
assessment-plan/tasks/@type OR assessment-plan/tasks/@type/tasks/@Type formatting requirements inconsistent #631

Open
2 of 12 tasks
Telos-sa opened this issue Aug 21, 2024 · 0 comments
Telos-sa commented Aug 21, 2024

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

The requirements for task type attribute and tasks structure in FedRAMP Automate Guidance conflict with OSCAL schema structure and will result in validation errors.

Relevant log output

[#/assessment-plan/tasks] #/assessment-plan/tasks: 5 schema violations found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/0/tasks/0] #/assessment-plan/tasks/0/tasks/0: required key [type] not found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/1/tasks] #/assessment-plan/tasks/1/tasks: 2 schema violations found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/1/tasks/0] #/assessment-plan/tasks/1/tasks/0: required key [type] not found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/1/tasks/1] #/assessment-plan/tasks/1/tasks/1: required key [type] not found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/2/tasks/0] #/assessment-plan/tasks/2/tasks/0: 2 schema violations found [file:///Users/13503/Desktop/SAP_Testing.json]
[ERROR] [#/assessment-plan/tasks/2/tasks/0] #/assessment-plan/tasks/2/tasks/0: required key [type] not found [file:///Users/13503/Desktop/SAP_Testing.json]

How do we replicate this issue?

The use of props instead of the type element will cause errors when validating against the schema.

The examples for action represent an accurate schema structure:
image

But the examples for Role-Based and Web Application testing do not have the type attribute carried to the recursive task element, causing a break:
image

Where, exactly?

Additional Guidance:

Here are two possible solutions, both of which remove the prop for type and instead use the attribute, since it is not strict on content. Also, I recommend that the validation tool support recursion checks, and/or a combination of all-flat or all-recursive. This way the source materials may not line up with the examples, but it should not impact FedRAMP's ability to validate.

EXAMPLES:
OPTION 1: ALL RECURSIVE AND A COLLECTION

<task uuid="task-uuid-value" type="web-application">
        <title>Web Application Tests</title>
        <task uuid="uuid-value" type="web-application">
            <title>Web Application Test #1</title>
            <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
                value="https://service.offering.com/login"/>
            <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
            <associated-activity activity-uuid="uuid-of-web-application-activity">
                <subject type="inventory-item">
                    <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                                    type="inventory-item" />
                </subject>
            </associated-activity>
        </task>
        <task uuid="uuid-value" type="web-application">
            <title>Web Application Test #2</title>
            <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
                value="https://service.offering.com/login"/>
            <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
            <associated-activity activity-uuid="uuid-of-web-application-activity">
                <subject type="inventory-item">
                    <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                                    type="inventory-item" />
                </subject>
            </associated-activity>
        </task>
</task>
<task uuid="task-uuid-value" type="role-based">
        <title>Web Application Tests</title>
        <task uuid="uuid-value" type="role-based">
            <title>Web Application Test #1</title>
            <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
                value="https://service.offering.com/login"/>
            <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
            <associated-activity activity-uuid="uuid-of-web-application-activity">
                <subject type="inventory-item">
                    <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                                    type="inventory-item" />
                </subject>
            </associated-activity>
        </task>
        <task uuid="uuid-value" type="role-based">
            <title>Web Application Test #1</title>
            <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
                value="https://service.offering.com/login"/>
            <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
            <associated-activity activity-uuid="uuid-of-web-application-activity">
                <subject type="inventory-item">
                    <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                                    type="inventory-item" />
                </subject>
            </associated-activity>
        </task>
</task>
<task uuid="17030aaf-7712-4228-8607-a5a97a785efa" type="action">
    <title>Actions</title>
    <task uuid="uuid-value" type="action">
        <title>Prepare Test Plan</title>
        <description>
            <p>optional description here</p>
        </description>
        <timing>
            <within-date-range start="2020-06-01T00:00:00Z" end="2020-06-15T00:00:00Z"/>
        </timing>
    </task>
</task>

OPTION 2: FLAT TESTS

<task uuid="uuid-value" type="role-based">
    <title>Web Application Test #1</title>
    <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
        value="https://service.offering.com/login"/>
    <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
    <associated-activity activity-uuid="uuid-of-web-application-activity">
        <subject type="inventory-item">
            <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                            type="inventory-item" />
        </subject>
    </associated-activity>
</task>
<task uuid="uuid-value" type="web-application">
    <title>Web Application Test #2</title>
    <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
        value="https://service.offering.com/login"/>
    <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
    <associated-activity activity-uuid="uuid-of-web-application-activity">
        <subject type="inventory-item">
            <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                            type="inventory-item" />
        </subject>
    </associated-activity>
</task>
<task uuid="uuid-value" type="web-application">
    <title>Web Application Test #1</title>
    <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
        value="https://service.offering.com/login"/>
    <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
    <associated-activity activity-uuid="uuid-of-web-application-activity">
        <subject type="inventory-item">
            <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                            type="inventory-item" />
        </subject>
    </associated-activity>
</task>
<task uuid="uuid-value" type="web-application">
    <title>Web Application Test #2</title>
    <prop name="login-url" ns="https://fedramp.gov/ns/oscal"
        value="https://service.offering.com/login"/>
    <prop name="login-id" ns="https://fedramp.gov/ns/oscal" value="test-user"/>
    <associated-activity activity-uuid="uuid-of-web-application-activity">
        <subject type="inventory-item">
            <include-subject subject-uuid="uuid-of-SSP-inventory-item" 
                            type="inventory-item" />
        </subject>
    </associated-activity>
</task>
<task uuid="uuid-value" type="action">
    <title>Prepare Test Plan</title>
    <description>
        <p>optional description here</p>
    </description>
    <timing>
        <within-date-range start="2020-06-01T00:00:00Z" end="2020-06-15T00:00:00Z"/>
    </timing>
</task>

Other relevant details

No response
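The recursion check the issue's guidance asks for, written out as an added example (this is not code from the fedramp-automation project or from the issue author). It walks the `tasks` array of an assessment plan, descends into nested `tasks`, and reports every task that lacks the schema-required `type` field using the same JSON-pointer style as the validator output quoted above. It also flags the cause this issue describes, a FedRAMP-namespaced `prop` named `type` used in place of the `type` field, classifies the document as flat, recursive or mixed, and offers a helper that promotes such props to the proper field. The sample assessment plan embedded below is constructed for the example; the namespace value is the one used in the issue's XML.

```python
"""Recursive `type` check for OSCAL assessment-plan tasks (added example)."""
import json

# Namespace used by the FedRAMP props in the issue's examples.
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"


def find_type_prop(task):
    """Return the value of a FedRAMP-namespaced prop named 'type', if one exists."""
    for prop in task.get("props", []):
        if prop.get("name") == "type" and prop.get("ns") == FEDRAMP_NS:
            return prop.get("value")
    return None


def check_tasks(tasks, pointer="#/assessment-plan/tasks"):
    """Validate a task list recursively; return a list of (json_pointer, message)."""
    findings = []
    for i, task in enumerate(tasks):
        here = f"{pointer}/{i}"
        if "type" not in task:
            msg = "required key [type] not found"
            hint = find_type_prop(task)
            if hint is not None:
                msg += f' (found prop name="type" value="{hint}"; move it to the type field)'
            findings.append((here, msg))
        # Nested tasks are the same object type, so the same rule applies below.
        if "tasks" in task:
            findings.extend(check_tasks(task["tasks"], f"{here}/tasks"))
    return findings


def structure_style(tasks):
    """Classify the top-level task list as 'flat', 'recursive' or 'mixed'."""
    nested = [bool(t.get("tasks")) for t in tasks]
    if all(nested):
        return "recursive"
    if not any(nested):
        return "flat"
    return "mixed"


def fix_type_props(tasks):
    """Return a copy in which a FedRAMP 'type' prop is promoted to the type field."""
    fixed = []
    for task in tasks:
        t = dict(task)  # shallow copy; lists we touch are rebuilt, so input is untouched
        if "type" not in t:
            hint = find_type_prop(t)
            if hint is not None:
                t["type"] = hint
                t["props"] = [
                    p for p in t["props"]
                    if not (p.get("name") == "type" and p.get("ns") == FEDRAMP_NS)
                ]
        if "tasks" in t:
            t["tasks"] = fix_type_props(t["tasks"])
        fixed.append(t)
    return fixed


# Constructed sample: one nested task carries `type`, one uses a prop instead
# (the pattern the issue reports), and one flat top-level task is correct.
SAMPLE_SAP = {
    "assessment-plan": {
        "tasks": [
            {
                "uuid": "00000000-0000-4000-8000-000000000001",
                "type": "web-application",
                "title": "Web Application Tests",
                "tasks": [
                    {
                        "uuid": "00000000-0000-4000-8000-000000000002",
                        "type": "web-application",
                        "title": "Web Application Test #1",
                    },
                    {
                        "uuid": "00000000-0000-4000-8000-000000000003",
                        "title": "Web Application Test #2",
                        "props": [{"name": "type", "ns": FEDRAMP_NS, "value": "web-application"}],
                    },
                ],
            },
            {
                "uuid": "00000000-0000-4000-8000-000000000004",
                "type": "action",
                "title": "Prepare Test Plan",
            },
        ]
    }
}

if __name__ == "__main__":
    tasks = SAMPLE_SAP["assessment-plan"]["tasks"]
    print("structure:", structure_style(tasks))
    for pointer, message in check_tasks(tasks):
        print(f"[ERROR] [{pointer}] {pointer}: {message}")
    print(json.dumps({"assessment-plan": {"tasks": fix_type_props(tasks)}}, indent=2))
```

On the sample, the checker reports exactly one finding, at `#/assessment-plan/tasks/0/tasks/1`, and names the `type` prop that should have been the `type` field; after `fix_type_props` the same walk reports nothing. The `structure_style` result ("mixed" for the sample) is the signal a validation rule could use to enforce the all-flat or all-recursive layout the guidance proposes.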
