train-k8s-container-mitre 2.0.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3fb5eed626b5b0237f0b191baf0a6d9044c41c768a1fcf144e28163bb53e489
-  data.tar.gz: 33208b23e20238d127a60db0e7165a6a4aa405a31b59ed66a80472d467755647
+  metadata.gz: af608609f892f66f0f7210823ce896919a01be49eacf9181be6b5ec451ad6e7f
+  data.tar.gz: 81f951dba94aca48878c00208baaada55af3e2f4b7fc614d48f23c85dc47cd84
 SHA512:
-  metadata.gz: b5bd3221b2ca510b600c75994a777fa37eccec5fc4b208f0f1f03bac2f6f849a3bfcef4bef4d4c5fdc9d8abc35927430772cea1b64f20d848fc81f90944251be
-  data.tar.gz: 9b1c7f1b4b4f96f87ab6eeeaad58f5f22a70476c3c659b5dae02f4b6b6e210ed67cef01809674c91d4b76c8e81593b66bdd2cd6607eba5015aec8ae4645dcb57
+  metadata.gz: 85ca8fb769a50ea96f91276822e171cbfdf2b43cc7debcbf4c2a5699953a6ec024535b50c0d7a9cd94f8511dd167e8168f7262fb23fb3a2f6f4811abfff7b8e5
+  data.tar.gz: d71d192ea3808b3879d78b44a3e292c516d8e70298ce012c97567605d8e059dbfb64948ee17d1d05da7e30885ac5115ee6d88e8ebdd6b85bed83eef1b80ec976

data/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "2.0.1"
+}

data/CHANGELOG.md

@@ -5,154 +5,142 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [2.0.0] - 2025-12-05
 
 ### Added
 
-- **ci**: Real STIG profile execution (canonical-ubuntu-22.04-lts-stig-baseline)
-- **ci**: Same-pod container-to-container scanning test
-- **ci**: Pod-to-pod scanning with cinc-scanner Docker image
+- Migrate to Train plugin v2 with multi-platform support and security improvements ([#1](https://github.com/mitre/train-k8s-container/issues/1))
+- Migrate to Train plugin v2 with multi-platform support and security improvements
+- Fix platform detection using Detect + Context pattern
+- **ci**: Add real STIG profile and same-pod container-to-container tests
 
 ### Documentation
 
-- MITRE standards documentation (LICENSE.md, NOTICE.md, CODE_OF_CONDUCT.md)
-- CONTRIBUTING.md with development workflow
-- DEVELOPMENT.md with local testing guide (kind cluster setup)
-- README.md rewrite with MITRE branding and comprehensive usage docs
-- SECURITY.md with MITRE SAF contact info
+- Add MITRE standards documentation and release workflow
+- Update CHANGELOG.md with git-cliff format
+- Rewrite CHANGELOG with accurate v2.0.0 content
 
 ### Fixed
 
-- **ci**: Use pre-built cinc-scanner:local image for same-pod testing
-- **platform**: Detect+Context pattern for accurate OS detection
+- **ci**: Fix distroless test, Dockerfile, and shellcheck warnings
+- **ci**: Fix kubectl cp glob pattern for same-pod test
+- **ci**: Use pre-built cinc-scanner:local for same-pod testing
+- Remove gemspec warnings for RubyGems publishing
 
 ### Miscellaneous Tasks
 
-- Switch from InSpec to Cinc Auditor (open source, license-free)
-- Add git-cliff configuration for automated changelog generation
-- Add release-tag.yml workflow for RubyGems publication
+- Switch from InSpec to Cinc Auditor (license-free)
+- Add git-cliff configuration for changelog generation
+- Add git-cliff to release workflow for automated changelog
+- Use official git-cliff-action for changelog generation
+- Rename gem to train-k8s-container-mitre for RubyGems publishing
 
-## [2.0.0] - 2025-10-04
+### Refactor
 
-### Breaking Changes
+- DRY improvements, CI enhancements, and distroless support
 
-- **BREAKING**: Namespace changed from `Train::K8s::Container` to `TrainPlugins::K8sContainer` (Train v2 standard)
-- **BREAKING**: File structure changed from `lib/train/k8s/container/*` to `lib/train-k8s-container/*`
-- Ruby requirement: >= 3.1
+### Testing
 
-### Added
+- **integration**: Update platform tests for Detect+Context pattern
 
-- **Platform Detection**: Detect+Context pattern using `Train::Platforms::Detect.scan(self)`
-  - Returns actual OS (ubuntu, alpine, centos) so InSpec resources work correctly
-  - Adds `kubernetes` and `container` families for transport awareness
-  - Fallback platform for distroless/minimal containers
-- **Shell Detection**: Tiered detection with automatic fallback
-  - Unix: bash → sh → ash → zsh
-  - Windows: cmd.exe → powershell.exe → pwsh.exe (scaffolded, not tested)
-  - Linux family detection from /etc/os-release
-- **Security Hardening**:
-  - ANSI escape sequence sanitization (CVE-2021-25743 mitigation)
-  - Command injection prevention with Shellwords.escape
-  - RFC 1123 validation for pod/container names
-- **Error Handling**:
-  - Custom error classes (ConnectionError, CommandError, ValidationError)
-  - Retry logic with exponential backoff for transient failures
-- **CI/CD Pipeline**:
-  - GitHub Actions with kind cluster integration tests
-  - Multi-version Ruby (3.1, 3.2, 3.3) and Kubernetes (1.29, 1.30, 1.31) matrix
-  - Security scanning (TruffleHog, bundler-audit, SBOM generation)
-  - Pod-to-pod testing with InSpec running inside cluster
-- **Code Quality**:
-  - Cookstyle linting (replaced deprecated chefstyle)
-  - 95%+ test coverage with SimpleCov
-  - Unit tests (mocked) and integration tests (real kubectl)
-
-### Changed
-
-- Transport: Proper Train v2 plugin API implementation
-- Connection: Lazy initialization of kubectl client
-- Platform: Uses Train's built-in detection instead of force_platform!
+## [1.3.1] - 2024-03-05
 
 ### Fixed
 
-- Shell detection command escaping
-- Platform detection accuracy (returns real OS, not generic k8s-container)
-- Thread safety in session management
+- Fix run command to be run with Bourne shell to execute commands
 
-### Security
+This is to make sure we are able to run all OS resource commands
 
-- ANSI injection prevention (sanitizes terminal escape sequences)
-- Command escaping with Shellwords
-- Input validation for Kubernetes resource names
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
-### Components
-
-| File | Purpose |
-|------|---------|
-| `transport.rb` | Train v2 plugin registration |
-| `connection.rb` | URI parsing, connection management |
-| `kubectl_exec_client.rb` | kubectl command execution |
-| `platform.rb` | Detect+Context platform detection |
-| `shell_detector.rb` | Shell availability detection |
-| `ansi_sanitizer.rb` | CVE-2021-25743 mitigation |
-| `kubernetes_name_validator.rb` | RFC 1123 validation |
-| `retry_handler.rb` | Exponential backoff retry logic |
-
-## [1.3.1] - 2024-03-05
+## [1.3.0] - 2024-01-31
 
-### Fixed
+### Testing
 
-- Fix run command to use Bourne shell for OS resource commands ([#21](https://github.com/inspec/train-k8s-container/pull/21))
+- Test file connections
 
-## [1.3.0] - 2024-01-31
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
-### Added
+## [1.2.1] - 2024-01-18
 
-- Add support for file connections ([#19](https://github.com/inspec/train-k8s-container/pull/19))
+## [1.2.0] - 2024-01-16
 
-## [1.2.1] - 2024-01-18
+## [1.1.2] - 2024-01-16
 
 ### Fixed
 
-- Fix for undefined method presence ([#17](https://github.com/inspec/train-k8s-container/pull/17))
-
-## [1.2.0] - 2024-01-16
+- Fix connection spec
 
-### Changed
+Signed-off-by: Sathish Babu <sbabu@progress.com>
+- Fix specs to use mocks over real connections
 
-- Update README and InSpec compatibility ([#15](https://github.com/inspec/train-k8s-container/pull/15))
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
-## [1.1.2] - 2024-01-16
+## [1.1.1] - 2024-01-15
 
 ### Fixed
 
-- Connection to container improvements ([#14](https://github.com/inspec/train-k8s-container/pull/14))
+- Fix typo with spec
 
-## [1.1.1] - 2024-01-15
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
 ### Testing
 
-- Specs for transporter ([#13](https://github.com/inspec/train-k8s-container/pull/13))
+- Test connection
+
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
 ## [1.1.0] - 2024-01-11
 
-### Added
+### Testing
+
+- Test kubectl exec client
 
-- kubectl exec client implementation ([#10](https://github.com/inspec/train-k8s-container/pull/10))
+Signed-off-by: Sathish Babu <sbabu@progress.com>
+- Test connection and platform
+
+Signed-off-by: Sathish Babu <sbabu@progress.com>
 
 ## [1.0.0] - 2024-01-11
 
-### Added
+## [0.0.7] - 2024-01-11
+
+## [0.0.6] - 2024-01-09
+
+## [0.0.5] - 2024-01-02
+
+## [0.0.4] - 2023-11-20
+
+## [0.0.3] - 2023-11-15
+
+### DELETE
+
+- Remove files not required for the library
+
+### ENHANCE
+
+- Minor improvement with gemspec and rakefile
+
+### GEM
+
+- Initialize repo with bundle gem train-k8s-container
+
+### Miscellaneous Tasks
+
+- Add doc dir with a sample readme
+
+## [0.0.2] - 2023-11-15
+
+### CONFIG
 
-- Initial transporter for k8s container ([#9](https://github.com/inspec/train-k8s-container/pull/9))
+- Add basic expeditor config
+- Add basic verify pipeline
+- Add subscriptions to expeditor config
+- Add basic coverage pipeline template
+- Add configurations for sonarscanner in verify and update coverage pipeline
 
-## Pre-1.0 Releases
+### DOC
 
-- **0.0.7** - Pipeline updates
-- **0.0.6** - Version bumper
-- **0.0.5** - Apache v2.0 license
-- **0.0.4** - SonarQube integration
-- **0.0.3** - Initial repo setup
-- **0.0.2** - Expeditor configuration
+- Add empty changelog required for expeditor
 
 <!-- generated by git-cliff -->

data/VERSION

@@ -1 +1 @@
-2.0.0
+2.0.1

data/lib/train-k8s-container-mitre.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# Shim file for gem name compatibility
+# The gem is named 'train-k8s-container-mitre' for RubyGems publishing,
+# but the internal library structure uses 'train-k8s-container'.
+# This allows `require 'train-k8s-container-mitre'` to work when
+# InSpec/Cinc loads the plugin by gem name.
+
+require_relative 'train-k8s-container'

data/release-please-config.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "release-type": "ruby",
+  "packages": {
+    ".": {
+      "package-name": "train-k8s-container-mitre",
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true,
+      "extra-files": [
+        "VERSION"
+      ],
+      "version-file": "lib/train-k8s-container/version.rb"
+    }
+  },
+  "changelog-sections": [
+    {"type": "feat", "section": "Features"},
+    {"type": "fix", "section": "Bug Fixes"},
+    {"type": "perf", "section": "Performance Improvements"},
+    {"type": "revert", "section": "Reverts"},
+    {"type": "docs", "section": "Documentation"},
+    {"type": "style", "section": "Styles"},
+    {"type": "chore", "section": "Miscellaneous Chores"},
+    {"type": "refactor", "section": "Code Refactoring"},
+    {"type": "test", "section": "Tests"},
+    {"type": "build", "section": "Build System"},
+    {"type": "ci", "section": "Continuous Integration"}
+  ]
+}

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: train-k8s-container-mitre
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - MITRE SAF Team
+autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -45,6 +46,7 @@ files:
 - ".expeditor/coverage.pipeline.yml"
 - ".expeditor/update_version.sh"
 - ".expeditor/verify.pipeline.yml"
+- ".release-please-manifest.json"
 - ".rspec"
 - ".rubocop.yml"
 - CHANGELOG.md
@@ -58,8 +60,8 @@ files:
 - Rakefile
 - SECURITY.md
 - VERSION
-- cliff.toml
 - docs/README.md
+- lib/train-k8s-container-mitre.rb
 - lib/train-k8s-container.rb
 - lib/train-k8s-container/ansi_sanitizer.rb
 - lib/train-k8s-container/connection.rb
@@ -75,6 +77,7 @@ files:
 - lib/train-k8s-container/shell_detector.rb
 - lib/train-k8s-container/transport.rb
 - lib/train-k8s-container/version.rb
+- release-please-config.json
 - sonar-project.properties
 - train-k8s-container.gemspec
 homepage: https://github.com/mitre/train-k8s-container
@@ -86,6 +89,7 @@ metadata:
   changelog_uri: https://github.com/mitre/train-k8s-container/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/mitre/train-k8s-container/issues
   documentation_uri: https://github.com/mitre/train-k8s-container#readme
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -100,7 +104,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Train transport plugin for scanning Kubernetes containers with InSpec/Cinc
   Auditor.

data/cliff.toml

@@ -1,80 +0,0 @@
-# git-cliff configuration for train-k8s-container
-# See: https://git-cliff.org/docs/configuration
-
-[changelog]
-# changelog header
-header = """
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-"""
-# template for the changelog body
-body = """
-{% if version %}\
-    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
-{% else %}\
-    ## [Unreleased]
-{% endif %}\
-{% for group, commits in commits | group_by(attribute="group") %}
-    ### {{ group | striptags | trim | upper_first }}
-    {% for commit in commits %}
-        - {% if commit.scope %}**{{ commit.scope }}**: {% endif %}{{ commit.message | upper_first }}\
-    {% endfor %}
-{% endfor %}\n
-"""
-# remove the leading and trailing whitespace from the template
-trim = true
-# changelog footer
-footer = """
-<!-- generated by git-cliff -->
-"""
-
-[git]
-# parse the commits based on https://www.conventionalcommits.org
-conventional_commits = true
-# filter out the commits that are not conventional
-filter_unconventional = false
-# process each line of a commit as an individual commit
-split_commits = false
-# regex for preprocessing the commit messages
-commit_preprocessors = [
-    # Extract issue numbers from commit messages
-    { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](https://github.com/mitre/train-k8s-container/issues/${2}))"},
-]
-# regex for parsing and grouping commits
-commit_parsers = [
-    { message = "^feat", group = "Added" },
-    { message = "^fix", group = "Fixed" },
-    { message = "^doc", group = "Documentation" },
-    { message = "^perf", group = "Performance" },
-    { message = "^refactor", group = "Refactor" },
-    { message = "^style", group = "Styling" },
-    { message = "^test", group = "Testing" },
-    { message = "^chore\\(release\\): prepare for", skip = true },
-    { message = "^chore\\(deps\\)", skip = true },
-    { message = "^chore\\(pr\\)", skip = true },
-    { message = "^chore\\(pull\\)", skip = true },
-    { message = "^chore|^ci", group = "Miscellaneous Tasks" },
-    { body = ".*security", group = "Security" },
-    { message = "^revert", group = "Revert" },
-]
-# protect breaking changes from being skipped due to matching a skipping commit_parser
-protect_breaking_commits = false
-# filter out the commits that are not matched by commit parsers
-filter_commits = false
-# glob pattern for matching git tags
-tag_pattern = "v[0-9]*"
-# regex for skipping tags
-skip_tags = ""
-# regex for ignoring tags
-ignore_tags = ""
-# sort the tags topologically
-topo_order = false
-# sort the commits inside sections by oldest/newest order
-sort_commits = "oldest"
-# limit the number of commits included in the changelog.
-# limit_commits = 42