Move "Rules" back into Common Controls #443

adhilto · 2024-10-01T21:50:00Z

💡 Summary

Rules breaks the JSON output schema used for all the other baselines, increasing the complexity for downstream systems to process ScubaGoggles data.
Rules breaks the 1:1 control to test result ratio we so carefully maintain elsewhere, again increasing complexity for downstream systems.
Rules also increases the complexity of our own code.
Making Rules its own report makes it hard to interpret the results. For example, say you assess the just Common Controls baseline configure GWS.COMMONCONTROLS.13.1v0.3 to be omitted. Later, an analyst might look at the results and calculate that you omitted over half of the controls, when in reality you just omitted one.

There are several different ways you could implement this.

Make the details column read like "3/39 rules enabled. The following rules are disabled: [bulleted list of disabled rules]. The state of the following rules could not be determined: [bulleted list of rules without events]"
Make the details column read like "3/39 rules enabled. The following rules are disabled: [single-line comma-separated list of disabled rules]. The state of the following rules could not be determined: [single-line comma-separated list of rules without events]"
Make the details column read like "3/39 rules enabled. See the Rules table below for more details." And have a Rules table below the Common Controls results, similar to the CAP table below the AAD report in ScubaGear.

Personally, I think I'm partial to option number 2 above, but we should discuss this as a team to determine the best option.

adhilto added the enhancement label Oct 1, 2024