Squashed commit of the following:
commit 719cf2c
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:12:47 2025 -0500

    Add 'inventory-item-has-software-name' constraint and tests (GSA#1038)

commit ec7affc
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:11:13 2025 -0500

    Add `inventory-item-has-software-version` constraint (GSA#1039)

    * Add 'inventory-item-has-software-version' constraint and tests

    * Add 'inventory-item-has-software-version' constraint and tests

commit fc50a42
Author: wandmagic <[email protected]>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (GSA#1064)

commit d8a9ec9
Author: DimitriZhurkin <[email protected]>
Date:   Fri Jan 3 11:20:23 2025 -0700

    Add connection-security constraint (issue GSA#961) (GSA#1021)

    * Add connection-security constraint (issue GSA#961)

    * change fedramp ns to http

    * Add help-url

commit 1648871
Author: Kylie Hunter <[email protected]>
Date:   Fri Jan 3 13:02:59 2025 -0500

    Image has checksum (GSA#1053)

    * test scaffolds added

    * initial attempt at writing pass and fail content

    * feature file

    * revised target to appropriate place

    * removed old target

    * added in proper ns

    * Update src/validations/constraints/fedramp-external-constraints.xml

    Co-authored-by: A.J. Stein <[email protected]>

    * AJ suggestion for more complete example

    * added comments

    ---------

    Co-authored-by: A.J. Stein <[email protected]>

commit 962a9c0
Author: Gabeblis <[email protected]>
Date:   Fri Jan 3 12:31:04 2025 -0500

    Add 'inventory-item-or-component-has-asset-id' constraint and tests (GSA#1056)

commit 836b224
Author: Rene Tshiteya <[email protected]>
Date:   Fri Jan 3 12:25:35 2025 -0500

    Fix implemented-component component-uuid references (GSA#1059)

    Fix component issues

commit 7018c20
Author: Gabeblis <[email protected]>
Date:   Fri Jan 3 12:24:47 2025 -0500

    Add 'inventory-item-has-valid-mac-address' constraint and tests (GSA#1057)
wandmagic committed Jan 13, 2025
1 parent cd473dc commit 042a250
Showing 2 changed files with 5 additions and 52 deletions.
23 changes: 4 additions & 19 deletions src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
Expand Up @@ -2444,10 +2444,8 @@ approved.</p>
<prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a04:0404"/>
<prop name="is-scanned" value="yes"/>
<prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other">
<remarks><p>a different kind of scan</p></remarks>
</prop>
<implemented-component component-uuid="11111111-2222-4000-8000-009000500006"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<implemented-component component-uuid="11111111-2222-4000-8000-009000000007"/>
</inventory-item>
<inventory-item uuid="11111111-2222-4000-8000-011000000005">
<description>
Expand Down Expand Up @@ -2486,14 +2484,7 @@ approved.</p>
<p>Asset wasn't running at time of scan.</p>
</remarks>
</prop>
<prop name="function" value="Required brief, text-based description.">
<remarks>
<p>Required, longer, formatted description.</p>
</remarks>
</prop>

<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<implemented-component component-uuid="11111111-2222-4000-8000-009000500007"/>
<implemented-component component-uuid="11111111-2222-4000-8000-009000000007"/>
</inventory-item>
<inventory-item uuid="11111111-2222-4000-8000-011000000007">
<description>
Expand Down Expand Up @@ -2531,13 +2522,7 @@ approved.</p>
<p>Asset wasn't running at time of scan.</p>
</remarks>
</prop>
<prop name="function" value="Required brief, text-based description.">
<remarks>
<p>Optional, longer, formatted description.</p>
</remarks>
</prop>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<implemented-component component-uuid="11111111-2222-4000-8000-009000500005"/>
<implemented-component component-uuid="11111111-2222-4000-8000-009000000007"/>
</inventory-item>
<inventory-item uuid="11111111-2222-4000-8000-011000000009">
<description>
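Review bot: The three replacement `implemented-component` lines (the second line of each pair, taking the later line as the new side given the 4-addition diffstat) all point at `11111111-2222-4000-8000-009000000007`, whereas the lines they replace referenced three distinct UUIDs ending in 009000500006, 009000500007 and 009000500005, which read like the 009000000006/7/5 series with a stray 5. If the intent was to correct that digit rather than to consolidate every inventory item onto a single component, two of the three should probably be `component-uuid="11111111-2222-4000-8000-009000000006"` and `component-uuid="11111111-2222-4000-8000-009000000005"`; worth checking against the components declared in system-implementation, which is outside this diff. Note also that the `function` prop with its remarks is dropped from the two later inventory items, so any function description for them now has to come from the linked component.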
34 changes: 1 addition & 33 deletions src/validations/constraints/fedramp-external-constraints.xml
Expand Up @@ -667,7 +667,7 @@
</expect>
<expect id="image-has-checksum" target="//component[@type='software' and ./prop[@name='asset-type' and @value='image']]" test="count(./prop[@name='checksum' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
<formal-name>Container Image Has Checksum Property</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="insert-help-url-here"/>
<message>In a FedRAMP SSP, a component that describes a container or operating system image MUST define a checksum property.</message>
</expect>
<expect id="information-type-has-class" target="component/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']" test="exists(@class)" level="ERROR">
Expand Down Expand Up @@ -729,7 +729,6 @@
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
<message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{../@uuid}" references a nonexistent component "{@href}".</message>
</expect>

</constraints>
</context>

Expand All @@ -740,37 +739,6 @@
<let var="high-sensitivity" expression="../../system-characteristics/security-sensitivity-level='fips-199-high'"/>
<let var="moderate-sensitivity" expression="../../system-characteristics/security-sensitivity-level='fips-199-moderate'"/>
<let var ="component-uuid" expression="implemented-component/@component-uuid"/>
<let var ="implemented-component" expression="../component[@uuid=$component-uuid]"/>
<expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
<formal-name>Authenticated Scan No Has Remarks</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>A FedRAMP SSP MUST provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
</expect>
<expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | $implemented-component/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
<formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
<formal-name>Inventory Item Has Function</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>Every inventory-item MUST provide remarks to describe the function of the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count($implemented-component/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
<formal-name>Inventory Item Has Scan Type</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>Every inventory-item MUST indicate one or more scan type(s), either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-software-version" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-version', 'os-version')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-version', 'os-version')]) = 1" level="ERROR">
<formal-name>Inventory Item Has Software Version</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the software version in the inventory item itself or within the linked component.</message>
</expect>
<expect id="inventory-item-has-valid-mac-address" target=".[prop[@name='mac-address']]/prop[@name='mac-address']" test="matches(@value, '^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\.[0-9a-fA-F]{4}\\.[0-9a-fA-F]{4})$')" level="ERROR">
<formal-name>Inventory Item Has Valid Mac Address</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item that has a MAC address MUST format the MAC address correctly.</message>
</expect>
<expect id="inventory-item-has-vendor-name" target="." test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
<formal-name>Inventory Item Has Vendor Name</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
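Review bot: The net diff of this squash runs opposite to its message: the description lists adding `inventory-item-has-software-name`, `inventory-item-has-software-version` and `inventory-item-has-valid-mac-address`, yet the hunk at `@@ -740,37 +739,6 @@` deletes the software-version and mac-address expects together with the `implemented-component` let, and no software-name expect appears anywhere, which suggests parent cd473dc already carried the squashed work and the merge direction should be confirmed before this lands. In the `@@ -667,7 +667,7 @@` hunk the `help-url` of `image-has-checksum` becomes the literal `insert-help-url-here` (the second help-url line, which the 1-addition diffstat makes the new side); that is not a URL and will yield a dead help link in SARIF output while every neighbouring constraint links to the automate.fedramp.gov documentation, so keep `value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"`. Minor and not touched by this commit: `<let var ="component-uuid" …/>` carries a stray space before `=`, unlike the other lets.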
