Chef Blogs

Understanding and Rectifying Imperfect Waiver Files

Sarthak Vasal | Posted on | Chef Infra | Chef InSpec

What is a Waiver File?

Waivers enable users to justify exceptions to specific controls where compliance is not met. The YAML-based waiver file comprises code blocks that specify the control to be exempted and the rationale behind granting the exemption.

Optionally, an end date can be configured within the waiver, providing a means to track when a control is expected to be remediated. In cases where a control is deemed irrelevant, leaving the end date blank makes the waiver permanent. This system provides accountability and transparency in managing compliance exceptions.

A waiver file identifies:

  • Which controls are waived
  • Why is it waived with a description
  • Whether they should be skipped from running (optional)
  • What the end date is for the waiver (optional)

Example, in YAML:

Malformed Waiver Files

A malformed waiver is a waiver file within a compliance management system that deviates from the expected and correct format. Such waivers typically have errors in syntax, structure or content, preventing proper interpretation and execution by the system or tools responsible for compliance monitoring. Progress Chef InSpec now exits and displays an error if it detects the waiver file being malformed or corrupted. As opposed to earlier where the system would immediately recognize the waiver file as flawed yet continue to execute the entire profile, which might take hours, before ultimately delivering unusable results.

Let’s look at a few cases of malformed waiver files and how Chef InSpec reacts to it.

Case 1:

Upon executing a waiver file with malformed data, for example:

Missing colon in line 5, will throw an error saying “could not find expected ‘:’” and exit:

Case 2:

Upon executing an invalid file, for example a file with just a string:

It throws a parsing error as follows:

Case 3:

In case of a missing required parameter, in this case, “justification,” which is a required parameter has been misspelled:

Also, if there exist random unwanted parameters:

This scenario will throw errors for the missing required parameters and warnings for the unwanted ones:

Now that we understand the problem, what’s the solution?

Cookstyle

Because even the most seasoned chefs sometimes need a recipe for fixing those “Oops, I burned the code!” moments.

Cookstyle is a code linting tool designed to enhance the quality of your Progress Chef Infra and Chef InSpec audit cookbooks. It identifies and automatically rectifies issues related to style, syntax and logic errors, aiding you in producing more polished and error-free code.

Catch common cookbook coding mistakes, cleanup portions of code that are no longer necessary and detect deprecations that prevent cookbooks from running on the latest releases of Chef Infra or Chef InSpec Client, all by a single command.

Cookstyle is run from the command line, typically against a single cookbook and the Ruby files contained within it:

cookstyle /path/to/cookbook

Cookstyle may also be run from the root of an individual cookbook directory: cookstyle .

This will give you an output with the following data:

  • The number of files found and examined. For example: Inspecting 8 files
  • The results of those files as a series of symbols. For example: CWCWCCCC
  • For each symbol, the file name, line number, character number, type of issue or error, description of the issue or error and the location in the source code at which the issue or error is located

Every symbol corresponds to a specific type of issue:

Most of the Cookstyle warnings, can be easily fixed using the autocorrect Cookstyle command. From the cases mentioned previously in this blog, case 1 and 3 can be rectified automatically by running the command:

cookstyle -a

In conclusion, verifying the integrity of waiver files is crucial for the integrity of waiver files is crucial for supporting transparency and accountability in compliance management systems. Malformed waiver files, characterized by syntax, structure or content errors, can lead to issues in interpretation and execution by compliance monitoring tools.

The enhanced functionality of Chef InSpec promptly detects and exits upon encountering malformed waiver files, preventing the execution of flawed profiles.

To rectify these issues, the usage of Cookstyle, a powerful code linting tool designed for Chef Infra and Chef InSpec audit cookbooks is the recommended practice. Cookstyle not only identifies issues related to style, syntax and logic errors but also provides an automated means to rectify them. By running Cookstyle on the command line, users can catch common coding mistakes, clean up unnecessary code portions and detect deprecations, ultimately producing more polished and error-free code.

So, the next time you are about to push your cookbooks, ask yourself: Did you “Cookstyle” your code? Because pushing untested code is like jumping into the ocean without checking for sharks.

Learn More

  • Waivers - A technical blog on executing waiver files on Chef platforms
  • Cookstyle - The official documentation for cookstyle and how to use it