Fix Bug Issue GSA#940

src/validations/constraints/content/ssp-all-VALID.xml

@@ -525,50 +525,56 @@
   </remarks>
 </resource>
 
+    <resource uuid="d2eb3c18-6754-4e3a-a933-03d289e3fad5">
+      <title>Boundary Diagram</title>
+      <description>
+        <p>The primary authorization boundary diagram.</p>
+      </description>
+      <prop name="type" value="image" class="authorization-boundary" />
+      <rlink href="./attachments/diagrams/boundary.png"/>
+      <base64 filename="logo.png" media-type="image/png">00000000</base64>
+      <remarks>
+        <p>Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)</p>
+        <p>This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"</p>
+        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
+        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
+      </remarks>
+    </resource>
 
-<resource uuid="d2eb3c18-6754-4e3a-a933-03d289e3fad5">
-  <title>Authorization Boundary</title>
-  <description>
-     <p>Authorization Boundary Diagram</p>
-  </description>
-  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/AuthBoundary.docx" media-type="application/msword"/>
-  <base64 filename="AuthBoundary.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
-
-<resource uuid="61081e81-850b-43c1-bf43-1ecbddcb9e7f">
-  <title>Network Architecture</title>
-  <description>
-     <p>Network Architecture Diagram</p>
-  </description>
-  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/NetworkArchitecture.docx" media-type="application/msword"/>
-  <base64 filename="NetworkArchitecture.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
+    <resource uuid="61081e81-850b-43c1-bf43-1ecbddcb9e7f">
+      <title>Network Diagram</title>
+      <description>
+        <p>The primary network diagram.</p>
+      </description>
+      <prop name="type" value="image" class="network-architecture" />
+      <!-- Use rlink and/or base64 -->
+      <rlink href="./attachments/diagrams/network.png"/>
+      <base64 filename="network.png" media-type="image/png">00000000</base64>
+      <remarks>
+        <p>Section 8.1, Figure 8-2 Network Diagram (graphic)</p>
+        <p>This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"</p>
+        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
+        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
+      </remarks>
+    </resource>
 
-<resource uuid="ac5d7535-f3b8-45d3-bf3b-735c82c64547">
-  <title>Data Flow</title>
-  <description>
-     <p>Data flow Diagram</p>
-  </description>
-  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="plan"/>
-  <prop name="published" value="2023-01-01T00:00:00Z"/>
-  <prop name="version" value="Document Version"/>
-  <rlink href="./documents/Dataflo.docx" media-type="application/msword"/>
-  <base64 filename="Dataflow.docx" media-type="application/msword">00000000</base64>
-  <remarks>
-     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
-  </remarks>
-</resource>
+    <resource uuid="ac5d7535-f3b8-45d3-bf3b-735c82c64547">
+      <title>Data Flow Diagram</title>
+      <description>
+        <p>The primary data flow diagram.</p>
+      </description>
+      <prop name="type" value="image" class="data-flow" />
+      <rlink href="./attachments/diagrams/dataflow.png"/>
+      <base64 filename="dataflow.png" media-type="image/png">00000000</base64>
+      <remarks>
+        <p>Section 8.1, Figure 8-3 Data Flow Diagram (graphic)</p>
+        <p>This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"</p>
+        <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+        <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
+        <p>Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.</p>
+      </remarks>
+    </resource>
   </back-matter>
 </system-security-plan>

src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml

@@ -169,7 +169,7 @@
             <description>
                <p>A diagram-specific explanation.</p>
             </description>
-            <link href="./diagram.png" rel="diagram"/>
+            <link href="./ssp-all-VALID.xml" rel="diagram"/>
             <caption>Authorization Boundary Diagram</caption>
          </diagram>
     </authorization-boundary>

src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml

@@ -193,7 +193,7 @@
         <description>
           <p>A diagram-specific explanation.</p>
         </description>
-        <link href="./diagram.png" rel="diagram"/>
+        <link href="./ssp-all-VALID.xml" rel="diagram"/>
         <caption>Data Flow Diagram</caption>
       </diagram>
     </data-flow>

src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-INVALID.xml

@@ -1,9 +1,6 @@
 <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
   <system-characteristics>
     <network-architecture>
-      <description>
-        <p>A holistic, top-level explanation of the network architecture.</p>
-      </description>
       <diagram uuid="e97c3395-433a-48c1-8cc7-dd1e1555941c">
         <link href="#61081e81-850b-43c1-bf43-1ecbddcb9e7f" rel="diagram"/>
       </diagram>

src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml

@@ -181,7 +181,7 @@
         <description>
           <p>A diagram-specific explanation.</p>
         </description>
-        <link href="./diagram.png" rel="diagram"/>
+        <link href="./ssp-all-VALID.xml" rel="diagram"/>
         <caption>Network Diagram</caption>
       </diagram>
     </network-architecture>

src/validations/constraints/fedramp-external-constraints.xml

@@ -56,9 +56,9 @@
     <context>
         <metapath target="/system-security-plan"/>
         <constraints>
-            <let var="authorization-boundary-link" expression="system-characteristics/authorization-boundary/diagram/link/@href"/>
-            <let var="data-flow-link" expression="system-characteristics/data-flow/diagram/link/@href"/>
-            <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
+            <let var="authorization-boundary-href" expression="system-characteristics/authorization-boundary/diagram/link/@href"/>
+            <let var="data-flow-href" expression="system-characteristics/data-flow/diagram/link/@href"/>
+            <let var="network-architecture-href" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
             <let var="sensitivity-level-floor" expression=
@@ -72,17 +72,17 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
             </expect>
-            <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
+            <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/authorization-boundary/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($authorization-boundary-href, '#') and prop[@name='type' and @value='image' and @class='authorization-boundary']]) = 1" level="ERROR">
                 <formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
                 <message>A FedRAMP SSP MUST include an authorization boundary diagram.</message>
             </expect>
-            <expect id="has-data-flow-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/data-flow/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($data-flow-link, '#')])" level="ERROR">
+            <expect id="has-data-flow-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/data-flow/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($data-flow-href, '#') and prop[@name='type' and @value='image' and @class='data-flow']]) = 1" level="ERROR">
                 <formal-name>Has Data Flow Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
                 <message>A FedRAMP SSP MUST include a data flow diagram.</message>
             </expect>
-            <expect id="has-network-architecture-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/network-architecture/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($network-architecture-link, '#')])" level="ERROR">
+            <expect id="has-network-architecture-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/network-architecture/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($network-architecture-href, '#') and prop[@name='type' and @value='image' and @class='network-architecture']]) = 1" level="ERROR">
                 <formal-name>Has Network Architecture Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
                 <message>A FedRAMP SSP MUST include a network architecture diagram.</message>