Extend nuke_waivers

Signed-off-by: Nick Schwaderer <nschwaderer@chef.io>
Nick Schwaderer 2020-12-04 15:13:12 +00:00 committed by Clinton Wolfe
parent db3e2751d6
commit ac8ee33b63
3 changed files with 34 additions and 1 deletions


@ -169,6 +169,9 @@ module Inspec
option :command_timeout, type: :numeric, default: 3600,
desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
# TODO: Resolve how to access this in Profile.rb
option :nuke_waivers, type: :boolean,
desc: "EXPERIMENTAL: Waived controls are never read into InSpec"
end
def self.help(*args)
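Review bot: The new `nuke_waivers` option has only a one-line `desc` and no `default:`, unlike `command_timeout` just above it, which states its default and failure behaviour in `long_desc`. Since the flag removes controls from a compliance run, I would add `default: false` and a `long_desc` saying that waived controls are dropped before evaluation and so presumably will not appear in the results at all, which is what someone reading a report later needs to know. The `# TODO: Resolve how to access this in Profile.rb` comment also suggests the flag is not yet consulted anywhere, so the help text should say that until it is wired up.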


@ -212,6 +212,36 @@ module Inspec
locked_dependencies.each(&:collect_tests)
# TODO: if --nuke-waivers
ui = Inspec::UI.new
ui.red "*" * 80
ui.red "\n\n"
ui.red "--nuke-waivers is an experimental feature that stops\
waived controls altogether from being read into InSpec. Use with caution."
ui.red "\n\n"
ui.red "*" * 80
## Find the waivers file
collection_source_data_files = @runtime_profile.instance_variable_get(:@src).data_files
waiver_path = collection_source_data_files.keys.grep(/waivers.yml$/).first
## Pull together waiver
if waiver_path
waived_controls = YAML.load(collection_source_data_files[waiver_path]).keys
end
regex_matcher = "(#{waived_controls.join('|')})"
## Purge tests (this could be doone in next block for performance)
purged_tests = {}
tests.each do |key, value|
cleared_tests = value.split("control ").select do |element|
!element&.match?(regex_matcher)
end.join("control ")
purged_tests[key] = cleared_tests
end
tests = purged_tests
# Collect tests
tests.each do |path, content|
next if content.nil? || content.empty?
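Review bot: The purge block runs on every profile load because the `# TODO: if --nuke-waivers` guard is still only a comment, and it can silently drop controls that were never waived. `waived_controls` stays nil when no `waivers.yml` is found, so `.join` raises; an empty waiver hash produces the pattern `()`, which matches every chunk and removes all controls; and the IDs are interpolated unescaped and unanchored, so an ID such as `ssh-1` (constructed example) also removes `ssh-10` and any control whose body merely mentions it. `YAML.load` on the waiver file should be `YAML.safe_load`, and because only `.keys` is read, any per-waiver fields the format may carry (an expiry, for instance) are ignored when deciding what to purge. The enclosing method starts and continues outside this hunk; a tighter version of the lookup and match is sketched below, still to be wrapped in the option check once the TODO is resolved.

```ruby
# … unchanged: banner output, @src data_files lookup …
waiver_path = collection_source_data_files.keys.grep(/waivers\.yml\z/).first

waived_controls = []
if waiver_path
  # safe_load refuses arbitrary object tags; Date is permitted in case waiver entries carry dates.
  parsed = YAML.safe_load(collection_source_data_files[waiver_path], permitted_classes: [Date])
  waived_controls = parsed.keys.map(&:to_s) if parsed.is_a?(Hash)
end

# An empty ID list must purge nothing, not everything.
unless waived_controls.empty?
  escaped_ids = waived_controls.map { |id| Regexp.escape(id) }.join("|")
  # Match only the quoted ID declared at the start of a chunk, not text inside a control body.
  declared_id = /\A["'](?:#{escaped_ids})["']/
  tests = tests.transform_values do |source|
    next source unless source.is_a?(String)

    source.split("control ").reject { |chunk| chunk.match?(declared_id) }.join("control ")
  end
end
# … unchanged: "Collect tests" loop …
```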


@ -117,7 +117,7 @@ describe "waivers" do
describe "with --full-waivers flag" do
# TODO: flag this functionality
it "can execute when control namespace clashes with input" do
it "can execute and not hit failures" do
inspec("exec " + "#{waivers_profiles_path}/purely-broken-controls" + " --waiver-file #{waivers_profiles_path}/purely-broken-controls/files/waivers.yml" + " --no-create-lockfile" + " --no-color")
_(stdout).wont_include("Control Source Code Error")