Extend nuke_waivers
Signed-off-by: Nick Schwaderer <nschwaderer@chef.io>
This commit is contained in:
parent
db3e2751d6
commit
ac8ee33b63
3 changed files with 34 additions and 1 deletions
|
@ -169,6 +169,9 @@ module Inspec
|
|||
option :command_timeout, type: :numeric, default: 3600,
|
||||
desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
|
||||
long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
|
||||
# TODO: Resolve how to access this in Profile.rb
|
||||
option :nuke_waivers, type: :boolean,
|
||||
desc: "EXPERIMENTAL: Waived controls are never read into InSpec"
|
||||
end
|
||||
|
||||
def self.help(*args)
|
||||
|
|
|
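Review bot: `option :nuke_waivers` is added together with a `# TODO: Resolve how to access this in Profile.rb`, i.e. the flag is parsed but nothing in this hunk consumes it, while the purge logic in the other hunk of this commit runs unconditionally; a flag that is accepted yet not actually gating the behaviour is a confusing surface for users, so either wire it through before merging or state the current limitation in the option text. Unlike `:command_timeout` just above, the new option has no `long_desc`; a `long_desc` such as `"EXPERIMENTAL: controls listed in the profile's waivers file are dropped before tests are collected, so they produce no results at all. Use with caution."` would also make the difference from ordinary `--waiver-file` behaviour explicit. The enclosing `module Inspec` block starts outside the hunk and `def self.help(*args)` continues past it.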
@ -212,6 +212,36 @@ module Inspec
|
|||
|
||||
locked_dependencies.each(&:collect_tests)
|
||||
|
||||
# TODO: if --nuke-waivers
|
||||
ui = Inspec::UI.new
|
||||
ui.red "*" * 80
|
||||
ui.red "\n\n"
|
||||
ui.red "--nuke-waivers is an experimental feature that stops\
|
||||
waived controls altogether from being read into InSpec. Use with caution."
|
||||
ui.red "\n\n"
|
||||
ui.red "*" * 80
|
||||
|
||||
## Find the waivers file
|
||||
collection_source_data_files = @runtime_profile.instance_variable_get(:@src).data_files
|
||||
waiver_path = collection_source_data_files.keys.grep(/waivers.yml$/).first
|
||||
|
||||
## Pull together waiver
|
||||
if waiver_path
|
||||
waived_controls = YAML.load(collection_source_data_files[waiver_path]).keys
|
||||
end
|
||||
regex_matcher = "(#{waived_controls.join('|')})"
|
||||
|
||||
## Purge tests (this could be doone in next block for performance)
|
||||
purged_tests = {}
|
||||
tests.each do |key, value|
|
||||
cleared_tests = value.split("control ").select do |element|
|
||||
!element&.match?(regex_matcher)
|
||||
end.join("control ")
|
||||
purged_tests[key] = cleared_tests
|
||||
end
|
||||
tests = purged_tests
|
||||
|
||||
# Collect tests
|
||||
tests.each do |path, content|
|
||||
next if content.nil? || content.empty?
|
||||
|
||||
|
|
|
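Review bot: `waived_controls` is only assigned inside `if waiver_path`, so when no waivers.yml is among the profile's data files it is nil and `waived_controls.join('|')` on the next line raises NoMethodError; and since the `# TODO: if --nuke-waivers` gate is not implemented, this purge (and the red banner) runs for every profile, not only when the flag is given. The waived control IDs are also interpolated unescaped into `regex_matcher`, so an ID containing regex metacharacters breaks or alters the pattern and a waived `ssh-1` also purges `ssh-10`, `ssh-11`, ...; build the pattern with `Regexp.union` and anchor it on the `control` declaration of each chunk instead of a substring match. `YAML.load` on a data file that can come from a remotely fetched profile should be `YAML.safe_load` (on older Psych versions `YAML.load` permits arbitrary object instantiation), and `value.split` fails on a nil entry, which the `next if content.nil? || content.empty?` check further down suggests can occur. The enclosing method starts and ends outside the hunk.
```ruby
      locked_dependencies.each(&:collect_tests)

      # TODO: gate everything below (and the banner) on the --nuke-waivers option
      # … unchanged: experimental-feature banner …

      ## Find the waivers file
      collection_source_data_files = @runtime_profile.instance_variable_get(:@src).data_files
      waiver_path = collection_source_data_files.keys.grep(/waivers\.yml\z/).first

      ## Pull together waiver
      waived_controls = []
      if waiver_path
        # safe_load: the data file may originate from a remote profile; no object instantiation
        waived_controls = YAML.safe_load(collection_source_data_files[waiver_path]).keys.map(&:to_s)
      end

      ## Purge tests: escape IDs and anchor on the declaration so "ssh-1" does not purge "ssh-10"
      unless waived_controls.empty?
        waived_matcher = /\Acontrol\s+["'](?:#{Regexp.union(waived_controls)})["']/
        tests = tests.transform_values do |content|
          next content if content.nil? || content.empty?

          content.split(/(?=^control\s)/).reject { |chunk| chunk.match?(waived_matcher) }.join
        end
      end

      # … unchanged: Collect tests loop …
```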
@ -117,7 +117,7 @@ describe "waivers" do
|
|||
|
||||
describe "with --full-waivers flag" do
|
||||
# TODO: flag this functionality
|
||||
it "can execute when control namespace clashes with input" do
|
||||
it "can execute and not hit failures" do
|
||||
inspec("exec " + "#{waivers_profiles_path}/purely-broken-controls" + " --waiver-file #{waivers_profiles_path}/purely-broken-controls/files/waivers.yml" + " --no-create-lockfile" + " --no-color")
|
||||
|
||||
_(stdout).wont_include("Control Source Code Error")
|
||||
|
|
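Review bot: The new `# TODO: flag this functionality` is the only trace of `--nuke-waivers` in this test file; the single `inspec("exec ...")` invocation still passes only `--waiver-file`, so the purge added in this commit has no test that exercises it, and a regression (for example the nil `waived_controls` path when no waivers.yml is present) would go unnoticed. Since the `describe "with --full-waivers flag"` block already targets the `purely-broken-controls` profile, a second `it` that runs the same profile with `--nuke-waivers` and asserts the waived control ids are absent from stdout would cover the new behaviour; I would also keep the `it` description tied to what is asserted rather than the generic "and not hit failures". The `describe "waivers"` block starts outside the hunk.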