Merge branch 'develop' into constraints/issue-1040
wandmagic authored Jan 14, 2025
2 parents 8357cbd + 35fe9a3 commit 4de0faf
Showing 10 changed files with 99 additions and 1 deletion.
6 changes: 6 additions & 0 deletions features/fedramp_extensions.feature
Expand Up @@ -38,6 +38,7 @@ Examples:
| cia-impact-has-selected |
| cloud-service-model |
| component-has-authentication-method |
| component-has-diagram-label |
| component-has-non-provider-responsible-role |
| component-has-provider-responsible-role |
| component-has-used-by-link |
Expand Down Expand Up @@ -125,6 +126,7 @@ Examples:
| inventory-item-allows-authenticated-scan |
| inventory-item-and-component-has-public |
| inventory-item-has-asset-type |
| inventory-item-has-diagram-label |
| inventory-item-has-function |
| inventory-item-has-scan-type |
| inventory-item-has-valid-mac-address |
Expand Down Expand Up @@ -217,6 +219,8 @@ Examples:
| cloud-service-model-PASS.yaml |
| component-has-authentication-method-FAIL.yaml |
| component-has-authentication-method-PASS.yaml |
| component-has-diagram-label-FAIL.yaml |
| component-has-diagram-label-PASS.yaml |
| component-has-non-provider-responsible-role-FAIL.yaml |
| component-has-non-provider-responsible-role-PASS.yaml |
| component-has-used-by-link-FAIL.yaml |
Expand Down Expand Up @@ -391,6 +395,8 @@ Examples:
| inventory-item-and-component-has-public-PASS.yaml |
| inventory-item-has-asset-type-FAIL.yaml |
| inventory-item-has-asset-type-PASS.yaml |
| inventory-item-has-diagram-label-FAIL.yaml |
| inventory-item-has-diagram-label-PASS.yaml |
| inventory-item-has-function-FAIL.yaml |
| inventory-item-has-function-PASS.yaml |
| inventory-item-has-scan-type-FAIL.yaml |
25 changes: 24 additions & 1 deletion src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
Expand Up @@ -1041,6 +1041,7 @@ these datails are derived from other content in this SSP.</p>
<p>An authorized service provided by the Awesome Cloud leveraged authorization.</p>
<p>Describe the service and what it is used for.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
<prop name="implementation-point" value="external"/>
<prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
Expand Down Expand Up @@ -1102,6 +1103,7 @@ leveraged-authorization assembly:</p>
<p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
<p>Describe the service and what it is used for.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="implementation-point" value="external"/>
<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
<prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/>
Expand Down Expand Up @@ -1197,6 +1199,7 @@ leveraged-authorization assembly:</p>
<description>
<p>An external system to which this system shares an interconnection.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="implementation-point" value="external"/>
<prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
<prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
Expand Down Expand Up @@ -1285,6 +1288,7 @@ and "system-poc-technical"</p>
<p>Describe the purpose of the external system/service; specifically, provide reasons
for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="implementation-point" value="external"/>
<prop ns="http://fedramp.gov/ns/oscal" name="direction" value="incoming"/>
<prop ns="http://fedramp.gov/ns/oscal" name="direction" value="outgoing"/>
Expand Down Expand Up @@ -1430,6 +1434,7 @@ here.</p>
<p>A service provided by an external system other than the leveraged system.</p>
<p>Describe the service and what it is used for.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="implementation-point" value="external"/>
<!--<prop name="direction" value="outgoing"/>-->
<prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
Expand Down Expand Up @@ -1521,7 +1526,7 @@ leveraged-authorization assembly:</p>
<p>A service provided by an external system other than the leveraged system.</p>
<p>Describe the service and what it is used for.</p>
</description>

<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="implementation-point" value="internal"/>
<prop name="public" value="no"/>
<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
Expand Down Expand Up @@ -1598,6 +1603,7 @@ property.</p>
<description>
<p>None</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="cli"/>
<prop name="implementation-point" value="internal"/>
<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
Expand Down Expand Up @@ -1741,6 +1747,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>FUNCTION: Describe typical component function.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="operating-system"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<prop name="vendor-name" value="Vendor Name"/>
Expand All @@ -1762,6 +1769,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>FUNCTION: Describe typical component function.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="operating-system"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<prop name="vendor-name" value="Vendor Name"/>
Expand All @@ -1783,6 +1791,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>FUNCTION: This container image is the base operating system used in the example. A notional CSP, like Awesome Cloud, would update and customize this image for business, reliability, and security needs.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="image"/>
<prop name="checksum" ns="http://fedramp.gov/ns/oscal" value="504931a74cb58330cafb9f59f5e553af3cc63af205dc955f7f80dc981276def0"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
Expand All @@ -1808,6 +1817,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>FUNCTION: Describe typical component function.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="database"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
Expand All @@ -1830,6 +1840,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>None</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="operating-system"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<prop name="baseline-configuration-name" value="Baseline Config. Name"/>
Expand All @@ -1841,6 +1852,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>None</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
<prop name="implementation-point" value="external"/>
<prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
Expand Down Expand Up @@ -1886,6 +1898,7 @@ compliance (e.g., Module in Process).</p>
<description>
<p>None</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-type" value="appliance"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/>
<prop ns="http://fedramp.gov/ns/oscal" name="login-url" value="https://admin.offering.com/login"/>
Expand Down Expand Up @@ -2268,6 +2281,7 @@ approved.</p>
<description>
<p>Email Service</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
<prop name="implementation-point" value="external"/>
<prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
Expand Down Expand Up @@ -2310,6 +2324,7 @@ approved.</p>
<description>
<p>Legacy Example (No implemented-component).</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-01"/>
<prop name="ipv4-address" value="10.1.1.1"/>
<prop name="ipv6-address" value="2001:db8:3333:4444:5555:6666:7777:8888"/>
Expand Down Expand Up @@ -2364,6 +2379,7 @@ approved.</p>
<description>
<p>Component Inventory Example</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-02"/>
<prop name="ipv4-address" value="10.2.2.2"/>
<prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a02:0202"/>
Expand Down Expand Up @@ -2407,6 +2423,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-03"/>
<prop name="asset-type" value="web-server"/>
<prop name="virtual" value="yes"/>
Expand All @@ -2429,6 +2446,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-04"/>
<prop name="asset-type" value="appliance"/>
<prop name="virtual" value="yes"/>
Expand All @@ -2446,6 +2464,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-05"/>
<prop name="asset-type" value="firewall"/>
<prop name="ipv4-address" value="10.5.5.5"/>
Expand All @@ -2467,6 +2486,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-06"/>
<prop name="ipv4-address" value="10.6.6.6"/>
<prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a06:0606"/>
Expand All @@ -2492,6 +2512,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-07"/>
<prop name="asset-type" value="switch"/>
<prop name="ipv4-address" value="10.7.7.7"/>
Expand All @@ -2512,6 +2533,7 @@ approved.</p>
<description>
<p>None.</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-08"/>
<prop name="asset-type" value="web-server"/>
<prop name="ipv4-address" value="10.8.8.8"/>
Expand All @@ -2536,6 +2558,7 @@ approved.</p>
<description>
<p>Email-Service</p>
</description>
<prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
<prop name="asset-id" value="unique-asset-ID-09"/>
<prop name="asset-type" value="email-server"/>
<prop name="ipv4-address" value="10.10.10.100"/>
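Review bot: Every one of the 24 inserted `diagram-label` props uses single-quoted attributes, while all surrounding props in this file use double quotes; for consistency write `<prop name="diagram-label" ns="http://fedramp.gov/ns/oscal" value="label"/>` in each hunk. All insertions also carry the identical placeholder value `label`, and since this example doubles as the PASS content for the new constraints, a distinct, descriptive label per component (the text that appears on the authorization boundary diagram for that component) would show what the property is for and let a reader cross-check the example against the diagram. The hunk starting at old line 1521 also seems to replace a blank line rather than purely insert, which is fine but worth knowing when reading the 24/1 diffstat.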
@@ -0,0 +1,10 @@
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
<system-implementation>
<component uuid="11111111-2222-4000-8000-009000000007" type="hardware">
<!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
</component>
<inventory-item uuid="11111111-2222-4000-8000-011000000001">
<implemented-component component-uuid="11111111-2222-4000-8000-009000000005"/>
</inventory-item>
</system-implementation>
</system-security-plan>
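Review bot: The `implemented-component` on the inventory item points at component-uuid `11111111-2222-4000-8000-009000000005`, which is not declared anywhere in this document, and nothing in the file says that is deliberate. If the intent is to keep the hardware component `11111111-2222-4000-8000-009000000007` inside the scope of `component-has-diagram-label` (whose target excludes inventory-linked components through `$inventory-linked-component-uuids` in the constraints file on this page), record that in place, e.g. `<!-- deliberately references a component not defined here so the hardware component above stays in scope of component-has-diagram-label -->`. A second, inventory-linked component without a label would additionally prove that the exclusion works as designed, but since the unit test only asserts that the constraint fails, that is optional.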
@@ -0,0 +1,10 @@
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
<system-implementation>
<component uuid="11111111-2222-4000-8000-009000000007" type="process-procedure">
<!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
</component>
<inventory-item uuid="11111111-2222-4000-8000-011000000001">
<!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. -->
</inventory-item>
</system-implementation>
</system-security-plan>
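Review bot: This negative case exercises only the first half of `inventory-item-has-diagram-label`'s test: the inventory item has no `implemented-component`, so the fallback to the linked component's prop is never evaluated. Adding `<implemented-component component-uuid="11111111-2222-4000-8000-009000000007"/>` inside the inventory item would link it to the label-less component above and exercise the fallback branch while still producing the expected failure. Keeping that component's type as `process-procedure` is a good choice, since it stays outside the target of `component-has-diagram-label` and the test file isolates a single constraint.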
Expand Up @@ -61,6 +61,7 @@
<enum value="privacy-impact-assessment">Privacy Impact Assessment</enum>
<enum value="information-system-contingency-plan">Information System Contingency Plan</enum>
<enum value="configuration-management-plan">configuration-management-plan</enum>
<enum value="fedramp-poam">A Plan of Action and Milestones represented either using the FedRAMP template or FedRAMP-compliant OSCAL.</enum>
<remarks>
<p>Not all values apply to all FedRAMP artifacts.</p>
</remarks>
Expand Down Expand Up @@ -100,6 +101,8 @@
<enum value="this-system">The system as a whole.</enum>
<enum value="system">An external system, which may be a leveraged system or the other side of an interconnection.</enum>
<enum value="network">A physical or virtual network.</enum>
<enum value="client">A client that may use a service.</enum>
<enum value="connection">A logical connection between two or more network nodes.</enum>
</allowed-values>

<allowed-values id="connection-security" target="system-implementation/component/prop[@name='connection-security' and @ns='http://fedramp.gov/ns/oscal']/@value" allow-other="yes" level="WARNING">
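Review bot: The new `fedramp-poam` enum's text in the first hunk is a full explanatory sentence, while the sibling enums in the same list carry a short display name. Keep the enum text as a name, e.g. `<enum value="fedramp-poam">FedRAMP Plan of Action and Milestones</enum>`, and put the template-or-OSCAL explanation into the existing `<remarks>` that follows it, where the list's other caveats already live. The enclosing `allowed-values` element for this hunk starts outside the hunk, so I cannot see whether its `target` or `allow-other` setting already documents that distinction.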
10 changes: 10 additions & 0 deletions src/validations/constraints/fedramp-external-constraints.xml
Expand Up @@ -586,11 +586,17 @@
<metapath target="/system-security-plan/system-implementation"/>
<constraints>
<let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service','software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
<let var="inventory-linked-component-uuids" expression="inventory-item/implemented-component/@component-uuid"/>
<expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']) = count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
<formal-name>Authentication Method Has Remarks</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
<message>Each authentication method in a FedRAMP SSP MUST have a remarks field.</message>
</expect>
<expect id="component-has-diagram-label" target="component[not(@uuid=$inventory-linked-component-uuids) and @type=('hardware', 'software', 'service', 'interconnection')]" test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
<formal-name>Component Has Diagram Label</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each hardware, software, service, and interconnection component MUST include the diagram label.</message>
</expect>
<expect id="component-has-used-by-link" target="component[protocol]" test="count(link[@rel='used-by']) >= 1" level="ERROR">
<formal-name>Component Has Used-By Link</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
Expand Down Expand Up @@ -692,6 +698,10 @@
<formal-name>Inventory Item Has Asset-Type</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST define the asset type either in the inventory item itself or within the linked component.</message>
<expect id="inventory-item-has-diagram-label" target="." test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
<formal-name>Inventory Item Has Diagram Label</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the diagram label either in the inventory item itself or within the linked component.</message>
</expect>
<expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
<formal-name>Inventory Item Has Function</formal-name>
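Review bot: The new `inventory-item-has-diagram-label` expect in the second hunk appears to be opened before the `</expect>` that closes `inventory-item-has-asset-type`: the hunk counts (6 old, 10 new) make the four added lines the `<expect>` through `<message>` lines, and the `</expect>` after them is the pre-existing closer of the asset-type constraint, so on the new side the asset-type expect is never closed and the new one sits nested inside it instead of as a sibling. Move the block after that closer, i.e. insert `</expect>` directly after `<message>In a FedRAMP SSP, each inventory item MUST define the asset type either in the inventory item itself or within the linked component.</message>` and let the existing `</expect>` close the new constraint instead. Once it is a sibling, reuse the context's existing `$implemented-component` variable the way `inventory-item-has-function` does, `count($implemented-component/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1`, rather than re-deriving the component through `../component[@uuid=$component-uuid]`, whose `let` is not visible in this hunk. Consider also `= 1` here to match `component-has-diagram-label` in the first hunk, so that an item carrying two conflicting labels is reported the same way in both places. The enclosing context element for these inventory-item constraints starts and ends outside the hunk.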
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for component-has-diagram-label
description: >-
This test case validates the behavior of constraint
component-has-diagram-label
content: ../content/ssp-component-has-diagram-label-INVALID.xml
expectations:
- constraint-id: component-has-diagram-label
result: fail
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for component-has-diagram-label
description: >-
This test case validates the behavior of constraint
component-has-diagram-label
content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
expectations:
- constraint-id: component-has-diagram-label
result: pass
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for inventory-item-has-diagram-label
description: >-
This test case validates the behavior of constraint
inventory-item-has-diagram-label
content: ../content/ssp-inventory-item-has-diagram-label-INVALID.xml
expectations:
- constraint-id: inventory-item-has-diagram-label
result: fail