Extend nuke_waivers

Signed-off-by: Nick Schwaderer <nschwaderer@chef.io>
2024-11-14 00:47:10 +00:00 · 2020-12-04 15:13:12 +00:00 · 2020-12-04 15:13:12 +00:00 · ac8ee33b63
commit ac8ee33b63
parent db3e2751d6
3 changed files with 34 additions and 1 deletions
--- a/lib/inspec/base_cli.rb
+++ b/lib/inspec/base_cli.rb
@ -169,6 +169,9 @@ module Inspec
      option :command_timeout, type: :numeric, default: 3600,
        desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
        long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
+      # TODO: Resolve how to access this in Profile.rb
+      option :nuke_waivers, type: :boolean,
+        desc: "EXPERIMENTAL: Waived controls are never read into InSpec"
    end

    def self.help(*args)
--- a/lib/inspec/profile.rb
+++ b/lib/inspec/profile.rb
@ -212,6 +212,36 @@ module Inspec

        locked_dependencies.each(&:collect_tests)

+        # TODO: if --nuke-waivers
+        ui = Inspec::UI.new
+        ui.red "*" * 80
+        ui.red "\n\n"
+        ui.red "--nuke-waivers is an experimental feature that stops\
+ waived controls altogether from being read into InSpec. Use with caution."
+        ui.red "\n\n"
+        ui.red "*" * 80
+
+        ## Find the waivers file
+        collection_source_data_files = @runtime_profile.instance_variable_get(:@src).data_files
+        waiver_path = collection_source_data_files.keys.grep(/waivers.yml$/).first
+
+        ## Pull together waiver
+        if waiver_path
+          waived_controls = YAML.load(collection_source_data_files[waiver_path]).keys
+        end
+        regex_matcher = "(#{waived_controls.join('|')})"
+
+        ## Purge tests (this could be doone in next block for performance)
+        purged_tests = {}
+        tests.each do |key, value|
+          cleared_tests = value.split("control ").select do |element|
+            !element&.match?(regex_matcher)
+          end.join("control ")
+          purged_tests[key] = cleared_tests
+        end
+        tests = purged_tests
+
+        # Collect tests
        tests.each do |path, content|
          next if content.nil? || content.empty?

--- a/test/functional/waivers_test.rb
+++ b/test/functional/waivers_test.rb
@ -117,7 +117,7 @@ describe "waivers" do

  describe "with --full-waivers flag" do
    # TODO: flag this functionality
-    it "can execute when control namespace clashes with input" do
+    it "can execute and not hit failures" do
      inspec("exec " + "#{waivers_profiles_path}/purely-broken-controls" + " --waiver-file #{waivers_profiles_path}/purely-broken-controls/files/waivers.yml" + " --no-create-lockfile" + " --no-color")

      _(stdout).wont_include("Control Source Code Error")