Squashed commit of the following:
commit 7c6b0f2
Merge: f10ace6 26f4f19
Author: ~ . ~ <[email protected]>
Date:   Fri Jan 10 11:49:42 2025 -0500

    Merge branch 'canary' of https://github.com/wandmagic/fedramp-automation into canary

commit f10ace6
Author: ~ . ~ <[email protected]>
Date:   Wed Jan 8 11:06:00 2025 -0500

    use latest server build

commit d7af65c
Author: ~ . ~ <[email protected]>
Date:   Tue Jan 7 22:21:48 2025 -0500

    hotfix missing expect tag

commit ee65d47
Author: ~ . ~ <[email protected]>
Date:   Tue Jan 7 17:17:54 2025 -0500

    use preview versions of oscal tools

commit b9ca17a
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:12:47 2025 -0500

    Add 'inventory-item-has-software-name' constraint and tests (GSA#1038)

commit f556138
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:11:13 2025 -0500

    Add `inventory-item-has-software-version` constraint (GSA#1039)

    * Add 'inventory-item-has-software-version' constraint and tests

    * Add 'inventory-item-has-software-version' constraint and tests

commit 60ba7f7
Author: wandmagic <[email protected]>
Date:   Fri Jan 10 11:15:47 2025 -0500

    add inventory item constraints (GSA#1063)

    * add inventory item constraints

    * update example file

    Co-Authored-By: A.J. Stein <[email protected]>

    * improve scan type constraint

    * massage constraints

    * improve constraint content

    * Update src/validations/constraints/fedramp-external-constraints.xml

    Co-authored-by: Gabeblis <[email protected]>

    * Update src/validations/constraints/fedramp-external-constraints.xml

    Co-authored-by: Gabeblis <[email protected]>

    * Update fedramp-external-constraints.xml

    * Update fedramp-external-constraints.xml

    * Squashed commit of the following:

    commit d7b0623
    Author: wandmagic <[email protected]>
    Date:   Tue Jan 7 14:47:44 2025 -0500

        fix constraints (GSA#1070)

    commit fc50a42
    Author: wandmagic <[email protected]>
    Date:   Fri Jan 3 14:21:47 2025 -0500

        hotfix develop (GSA#1064)

    * Squashed commit of the following:

    commit 18a02c9
    Author: wandmagic <[email protected]>
    Date:   Wed Jan 8 09:37:15 2025 -0500

        Hotfix styles (GSA#1076)

        * style guide hotfix

        * Update fedramp-external-constraints.xml

    commit 60b3c50
    Author: DimitriZhurkin <[email protected]>
    Date:   Wed Jan 8 07:14:14 2025 -0700

        Add the inter-boundary-component-has-information-type constraint (GSA#1066)

        * Add the inter-boundary-component-has-information-type constraint

        * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

    commit d7b0623
    Author: wandmagic <[email protected]>
    Date:   Tue Jan 7 14:47:44 2025 -0500

        fix constraints (GSA#1070)

    commit fc50a42
    Author: wandmagic <[email protected]>
    Date:   Fri Jan 3 14:21:47 2025 -0500

        hotfix develop (GSA#1064)

    * Squashed commit of the following:

    commit 8c1a343
    Author: Gabeblis <[email protected]>
    Date:   Thu Jan 9 11:45:37 2025 -0500

        Add new metapath target to 'security-level' constraint (GSA#1079)

    commit 608080d
    Author: wandmagic <[email protected]>
    Date:   Thu Jan 9 09:29:17 2025 -0500

        add additional sample content (GSA#1081)

    commit 1f55a73
    Author: Gabeblis <[email protected]>
    Date:   Thu Jan 9 09:22:28 2025 -0500

        Correct constraint message. (GSA#1085)

    commit 18a02c9
    Author: wandmagic <[email protected]>
    Date:   Wed Jan 8 09:37:15 2025 -0500

        Hotfix styles (GSA#1076)

        * style guide hotfix

        * Update fedramp-external-constraints.xml

    commit 60b3c50
    Author: DimitriZhurkin <[email protected]>
    Date:   Wed Jan 8 07:14:14 2025 -0700

        Add the inter-boundary-component-has-information-type constraint (GSA#1066)

        * Add the inter-boundary-component-has-information-type constraint

        * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

    commit d7b0623
    Author: wandmagic <[email protected]>
    Date:   Tue Jan 7 14:47:44 2025 -0500

        fix constraints (GSA#1070)

    commit fc50a42
    Author: wandmagic <[email protected]>
    Date:   Fri Jan 3 14:21:47 2025 -0500

        hotfix develop (GSA#1064)

    ---------

    Co-authored-by: A.J. Stein <[email protected]>
    Co-authored-by: Gabeblis <[email protected]>

commit 5e3f386
Author: wandmagic <[email protected]>
Date:   Fri Jan 10 09:25:07 2025 -0500

    make build (GSA#1080)

commit 8c1a343
Author: Gabeblis <[email protected]>
Date:   Thu Jan 9 11:45:37 2025 -0500

    Add new metapath target to 'security-level' constraint (GSA#1079)

commit 608080d
Author: wandmagic <[email protected]>
Date:   Thu Jan 9 09:29:17 2025 -0500

    add additional sample content (GSA#1081)

commit 1f55a73
Author: Gabeblis <[email protected]>
Date:   Thu Jan 9 09:22:28 2025 -0500

    Correct constraint message. (GSA#1085)

commit 26f4f19
Author: ~ . ~ <[email protected]>
Date:   Wed Jan 8 11:06:00 2025 -0500

    use latest server build

commit 18a02c9
Author: wandmagic <[email protected]>
Date:   Wed Jan 8 09:37:15 2025 -0500

    Hotfix styles (GSA#1076)

    * style guide hotfix

    * Update fedramp-external-constraints.xml

commit 60b3c50
Author: DimitriZhurkin <[email protected]>
Date:   Wed Jan 8 07:14:14 2025 -0700

    Add the inter-boundary-component-has-information-type constraint (GSA#1066)

    * Add the inter-boundary-component-has-information-type constraint

    * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml

commit dd20034
Author: ~ . ~ <[email protected]>
Date:   Tue Jan 7 22:21:48 2025 -0500

    hotfix missing expect tag

commit b4d3df5
Author: ~ . ~ <[email protected]>
Date:   Tue Jan 7 17:17:54 2025 -0500

    use preview versions of oscal tools

commit d7b0623
Author: wandmagic <[email protected]>
Date:   Tue Jan 7 14:47:44 2025 -0500

    fix constraints (GSA#1070)

commit 719cf2c
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:12:47 2025 -0500

    Add 'inventory-item-has-software-name' constraint and tests (GSA#1038)

commit ec7affc
Author: Gabeblis <[email protected]>
Date:   Tue Jan 7 13:11:13 2025 -0500

    Add `inventory-item-has-software-version` constraint (GSA#1039)

    * Add 'inventory-item-has-software-version' constraint and tests

    * Add 'inventory-item-has-software-version' constraint and tests

commit fc50a42
Author: wandmagic <[email protected]>
Date:   Fri Jan 3 14:21:47 2025 -0500

    hotfix develop (GSA#1064)

commit d8a9ec9
Author: DimitriZhurkin <[email protected]>
Date:   Fri Jan 3 11:20:23 2025 -0700

    Add connection-security constraint (issue GSA#961) (GSA#1021)

    * Add connection-security constraint (issue GSA#961)

    * change fedramp ns to http

    * Add help-url

commit 1648871
Author: Kylie Hunter <[email protected]>
Date:   Fri Jan 3 13:02:59 2025 -0500

    Image has checksum (GSA#1053)

    * test scaffolds added

    * initial attempt at writing pass and fail content

    * feature file

    * revised target to appropriate place

    * removed old target

    * added in proper ns

    * Update src/validations/constraints/fedramp-external-constraints.xml

    Co-authored-by: A.J. Stein <[email protected]>

    * AJ suggestion for more complete example

    * added comments

    ---------

    Co-authored-by: A.J. Stein <[email protected]>

commit 962a9c0
Author: Gabeblis <[email protected]>
Date:   Fri Jan 3 12:31:04 2025 -0500

    Add 'inventory-item-or-component-has-asset-id' constraint and tests (GSA#1056)

commit 836b224
Author: Rene Tshiteya <[email protected]>
Date:   Fri Jan 3 12:25:35 2025 -0500

    Fix implemented-component component-uuid references (GSA#1059)

    Fix component issues

commit 7018c20
Author: Gabeblis <[email protected]>
Date:   Fri Jan 3 12:24:47 2025 -0500

    Add 'inventory-item-has-valid-mac-address' constraint and tests (GSA#1057)
wandmagic committed Jan 10, 2025
1 parent 84914e6 commit cdf2fa6
Showing 14 changed files with 125 additions and 36 deletions.
1 change: 1 addition & 0 deletions .github/workflows/run-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ on:
branches:
- master
- develop
- canary
- 'feature/**' # This will match any branch starting with "feature"

pull_request:
4 changes: 2 additions & 2 deletions .tool-versions
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
oscal-cli 2.4.0
oscal-server v1.0.0-SNAPSHOT-6363f60-20241202160440
oscal-cli 2.5.0-SNAPSHOT
oscal-server v1.0.0-SNAPSHOT-6773e8b-20250108155951
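Review bot: The new `oscal-cli 2.5.0-SNAPSHOT` entry pins a bare snapshot label with no commit hash or timestamp, unlike the `oscal-server` line beside it, so two CI runs of this same commit can resolve to different CLI builds. Pin oscal-cli to a qualified snapshot identifier or a released version, and record why a preview build is required so the pin can be moved back to a release once one ships.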
30 changes: 2 additions & 28 deletions features/fedramp_extensions.feature
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,6 @@ Scenario Outline: Documents that should be valid are pass
Examples:
| valid_file |
| ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml |
# | ../../../content/rev5/examples/ssp/xml/fedramp-poam-example.oscal.xml |
# | ../../../content/rev5/examples/ssp/xml/fedramp-ap-example.oscal.xml |
# | ../../../content/rev5/examples/ssp/xml/fedramp-ar-example.oscal.xml |

@full-coverage
Scenario: Preparing constraint coverage analysis
Expand Down Expand Up @@ -98,7 +95,6 @@ Examples:
| has-network-architecture-diagram-link-href-target |
| has-network-architecture-diagram-link-rel |
| has-network-architecture-diagram-link-rel-allowed-value |
| has-poam-resource |
| has-policy |
| has-procedure |
| has-published-date |
Expand Down Expand Up @@ -130,6 +126,8 @@ Examples:
| inventory-item-and-component-has-public |
| inventory-item-has-function |
| inventory-item-has-scan-type |
| inventory-item-has-software-name |
| inventory-item-has-software-version |
| inventory-item-has-valid-mac-address |
| inventory-item-has-vendor-name |
| inventory-item-or-component-has-asset-id |
Expand Down Expand Up @@ -167,12 +165,6 @@ Examples:
| scan-type-has-remarks |
| security-level |
| security-sensitivity-level-matches-security-impact-level |
| ssp-component-has-poam-link |
| ssp-has-legacy-poam-warning |
| ssp-poam-item-exists |
| ssp-poam-link-has-resource-fragment |
| ssp-poam-link-references-valid-resource |
| ssp-poam-resource-has-oscal-link |
| statement-has-this-system-component |
| unique-inventory-item-asset-id |
| used-by-link-references-component |
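Review bot: The six `ssp-*` POA&M ids leave the coverage list in this hunk (12 lines down to 6 in the header), but the `fedramp-external-constraints.xml` diff in this commit shows 0 deletions, so nothing visible here removes the constraints themselves. If they are still defined in a constraint file, they are no longer covered by this scenario; if they were removed in one of the files not shown, note that in the commit message so the drop in coverage is explained.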
Expand Down Expand Up @@ -340,8 +332,6 @@ Examples:
| has-network-architecture-diagram-link-rel-PASS.yaml |
| has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml |
| has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
| has-poam-resource-FAIL.yaml |
| has-poam-resource-PASS.yaml |
| has-policy-FAIL.yaml |
| has-policy-PASS.yaml |
| has-procedure-FAIL.yaml |
Expand Down Expand Up @@ -400,10 +390,6 @@ Examples:
| inventory-item-allows-authenticated-scan-PASS.yaml |
| inventory-item-and-component-has-public-FAIL.yaml |
| inventory-item-and-component-has-public-PASS.yaml |
| inventory-item-has-function-FAIL.yaml |
| inventory-item-has-function-PASS.yaml |
| inventory-item-has-scan-type-FAIL.yaml |
| inventory-item-has-scan-type-PASS.yaml |
| inventory-item-has-valid-mac-address-FAIL.yaml |
| inventory-item-has-valid-mac-address-PASS.yaml |
| inventory-item-has-vendor-name-FAIL.yaml |
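Review bot: No `inventory-item-has-software-name-*.yaml` or `inventory-item-has-software-version-*.yaml` rows are added to this test-file list, although both ids were added to the constraint list earlier in this file (the file's only 2 additions), and this hunk drops four rows (10 lines to 6) around `inventory-item-has-function` and `inventory-item-has-scan-type`, whose `expect` definitions still appear in `fedramp-external-constraints.xml`. Add PASS/FAIL rows for the two new constraints and keep the function and scan-type rows unless those tests were retired on purpose.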
Expand Down Expand Up @@ -478,18 +464,6 @@ Examples:
| security-level-PASS.yaml |
| security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
| security-sensitivity-level-matches-security-impact-level-PASS.yaml |
| ssp-component-has-poam-link-FAIL.yaml |
| ssp-component-has-poam-link-PASS.yaml |
| ssp-has-legacy-poam-warning-FAIL.yaml |
| ssp-has-legacy-poam-warning-PASS.yaml |
| ssp-poam-item-exists-FAIL.yaml |
| ssp-poam-item-exists-PASS.yaml |
| ssp-poam-link-has-resource-fragment-FAIL.yaml |
| ssp-poam-link-has-resource-fragment-PASS.yaml |
| ssp-poam-link-references-valid-resource-FAIL.yaml |
| ssp-poam-link-references-valid-resource-PASS.yaml |
| ssp-poam-resource-has-oscal-link-FAIL.yaml |
| ssp-poam-resource-has-oscal-link-PASS.yaml |
| statement-has-this-system-component-FAIL.yaml |
| statement-has-this-system-component-PASS.yaml |
| unique-inventory-item-asset-id-FAIL.yaml |
8 changes: 4 additions & 4 deletions package-lock.json

4 changes: 2 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"federalist": "make init-repo && npm run build:validation-ui && npm run link:validation-ui",
"link:validation-ui": "ln -sf ./src/web/dist _site",
"test": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js",
"test:server": "cross-env-shell OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js",
"test:server": "cross-env-shell OSCAL_SERVER_PATH='${process.cwd()}' OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js",
"test:parallel": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --parallel 4 2>/dev/null 2>NUL",
"test:failed": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js -p rerun",
"test:constraints": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @constraints",
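Review bot: In the `test:server` script, `OSCAL_SERVER_PATH='${process.cwd()}'` is a JavaScript template expression placed in an npm script, which is run by a shell rather than evaluated by Node, and the single quotes suppress any shell expansion, so the variable is set to the literal text `${process.cwd()}` instead of a directory. Use a value the shell can expand, or resolve the path inside the test harness and drop the variable from the script.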
Expand All @@ -28,7 +28,7 @@
"inquirer": "^10.1.8",
"js-yaml": "^4.1.0",
"jsdom": "^25.0.0",
"oscal": "2.0.7",
"oscal": "2.0.8-rc5",
"ts-node": "^10.9.2",
"xml-formatter": "^3.6.3",
"xml2js": "^0.6.2"
Original file line number Diff line number Diff line change
Expand Up @@ -930,6 +930,7 @@ that represents the whole system.</p>
<prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/>
<prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
<prop ns="http://fedramp.gov/ns/oscal" name="end-of-life-date" value="2025-12-31"/>
<prop ns="http://fedramp.gov/ns/oscal" name="end-of-life-date" value="2025-12-31"/>
<prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
<remarks>
<p>If 'yes', describe the authentication method.</p>
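Review bot: The `end-of-life-date` prop with value `2025-12-31` now appears twice in a row in this component; the added line is an exact copy of the one above it and reads as a merge leftover. Remove the duplicate, since a second identical prop adds nothing to the example and can trip any constraint that expects a single `end-of-life-date` per component.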
Expand Down Expand Up @@ -2317,6 +2318,7 @@ approved.</p>
<p>Legacy Example (No implemented-component).</p>
</description>
<prop name="asset-id" value="unique-asset-ID-01"/>
<prop name="software-version" value="software-version"/>
<prop name="ipv4-address" value="10.1.1.1"/>
<prop name="ipv6-address" value="2001:db8:3333:4444:5555:6666:7777:8888"/>
<prop name="virtual" value="no"/>
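Review bot: The added `software-version` prop uses its own name as its value (`value="software-version"`), and no `software-name` prop is added beside it in this legacy inventory item. Because this file is the reference example, give the prop a realistic version string and confirm whether the item also needs a name to satisfy `inventory-item-has-software-name`.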
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
<system-implementation>
<component uuid="11111111-2222-4000-8000-009000000007" type="software">
<!-- <prop name="software-name" value="software-name"/> Missing software-name in linked component-->
</component>
<inventory-item uuid="11111111-2222-4000-8000-011000000001">
<prop name="asset-type" value="operating-system"/>
<!-- <prop name="software-name" value="software-name"/> Missing software-name in inventory-item.-->
<implemented-component component-uuid="11111111-2222-4000-8000-009000000007">
</implemented-component>
</inventory-item>
</system-implementation>
</system-security-plan>
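Review bot: Both `software-name` props are commented out in this one fixture, in the component and in the inventory-item, so it only proves the constraint fails when the name is missing everywhere. The inventory-item also matches the constraint target through `asset-type` = `operating-system`, so the `../component[...]` branch of the target is never the deciding factor. Split this into fixtures that omit the prop in one place at a time, and add one where the item qualifies only through its linked software component.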
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
<system-implementation>
<component uuid="11111111-2222-4000-8000-009000000007" type="software">
<!-- <prop name="software-version" value="software-version"/> Missing software-version in linked component-->
</component>
<inventory-item uuid="11111111-2222-4000-8000-011000000001">
<prop name="asset-type" value="operating-system"/>
<!-- <prop name="software-version" value="software-version"/> Missing software-version in inventory-item.-->
<implemented-component component-uuid="11111111-2222-4000-8000-009000000007">
</implemented-component>
</inventory-item>
</system-implementation>
</system-security-plan>
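Review bot: This fixture covers only the zero-props case, while the constraint test is `count(...) = 1`, so an inventory item carrying two matching props (for example `software-version` and `os-version` together) would also be rejected and nothing here exercises that. Add a fixture for it, or relax the test to `>= 1` if more than one value is acceptable.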
Original file line number Diff line number Diff line change
Expand Up @@ -479,6 +479,7 @@
<metapath target="/system-security-plan/system-characteristics/security-impact-level/(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"/>
<metapath target="/system-security-plan/system-characteristics/system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"/>
<metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
<metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>
<constraints>
<let var="security-level-target" expression="if (prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']) then prop[@name='impact-level' and @ns='http://fedramp.gov/ns/oscal']/@value else ."/>
<allowed-values id="security-level" target="$security-level-target" allow-other="no" level="ERROR">
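Review bot: The added `<metapath target="/system-security-plan/system-implementation/leveraged-authorization"/>` is identical to the line directly above it, so the context now lists the same target twice. Drop the duplicate; if the intent was the new target named in the commit message, the path needs to differ from the existing one.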
49 changes: 49 additions & 0 deletions src/validations/constraints/fedramp-external-constraints.xml
Original file line number Diff line number Diff line change
Expand Up @@ -123,9 +123,11 @@
<index-has-key id='extraneous-implemented-requirements' target="//implemented-requirement" name="index-imported-controls" level="WARNING">
<formal-name>Additional Controls Implemented Not in Baseline</formal-name>
<description>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline.</description>
<description>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline.</description>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#implementation-status"/>
<key-field target="@control-id"/>
<message>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}).</message>
<message>A FedRAMP SSP SHOULD NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}).</message>
</index-has-key>
<index-has-key id="has-required-parameters" target="$required-parameters-map" name="index-implemented-parameters" level="ERROR">
<formal-name>Required Parameters Must Be Set</formal-name>
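Review bot: In `extraneous-implemented-requirements`, the added `<description>` and `<message>` lines are exact copies of the lines above them, leaving the constraint with two descriptions and two messages. Remove both duplicates; they read as merge leftovers, and a validator that expects one of each may reject the file.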
Expand Down Expand Up @@ -733,6 +735,7 @@
</constraints>
</context>


<context>
<metapath target="/system-security-plan/system-implementation/inventory-item"/>
<constraints>
Expand Down Expand Up @@ -766,6 +769,51 @@
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item that has a MAC address MUST format the MAC address correctly.</message>
</expect>
<expect id="inventory-item-has-software-name" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-name', 'os-name')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-name', 'os-name')]) = 1" level="ERROR">
<formal-name>Inventory Item Has Software Name</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the software name in the inventory item itself or within the linked component.</message>
<let var ="implemented-component" expression="../component[@uuid=$component-uuid]"/>
<expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
<formal-name>Authenticated Scan No Has Remarks</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>A FedRAMP SSP MUST provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
</expect>
<expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | $implemented-component/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
<formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>For HIGH-impact systems, every inventory-item MUST identify an asset-owner or administrator property either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-function" target="." test="exists(prop[@name='function']/remarks) or exists($implemented-component/prop[@name='function']/remarks)" level="ERROR">
<formal-name>Inventory Item Has Function</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>Every inventory-item MUST provide remarks to describe the function of the item, either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-scan-type" target="." test="count(prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count($implemented-component/prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
<formal-name>Inventory Item Has Scan Type</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>Every inventory-item MUST indicate one or more scan type(s), either within the inventory-item itself, or within the component linked by the inventory-item.</message>
</expect>
<expect id="inventory-item-has-software-version" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-version', 'os-version')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-version', 'os-version')]) = 1" level="ERROR">
<formal-name>Inventory Item Has Software Version</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the software version in the inventory item itself or within the linked component.</message>
</expect>
<expect id="inventory-item-has-software-name" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-name', 'os-name')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-name', 'os-name')]) = 1" level="ERROR">
<formal-name>Inventory Item Has Software Name</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the software name in the inventory item itself or within the linked component.</message>
</expect>
<expect id="inventory-item-has-software-version" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-version', 'os-version')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-version', 'os-version')]) = 1" level="ERROR">
<formal-name>Inventory Item Has Software Version</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item MUST include the software version in the inventory item itself or within the linked component.</message>
</expect>
<expect id="inventory-item-has-valid-mac-address" target=".[prop[@name='mac-address']]/prop[@name='mac-address']" test="matches(@value, '^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\.[0-9a-fA-F]{4}\\.[0-9a-fA-F]{4})$')" level="ERROR">
<formal-name>Inventory Item Has Valid Mac Address</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
<message>In a FedRAMP SSP, each inventory item that has a MAC address MUST format the MAC address correctly.</message>
</expect>
<expect id="inventory-item-has-vendor-name" target="." test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
<formal-name>Inventory Item Has Vendor Name</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
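Review bot: The first added `<expect id="inventory-item-has-software-name" ...>` is never closed: its `<message>` is followed by `<let var ="implemented-component" .../>` and then the next `<expect>`, and the added lines open nine `expect` elements but close only eight, so the file is not well-formed as shown. The block also repeats ids: `inventory-item-has-software-name` and `inventory-item-has-software-version` each appear twice, and `inventory-item-has-valid-mac-address` repeats the constraint that closes just above the insertion; keep one copy of each and place the `let` ahead of the `expect` elements that use `$implemented-component`. In the software-name and software-version targets, `../component[uuid=$component-uuid and type='software']` tests child elements named `uuid` and `type`, while the `test` attribute uses `@uuid` and the fixtures carry `uuid` and `type` as attributes, so that branch of the target cannot match. In the MAC address pattern, `^` binds only to the first alternative and `$` only to the second, so wrap the whole alternation in one group between the anchors.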
Expand Down Expand Up @@ -859,6 +907,7 @@
'si-1_smt.a' : 'at least one procedure that addresses System and Information Integrity MUST be associated with SI-1 part a.',
'sr-1_smt.a' : 'at least one procedure that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/>
<let var="component-uuid" expression="by-component/@component-uuid"/>
<let var="component-uuid" expression="by-component/@component-uuid"/>
<expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='policy']) >= 1" level="ERROR">
<formal-name>Has Policy</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
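Review bot: The added `<let var="component-uuid" expression="by-component/@component-uuid"/>` duplicates the binding on the line above it. Remove it; declaring the same variable twice in one scope is redundant at best and may be rejected when the constraints are loaded. In the same context, the `has-policy` test binds `$uuid` in `some $uuid in $component-uuid` but then compares `@uuid=$component-uuid`, so the bound variable is never used.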