inspec-core 7.0.38.beta → 7.0.95

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f295e7d99ec735932c005e949cf99cbb1184780d52eae109cec87faf27501c8
-  data.tar.gz: b9fe70883d7593b0d6c7ce51067c7fb2b26154a88981d4ff6458f1f3306518b1
+  metadata.gz: 2e160d7044fa022329cb438d770054bb63107b59f219030464c709f6b1dcda93
+  data.tar.gz: 1dc6673dc552f75cb9b8671b0a466feb2c818f069112fac69aa63b1de568ef54
 SHA512:
-  metadata.gz: 0f35167f971fcdd9d71a43bf7d6e4baf97ae9f0ac9b16b8ebe33103b15e4fee3892d34f8f2a9c0ef1a499e1860d3a8c2e4080acc20cf5415929c013bc97b0972
-  data.tar.gz: cf3bfdfa97c737abcd3f054a6eb4899de5831e2ebebc8a4e9907865835560ff979acb2a86ccce37059dfb0075fc2d628fbdeb3045357a02ad01a9ea22842e462
+  metadata.gz: a389860f421bec680c4db4462fc4cf5765073661cc1154f5fe57e823f7b4f33b10d1ecd22fb286d3a50cd467170645d460ba80b96515331bd2aec9eaa80d8579
+  data.tar.gz: 6133800736ed63493d37bca5b3727740b1a1ab7eadb9919ffc8b728f021604a9dd7bf1d1b388169566bc4e484b3fb2fc26845e05769f1dc2afa26f530fddf7a0

data/Gemfile

@@ -42,7 +42,7 @@ group :test do
   gem "json_schemer"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
-  gem "minitest", "5.15.0"
+  gem "minitest"
   gem "mocha"
   gem "nokogiri"
   gem "pry-byebug"
@@ -55,4 +55,4 @@ end
 
 group :deploy do
   gem "inquirer"
-end
+end

data/etc/deprecations.json

@@ -73,6 +73,11 @@
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0."
     },
+    "core_resource_moved_to_rp": {
+      "action": "exit",
+      "suffix": "This resource has been moved to a separate gem. Please include the appropriate gem in your dependencies to continue using this resource.",
+      "comment": "Deprecation notice for core resources which are now distributed as gems. Update your profile dependencies accordingly."
+    },
     "resource_iis_website": {
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0.",
@@ -139,6 +144,30 @@
     "docker.+":{
       "gem": "inspec-docker-resources",
       "message": "The Inspec docker resources are moved out of InSpec core and will be installed as gem"
+    },
+    "ibmdb2.+":{
+      "gem": "inspec-ibmdb2-resources",
+      "message": "The Inspec ibmdb2 resources are moved out of InSpec core and will be installed as gem"
+    },
+    "mongodb.+":{
+      "gem": "inspec-mongodb-resources",
+      "message": "The Inspec mongodb resources are moved out of InSpec core and will be installed as gem"
+    },
+    "opa.+":{
+      "gem": "inspec-opa-resources",
+      "message": "The Inspec opa resources are moved out of InSpec core and will be installed as gem"
+    },
+    "podman.+":{
+      "gem": "inspec-podman-resources",
+      "message": "The Inspec podman resources are moved out of InSpec core and will be installed as gem"
+    },
+    "rabbitmq.+":{
+      "gem": "inspec-rabbitmq-resources",
+      "message": "The Inspec rabbitmq resources are moved out of InSpec core and will be installed as gem"
+    },
+    "sybase.+":{
+      "gem": "inspec-sybase-resources",
+      "message": "The Inspec sybase resources are moved out of InSpec core and will be installed as gem"
     }
   }
 }

data/inspec-core.gemspec

@@ -35,11 +35,11 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
   # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
   # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
-  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.5.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 4.0"
   spec.add_dependency "rspec",                    ">= 3.9", "<= 3.14"
-  spec.add_dependency "rspec-its",                "~> 1.2"
+  spec.add_dependency "rspec-its",                ">= 1.2", "< 3.0"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
   spec.add_dependency "mixlib-log",               "~> 3.0"
@@ -49,19 +49,26 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "faraday-follow_redirects", "~> 0.3"
   spec.add_dependency "tty-table",                "~> 0.10"
   spec.add_dependency "tty-prompt",               "~> 0.17"
-  spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
+  spec.add_dependency "tomlrb",                   ">= 1.3", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 
+  # Gem dependency needed with Ruby 3.4 upgrade
+  # TODO : Remove the dependency on mutex_m once the 'chef-licensing' gem is released with the fix
+  # spec.add_dependency "mutex_m",                  "~> 0.2.0"
+  spec.add_dependency "syslog",                   "~> 0.1"
+  spec.add_dependency "csv",                      "~> 3.0"
+  spec.add_dependency "ostruct",                  ">= 0.1", "< 0.7"
+
   # cookstyle support for inspec check
   # This was initially included in 'inspec.gemspec' to keep 'chef-client' lightweight.
   # However, it has been moved to 'inspec-core.gemspec' due to a dependency on the 'ast' gem,
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", ">= 3.11.0"
+  spec.add_dependency "train-core", "~> 3.13", ">= 3.13.4"
   # Minimum major version 1 is required for Chef licensing telemetry
-  spec.add_dependency "chef-licensing", ">= 1.0.2"
+  spec.add_dependency "chef-licensing", ">= 1.2.0"
 end

data/lib/inspec/archive/tar.rb

@@ -1,4 +1,5 @@
 require "rubygems/package" unless defined?(Gem::Package)
+require "rubygems/package/tar_writer" unless defined?(Gem::Package::TarWriter)
 
 module Inspec::Archive
   class TarArchiveGenerator

data/lib/inspec/backend.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "train"
 require "inspec/config"

data/lib/inspec/base_cli.rb

@@ -165,6 +165,16 @@ module Inspec
         desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
         desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
+      option :socks_proxy, type: :string,
+         desc: "SOCKS5H proxy URL to tunnel the WinRM connection (e.g., socks5h://proxy-host:1080)."
+      option :socks_user, type: :string,
+         desc: "Username for authenticating with the SOCKS5 proxy."
+      option :socks_password, type: :string, lazy_default: -1,
+         desc: "Password for authenticating with the SOCKS5 proxy."
+      option :kerberos_realm, type: :string,
+         desc: "Kerberos realm used for authentication."
+      option :kerberos_service, type: :string,
+         desc: "Kerberos service principal name (e.g., HTTP, HOST)."
     end
 
     def self.profile_options
@@ -370,7 +380,7 @@ module Inspec
     # get the log level
     # DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
     def get_log_level(level)
-      valid = %w{debug info warn error fatal}
+      valid = %w{trace debug info warn error fatal}
 
       if valid.include?(level)
         l = level
@@ -378,7 +388,7 @@ module Inspec
         l = "info"
       end
 
-      Logger.const_get(l.upcase)
+      Mixlib::Log.const_get(l.upcase)
     end
 
     def pretty_handle_exception(exception)

data/lib/inspec/cached_fetcher.rb

@@ -85,8 +85,9 @@ module Inspec
     end
 
     def assert_cache_sanity!
-      # TODO: update this to handle gem resource pack dependencies
+      # do not check cache sanity if the target is a gem or a resource pack
       # which are known by a special prefix on their cache key or by having the :gem key
+      return if target.respond_to?(:key?) && target.key?(:gem)
       return unless target.respond_to?(:key?) && target.key?(:sha256)
 
       exception_message = <<~EOF

data/lib/inspec/cli.rb

@@ -1,4 +1,6 @@
 # Copyright 2015 Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "inspec/utils/deprecation/deprecator"
 require "inspec/dist"

data/lib/inspec/dependencies/cache.rb

@@ -16,6 +16,7 @@ module Inspec
   #
   class Cache
     attr_reader :path
+
     def initialize(path = nil)
       @path = path || File.join(Inspec.config_dir, "cache")
       FileUtils.mkdir_p(@path) unless File.directory?(@path)
@@ -59,12 +60,9 @@ module Inspec
       return false if key.nil? || key.empty?
 
       if key.start_with?("gem:")
-        # A gem installation
-        (_, gem_name, version) = key.split(":")
-        loader = Inspec::Plugin::V2::Loader.new
-        !loader.find_gem_directory(gem_name, version).nil?
-
-      elsif key.start_with?("gem_path:")
+        # check if the gem is installed in InSpec Config DIR or if it is present as cache in cache DIR
+        !gemspec_path_for(key).nil? || File.directory?(base_path_for(key))
+      elsif key.start_with?("gem_path:") # TODO: remove this as it will be redundant with the introduction of SHA256 key
         # Gem installed as explicit path reference, as in testing / development
         entry_point_path = key.sub(/^gem_path:/, "")
         File.exist?(entry_point_path)
@@ -88,10 +86,10 @@ module Inspec
     #
     def base_path_for(key)
       if key.start_with?("gem:")
-        # A gem installation
-        (_, gem_name, version) = key.split(":")
-        loader = Inspec::Plugin::V2::Loader.new
-        loader.find_gem_directory(gem_name, version)
+        # fetch the Gem installed path and if the gem is not available in the installed DIR
+        # construct the cache path where it can be found
+        # At this point this path will be used both for writing and reading the gem cache
+        gemspec_path_for(key) || File.join(@path, key)
 
       elsif key.start_with?("gem_path:")
         # Gem installed as explicit path reference, as in testing / development
@@ -122,9 +120,7 @@ module Inspec
       locked = false
       path = base_path_for(key)
       # For archive there is no need to lock the directory so we skip those and return false for archive formatted cache
-      if File.directory?(path)
-        locked = File.exist?("#{path}/.lock")
-      end
+      locked = File.exist?("#{path}/.lock") if File.directory?(path)
       locked
     end
 

data/lib/inspec/dsl.rb

@@ -1,7 +1,11 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
+
 require "inspec/log"
 require "inspec/plugin/v2"
 require "inspec/utils/deprecated_cloud_resources_list"
+require "inspec/utils/deprecated_core_resources_list"
 
 module Inspec::DSL
   attr_accessor :backend
@@ -49,7 +53,8 @@ module Inspec::DSL
         # Install if needed
         cfg = Inspec::Config.cached
         unless cfg.final_options[:auto_install_gems]
-          raise Inspec::Plugin::V2::InstallRequiredError, "resource pack gem '#{gem_name}' is required for resource '#{id}' support (consider --auto-install-gems)"
+          Inspec.deprecate(:core_resource_moved_to_rp, "The resource pack gem '#{gem_name}' is required for resource '#{id}' support (consider --auto-install-gems).")
+
         end
 
         Inspec::Plugin::V2::Installer.instance.ensure_installed gem_name

data/lib/inspec/fetcher/gem.rb

@@ -8,9 +8,7 @@ module Inspec::Fetcher
     # Gem fetcher's priority should be lowest because gem profiles are only executables via inspec metadata
 
     def self.resolve(target)
-      if target.is_a?(Hash) && target.key?(:gem)
-        resolve_from_hash(target)
-      end
+      resolve_from_hash(target) if target.is_a?(Hash) && target.key?(:gem)
     end
 
     def self.resolve_from_hash(target)
@@ -32,15 +30,13 @@ module Inspec::Fetcher
     def fetch(path)
       plugin_installer = Inspec::Plugin::V2::Installer.instance
 
-      # Determine if gem is installed
-      have_plugin = false
       Inspec::Log.debug("GemFetcher fetching #{@gem_name} v" + (@version || "ANY"))
 
-      if @version
-        have_plugin = plugin_installer.plugin_version_installed?(@gem_name, @version)
-      else
-        have_plugin = plugin_installer.plugin_installed?(@gem_name)
-      end
+      have_plugin = if @version
+                      plugin_installer.plugin_version_installed?(@gem_name, @version)
+                    else
+                      plugin_installer.plugin_installed?(@gem_name)
+                    end
 
       unless have_plugin
         # Install
@@ -48,10 +44,26 @@ module Inspec::Fetcher
         Inspec::Log.debug("GemFetcher - install request for #{@gem_name}")
         if @gem_path
           # No version permitted
-          plugin_installer.install(@gem_name, path: @gem_path)
+          plugin_installer.install(@gem_name, gem: @gem_name, path: @gem_path)
         else
           # Passing an extra gem argument to enable detecting gem based plugins
-          plugin_installer.install(@gem_name, version: @version, source: @source, gem: @gem_name )
+          plugin_installer.install(@gem_name, version: @version, source: @source, gem: @gem_name)
+        end
+      end
+
+      # Usually this `path` is cache path
+      # We want to copy installed gem to cache path so it can be vendored
+      # and read again as a cache
+      if path
+        loader = Inspec::Plugin::V2::Loader.new
+        gem_dir_path = loader.find_gem_directory(@gem_name, @version)
+        if gem_dir_path
+          # Cache the gem file
+          FileUtils.mkdir_p(path)
+          FileUtils.cp_r(gem_dir_path, path)
+          @archive_path = path
+        else
+          @archive_path = @target
         end
       end
 
@@ -61,9 +73,7 @@ module Inspec::Fetcher
       @target
     end
 
-    def archive_path
-      @target
-    end
+    attr_reader :archive_path
 
     def writable?
       # Gem based profile is not writable because it is not cached in lockfile
@@ -72,13 +82,15 @@ module Inspec::Fetcher
 
     def cache_key
       # This special value is interpreted by Inspec::Cache.exists?
-      # gem:gemname:version
-      # gem_path:/filesystem/path/entrypoint.rb
-
-      if @gem_path
-        "gem_path:#{@gem_path}"
-      else
-        "gem:#{@gem_name}:#{@version}"
+      # SHA256 on gem:gemname:version
+      # SHA256 on gem_path:/filesystem/path/entrypoint.rb
+      @cache_key ||= begin
+        key = if @gem_path
+                "gem_path:#{@gem_path}"
+              else
+                "gem:#{@gem_name}:#{gem_version}"
+              end
+        OpenSSL::Digest.hexdigest("SHA256", key)
       end
     end
 
@@ -91,9 +103,15 @@ module Inspec::Fetcher
     end
 
     def resolved_source
-      h = { gem: @gem_name, version: @version, gem_path: @gem_path }
+      h = { gem: @gem_name, version: gem_version, gem_path: @gem_path }
       h[:sha256] = sha256
       h
     end
+
+    private
+
+    def gem_version
+      @version || Inspec::Plugin::V2::Loader.find_gemspec_of(@gem_name)&.version&.to_s
+    end
   end
 end

data/lib/inspec/fetcher/git.rb

@@ -68,11 +68,21 @@ module Inspec::Fetcher
       else
         Dir.mktmpdir do |working_dir|
           checkout(working_dir)
+          if git_only_or_empty?(working_dir)
+            # If the temporary working directory is empty after checkout,
+            # this means the git repository did not contain any files (or the checkout failed).
+            # In this case, remove the destination directory to avoid
+            # leaving an empty or invalid profile directory.
+            if Dir.exist?(destination_path)
+              FileUtils.rm_rf(destination_path)
+            end
+            raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - no files found in the repository."
+          end
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
             Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
-                              "Moving checkout to #{destination_path}")
+                                "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
         end
@@ -80,6 +90,16 @@ module Inspec::Fetcher
       @repo_directory
     end
 
+    def git_only_or_empty?(dir)
+      return false unless Dir.exist?(dir)
+
+      children = Dir.children(dir)
+      # Return true if:
+      # - directory is completely empty
+      # - or it contains only one entry: '.git'
+      children.empty? || (children - [".git"]).empty?
+    end
+
     def perform_relative_path_fetch(destination_path, working_dir)
       Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")

data/lib/inspec/file_provider.rb

@@ -1,4 +1,5 @@
 require "rubygems/package" unless defined?(Gem::Package)
+require "rubygems/package/tar_header" unless defined?(Gem::Package::TarHeader)
 require "pathname" unless defined?(Pathname)
 require "zlib" unless defined?(Zlib)
 require "zip" unless defined?(Zip)

data/lib/inspec/input_registry.rb

@@ -173,7 +173,7 @@ module Inspec
             raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
           end
         end
-        pair = pair.match(/(.*?)=(.*)/)
+        pair = pair.match(/^([^=]+)=(.*)$/)
         input_name, input_value = pair[1], pair[2]
         input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(

data/lib/inspec/metadata.rb

@@ -1,4 +1,6 @@
 # Copyright 2015 Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "logger"
 require "rubygems/version"

data/lib/inspec/plugin/v2/gem_source_manager.rb

@@ -28,16 +28,23 @@ module Inspec::Plugin::V2
     private
 
     def chef_rubygems_server
-      "https://#{DEFAULT_USERNAME}:#{licenses_string}@#{DEFAULT_CHEF_RUBY_GEMS_SERVER}"
+      # If there are no license keys, return nil to avoid adding an invalid source
+      "https://#{DEFAULT_USERNAME}:#{licenses_string}@#{DEFAULT_CHEF_RUBY_GEMS_SERVER}" unless licenses_string.empty?
     end
 
     def register_source(source)
+      return if source.nil? # If the source is nil, we don't want to add it
+
       gem_source = Gem::Source.new(source)
       sources << gem_source unless sources.include?(gem_source)
+    rescue StandardError => e
+      raise StandardError, "Unable to add gem source #{source}: #{e.message}"
     end
 
     def licenses_string
       ChefLicensing.license_keys.join(",")
+    rescue StandardError
+      ""
     end
   end
 end

data/lib/inspec/plugin/v2/installer.rb

@@ -285,7 +285,16 @@ module Inspec::Plugin::V2
     #===================================================================#
 
     def install_from_path(requested_plugin_name, opts)
-      # Nothing to do here; we will later update the plugins file with the path.
+      return unless gem_based_plugin?(opts)
+
+      local_gem_path = opts[:path]
+      Inspec::Log.debug("Installing #{requested_plugin_name} from path #{local_gem_path}")
+      raise InstallError, "Gem File not found: #{local_gem_path}" unless File.exist?(local_gem_path)
+
+      gem_installer = Gem::Installer.at(local_gem_path, install_dir: gem_path, ignore_dependencies: true, document: [])
+      gem_installer.install
+
+      Inspec::Log.debug("Installed gem from path: #{local_gem_path} to #{gem_path}")
     end
 
     def install_from_gem_file(requested_plugin_name, opts)
@@ -339,6 +348,9 @@ module Inspec::Plugin::V2
       set_available_for_resolution = build_gem_request_universe(extra_request_sets, gem_to_force_update)
 
       # Solve the dependency (that is, find a way to install the new plugin and anything it needs)
+      # [WARN]: Gem::RequestSet cannot resolve from multiple directories
+      # So all dependent gems will be resolved to the GEM_HOME/Gem.default_dir directory
+      # assuming everything will be installed in the same dir
       request_set = Gem::RequestSet.new(new_plugin_dependency)
 
       begin
@@ -372,6 +384,15 @@ module Inspec::Plugin::V2
           requested_gemspec = activation_request.full_spec
           next if requested_gemspec.activated?
 
+          # The specs at this point are pointed to GEM_HOME/Gem.default_dir directory
+          # because of the resolved set's assumption that we will install Gems in the same directory
+          # In many cases, RubyGems has already loaded gems from default dir
+          # Hence at this point it is really only a sanity check
+          # And if the requested_gemspec_file has not been downloaded in this default dir do not activate it
+          # Activation will be taken care after the downloads
+          requested_gemspec_file = File.join(requested_gemspec.gem_dir, "#{requested_gemspec.name}.gemspec")
+          next unless File.exist?(requested_gemspec_file) || File.exist?(requested_gemspec.spec_file)
+
           # activate the requested gemspec from the Gem::RequestSet
           requested_gemspec.activate unless loaded_recent_most_version_of?(requested_gemspec)
         end
@@ -396,7 +417,7 @@ module Inspec::Plugin::V2
           File.write(path_inside_source, spec.to_ruby)
         end
       end
-
+      loader.activate_managed_gems_for_plugin(new_plugin_dependency.name)
       # Locate the GemVersion for the new dependency and return it
       solution.detect { |g| g.name == new_plugin_dependency.name }.version
     end

data/lib/inspec/plugin/v2/loader.rb

@@ -70,7 +70,9 @@ module Inspec::Plugin::V2
             require plugin_details.entry_point
           else
             load_path = plugin_details.entry_point
-            load_path += ".rb" unless plugin_details.entry_point.end_with?(".rb")
+            next if load_path.end_with?(".gem") # local resource pack's path will have gem path
+
+            load_path += ".rb" unless load_path.end_with?(".rb")
             load load_path
           end
           plugin_details.loaded = true

data/lib/inspec/profile.rb

@@ -1,4 +1,6 @@
 # Copyright 2015 Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "forwardable" unless defined?(Forwardable)
 require "openssl" unless defined?(OpenSSL)
@@ -299,7 +301,14 @@ module Inspec
       # # Pull together waiver
       waived_control_ids = []
       waiver_paths.each do |waiver_path|
-        waiver_content = YAML.load_file(waiver_path)
+        # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+        # It's not a valid option in 3.0.x
+        if Gem.ruby_version >= Gem::Version.new("3.1.0")
+          waiver_content = ::YAML.load_file(waiver_path, permitted_classes: [Date, Time])
+        else
+          waiver_content = YAML.load_file(waiver_path)
+        end
+
         unless waiver_content
           # Note that we will have already issued a detailed warning
           Inspec::Log.error "YAML parsing error in #{waiver_path}"
@@ -628,7 +637,7 @@ module Inspec
                                                                               include_tests: include_tests)
 
         # Collect all metadata defined in the control block and inputs defined inside the control block
-        src.ast.each_node { |n|
+        src.ast&.each_node { |n|
           ctl_id_collector.process(n)
           input_collector.process(n)
         }
@@ -690,7 +699,7 @@ module Inspec
       }
       source_location_ref = @source_reader.target.abs_path(control_filename)
       Inspec::Profile::AstHelper::TitleCollector.new(group_data)
-        .process(src.ast.child_nodes.first) # Picking the title defined for the whole controls file
+        .process(src.ast&.child_nodes&.first) # Picking the title defined for the whole controls file
       group_controls = @info_from_parse[:controls].select { |control| control[:source_location][:ref] == source_location_ref }
       group_data[:controls] = group_controls.map { |control| control[:id] }
 

data/lib/inspec/reporters/automate.rb

@@ -66,9 +66,9 @@ module Inspec::Reporters
     # Then it downgrades the 160bit SHA1 to a 128bit
     # then we format it as a valid UUIDv5.
     def uuid_from_string(string)
-      hash = Digest::SHA1.new
+      hash = Digest::SHA256.new
       hash.update(string)
-      ary = hash.digest.unpack("NnnnnN")
+      ary = hash.digest[0, 16].unpack("NnnnnN")
       ary[2] = (ary[2] & 0x0FFF) | (5 << 12)
       ary[3] = (ary[3] & 0x3FFF) | 0x8000
       # rubocop:disable Style/FormatString

data/lib/inspec/resources/audit_policy.rb

@@ -39,11 +39,17 @@ module Inspec::Resources
       # expected result:
       # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
       # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
+      auditpol_cmd = "Auditpol /get /subcategory:'#{key}' /r"
+      result ||= inspec.command(auditpol_cmd)
+
+      unless result.exit_status == 0
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{auditpol_cmd} command: #{error}"
+      end
 
       # find line
       target = nil
-      result.each_line do |s|
+      result.stdout.each_line do |s|
         target = s.strip if s =~ /\b.*#{key}.*\b/
       end
 

data/lib/inspec/resources/auditd.rb

@@ -193,7 +193,7 @@ module Inspec::Resources
     #
     # @return [Array[String,String]]
     def action_list_for(line)
-      action_list = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+      action_list = line.scan(/-a ([^,\s]+),([^,\s]+)(?:\s|$)/).flatten
 
       # Actions and lists can be in either order
       valid_actions = %w{never always}

data/lib/inspec/resources/port.rb

@@ -300,7 +300,7 @@ module Inspec::Resources
     def parse_netstat_line(line)
       # parse each line
       # 1 - Socket, 2 - Proto, 3 - Receive-Q, 4 - Send-Q, 5 - Local address, 6 - Foreign Address, 7 - State
-      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)/.match(line)
+      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(\S+)$/.match(line)
       return {} if parsed.nil?
 
       # parse ip4 and ip6 addresses
@@ -488,7 +488,7 @@ module Inspec::Resources
       # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - User, 8 - Inode, 9 - PID/Program name
       # * UDP lines have an empty State column and the Busybox variant lacks
       # the User and Inode columns.
-      reg =  /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(\S+)?\s+((\S+)\s+(\S+)\s+)?(?<pid_prog>\S+)/
+      reg = /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(?:\S+\s+){0,2}(?<pid_prog>\S+)$/
       parsed = reg.match(line)
 
       return {} if parsed.nil? || line.match(/^proto/i)