the given path for caching dependencies, (default: `~/.inspec/cache`)."
   def clear_cache
     o = config
     configure_logger(o)

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue "#{d.name}"
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue d.name
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -91,14 +91,12 @@ module Inspec::DSL
     if profile_version
       new_profile_id = "#{profile_id}-#{profile_version}"
     else
-      # This scary regex is used to match version following semantic Versioning (SemVer). Thanks to https://ihateregex.io/expr/semver/
-      regex_for_semver = /(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?/
-      dependencies.list.keys.each do |key|
+      dependencies.list.each do |key, value|
         # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
         # 2. Matching original profile dependency name with profile name used with include or require control DSL.
-        fetching_semver = key.match(regex_for_semver).to_s
-        unless fetching_semver.nil? || fetching_semver.empty?
-          profile_id_key = key.split("-#{fetching_semver}")[0]
+        source_version = value.source_version
+        unless source_version.blank?
+          profile_id_key = key.split("-#{source_version}")[0]
           new_profile_id = key if profile_id_key == profile_id
         end
       end

data/lib/inspec/profile.rb

@@ -383,24 +383,25 @@ module Inspec
       @runner_context
     end
 
-    def collect_gem_dependencies(profile_context)
+    # This collects the gem dependencies data from parent and its dependent profiles
+    def collect_gem_dependencies
       gem_dependencies = []
-      all_profiles = []
-      profile_context.dependencies.list.values.each do |requirement|
-        all_profiles << requirement.profile
-      end
-      all_profiles << self
-      all_profiles.each do |profile|
+      # This collects the dependent profiles gem dependencies if any
+      locked_dependencies.dep_list.each do |_name, dep|
+        profile = dep.profile
         gem_dependencies << profile.metadata.gem_dependencies unless profile.metadata.gem_dependencies.empty?
       end
+      # Appends the parent profile gem dependencies which are available through metadata
+      gem_dependencies << metadata.gem_dependencies unless metadata.gem_dependencies.empty?
       gem_dependencies.flatten.uniq
     end
 
     # Loads the required gems specified in the Profile's metadata file from default inspec gems path i.e. ~/.inspec/gems
     # else installs and loads them.
     def load_gem_dependencies
-      gem_dependencies = collect_gem_dependencies(load_libraries)
+      gem_dependencies = collect_gem_dependencies
       gem_dependencies.each do |gem_data|
+
         dependency_loader = DependencyLoader.new
         if dependency_loader.gem_version_installed?(gem_data[:name], gem_data[:version]) ||
             dependency_loader.gem_installed?(gem_data[:name])

data/lib/inspec/resources/http.rb

@@ -304,11 +304,11 @@ module Inspec::Resources
           # Insecure not supported simply https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
           cmd << "-MaximumRedirection #{max_redirects}" unless max_redirects.nil?
           request_headers["Authorization"] = """ '\"Basic ' + [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(\"#{username}:#{password}\")) +'\"' """ unless username.nil? || password.nil?
-          request_header_string = nil
+          request_header_array = []
           request_headers.each do |k, v|
-            request_header_string << " #{k} = #{v}"
+            request_header_array << " '#{k}' = '#{v}'"
           end
-          cmd << "-Headers @{#{request_header_string.join(";")}}" unless request_header_string.nil?
+          cmd << "-Headers @{#{request_header_array.join(";")}}" unless request_header_array.empty?
           if params.nil?
             cmd << "'#{url}'"
           else

data/lib/inspec/resources/mongodb_session.rb

@@ -84,6 +84,11 @@ module Inspec::Resources
       options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
       options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
 
+      # Setting the logger level to INFO as mongo gem version 2.13.2 is using DEBUG as the log level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/v2.13.2/lib/mongo/logger.rb#L79
+      # Latest version of the mongo gem don't have this issue as it set to INFO level Ref: https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/logger.rb#L82
+      # We pinned the version to 2.13.2 as the latest version of the mongo gem has broken symlink https://jira.mongodb.org/browse/RUBY-2546 which causes omnibus build failure.
+      # Once we get the latest version working we can remove logger level set here.
+      Mongo::Logger.logger.level = Logger::INFO
       @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
 
     rescue => e

data/lib/inspec/resources/nftables.rb

@@ -0,0 +1,251 @@
+require "inspec/resources/command"
+require "json" unless defined?(JSON)
+
+# @see https://wiki.nftables.org/
+# @see https://www.netfilter.org/projects/nftables/manpage.html
+
+# rubocop:disable Style/ClassVars
+
+module Inspec::Resources
+  class NfTables < Inspec.resource(1)
+    name "nftables"
+    supports platform: "linux"
+    desc "Use the nftables InSpec audit resource to test rules and sets that are defined in nftables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains. A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
+    example <<~EXAMPLE
+      describe nftables(family:'inet', table:'filter', chain: 'INPUT') do
+        its('type') { should eq 'filter' }
+        its('hook') { should eq 'input' }
+        its('prio') { should eq 0 } # filter
+        its('policy') { should eq 'drop' }
+        it { should have_rule('tcp dport { 22, 80, 443 } accept') }
+      end
+    describe nftables(family: 'inet', table: 'filter', set: 'OPEN_PORTS') do
+      its('type') { should eq 'ipv4_addr . inet_proto . inet_service' }
+      its('flags') { should include 'interval' }
+      it { should have_element('1.1.1.1 . tcp . 25-27') }
+    end
+    EXAMPLE
+
+    @@bin = nil
+    @@nft_params = {}
+    @@nft_params["json"] = ""
+    @@nft_params["stateless"] = ""
+    @@nft_params["num"] = ""
+
+    def initialize(params = {})
+      @family = params[:family] || nil
+      @table = params[:table] || nil
+      @chain = params[:chain] || nil
+      @set = params[:set] || nil
+      @ignore_comments = params[:ignore_comments] || false
+      unless @@bin
+        @@bin = find_nftables_or_error
+      end
+
+      # Some old versions of `nft` do not support JSON output or stateless modifier
+      res = inspec.command("#{@@bin} --version").stdout
+      version = Gem::Version.new(/^nftables v(\S+) .*/.match(res)[1])
+      case
+      when version < Gem::Version.new("0.8.0")
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.0")
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version >= Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-y"
+        ## --terse
+      end
+
+      # family and table attributes are mandatory
+      fail_resource "nftables family and table are mandatory." if @family.nil? || @family.empty? || @table.nil? || @table.empty?
+      # chain name or set name has to be specified and are mutually exclusive
+      fail_resource "You must specify either a chain or a set name." if (@chain.nil? || @chain.empty?) && (@set.nil? || @set.empty?)
+      fail_resource "You must specify either a chain or a set name, not both." if !(@chain.nil? || @chain.empty?) && !(@set.nil? || @set.empty?)
+
+      # we're done if we are on linux
+      return if inspec.os.linux?
+
+      # ensures, all calls are aborted for non-supported os
+      @nftables_cache = {}
+      skip_resource "The `nftables` resource is not supported on your OS yet."
+    end
+
+    # Let's have a generic method to retrieve attributes for chains and sets
+    def _get_attr(name)
+      # Some attributes are valid for chains only, for sets only or for both
+      valid = {
+        "chains" => %w{hook policy prio type},
+        "sets" => %w{flags size type},
+      }
+
+      target_obj = @set.nil? ? "chains" : "sets"
+
+      if valid[target_obj].include?(name)
+        attrs = @set.nil? ? retrieve_chain_attrs : retrieve_set_attrs
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "`#{name}` attribute is not valid for #{target_obj}"
+      end
+      # flags attribute is an array, if not retrieved ensure we return an empty array
+      # otherwise return an empty string
+      default = name == "flags" ? [] : ""
+      val = attrs.key?(name) ? attrs[name] : default
+      # When set type is has multiple data types it's retrieved as an array, make humans life easier
+      # by returning a string representation
+      if name == "type" && target_obj == "sets" && val.is_a?(Array)
+        return val.join(" . ")
+      end
+
+      val
+    end
+
+    # Create a method for each attribute
+    %i{flags hook policy prio size type}.each do |attr_method|
+      define_method attr_method do
+        _get_attr(attr_method.to_s)
+      end
+    end
+
+    def has_rule?(rule = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the rule is part of the chain
+      # for now, we expect an exact match
+      retrieve_chain_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def has_element?(element = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the element is part of the set
+      # for now, we expect an exact match
+      retrieve_set_elements.any? { |line| line.casecmp(element) == 0 }
+    end
+
+    def retrieve_set_elements
+      idx = "set_#{@family}_#{@table}_#{@set}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      elem_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s", @@bin, @@nft_params["stateless"], elem_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+    end
+
+    def retrieve_chain_rules
+      idx = "rule_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      # construct nftables command to read all rules of the given chain
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["num"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      rules = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|chain)/ || line =~ /^}$/ }
+
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @nftables_cache[idx] = remove_comments_from_rules(rules)
+      else
+        # split rules, returns array or rules
+        @nftables_cache[idx] = rules.map(&:strip)
+      end
+    end
+
+    def retrieve_chain_attrs
+      idx = "chain_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^type/ }[0]
+        parsed = /type (\S+) hook (\S+) priority (\S+); policy (\S+);/.match(res)
+        @nftables_cache[idx] = { "type" => parsed[1], "hook" => parsed[2], "prio" => parsed[3].to_i, "policy" => parsed[4] }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("chain") }[0]["chain"]
+      end
+    end
+
+    def retrieve_set_attrs
+      idx = "set_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        type = ""
+        size = 0
+        flags = []
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^(type|size|flags)/ }
+        res.each do |line|
+          parsed = /^type (.*)/.match(line)
+          if parsed
+            type = parsed[1]
+          end
+          parsed = /^flags (.*)/.match(line)
+          if parsed
+            flags = parsed[1].split(",")
+          end
+          parsed = /^size (.*)/.match(line)
+          if parsed
+            size = parsed[1].to_i
+          end
+        end
+        @nftables_cache[idx] = { "type" => type, "size" => size, "flags" => flags }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("set") }[0]["set"]
+      end
+    end
+
+    def resource_id
+      to_s || "nftables"
+    end
+
+    def to_s
+      format("nftables (%s %s %s %s)", @family && "family: #{@family}", @table && "table: #{@table}", @chain && "chain: #{@chain}", @set && "set: #{@set}").strip
+    end
+
+    private
+
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
+    def find_nftables_or_error
+      %w{/usr/sbin/nft /sbin/nft nft}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `nft`"
+    end
+  end
+end

data/lib/inspec/resources/postgres_session.rb

@@ -81,7 +81,8 @@ module Inspec::Resources
         # Socket path and empty host in the connection string establishes socket connection
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
+        option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?

data/lib/inspec/resources.rb

@@ -73,6 +73,7 @@ require "inspec/resources/mssql_sys_conf"
 require "inspec/resources/mysql"
 require "inspec/resources/mysql_conf"
 require "inspec/resources/mysql_session"
+require "inspec/resources/nftables"
 require "inspec/resources/nginx"
 require "inspec/resources/nginx_conf"
 require "inspec/resources/npm"

data/lib/inspec/utils/simpleconfig.rb

@@ -57,11 +57,18 @@ class SimpleConfig
     m = opts[:assignment_regex].match(line)
     return nil if m.nil?
 
+    values = parse_values(m, opts[:key_values])
+
     if opts[:multiple_values]
       @vals[m[1]] ||= []
-      @vals[m[1]].push(parse_values(m, opts[:key_values]))
+      if opts[:multiple_value_regex] # can be used only if multiple values is set as true
+        value_to_array = values.split(opts[:multiple_value_regex])
+        @vals[m[1]].concat(value_to_array)
+      else
+        @vals[m[1]].push(values)
+      end
     else
-      @vals[m[1]] = parse_values(m, opts[:key_values])
+      @vals[m[1]] = values
     end
   end
 
@@ -116,6 +123,7 @@ class SimpleConfig
       key_values: 1, # default for key=value, may require for 'key val1 val2 val3'
       standalone_comments: false,
       multiple_values: false,
+      multiple_value_regex: nil,
     }
   end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.21.29".freeze
+  VERSION = "5.22.3".freeze
 end

data/lib/matchers/matchers.rb

@@ -148,7 +148,7 @@ RSpec::Matchers.define :be_resolvable do
   end
 end
 
-# matcher for iptables and ip6tables
+# matcher for iptables, ip6tables and nftables
 RSpec::Matchers.define :have_rule do |rule|
   match do |tables|
     tables.has_rule?(rule)
@@ -163,6 +163,13 @@ RSpec::Matchers.define :have_rule do |rule|
   end
 end
 
+# matcher for nftables sets
+RSpec::Matchers.define :have_element do |elem|
+  match do |sets|
+    sets.has_element?(elem)
+  end
+end
+
 # `be_in` matcher
 # You can use it in the following cases:
 # - check if an item or array is included in a given array

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.21.29
+  version: 5.22.3
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-24 00:00:00.000000000 Z
+date: 2023-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -584,6 +584,7 @@ files:
 - lib/inspec/resources/mysql.rb
 - lib/inspec/resources/mysql_conf.rb
 - lib/inspec/resources/mysql_session.rb
+- lib/inspec/resources/nftables.rb
 - lib/inspec/resources/nginx.rb
 - lib/inspec/resources/nginx_conf.rb
 - lib/inspec/resources/noop.rb