train-k8s-container-mitre 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d3fb5eed626b5b0237f0b191baf0a6d9044c41c768a1fcf144e28163bb53e489
+  data.tar.gz: 33208b23e20238d127a60db0e7165a6a4aa405a31b59ed66a80472d467755647
+SHA512:
+  metadata.gz: b5bd3221b2ca510b600c75994a777fa37eccec5fc4b208f0f1f03bac2f6f849a3bfcef4bef4d4c5fdc9d8abc35927430772cea1b64f20d848fc81f90944251be
+  data.tar.gz: 9b1c7f1b4b4f96f87ab6eeeaad58f5f22a70476c3c659b5dae02f4b6b6e210ed67cef01809674c91d4b76c8e81593b66bdd2cd6607eba5015aec8ae4645dcb57

data/.expeditor/buildkite/coverage.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+echo "--- This is the coverage pipeline for train-k8s-container"
+
+# Fetch tokens from vault ASAP so that long-running tests don't cause our vault token to expire
+echo "--- installing vault"
+export VAULT_VERSION=1.13.0
+export VAULT_HOME=$HOME/vault
+curl --create-dirs -sSLo $VAULT_HOME/vault.zip https://releases.hashicorp.com/vault/$VAULT_VERSION/vault_${VAULT_VERSION}_linux_amd64.zip
+unzip -o $VAULT_HOME/vault.zip -d $VAULT_HOME
+
+if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
+  echo "--- fetching Sonar token from vault"
+  # TODO: Update the path to the key within the key-value store `secret/trains-k8s-container/sonar` is just a dummy placeholder
+  export SONAR_TOKEN=$($VAULT_HOME/vault kv get -field token secret/inspec/train-k8s-container/sonar)
+
+  if [ -n "${SONAR_TOKEN:-}" ]; then
+    echo "  ++ SONAR_TOKEN set successfully"
+  else
+    echo "  !! SONAR_TOKEN not set - exiting "
+    exit 1 # TODO: Remove this line if we wish not to exit
+  fi
+fi
+
+# If coverage is enabled, then we need to pick up the coverage/coverage.json file
+if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
+  echo "--- installing sonarscanner"
+  export SONAR_SCANNER_VERSION=4.7.0.2747
+  export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
+  curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
+  unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+  export PATH=$SONAR_SCANNER_HOME/bin:$PATH
+  export SONAR_SCANNER_OPTS="-server"
+
+  # Delete the vendor/ directory.
+  # Excluding it using sonar.exclusions, appears to get ignored,
+  # ending up analyzing the gemfile install which blows the analysis.
+  echo "--- deleting installed gems"
+  rm -rf vendor/
+
+  # See sonar-project.properties for additional settings
+  echo "--- running sonarscanner"
+  sonar-scanner \
+  -Dsonar.sources=. \
+  -Dsonar.host.url=https://sonar.progress.com
+fi

data/.expeditor/buildkite/run_linux_tests.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ue
+
+export USER="root"
+export LANG=C.UTF-8 LANGUAGE=C.UTF-8
+
+echo "--- bundle install"
+bundle config --local path vendor/bundle
+bundle install --jobs=7 --retry=3
+
+echo "+++ bundle exec task"
+bundle exec $@
+RAKE_EXIT=$?
+
+exit $RAKE_EXIT

data/.expeditor/config.yml

@@ -0,0 +1,61 @@
+# Documentation available at https://expeditor.chef.io/docs/getting-started/
+---
+
+project:
+  alias: train-k8s-container
+
+# https://expeditor.chef.io/docs/integrations/slack/
+slack:
+  notify_channel: inspec-notify
+
+# https://expeditor.chef.io/docs/integrations/rubygems/
+# This publish is triggered by the `built_in:publish_rubygems` artifact_action.
+rubygems:
+  - train-k8s-container
+
+# https://expeditor.chef.io/docs/integrations/github/
+github:
+  # This deletes the GitHub PR branch after successfully merged into the release branch
+  delete_branch_on_merge: true
+  # The tag format to use (e.g. v1.0.0)
+  version_tag_format: "v{{version}}"
+  # allow bumping the minor release via label
+  minor_bump_labels:
+    - "Expeditor: Bump Version Minor"
+  # allow bumping the major release via label
+  major_bump_labels:
+    - "Expeditor: Bump Version Major"
+
+pipelines:
+  - verify:
+      description: Pull Request validation tests
+      # public: true # Uncomment to make this pipeline public
+  - coverage:
+      description: Generate test coverage report
+      trigger: pull_request
+
+changelog:
+  rollup_header: Changes not yet released to rubygems.org
+
+
+subscriptions:
+  # These actions are taken, in order they are specified, anytime a Pull Request is merged.
+  - workload: pull_request_merged:{{github_repo}}:{{release_branch}}:*
+    actions:
+      - built_in:bump_version:
+          ignore_labels:
+            - "Expeditor: Skip Version Bump"
+            - "Expeditor: Skip All"
+      - bash:.expeditor/update_version.sh:
+           only_if: built_in:bump_version
+      - built_in:update_changelog:
+          ignore_labels:
+            - "Expeditor: Skip Changelog"
+            - "Expeditor: Skip All"
+      - built_in:build_gem:
+          only_if: built_in:bump_version
+
+  - workload: project_promoted:{{agent_id}}:*
+    actions:
+      - built_in:rollover_changelog
+      - built_in:publish_rubygems

data/.expeditor/coverage.pipeline.yml

@@ -0,0 +1,19 @@
+---
+expeditor:
+  defaults:
+    buildkite:
+      timeout_in_minutes: 45
+      retry:
+        automatic:
+          limit: 1
+
+steps:
+
+  - label: coverage-pipeline-with-ruby-3.0
+    command:
+      - CI_ENABLE_COVERAGE=1 /workdir/.expeditor/buildkite/coverage.sh
+    expeditor:
+      secrets: true
+      executor:
+        docker:
+          image: ruby:3.0

data/.expeditor/update_version.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+# After a PR merge, Chef Expeditor will bump the PATCH version in the VERSION file.
+# It then executes this file to update any other files/components with that new version.
+#
+
+set -evx
+
+sed -i -r "s/VERSION = \".*\"/VERSION = \"$(cat VERSION)\"/" lib/train/k8s/container/version.rb
+
+# Once Expeditor finishes executing this script, it will commit the changes and push
+# the commit as a new tag corresponding to the value in the VERSION file.

data/.expeditor/verify.pipeline.yml

@@ -0,0 +1,44 @@
+---
+expeditor:
+  cached_folders:
+    - vendor
+  defaults:
+    buildkite:
+      retry:
+        automatic:
+          limit: 1
+      timeout_in_minutes: 30
+
+steps:
+
+- label: lint-chefstyle
+  command:
+    - /workdir/.expeditor/buildkite/run_linux_tests.sh "rake style"
+  expeditor:
+    executor:
+      docker:
+        image: ruby:3.0
+
+- label: run-specs-ruby-3.0
+  command:
+    - /workdir/.expeditor/buildkite/run_linux_tests.sh "rake spec"
+  expeditor:
+    executor:
+      docker:
+        image: ruby:3.0
+
+- label: run-specs-ruby-3.1
+  command:
+    - /workdir/.expeditor/buildkite/run_linux_tests.sh "rake spec"
+  expeditor:
+    executor:
+      docker:
+        image: ruby:3.1
+
+- label: run-specs-ruby-3.1
+  command:
+    - /workdir/.expeditor/buildkite/run_linux_tests.sh "rake spec"
+  expeditor:
+    executor:
+      docker:
+        image: ruby:3.1

data/.rspec

@@ -0,0 +1,4 @@
+--require spec_helper
+--color
+--format documentation
+--tag ~integration

data/.rubocop.yml

@@ -0,0 +1,57 @@
+AllCops:
+  TargetRubyVersion: 3.1  # Match gemspec minimum (InSpec 6.x embedded Ruby)
+  NewCops: enable
+  SuggestExtensions: false
+  Exclude:
+    - vendor/**/*
+
+# Naming/FileName - train-k8s-container.rb is correct gem convention
+Naming/FileName:
+  Enabled: false
+
+# Metrics - Transport plugins need larger classes for connection/platform management
+# Following InSpec ecosystem standard (train-kubernetes, inspec-aws disable these)
+Metrics/ClassLength:
+  Enabled: false  # InSpec plugins inherently have larger connection classes
+
+Metrics/ParameterLists:
+  Max: 7  # Ruby 3.1+ keyword arguments are self-documenting and preferred
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+# RSpec tests will have longer blocks - acceptable
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*_spec.rb
+
+# Allow reasonable line length (Chef standard is 150)
+Layout/LineLength:
+  Max: 150
+
+# Gemspec - Support Ruby >= 3.1 (InSpec 6.x) but develop on 3.3
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
+# Use consistent style for percent literals (avoid flip-flopping during autocorrect)
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    default: '[]'
+    '%w': '[]'
+    '%i': '[]'
+
+# Trailing commas in multiline (Chef standard)
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: consistent_comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: consistent_comma

data/CHANGELOG.md

@@ -0,0 +1,158 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- **ci**: Real STIG profile execution (canonical-ubuntu-22.04-lts-stig-baseline)
+- **ci**: Same-pod container-to-container scanning test
+- **ci**: Pod-to-pod scanning with cinc-scanner Docker image
+
+### Documentation
+
+- MITRE standards documentation (LICENSE.md, NOTICE.md, CODE_OF_CONDUCT.md)
+- CONTRIBUTING.md with development workflow
+- DEVELOPMENT.md with local testing guide (kind cluster setup)
+- README.md rewrite with MITRE branding and comprehensive usage docs
+- SECURITY.md with MITRE SAF contact info
+
+### Fixed
+
+- **ci**: Use pre-built cinc-scanner:local image for same-pod testing
+- **platform**: Detect+Context pattern for accurate OS detection
+
+### Miscellaneous Tasks
+
+- Switch from InSpec to Cinc Auditor (open source, license-free)
+- Add git-cliff configuration for automated changelog generation
+- Add release-tag.yml workflow for RubyGems publication
+
+## [2.0.0] - 2025-10-04
+
+### Breaking Changes
+
+- **BREAKING**: Namespace changed from `Train::K8s::Container` to `TrainPlugins::K8sContainer` (Train v2 standard)
+- **BREAKING**: File structure changed from `lib/train/k8s/container/*` to `lib/train-k8s-container/*`
+- Ruby requirement: >= 3.1
+
+### Added
+
+- **Platform Detection**: Detect+Context pattern using `Train::Platforms::Detect.scan(self)`
+  - Returns actual OS (ubuntu, alpine, centos) so InSpec resources work correctly
+  - Adds `kubernetes` and `container` families for transport awareness
+  - Fallback platform for distroless/minimal containers
+- **Shell Detection**: Tiered detection with automatic fallback
+  - Unix: bash → sh → ash → zsh
+  - Windows: cmd.exe → powershell.exe → pwsh.exe (scaffolded, not tested)
+  - Linux family detection from /etc/os-release
+- **Security Hardening**:
+  - ANSI escape sequence sanitization (CVE-2021-25743 mitigation)
+  - Command injection prevention with Shellwords.escape
+  - RFC 1123 validation for pod/container names
+- **Error Handling**:
+  - Custom error classes (ConnectionError, CommandError, ValidationError)
+  - Retry logic with exponential backoff for transient failures
+- **CI/CD Pipeline**:
+  - GitHub Actions with kind cluster integration tests
+  - Multi-version Ruby (3.1, 3.2, 3.3) and Kubernetes (1.29, 1.30, 1.31) matrix
+  - Security scanning (TruffleHog, bundler-audit, SBOM generation)
+  - Pod-to-pod testing with InSpec running inside cluster
+- **Code Quality**:
+  - Cookstyle linting (replaced deprecated chefstyle)
+  - 95%+ test coverage with SimpleCov
+  - Unit tests (mocked) and integration tests (real kubectl)
+
+### Changed
+
+- Transport: Proper Train v2 plugin API implementation
+- Connection: Lazy initialization of kubectl client
+- Platform: Uses Train's built-in detection instead of force_platform!
+
+### Fixed
+
+- Shell detection command escaping
+- Platform detection accuracy (returns real OS, not generic k8s-container)
+- Thread safety in session management
+
+### Security
+
+- ANSI injection prevention (sanitizes terminal escape sequences)
+- Command escaping with Shellwords
+- Input validation for Kubernetes resource names
+
+### Components
+
+| File | Purpose |
+|------|---------|
+| `transport.rb` | Train v2 plugin registration |
+| `connection.rb` | URI parsing, connection management |
+| `kubectl_exec_client.rb` | kubectl command execution |
+| `platform.rb` | Detect+Context platform detection |
+| `shell_detector.rb` | Shell availability detection |
+| `ansi_sanitizer.rb` | CVE-2021-25743 mitigation |
+| `kubernetes_name_validator.rb` | RFC 1123 validation |
+| `retry_handler.rb` | Exponential backoff retry logic |
+
+## [1.3.1] - 2024-03-05
+
+### Fixed
+
+- Fix run command to use Bourne shell for OS resource commands ([#21](https://github.com/inspec/train-k8s-container/pull/21))
+
+## [1.3.0] - 2024-01-31
+
+### Added
+
+- Add support for file connections ([#19](https://github.com/inspec/train-k8s-container/pull/19))
+
+## [1.2.1] - 2024-01-18
+
+### Fixed
+
+- Fix for undefined method presence ([#17](https://github.com/inspec/train-k8s-container/pull/17))
+
+## [1.2.0] - 2024-01-16
+
+### Changed
+
+- Update README and InSpec compatibility ([#15](https://github.com/inspec/train-k8s-container/pull/15))
+
+## [1.1.2] - 2024-01-16
+
+### Fixed
+
+- Connection to container improvements ([#14](https://github.com/inspec/train-k8s-container/pull/14))
+
+## [1.1.1] - 2024-01-15
+
+### Testing
+
+- Specs for transporter ([#13](https://github.com/inspec/train-k8s-container/pull/13))
+
+## [1.1.0] - 2024-01-11
+
+### Added
+
+- kubectl exec client implementation ([#10](https://github.com/inspec/train-k8s-container/pull/10))
+
+## [1.0.0] - 2024-01-11
+
+### Added
+
+- Initial transporter for k8s container ([#9](https://github.com/inspec/train-k8s-container/pull/9))
+
+## Pre-1.0 Releases
+
+- **0.0.7** - Pipeline updates
+- **0.0.6** - Version bumper
+- **0.0.5** - Apache v2.0 license
+- **0.0.4** - SonarQube integration
+- **0.0.3** - Initial repo setup
+- **0.0.2** - Expeditor configuration
+
+<!-- generated by git-cliff -->

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Code of Conduct
+
+This project adopts the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as our code of conduct.
+
+## Our Pledge
+
+We are committed to making participation in this project a welcoming experience for everyone.
+
+## Enforcement
+
+Instances of unacceptable behavior may be reported to the project team at [saf@mitre.org](mailto:saf@mitre.org).
+
+For the full text of our code of conduct, please see: https://www.contributor-covenant.org/version/2/1/code_of_conduct/

data/CONTRIBUTING.md

@@ -0,0 +1,161 @@
+# Contributing to train-k8s-container
+
+Thank you for your interest in contributing to the train-k8s-container plugin! We welcome contributions from the community.
+
+## Development Workflow
+
+We use a standard GitFlow workflow:
+
+### Quick Setup
+
+```bash
+# Fork and clone
+git clone https://github.com/YOUR_USERNAME/train-k8s-container.git
+cd train-k8s-container
+bundle install
+
+# Run tests
+bundle exec rspec
+```
+
+### Step by Step
+
+1. **Fork** the repository on GitHub
+2. **Clone** your fork locally
+3. **Create a feature branch** from `main`:
+   ```bash
+   git checkout -b feature/your-feature-name
+   ```
+4. **Make your changes** with appropriate tests
+5. **Run the test suite** to ensure everything passes:
+   ```bash
+   bundle install
+   bundle exec rspec
+   bundle exec rake style
+   ```
+6. **Commit your changes** with clear, descriptive messages
+7. **Push** to your fork and **create a Pull Request**
+
+## Code Requirements
+
+All contributions must meet our quality standards before merging.
+
+### Testing
+
+- **All new functionality must include tests**
+- **Tests must pass**: `bundle exec rspec`
+- **Maintain or improve code coverage** (currently 95%+)
+
+### Code Style
+
+- **Follow existing Ruby style conventions**
+- **Run linting**: `bundle exec rake style` or `bundle exec rubocop`
+- **No RuboCop violations**
+
+### Documentation
+
+- **Update README.md** for user-facing changes
+- **Add inline documentation** for new methods
+- **Update DEVELOPMENT.md** for development workflow changes
+
+## Types of Contributions
+
+### Bug Reports
+
+Help us fix problems by providing detailed bug reports.
+
+**Requirements:**
+- Use GitHub Issues with the "bug" label
+- Include steps to reproduce
+- Provide InSpec/Cinc and Ruby version information
+- Include relevant log output with `-l debug`
+
+### Feature Requests
+
+We love new ideas! Please discuss before implementing.
+
+**Process:**
+- Open a GitHub Issue with the "enhancement" label
+- Describe the use case and expected behavior
+- Discuss implementation approach before coding
+
+### Code Contributions
+
+- Bug fixes
+- New features
+- Documentation improvements
+- Test coverage improvements
+
+## Development Setup
+
+See [DEVELOPMENT.md](DEVELOPMENT.md) for detailed local development and testing instructions, including:
+
+- Setting up a kind cluster for integration testing
+- Running unit tests vs integration tests
+- Testing with real Kubernetes pods
+- Debugging tips
+
+## Testing Guidelines
+
+### Unit Tests
+
+- Test all public methods
+- Mock external dependencies (kubectl, kubernetes API)
+- Fast execution (< 30 seconds total)
+
+### Integration Tests
+
+- Test real kubectl connectivity
+- Use kind cluster for testing
+- Document any manual testing requirements
+
+### Running Tests
+
+```bash
+# Unit tests only (fast, no kubectl required)
+bundle exec rspec spec/train-k8s-container
+
+# Integration tests (requires kind cluster)
+bundle exec rspec spec/integration
+
+# All tests
+bundle exec rspec
+
+# With coverage report
+bundle exec rspec
+open coverage/index.html
+```
+
+## Pull Request Process
+
+1. **Update Documentation**: Ensure README and relevant docs are updated
+2. **Test Coverage**: Maintain or improve test coverage percentage
+3. **Security Review**: Run `bundle audit` and check for vulnerabilities
+4. **Code Review**: Address feedback from maintainers
+5. **CI Passing**: All GitHub Actions checks must pass
+6. **Merge**: Maintainers will merge approved PRs
+
+## Release Process
+
+Releases are managed by project maintainers:
+
+1. Version bump in `VERSION` file
+2. Update `CHANGELOG.md`
+3. Create release tag (e.g., `v2.0.0`)
+4. GitHub Actions automatically publishes to RubyGems.org
+
+## Getting Help
+
+- **Questions**: Open a GitHub Discussion or Issue
+- **Real-time help**: Email [saf@mitre.org](mailto:saf@mitre.org)
+- **Security issues**: Email [saf-security@mitre.org](mailto:saf-security@mitre.org)
+
+## Community
+
+- Follow our [Code of Conduct](CODE_OF_CONDUCT.md)
+- Be respectful and collaborative
+- Help others learn and contribute
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the same Apache-2.0 license that covers the project.