inspec 1.16.1 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d93468ebe9f076388557bbcebcc35028729e0e80
-  data.tar.gz: 20c57ff7acd7e352fdbba1169118e8a6b972abcd
+  metadata.gz: 2c165a6b8a6e0ec2ed55a4038e82a3bac56ab80b
+  data.tar.gz: 1a806307865e65cbd266caf0a8f3d0abe2b58257
 SHA512:
-  metadata.gz: fbc82e1eabcd30a6ee62cbc113cc01a33250c2133a8488761d51782057220b280a08d237ebb86aec05d7dede8c7684f508d80606d905344ec285a34f1defe2ef
-  data.tar.gz: 94d8329e70dc5c775bea9360e826bdc5ec2c98c44dc510ad5e5849b03b7959d59bfd532b2a11e191a066701fce5dab6d49347b0d322f3c5bb52df7316316b0e2
+  metadata.gz: 6b0ed9d55cc66ed12aaa28a51560cd3238970f215d764c56c96a75b329a41d9a05edc6bb2bece49a353b99b011b3168c76067599309d632f7d51b558a8033baa
+  data.tar.gz: 991eb89677b038a066fac3162685db305f807d1dc67cef40742ec8d778cef8ab6c2cce3c94411c9c6265c46744be37d5b2d09b9edfaf2ecec939fa4885c742c6

data/CHANGELOG.md

@@ -1,22 +1,59 @@
 # Change Log
 
-## [1.16.1](https://github.com/chef/inspec/tree/v1.16.1) (2017-03-06)
+## [1.17.0](https://github.com/chef/inspec/tree/v1.17.0) (2017-03-21)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.16.1...v1.17.0)
+
+**Implemented enhancements:**
+
+- Need better error message for improper inspec.yml formatting [\#1549](https://github.com/chef/inspec/issues/1549)
+
+**Fixed bugs:**
+
+- cannot load such file -- nokogiri [\#1562](https://github.com/chef/inspec/issues/1562)
+- Failure to parse tcp6 URI [\#1521](https://github.com/chef/inspec/issues/1521)
+- json resource array index access not working [\#1560](https://github.com/chef/inspec/issues/1560)
+
+**Closed issues:**
+
+- Crontab regex matching [\#1526](https://github.com/chef/inspec/issues/1526)
+
+**Merged pull requests:**
+
+- Fix omnibus configuration [\#1579](https://github.com/chef/inspec/pull/1579) ([adamleff](https://github.com/adamleff))
+- moving the nokogiri reference into the gemspec file [\#1576](https://github.com/chef/inspec/pull/1576) ([jkerry](https://github.com/jkerry))
+- Hide Event Feature on Homepage [\#1563](https://github.com/chef/inspec/pull/1563) ([hannah-radish](https://github.com/hannah-radish))
+- Fix ObjectTraverser when accessing array values [\#1561](https://github.com/chef/inspec/pull/1561) ([adamleff](https://github.com/adamleff))
+- Add additional example for matching crontab commands [\#1559](https://github.com/chef/inspec/pull/1559) ([adamleff](https://github.com/adamleff))
+- Update file.md with example how to test symlinked files [\#1555](https://github.com/chef/inspec/pull/1555) ([nvtkaszpir](https://github.com/nvtkaszpir))
+- Provide better error message when inspec.yml is invalid [\#1552](https://github.com/chef/inspec/pull/1552) ([adamleff](https://github.com/adamleff))
+- try to use sysv fallback if is not producing proper output [\#1550](https://github.com/chef/inspec/pull/1550) ([chris-rock](https://github.com/chris-rock))
+- update readme for install scripts [\#1548](https://github.com/chef/inspec/pull/1548) ([chris-rock](https://github.com/chris-rock))
+- Fixing port check with v4 IPs in a v6 netstat line [\#1547](https://github.com/chef/inspec/pull/1547) ([adamleff](https://github.com/adamleff))
+- Fixing a typo [\#1536](https://github.com/chef/inspec/pull/1536) ([tescalada](https://github.com/tescalada))
+- windows\_task docs: Correct syntax error and misspelled word [\#1525](https://github.com/chef/inspec/pull/1525) ([spiffytech](https://github.com/spiffytech))
+
+## [v1.16.1](https://github.com/chef/inspec/tree/v1.16.1) (2017-03-06)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.16.0...v1.16.1)
 
 **Fixed bugs:**
 
-- "inspec version" waits for connection timeout inside firewall [\#1537](https://github.com/chef/inspec/pull/1537) ([makotots](https://github.com/makotots))
+- "inspec version" waits for connection timeout inside firewall [\#1537](https://github.com/chef/inspec/issues/1537)
 
 **Merged pull requests:**
 
-- Avoid connection timeout of "inspec version" [\#1538](https://github.com/chef/inspec/pull/1538) ([makotots](https://github.com/makotots))
+- releasing 1.16.1 with a bug fix and omnibus fix [\#1540](https://github.com/chef/inspec/pull/1540) ([adamleff](https://github.com/adamleff))
 - Fix omnibus build after new JUnit formatter [\#1539](https://github.com/chef/inspec/pull/1539) ([adamleff](https://github.com/adamleff))
+- Avoid connection timeout of "inspec version" [\#1538](https://github.com/chef/inspec/pull/1538) ([makotots](https://github.com/makotots))
+- Write Habitat-driven InSpec output to svc\_var directory [\#1533](https://github.com/chef/inspec/pull/1533) ([adamleff](https://github.com/adamleff))
+- Updating .gitignore for Habitat and direnv [\#1531](https://github.com/chef/inspec/pull/1531) ([adamleff](https://github.com/adamleff))
+- Ready for review - inspec.io bug fixes, \#1440, \#1420, \#1465, \#1421, \#1437,\#1226, \#1494, \#1495 [\#1512](https://github.com/chef/inspec/pull/1512) ([hannah-radish](https://github.com/hannah-radish))
 
-## [1.16.0](https://github.com/chef/inspec/tree/v1.16.0) (2017-03-02)
+## [v1.16.0](https://github.com/chef/inspec/tree/v1.16.0) (2017-03-02)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.15.0...v1.16.0)
 
 **Implemented enhancements:**
 
+- jUnit reports are hard to read [\#1438](https://github.com/chef/inspec/issues/1438)
 - Functional JUnit reporter [\#1454](https://github.com/chef/inspec/pull/1454) ([jkerry](https://github.com/jkerry))
 
 **Closed issues:**
@@ -25,6 +62,7 @@
 
 **Merged pull requests:**
 
+- 1.16.0 [\#1530](https://github.com/chef/inspec/pull/1530) ([adamleff](https://github.com/adamleff))
 - use -- for description of inspec login\_automate [\#1527](https://github.com/chef/inspec/pull/1527) ([chris-rock](https://github.com/chris-rock))
 - fix ident in cmp matcher docs [\#1524](https://github.com/chef/inspec/pull/1524) ([chris-rock](https://github.com/chris-rock))
 - Add Rake to Habitat build Gemfile [\#1520](https://github.com/chef/inspec/pull/1520) ([adamleff](https://github.com/adamleff))
@@ -2203,4 +2241,4 @@
 
 
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/Gemfile

@@ -8,7 +8,6 @@ if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
 end
 
 gem 'ffi', '>= 1.9.14'
-gem 'nokogiri', '~> 1.6'
 
 group :test do
   gem 'bundler', '~> 1.5'
@@ -32,17 +31,11 @@ group :integration do
   gem 'kitchen-dokken'
 end
 
-group :simulator do
-  gem 'github-markup'
-  gem 'redcarpet'
-  gem 'docker-api'
-end
-
 group :tools do
   gem 'pry', '~> 0.10'
   gem 'rb-readline'
   gem 'license_finder'
-  gem 'github_changelog_generator', '~> 1'
+  gem "github_changelog_generator", git: "https://github.com/chef/github-changelog-generator"
 end
 
 # gems for Maintainers.md generation

data/README.md

@@ -50,7 +50,15 @@ InSpec requires Ruby ( >1.9 ).
 
 ### Install as package
 
-The InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [InSpec Downloads](https://downloads.chef.io/inspec).
+The InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [InSpec Downloads](https://downloads.chef.io/inspec) or install InSpec via script:
+
+```
+# RedHat, Ubuntu, and macOS
+curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
+
+# Windows
+. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec
+```
 
 ### Install it via rubygems.org
 

data/docs/resources/crontab.md.erb

@@ -60,3 +60,9 @@ The following examples show how to use this InSpec audit resource.
     describe crontab.where({'hour' => '*', 'minute' => '*'}) do
       its('entries.length') { should cmp '0' }
     end
+
+### Test that the logged-in user's crontab contains a single command that matches a mattern
+
+    describe crontab.where { command =~ /a partial command string/ } do
+      its('entries.length') { should cmp 1 }
+    end

data/docs/resources/file.md.erb

@@ -458,3 +458,25 @@ The following example shows how to use the `file` audit resource to verify if th
     describe command('pgrep ntp') do
        its('exit_status') { should eq 0 }
     end
+
+### Test parameters of symlinked file
+
+If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
+
+For example, for the following symlink:
+
+    lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
+
+... you can write controls for both the link and the target.
+
+    describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
+      it { should be_symlink }
+    end
+
+    virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
+    describe file(virito_port_vdsm) do
+      it { should exist }
+      it { should be_character_device }
+      it { should be_owned_by 'ovirtagent' }
+      it { should be_grouped_into 'ovirtagent' }
+    end

data/docs/resources/json.md.erb

@@ -23,7 +23,7 @@ A `json` resource block declares the data to be tested. Assume the following JSO
 
 This file can be queried using:
 
-    describe json('/paht/to/name.json') do
+    describe json('/path/to/name.json') do
       its('name') { should eq 'hello' }
       its(['meta','creator']) { should eq 'John Doe' }
       its(['array', 1]) { should eq 'one' }

data/docs/resources/windows_task.md.erb

@@ -5,13 +5,13 @@ title: About the windows_task Resource
 # windows_task
 
 Use the `windows_task` Inspec audit resource to test a scheduled tasks configuration on a Windows platform. 
-Microsoft and application vendors use scheduled tasks to perform a varity of system maintaince tasks but system administrators can schedule their own.
+Microsoft and application vendors use scheduled tasks to perform a variety of system maintaince tasks but system administrators can schedule their own.
 
 ## Syntax
 
 A `windows_task` resource block declares the name of the task (as its full path) and tests its configuration:
 
-    describe windows_task('task name uri' do
+    describe windows_task('task name uri') do
       its('parameter') { should eq 'value' }
       it { should be_enabled }
     end
@@ -100,4 +100,4 @@ Next Run Time: N/A
 Status:        Ready
 Logon Mode:    Interactive/Background
 ...
-```
+```

data/examples/meta-profile/inspec.lock

@@ -9,10 +9,10 @@ depends:
 - name: ssl-benchmark
   resolved_source:
     url: https://github.com/dev-sec/ssl-benchmark/archive/master.tar.gz
-    sha256: 9ad48391d4e6efff0a13d06736c5b075fb021410e0a629e087bc21e9617d957c
+    sha256: 74b3437714871cca4505d9fc445c805968d56bc674855112bab187a5166f5a2d
   version_constraints: ">= 0"
 - name: windows-patch-benchmark
   resolved_source:
     url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
-    sha256: 6bdab40a3fe9f9de4e7c87f4f3844fdcf2c5cba6f84089b68d47c72392b51fdc
+    sha256: eb00c95846aeb3f1cbc5106537dcbf550c910d65986d21a62f7deb69ea060dee
   version_constraints: ">= 0"

data/inspec.gemspec

@@ -37,7 +37,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'mixlib-log'
   spec.add_dependency 'sslshake', '~> 1'
   spec.add_dependency 'parallel', '~> 1.9'
-  spec.add_dependency 'rspec_junit_formatter', '~> 0.2.3'
+  spec.add_dependency 'nokogiri', '~> 1.6'
   spec.add_dependency 'faraday', '>=0.9.0'
   spec.add_dependency 'toml', '~> 0.1'
 end

data/lib/inspec/rspec_json_formatter.rb

@@ -5,7 +5,6 @@
 
 require 'rspec/core'
 require 'rspec/core/formatters/json_formatter'
-require 'rspec_junit_formatter'
 
 # Vanilla RSpec JSON formatter with a slight extension to show example IDs.
 # TODO: Remove these lines when RSpec includes the ID natively

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.16.1'.freeze
+  VERSION = '1.17.0'.freeze
 end

data/lib/resources/crontab.rb

@@ -21,6 +21,10 @@ module Inspec::Resources
       describe crontab.where({'hour' => '*', 'minute' => '*'}) do
         its('entries.length') { should cmp '0' }
       end
+
+      describe crontab.where { command =~ /a partial command string/ } do
+        its('entries.length') { should cmp 1 }
+      end
     "
 
     attr_reader :params

data/lib/resources/csv.rb

@@ -15,19 +15,36 @@ module Inspec::Resources
       end
     "
 
-    # override file load and parse hash from csv
+    # override the parse method from JsonConfig
+    # Assuming a header row of name,col1,col2, it will output an array of hashes like so:
+    #    [
+    #      { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' },
+    #      { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' }
+    #    ]
     def parse(content)
       require 'csv'
+
       # convert empty field to nil
       CSV::Converters[:blank_to_nil] = lambda do |field|
         field && field.empty? ? nil : field
       end
+
       # implicit conversion of values
       csv = CSV.new(content, headers: true, converters: [:all, :blank_to_nil])
+
       # convert to hash
       csv.to_a.map(&:to_hash)
     end
 
+    # override the value method from JsonConfig
+    # The format of the CSV hash as created by #parse is very different
+    # than what the YAML, JSON, and INI resources create, so using the
+    # #value method from JsonConfig (which uses ObjectTraverser.extract_value)
+    # doesn't make sense here.
+    def value(key)
+      @params.map { |x| x[key.first.to_s] }.compact
+    end
+
     def to_s
       "Csv #{@path}"
     end

data/lib/resources/port.rb

@@ -4,6 +4,7 @@
 
 require 'utils/parser'
 require 'utils/filter'
+require 'ipaddr'
 
 # TODO: currently we return local ip only
 # TODO: improve handling of same port on multiple interfaces
@@ -286,10 +287,25 @@ module Inspec::Resources
         ip6 = /^(\S+):(\d+)$/.match(net_addr)
         ip6addr = ip6[1]
         ip6addr = '::' if ip6addr =~ /^:::$/
-        # build uri
-        ip_addr = URI("addr://[#{ip6addr}]:#{ip6[2]}")
-        # replace []
-        host = ip_addr.host[1..ip_addr.host.size-2]
+
+        # v6 addresses need to end in a double-colon when using
+        # shorthand notation. netstat ends with a single colon.
+        # IPAddr will fail to properly parse an address unless it
+        # uses a double-colon for short-hand notation.
+        ip6addr += ':' if ip6addr =~ /\w:$/
+
+        # Check to see if this is a IPv4 address in a tcp6/udp6 line.
+        # If so, don't put brackets around the IP or URI won't know how
+        # to properly handle it.
+        # example: tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
+        if IPAddr.new(ip6addr).ipv4?
+          ip_addr = URI("addr://#{ip6addr}:#{ip6[2]}")
+          host = ip_addr.host
+        else
+          ip_addr = URI("addr://[#{ip6addr}]:#{ip6[2]}")
+          # strip []
+          host = ip_addr.host[1..ip_addr.host.size-2]
+        end
       else
         ip_addr = URI('addr://'+net_addr)
         host = ip_addr.host

data/lib/resources/service.rb

@@ -336,7 +336,7 @@ module Inspec::Resources
       status = inspec.command("#{service_ctl} status #{service_name}")
 
       # fallback for systemv services, those are not handled via `initctl`
-      return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0
+      return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0 || status.stdout == ''
 
       # @see: http://upstart.ubuntu.com/cookbook/#job-states
       # grep for running to indicate the service is there

data/lib/source_readers/inspec.rb

@@ -30,18 +30,25 @@ module SourceReaders
     # @param [FileProvider] target An instance of a FileProvider object that can list files and read them
     # @param [String] metadata_source eg. inspec.yml or metadata.rb
     def initialize(target, metadata_source)
-      @target = target
-      @metadata = Inspec::Metadata.from_ref(
-        metadata_source,
-        @target.read(metadata_source),
-        nil)
-
-      @tests = load_tests
+      @target    = target
+      @metadata  = load_metadata(metadata_source)
+      @tests     = load_tests
       @libraries = load_libs
     end
 
     private
 
+    def load_metadata(metadata_source)
+      Inspec::Metadata.from_ref(
+        metadata_source,
+        @target.read(metadata_source),
+        nil)
+    rescue Psych::SyntaxError => e
+      raise "Unable to parse inspec.yml: line #{e.line}, #{e.problem} #{e.context}"
+    rescue => e
+      raise "Unable to parse #{metadata_source}: #{e.class} -- #{e.message}"
+    end
+
     def load_tests
       tests = @target.files.find_all do |path|
         path.start_with?('controls') && path.end_with?('.rb')

data/lib/utils/object_traversal.rb

@@ -6,11 +6,12 @@ module ObjectTraverser
     key = keys.shift
     return nil if key.nil? || value.nil?
 
-    # if value is an array, iterate over each child
     if value.is_a?(Array)
-      value = value.map { |i|
-        extract_value([key], i)
-      }
+      value = if key.is_a?(Fixnum)
+                value[key]
+              elsif value.respond_to?(key.to_sym)
+                value.send(key.to_sym)
+              end
     else
       value = value[key.to_s].nil? ? nil : value[key.to_s]
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.16.1
+  version: 1.17.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-06 00:00:00.000000000 Z
+date: 2017-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -205,19 +205,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.9'
 - !ruby/object:Gem::Dependency
-  name: rspec_junit_formatter
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.3
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.3
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -386,9 +386,9 @@ files:
 - examples/meta-profile/controls/example.rb
 - examples/meta-profile/inspec.lock
 - examples/meta-profile/inspec.yml
-- examples/meta-profile/vendor/6bdab40a3fe9f9de4e7c87f4f3844fdcf2c5cba6f84089b68d47c72392b51fdc.tar.gz
-- examples/meta-profile/vendor/9ad48391d4e6efff0a13d06736c5b075fb021410e0a629e087bc21e9617d957c.tar.gz
+- examples/meta-profile/vendor/74b3437714871cca4505d9fc445c805968d56bc674855112bab187a5166f5a2d.tar.gz
 - examples/meta-profile/vendor/e25d521fb1093b4c23b31a7dc8f41b5540236f4a433960b151bc427523662ab6.tar.gz
+- examples/meta-profile/vendor/eb00c95846aeb3f1cbc5106537dcbf550c910d65986d21a62f7deb69ea060dee.tar.gz
 - examples/profile-attribute.yml
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb