InSpec:定义依赖项时为 "Cannot load <profile> since it is not listed as a dependency"

Question

在 InSpec 1.9.0 中，我定义了以下具有依赖性的配置文件，包括依赖配置文件中的所有控件。

但是，执行时出现错误，指示配置文件“未列为依赖项”

我错过了什么？

---

• inspec.yml:

  name: my-profile
  version: 0.0.1
  supports:
    - os-family: unix
  depends:
    - name: ssh-baseline
      url: https://github.com/dev-sec/ssh-baseline/archive/master.zip
  

• controls/include_ssh_baseline.rb:

  include_controls 'ssh-baseline'
  

• 命令:

  inspec exec my-profile -t ssh://<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="691c1a0c1b2901061a1d470d0604080007" rel="noreferrer noopener nofollow">[email protected]</a>
  

• 执行配置文件的结果:

  Cannot load ssh-baseline since it is not listed as a dependency
  of my-profile.

  Dependencies available from this context are:
   
   

  (两个空行)

我没有看到语法错误。这几乎是 InSpec Profiles 中的复制粘贴示例页。

以下依赖项定义(git 而不是 url)也会导致与上面相同的错误消息:

depends:
  - name: ssh-baseline
    git: https://github.com/dev-sec/ssh-baseline.git

Answer 1

inspec.lock 文件在第一次配置文件执行时创建，并包含对依赖项的引用。如果您逐步构建配置文件，您最终可能会得到一个不包含依赖项的 inspec.yml 文件(从第一次运行开始):

---
lockfile_version: 1
depends: []

如果您希望反射(reflect)对 inspec.yml 的更改，则需要删除该文件，或者在配置文件目录中运行以下命令:

inspec vendor --overwrite

---

参见Vendoring dependencies (它没有提到 --overwrite，但如果它不存在，它会立即抛出错误):

When you execute a local profile, the inspec.yml file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an inspec.lock file. If you add or update dependencies in inspec.yml, please refresh the lock file by either:

• running inspec vendor inside the profile directory; or
• deleting inspec.lock before running inspec exec