Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add constraint has-unique-asset-id #882

Closed
14 tasks done
aj-stein-gsa opened this issue Nov 7, 2024 · 2 comments · Fixed by #887
Closed
14 tasks done

Add constraint has-unique-asset-id #882

aj-stein-gsa opened this issue Nov 7, 2024 · 2 comments · Fixed by #887

Comments

@aj-stein-gsa
Copy link
Contributor

aj-stein-gsa commented Nov 7, 2024

Constraint Task

As a digital authorization package maintainer, to know that I have identified each inventory item with an individual unique ID for it to avoid passback, I want a check to ensure the SSP each inventory item has a unique ID.

Intended Outcome

Goal

Check for one or more inventory items or report an error.

Syntax

Create an is-unique constraint that checks each asset-id for an inventory item is unique.

Syntax Type

This is optional core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

/system-security-plan/system-implementation/inventory-item/asset-id

Purpose of the OSCAL Content

Automation will need to detect a unique asset-id for inventory item in the inventory.

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate
    • sample content is present and accurate
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

No response

@brian-ruf
Copy link
Collaborator

Background

There is a known-issue with //inventory-item/prop[@name='asset-id'] in core OSCAL metaschema. (usnistgov/OSCAL#2043), where this property's existence is being incorrectly enforced in //inventory-item/implemented-components where it makes no sense, and not being enforced in //inventory-item. (We believe this was a simple matter of a constraint being inserted in the wrong location.)

NIST has not made a final decision on a resolution, and this issue raises the question of whether core OSCAL should even enforce this property or defer to organizations like FedRAMP to enforce.

In the mean time, FedRAMP requires this property.

Recommendation

FedRAMP should explicitly define a constraint that requires //inventory-item/prop[@name='asset-id'] [exactly 1], and only remove it if NIST elects to enforce it in their resolution for usnistgov/OSCAL#2043

@wandmagic
Copy link
Collaborator

see #887

@wandmagic wandmagic moved this from 🔖 Ready to 👀 In review in FedRAMP Automation Nov 12, 2024
@aj-stein-gsa aj-stein-gsa linked a pull request Nov 12, 2024 that will close this issue
7 tasks
@aj-stein-gsa aj-stein-gsa moved this from 👀 In review to 🏗 In progress in FedRAMP Automation Nov 15, 2024
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in FedRAMP Automation Nov 19, 2024
@aj-stein-gsa aj-stein-gsa moved this from ✅ Done to 🚢 Ready to Ship in FedRAMP Automation Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment