inspec-core 6.8.11 → 6.8.24
- checksums.yaml +4 -4
- data/etc/deprecations.json +5 -0
- data/lib/inspec/dsl.rb +5 -0
- data/lib/inspec/input_registry.rb +1 -1
- data/lib/inspec/reporters/automate.rb +2 -2
- data/lib/inspec/resources/auditd.rb +1 -1
- data/lib/inspec/resources/port.rb +2 -2
- data/lib/inspec/resources/postgres_session.rb +8 -4
- data/lib/inspec/resources/yum.rb +1 -1
- data/lib/inspec/utils/deprecated_core_resources_list.rb +25 -0
- data/lib/inspec/utils/deprecation/deprecator.rb +2 -1
- data/lib/inspec/utils/licensing_config.rb +1 -1
- data/lib/inspec/utils/parser.rb +19 -9
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/README.md +11 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +4 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +4 -2
- metadata +3 -2
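--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '06894dd5c2b09dac3432041d74b257a5b25dd00c9c0a2d623e7343e6a651e1b6'
+data.tar.gz: 20592025afc13ecdcae95fcde514b8bc4b5855358e93dcef24365d15aa773eb1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2d0a1749cfa6f3d1f517f31e5bc722f85ad5ecf8dd4d155df88afcc41c76c93ba21bba3749b534fd1515a724af17bedc706755606a4a3c109a655ef891bc0e0d
+data.tar.gz: 2f0b14a4f79fad859d931a8d0427d88306beb44b7b4f8698910a053d383ebc05a28b9b440c7164cfd5f712d56ba08aeb35afa51b21ef1c5f157b4fb525dd2d3c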
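--- a/data/etc/deprecations.json
+++ b/data/etc/deprecations.json
@@ -73,6 +73,11 @@
 "action": "exit",
 "suffix": "This resource was removed in InSpec 4.0."
 },
+"core_resource_moved_to_rp": {
+"action": "warn",
+"suffix": "This resource will be moved to a separate resource pack. Additional details will be provided with the InSpec 7 release.",
+"comment": "Deprecation notice for core resource which are getting moved to resource packs."
+},
 "resource_iis_website": {
 "action": "exit",
 "suffix": "This resource was removed in InSpec 4.0.",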
data/lib/inspec/dsl.rb
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
require "inspec/log"
|
3
3
|
require "inspec/plugin/v2"
|
4
4
|
require "inspec/utils/deprecated_cloud_resources_list"
|
5
|
+
require "inspec/utils/deprecated_core_resources_list"
|
5
6
|
|
6
7
|
module Inspec::DSL
|
7
8
|
attr_accessor :backend
|
@@ -38,6 +39,10 @@ module Inspec::DSL
|
|
38
39
|
return unless backend
|
39
40
|
|
40
41
|
begin
|
42
|
+
include DeprecatedCoreResourcesList
|
43
|
+
if CORE_RESOURCES_DEPRECATED.include? id
|
44
|
+
Inspec.deprecate(:core_resource_moved_to_rp, "The resource '#{id}' will not be part of the InSpec 7 core.")
|
45
|
+
end
|
41
46
|
require "inspec/resources/#{id}"
|
42
47
|
rescue LoadError => e
|
43
48
|
include DeprecatedCloudResourcesList
|
@@ -173,7 +173,7 @@ module Inspec
|
|
173
173
|
raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
|
174
174
|
end
|
175
175
|
end
|
176
|
-
pair = pair.match(
|
176
|
+
pair = pair.match(/^([^=]+)=(.*)$/)
|
177
177
|
input_name, input_value = pair[1], pair[2]
|
178
178
|
input_value = parse_cli_input_value(input_name, input_value)
|
179
179
|
evt = Inspec::Input::Event.new(
|
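Review bot: The new pattern in `pair = pair.match(/^([^=]+)=(.*)$/)` is anchored on lines, not on the whole argument, so an input value that contains a newline is silently cut at the first line break. An argument such as `=value` contains an '=' and so presumably passes the check above (only its tail is visible), but it leaves `pair` nil and `pair[1]` then raises NoMethodError rather than the ArgumentError used for other malformed input. I would anchor on the string and let the value span lines, `pair = pair.match(/\A([^=]+)=(.*)\z/m)`, and raise the same ArgumentError when `pair` is nil before destructuring it. The enclosing method starts and ends outside the hunk.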
@@ -66,9 +66,9 @@ module Inspec::Reporters
|
|
66
66
|
# Then it downgrades the 160bit SHA1 to a 128bit
|
67
67
|
# then we format it as a valid UUIDv5.
|
68
68
|
def uuid_from_string(string)
|
69
|
-
hash = Digest::
|
69
|
+
hash = Digest::SHA256.new
|
70
70
|
hash.update(string)
|
71
|
-
ary = hash.digest.unpack("NnnnnN")
|
71
|
+
ary = hash.digest[0, 16].unpack("NnnnnN")
|
72
72
|
ary[2] = (ary[2] & 0x0FFF) | (5 << 12)
|
73
73
|
ary[3] = (ary[3] & 0x3FFF) | 0x8000
|
74
74
|
# rubocop:disable Style/FormatString
|
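Review bot: The comment above `uuid_from_string` still describes a 160-bit SHA1 cut down to 128 bits and a "valid UUIDv5", while the new body hashes with `Digest::SHA256.new` and takes `hash.digest[0, 16]`. RFC 4122 defines version 5 as SHA-1 based, so the result is now an identifier in UUIDv5 layout derived from truncated SHA-256, and, if the removed line used SHA1 as the comment says, every ID for a given string differs from what earlier releases emitted. The comment should state this, for example `# Truncates the SHA-256 digest to 128 bits and sets the version/variant bits in UUIDv5 layout (not RFC 4122 v5, which is SHA-1 based).`, and whatever correlates reports by these IDs across versions needs to tolerate the change. The method body continues outside the hunk.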
@@ -193,7 +193,7 @@ module Inspec::Resources
|
|
193
193
|
#
|
194
194
|
# @return [Array[String,String]]
|
195
195
|
def action_list_for(line)
|
196
|
-
action_list = line.scan(/-a ([
|
196
|
+
action_list = line.scan(/-a ([^,\s]+),([^,\s]+)(?:\s|$)/).flatten
|
197
197
|
|
198
198
|
# Actions and lists can be in either order
|
199
199
|
valid_actions = %w{never always}
|
@@ -300,7 +300,7 @@ module Inspec::Resources
|
|
300
300
|
def parse_netstat_line(line)
|
301
301
|
# parse each line
|
302
302
|
# 1 - Socket, 2 - Proto, 3 - Receive-Q, 4 - Send-Q, 5 - Local address, 6 - Foreign Address, 7 - State
|
303
|
-
parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)
|
303
|
+
parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(\S+)$/.match(line)
|
304
304
|
return {} if parsed.nil?
|
305
305
|
|
306
306
|
# parse ip4 and ip6 addresses
|
@@ -488,7 +488,7 @@ module Inspec::Resources
|
|
488
488
|
# 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - User, 8 - Inode, 9 - PID/Program name
|
489
489
|
# * UDP lines have an empty State column and the Busybox variant lacks
|
490
490
|
# the User and Inode columns.
|
491
|
-
reg =
|
491
|
+
reg = /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(?:\S+\s+){0,2}(?<pid_prog>\S+)$/
|
492
492
|
parsed = reg.match(line)
|
493
493
|
|
494
494
|
return {} if parsed.nil? || line.match(/^proto/i)
|
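Review bot: The new `reg` in the second hunk accepts fewer columns than the comment directly above it documents. That comment lists State, User and Inode between Foreign Address and PID/Program name, but `(?:\S+\s+){0,2}` admits at most two tokens there, and the closing `(?<pid_prog>\S+)$` also rejects a line with trailing padding unless the caller strips it. As written, such lines end in `return {} if parsed.nil?`, so listening sockets would drop out of the result without any error and a control asserting that a port is not listening could pass wrongly. Widening the quantifier to `{0,3}` matches the documented nine-column layout; one fixture line per netstat variant named in the comment would pin the behaviour. The optional group added to `parse_netstat_line` in the first hunk also shifts which capture holds the final field when a column is missing, which the code after that hunk (not visible here) has to account for.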
@@ -1,7 +1,7 @@
|
|
1
1
|
# copyright: 2015, Vulcano Security GmbH
|
2
2
|
|
3
3
|
require "shellwords" unless defined?(Shellwords)
|
4
|
-
|
4
|
+
require "cgi" unless defined?(CGI)
|
5
5
|
module Inspec::Resources
|
6
6
|
class Lines
|
7
7
|
attr_reader :output, :exit_status
|
@@ -74,6 +74,10 @@ module Inspec::Resources
|
|
74
74
|
Shellwords.escape(query)
|
75
75
|
end
|
76
76
|
|
77
|
+
def encoded_password(password)
|
78
|
+
CGI.escape(password)
|
79
|
+
end
|
80
|
+
|
77
81
|
def create_psql_cmd(query, db = [])
|
78
82
|
dbs = db.map { |x| "#{x}" }.join(" ")
|
79
83
|
|
@@ -82,14 +86,14 @@ module Inspec::Resources
|
|
82
86
|
# Socket connection only enabled for non-windows platforms
|
83
87
|
# Windows does not support unix domain sockets
|
84
88
|
option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
|
85
|
-
"psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
|
89
|
+
"psql -d postgresql://#{@user}:#{encoded_password(@pass)}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
|
86
90
|
else
|
87
91
|
# Host in connection string establishes tcp/ip connection
|
88
92
|
if inspec.os.windows?
|
89
93
|
warn "Socket based connection not supported in windows, connecting using host" if @socket_path
|
90
|
-
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
|
94
|
+
"psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
|
91
95
|
else
|
92
|
-
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
|
96
|
+
"psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
|
93
97
|
end
|
94
98
|
end
|
95
99
|
end
|
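Review bot: `encoded_password` uses `CGI.escape`, which is form encoding and turns a space into `+`; as far as I know libpq only percent-decodes connection URIs, so a password containing a space would stop authenticating. The URI needs `%20` there, e.g. `CGI.escape(password).gsub("+", "%20")`. The three command strings still interpolate `@user`, `@host`, `@socket_path` and `dbs` unencoded and outside any shell quoting, and the Windows branch only wraps `query` in `\"`, so the escaping added here covers the password alone. The credential also stays on the `psql` command line, where process listings and command auditing on the target can record it; handing it over through `PGPASSWORD` or a password file would avoid that. The body of `create_psql_cmd` is only partly visible in these hunks.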
data/lib/inspec/resources/yum.rb
CHANGED
@@ -0,0 +1,25 @@
|
|
1
|
+
module DeprecatedCoreResourcesList
|
2
|
+
CORE_RESOURCES_DEPRECATED = %i{
|
3
|
+
docker_container
|
4
|
+
docker_image
|
5
|
+
docker_plugin
|
6
|
+
docker_service
|
7
|
+
elasticsearch
|
8
|
+
ibmdb2_conf
|
9
|
+
ibmdb2_session
|
10
|
+
mongodb
|
11
|
+
mongodb_conf
|
12
|
+
mongodb_session
|
13
|
+
podman
|
14
|
+
podman_container
|
15
|
+
podman_image
|
16
|
+
podman_network
|
17
|
+
podman_pod
|
18
|
+
podman_volume
|
19
|
+
rabbitmq_config
|
20
|
+
ssh_config
|
21
|
+
ssh_key
|
22
|
+
sybase_conf
|
23
|
+
sybase_session
|
24
|
+
}.freeze
|
25
|
+
end
|
@@ -61,7 +61,8 @@ module Inspec
|
|
61
61
|
|
62
62
|
suffix += (" (used at " + opts[:used_at_stack_frame].path + ":" + opts[:used_at_stack_frame].lineno.to_s + ")") if opts.key?(:used_at_stack_frame)
|
63
63
|
|
64
|
-
"
|
64
|
+
keyword = group.name.to_s == "core_resource_moved_to_rp" ? "CHANGE NOTICE: " : "DEPRECATION: "
|
65
|
+
keyword + prefix + message + suffix
|
65
66
|
end
|
66
67
|
|
67
68
|
def called_from_control?
|
@@ -4,7 +4,7 @@ ChefLicensing.configure do |config|
|
|
4
4
|
config.chef_product_name = "InSpec"
|
5
5
|
config.chef_entitlement_id = "3ff52c37-e41f-4f6c-ad4d-365192205968"
|
6
6
|
config.chef_executable_name = "inspec"
|
7
|
-
config.license_server_url = "https://services.chef.io/licensing"
|
7
|
+
config.license_server_url = ENV["CHEF_LICENSE_SERVER"] || "https://services.chef.io/licensing"
|
8
8
|
config.logger = Inspec::Log
|
9
9
|
end
|
10
10
|
|
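Review bot: `ENV["CHEF_LICENSE_SERVER"] || "https://services.chef.io/licensing"` falls back only when the variable is unset; an empty string is truthy in Ruby, so an exported but blank `CHEF_LICENSE_SERVER` yields an empty URL instead of the default. The value is also used as given, so a plain `http://` endpoint or an unintended host in the environment would receive the licensing requests without any warning. I would treat blank as unset, `url = ENV["CHEF_LICENSE_SERVER"].to_s.strip` then `config.license_server_url = url.empty? ? "https://services.chef.io/licensing" : url`, and add a comment naming the variable and who is expected to set it. Logging a warning when the override is not an `https` URL would make a misconfigured environment visible.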
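--- a/data/lib/inspec/utils/parser.rb
+++ b/data/lib/inspec/utils/parser.rb
@@ -72,15 +72,23 @@ module Inspec
 if includes_whitespaces?(mount_line)
 # Device-/Sharenames and Mountpoints including whitespaces require special treatment:
 # We use the keyword ' type ' to split up and rebuild the desired array of fields
-
-fs_path =
-
-
+# Split the mount line by the keyword ' type '
+fs_path, other_opts = mount_line.split(" type ", 2)
+
+# Manually split fs_path into the filesystem and path parts
+fs, path = fs_path.split(" on ", 2)
+
+# Start building the mount array
 mount = [fs, "on", path, "type"]
-
+
+# Split the remaining options by spaces
+other_opts = other_opts.split(/\s+/)
+
+# Concatenate the options to the mount array
+mount.concat(other_opts)
 else
-#
-mount = mount_line.
+# If no whitespace, simply split by spaces
+mount = mount_line.split(/\s+/)
 end
 
 # parse device and type
@@ -109,8 +117,10 @@ module Inspec
 
 # Device-/Sharename or Mountpoint includes whitespaces?
 def includes_whitespaces?(mount_line)
-
-
+# Split the mount_line by " on "
+parts = mount_line.split(" on ")
+# Check if either part contains spaces
+parts.any? { |part| part.include?(" ") }
 end
 end
 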
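Review bot: `includes_whitespaces?` now returns true for practically every mount line, because after `mount_line.split(" on ")` the second part still carries the ` type ... ` tail, which always contains a space. Nearly all input therefore takes the first branch, where a line without ` type ` leaves `other_opts` nil and `other_opts.split(/\s+/)` raises NoMethodError, and a line without ` on ` leaves `path` nil in the returned array. Either run the whitespace check on the device and mountpoint only (cut the line at ` type ` before splitting on ` on `), or guard the nil cases, e.g. `other_opts = other_opts.to_s.split(/\s+/)`. The removed lines are truncated on this page, so whether the previous code behaved the same cannot be told from here; the method around the first hunk starts outside it.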
data/lib/inspec/version.rb
CHANGED
@@ -14,8 +14,18 @@ To use the CLI, this InSpec add-on adds the following commands:
|
|
14
14
|
* `$ inspec automate profiles` - list all available Compliance profiles
|
15
15
|
* `$ inspec exec compliance://profile` - runs a Compliance profile
|
16
16
|
* `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
|
17
|
+
* `$ inspec automate upload path/to/local/profile --legacy` - uploads a local profile to Chef Automate/Chef Compliance using legacy functionalities of inspec check and inspec export
|
18
|
+
|
19
|
+
*Options*:
|
20
|
+
```
|
21
|
+
[--overwrite], [--no-overwrite] # Overwrite existing profile on Server.
|
22
|
+
[--owner=OWNER] # Owner that should own the profile
|
23
|
+
[--legacy], [--no-legacy] # Enable legacy functionality, activating both legacy export and legacy check.
|
24
|
+
|
25
|
+
uploads a local profile to Chef Automate
|
26
|
+
```
|
17
27
|
* `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
|
18
|
-
|
28
|
+
|
19
29
|
Similar to these CLI commands are:
|
20
30
|
|
21
31
|
* `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
|
@@ -136,6 +136,8 @@ module InspecPlugins
|
|
136
136
|
desc: "Overwrite existing profile on Server."
|
137
137
|
option :owner, type: :string, required: false,
|
138
138
|
desc: "Owner that should own the profile"
|
139
|
+
option :legacy, type: :boolean, default: false,
|
140
|
+
desc: "Enable legacy functionality, activating both legacy export and legacy check."
|
139
141
|
def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
|
140
142
|
Inspec.with_feature("inspec-cli-compliance-upload") {
|
141
143
|
config = InspecPlugins::Compliance::Configuration.new
|
@@ -169,7 +171,7 @@ module InspecPlugins
|
|
169
171
|
puts msg
|
170
172
|
}
|
171
173
|
|
172
|
-
result = profile.check
|
174
|
+
result = options["legacy"] ? profile.legacy_check : profile.check
|
173
175
|
unless result[:summary][:valid]
|
174
176
|
error.call("Profile check failed. Please fix the profile before upload.")
|
175
177
|
else
|
@@ -205,7 +207,7 @@ module InspecPlugins
|
|
205
207
|
generated = true
|
206
208
|
archive_path = Dir::Tmpname.create([profile_name, ".tar.gz"]) {}
|
207
209
|
puts "Generate temporary profile archive at #{archive_path}"
|
208
|
-
profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
|
210
|
+
profile.archive({ output: archive_path, ignore_errors: false, overwrite: true, legacy_export: options["legacy"] })
|
209
211
|
else
|
210
212
|
archive_path = path
|
211
213
|
end
|
@@ -425,8 +425,10 @@ module InspecPlugins
|
|
425
425
|
"our apologies for the misunderstanding, and open an issue " \
|
426
426
|
"at https://github.com/inspec/inspec/issues/new")
|
427
427
|
ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
|
428
|
-
rescue Inspec::Plugin::V2::InstallError
|
429
|
-
|
428
|
+
rescue Inspec::Plugin::V2::InstallError => e
|
429
|
+
# This change is compatible with various versions of Ruby, including Ruby 3.3
|
430
|
+
# Using Inspec::Log::level breaks with error `undefined method nil` in Ruby log library
|
431
|
+
Inspec::Log.debug e.backtrace
|
430
432
|
|
431
433
|
results = installer.search(plugin_name, exact: true)
|
432
434
|
source_host = URI(options[:source] || "https://rubygems.org/").host
|
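Review bot: The two comments added under `rescue Inspec::Plugin::V2::InstallError => e` describe the history of the change rather than what the handler does, and the handler logs only `e.backtrace`, so the exception message never reaches the debug log. I would log the message first, `Inspec::Log.debug "#{e.class}: #{e.message}"`, then `Inspec::Log.debug e.backtrace.join("\n")`, and replace the comments with `# Record the install failure at debug level, then search the source to explain it to the user.` The rescue body continues outside the hunk.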
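--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-version: 6.8.
+version: 6.8.24
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: chef-telemetry
@@ -734,6 +734,7 @@ files:
 - lib/inspec/utils/convert.rb
 - lib/inspec/utils/database_helpers.rb
 - lib/inspec/utils/deprecated_cloud_resources_list.rb
+- lib/inspec/utils/deprecated_core_resources_list.rb
 - lib/inspec/utils/deprecation.rb
 - lib/inspec/utils/deprecation/config_file.rb
 - lib/inspec/utils/deprecation/deprecator.rb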