Merge branch 'master' of https://github.com/inspec/inspec into auditd_conf_readers

.expeditor/release.omnibus.yml

@@ -25,7 +25,7 @@ builder-to-testers-map:
   mac_os_x-10.14-x86_64:
     - mac_os_x-10.14-x86_64
     - mac_os_x-10.15-x86_64
-    - mac_os_x-11.0-x86_64
+    - mac_os_x-11-x86_64
   sles-12-x86_64:
     - sles-12-x86_64
     - sles-15-x86_64

CHANGELOG.md

@@ -1,16 +1,26 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 4.26.14 -->
-## [v4.26.14](https://github.com/inspec/inspec/tree/v4.26.14) (2021-02-26)
+<!-- latest_release 4.27.1 -->
+## [v4.27.1](https://github.com/inspec/inspec/tree/v4.27.1) (2021-03-10)
 
-#### Bug Fixes
-- Don&#39;t pass -u on AIX in crontab command [#5418](https://github.com/inspec/inspec/pull/5418) ([clintoncwolfe](https://github.com/clintoncwolfe))
+#### Merged Pull Requests
+- Update README to add note about Ruby 2.5 support [#5424](https://github.com/inspec/inspec/pull/5424) ([clintoncwolfe](https://github.com/clintoncwolfe))
 <!-- latest_release -->
 
 <!-- release_rollup since=4.26.13 -->
 ### Changes since 4.26.13 release
 
+#### Enhancements
+- Fixes #5373 : Add option to filter empty profiles from report [#5425](https://github.com/inspec/inspec/pull/5425) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.27.0 -->
+
+#### Merged Pull Requests
+- Update README to add note about Ruby 2.5 support [#5424](https://github.com/inspec/inspec/pull/5424) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.27.1 -->
+- Clarify include matcher docs on crontab resource [#5419](https://github.com/inspec/inspec/pull/5419) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.26.17 -->
+- Fix backtrace occurs when using `cmp` to compare nil to an expectation [#5427](https://github.com/inspec/inspec/pull/5427) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.26.16 -->
+- Remove .0 from macos builder name [#5413](https://github.com/inspec/inspec/pull/5413) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.26.15 -->
+
 #### Bug Fixes
+- Add git to Docker build [#5420](https://github.com/inspec/inspec/pull/5420) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.26.15 -->
 - Don&#39;t pass -u on AIX in crontab command [#5418](https://github.com/inspec/inspec/pull/5418) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.26.14 -->
 <!-- release_rollup -->
 

Dockerfile

@@ -26,6 +26,9 @@ RUN apt-get update && \
     rpm2cpio /tmp/inspec.rpm | cpio -idmv && \
     rm -rf /tmp/inspec.rpm
 
+# Install any packages that make life easier for an InSpec installation
+RUN apt-get install -y git
+
 ENTRYPOINT ["inspec"]
 CMD ["help"]
 VOLUME ["/share"]

README.md

@@ -55,7 +55,12 @@ inspec exec test.rb -t docker://container_id
 
 ## Installation
 
-Chef InSpec requires Ruby ( >= 2.5 ).
+Chef InSpec requires Ruby ( >= 2.6 ). Ruby 2.5 support is limited and requires Bundler with an entry in the Gemfile:
+
+```
+  # 16.7.23 required ruby 2.6+
+  gem "chef-utils", "< 16.7.23"
+```
 
 Note: Versions of Chef InSpec 4.0 and later require accepting the EULA to use. Please visit the [license acceptance page](https://docs.chef.io/chef_license_accept.html) on the Chef docs site for more information.
 

VERSION

@@ -1 +1 @@
-4.26.14
+4.27.1

docs-chef-io/content/inspec/cli.md

@@ -146,7 +146,7 @@ This subcommand has additional options:
     Specify which transport to use, defaults to negotiate (WinRM).
 * ``--winrm-shell-type=WINRM_SHELL_TYPE``
     Specify which shell type to use (powershell,elevated or cmd), defaults to powershell (WinRM).
-    
+
 ## env
 
 Output shell-appropriate completion configuration
@@ -332,6 +332,8 @@ This subcommand has additional options:
     Whether to use disable sspi authentication, defaults to false (WinRM).
 * ``--winrm-transport=WINRM_TRANSPORT``
     Specify which transport to use, defaults to negotiate (WinRM).
+* ``--filter-empty-profiles``, ``--no-filter-empty-profiles``
+    Filter empty profiles (profiles without controls) from the report.
 
 ## help
 

docs-chef-io/content/inspec/resources/crontab.md

@@ -25,12 +25,18 @@ This resource first became available in v1.15.0 of InSpec.
 
 ## Syntax
 
-A `crontab` resource block declares a user (which defaults to the current user, if not specified), and then the details to be tested, such as the schedule elements for each crontab entry or the commands itself:
+A `crontab` resource block declares a user (which defaults to the current user) and the details to be tested, such as the schedule elements for each crontab entry or the exact commands themselves:
 
     describe crontab do
       its('commands') { should include '/some/scheduled/task.sh' }
     end
 
+{{< note >}}
+
+The `include` matcher in this context specifies the entire list of commands that the crontab should include and not a particular substring that should be included by a command. The `include` matcher always matches a complete command invocation, including options and arguments.
+
+{{< /note >}}
+
 The path to the system crontab can also be supplied via:
 
     describe crontab(path: '/etc/cron.d/some_crontab') do
@@ -46,7 +52,7 @@ The following examples show how to use this Chef InSpec audit resource.
 ### Test that root's crontab has a particular command
 
     describe crontab('root') do
-      its('commands') { should include '/path/to/some/script' }
+      its('commands') { should include '/path/to/some/script -option arg' }
     end
 
 ### Test that myuser's crontab entry for command '/home/myuser/build.sh' runs every minute

inspec-bin/lib/inspec-bin/version.rb

@@ -1,5 +1,5 @@
 # This file managed by automation - do not edit manually
 module InspecBin
   INSPECBIN_ROOT = File.expand_path("..", __dir__)
-  VERSION = "4.26.14".freeze
+  VERSION = "4.27.1".freeze
 end

lib/inspec/base_cli.rb

@@ -164,6 +164,8 @@ module Inspec
         desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
       option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
+      option :filter_empty_profiles, type: :boolean, default: false,
+        desc: "Filter empty profiles (profiles without controls) from the report."
     end
 
     def self.help(*args)

lib/inspec/utils/run_data_filters.rb

@@ -13,6 +13,7 @@ module Inspec
       def apply_run_data_filters_to_hash
         @config[:runtime_config] = Inspec::Config.cached || {}
         apply_report_resize_options
+        filter_empty_profiles
         redact_sensitive_inputs
         suppress_diff_output
         sort_controls
@@ -36,6 +37,14 @@ module Inspec
         end
       end
 
+      # Filters profiles from report which don't have controls in it.
+      def filter_empty_profiles
+        runtime_config = @config[:runtime_config]
+        if runtime_config[:filter_empty_profiles] && @run_data[:profiles].count > 1
+          @run_data[:profiles].delete_if { |p| p[:controls].empty? }
+        end
+      end
+
       # Find any inputs with :sensitive = true and replace their values with "***"
       def redact_sensitive_inputs
         @run_data[:profiles]&.each do |p|

lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.26.14".freeze
+  VERSION = "4.27.1".freeze
 end

lib/matchers/matchers.rb

@@ -287,7 +287,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def format_actual(actual)
-    actual = "0%o" % actual if octal?(@expected)
+    actual = "0%o" % actual if octal?(@expected) && !actual.nil?
     "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
   end
 

test/fixtures/profiles/dependencies/resource-pack/inspec.yml

@@ -0,0 +1,10 @@
+name: resource-pack
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+  platform: os

test/fixtures/profiles/dependencies/resource-pack/libraries/example_config.rb

@@ -0,0 +1,15 @@
+class ExampleConfig < Inspec.resource(1)
+  name 'example_config'
+
+  desc "Example's resource description ..."
+
+  example "
+    describe example_config do
+      its('version') { should eq('1.0') }
+    end
+  "
+
+  def version
+    "1.0"
+  end
+end

test/fixtures/profiles/dependencies/uses-resource-pack/controls/example.rb

@@ -0,0 +1,18 @@
+# copyright: 2018, The Authors
+
+title "sample section"
+
+# you can also use plain tests
+describe file("/tmp") do
+  it { should be_directory }
+end
+
+# you add controls here
+control "tmp-1.0" do                        # A unique ID for this control
+  impact 0.7                                # The criticality, if this control fails.
+  title "Create /tmp directory"             # A human-readable title
+  desc "An optional description..."
+  describe file("/tmp") do                  # The actual test
+    it { should be_directory }
+  end
+end

test/fixtures/profiles/dependencies/uses-resource-pack/inspec.yml

@@ -0,0 +1,13 @@
+name: uses-resource-pack
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+  platform: os
+depends:
+  - name: resource-pack
+    path: ../resource-pack

test/functional/inspec_exec_json_test.rb

@@ -421,6 +421,28 @@ describe "inspec exec with json formatter" do
     end
   end
 
+  describe "JSON reporter" do
+    describe "with --no-filter-empty-profiles option" do
+      let(:run_result) { run_inspec_process("exec #{profile_path}/dependencies/uses-resource-pack --no-filter-empty-profiles", json: true) }
+      let(:profiles) { @json["profiles"] }
+
+      it "does not filter the empty profiles(profiles without controls)" do
+        _(run_result.stderr).must_be_empty
+        _(profiles.count).must_equal 2
+      end
+    end
+
+    describe "with --filter-empty-profiles option" do
+      let(:run_result) { run_inspec_process("exec #{profile_path}/dependencies/uses-resource-pack --filter-empty-profiles", json: true) }
+      let(:profiles) { @json["profiles"] }
+
+      it "does filter the empty profiles (profiles without controls)" do
+        _(run_result.stderr).must_be_empty
+        _(profiles.count).must_equal 1
+      end
+    end
+  end
+
   describe "JSON reporter using the --sort-results-by option" do
     let(:run_result) { run_inspec_process("exec #{profile_path}/sorted-results/sort-me-1 --sort-results-by #{sort_option}", json: true) }
     let(:control_order) { @json["profiles"][0]["controls"].map { |c| c["id"] }.join("") }

test/unit/matchers/matchers_test.rb

@@ -55,6 +55,7 @@ describe "inspec matchers" do
       assert_cmp "happy", "happy"
       assert_cmp "HAPPY", "happy" # case insensitive
       refute_cmp "happy", "unhappy"
+      refute_cmp "happy", nil
     end
 
     it "String cmp String w/o ==" do
@@ -65,21 +66,25 @@ describe "inspec matchers" do
     it "String cmp String w/ versions " do
       assert_cmp "1.0", "1.0"
       refute_cmp "1.0.0", "1.0"
+      refute_cmp "1.0", nil
     end
 
     it "Regexp cmp String" do
       assert_cmp(/abc/, "xxx abc zzz")
       refute_cmp(/yyy/, "xxx abc zzz")
+      refute_cmp(/yyy/, nil)
     end
 
     it "Regexp cmp Int" do
       assert_cmp(/42/, 42)
       refute_cmp(/yyy/, 42)
+      refute_cmp(/yyy/, nil)
     end
 
     it "String (int) cmp Integer" do
       assert_cmp "42", 42
       refute_cmp "42", 420
+      refute_cmp "42", nil
     end
 
     it "String (bool) cmp Bool" do
@@ -89,45 +94,54 @@ describe "inspec matchers" do
       assert_cmp "false", false
       assert_cmp "FALSE", false
       refute_cmp "false", true
+      refute_cmp "false", nil
     end
 
     it "Int cmp String(int)" do
       assert_cmp 42, "42"
       refute_cmp 420, "42"
+      refute_cmp 420, nil
     end
 
     it "Int cmp String(!int)" do
       refute_cmp 42, :not_int
+      refute_cmp 42, nil
     end
 
     it "Float cmp Float" do
       assert_cmp 3.14159, 3.14159
       refute_cmp 3.14159, 42.0
+      refute_cmp 3.14159, nil
     end
 
     it "Float cmp String(float)" do
       assert_cmp 3.14159, "3.14159"
       refute_cmp 3.14159, "3.1415926"
+      refute_cmp 3.14159, nil
     end
 
     it "Float cmp String(!float)" do
       refute_cmp 3.14159, :not_float
+      refute_cmp 3.14159, nil
     end
 
     it "String cmp Symbol" do
       assert_cmp "abc", :abc
       assert_cmp "abc", :ABC
+      refute_cmp "abc", nil
     end
 
     it "String(oct) cmp Int" do
       assert_cmp "0777", 0777
       refute_cmp "0777", 0777 + 1
       refute_cmp "0999", 0 # bad octal regexp
+      refute_cmp "0777", nil
     end
 
     it "String(!oct) cmp Int" do
       obj = Object.new
       refute_cmp obj, 0x42
+      refute_cmp obj, nil
     end
 
     it "should test XXX" do