

Use ancestor predicate check & workaround for GSA#940
After some debugging we determined that the ancestor axis in a predicate is
not properly evaluated _unless_ you explicitly declare a namespace
binding and use the prefix in this case. This variation
works around metaschema-framework/metaschema-java#291 to successfully
filter the target and evaluate the test.
Gabeblis authored and aj-stein-gsa committed Dec 12, 2024
1 parent f010473 commit c9bff17
Showing 1 changed file with 39 additions and 19 deletions.
58 changes: 39 additions & 19 deletions src/validations/constraints/fedramp-external-constraints.xml
Expand Up @@ -4,7 +4,7 @@
<!-- ================== -->
<!-- FedRAMP Extensions -->
<!-- ================== -->

<namespace-binding prefix="o" uri="http://csrc.nist.gov/ns/oscal/1.0" />
<context>
<metapath target="//user"/>
<constraints>
Expand Down Expand Up @@ -47,9 +47,6 @@
<context>
<metapath target="/system-security-plan"/>
<constraints>
<let var="authorization-boundary-href" expression="system-characteristics/authorization-boundary/diagram/link/@href"/>
<let var="data-flow-href" expression="system-characteristics/data-flow/diagram/link/@href"/>
<let var="network-architecture-href" expression="system-characteristics/network-architecture/diagram/link/@href"/>
<let var="import-profile-href" expression="import-profile/@href"/>
<let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
<let var="sensitivity-level-floor" expression=
Expand Down Expand Up @@ -80,21 +77,6 @@
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
<message>A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party.</message>
</expect>
<expect id="has-authorization-boundary-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/authorization-boundary/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($authorization-boundary-href, '#') and prop[@name='type' and @value='image' and @class='authorization-boundary']]) = 1" level="ERROR">
<formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
<message>A FedRAMP SSP MUST include an authorization boundary diagram.</message>
</expect>
<expect id="has-data-flow-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/data-flow/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($data-flow-href, '#') and prop[@name='type' and @value='image' and @class='data-flow']]) = 1" level="ERROR">
<formal-name>Has Data Flow Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
<message>A FedRAMP SSP MUST include a data flow diagram.</message>
</expect>
<expect id="has-network-architecture-diagram-link-href-target" target="." test="doc-available(resolve-uri(system-characteristics/network-architecture/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($network-architecture-href, '#') and prop[@name='type' and @value='image' and @class='network-architecture']]) = 1" level="ERROR">
<formal-name>Has Network Architecture Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
<message>A FedRAMP SSP MUST include a network architecture diagram.</message>
</expect>
<expect id="import-profile-has-available-document" target="import-profile" test="doc-available(resolve-uri($resolved-import-profile-href))" level="CRITICAL">
<formal-name>Import Profile has available document</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/3-working-with-oscal-files/#importing-the-fedramp-baseline"/>
Expand Down Expand Up @@ -639,4 +621,42 @@
</expect>
</constraints>
</context>

<context>
<metapath target="/system-security-plan/system-characteristics/authorization-boundary/diagram/link"/>
<constraints>
<let var="authorization-boundary-href" expression="@href"/>
<expect id="has-authorization-boundary-diagram-link-href-target"
target=".[ancestor::o:authorization-boundary and @rel='diagram']" test="doc-available(resolve-uri(.[not(starts-with(@href, '#'))]/@href)) or count(../../../../back-matter/resource[@uuid=substring-after($authorization-boundary-href, '#') and prop[@name='type' and @value='image' and @class='authorization-boundary']]) = 1" level="ERROR">
<formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
<message>A FedRAMP SSP MUST include an authorization boundary diagram.</message>
</expect>
</constraints>
</context>

<context>
<metapath target="/system-security-plan/system-characteristics/data-flow/diagram/link"/>
<constraints>
<let var="data-flow-href" expression="@href"/>
<expect id="has-data-flow-diagram-link-href-target" target=".[ancestor::o:data-flow and @rel='diagram']" test="doc-available(resolve-uri(.[not(starts-with(@href, '#'))]/@href)) or count(../../../../back-matter/resource[@uuid=substring-after($data-flow-href, '#') and prop[@name='type' and @value='image' and @class='data-flow']]) = 1" level="ERROR">
<formal-name>Has Data Flow Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-flow"/>
<message>A FedRAMP SSP MUST include a data flow diagram. DEBUG: href: {@href} rel: {@rel}</message>
</expect>
</constraints>
</context>

<context>
<metapath target="/system-security-plan/system-characteristics/network-architecture/diagram/link"/>
<constraints>
<let var="network-architecture-href" expression="@href"/>
<expect id="has-network-architecture-diagram-link-href-target" target=".[ancestor::o:network-architecture and @rel='diagram']" test="doc-available(resolve-uri(.[not(starts-with(@href, '#'))]/@href)) or count(../../../../back-matter/resource[@uuid=substring-after($network-architecture-href, '#') and prop[@name='type' and @value='image' and @class='network-architecture']]) = 1" level="ERROR">
<formal-name>Has Network Architecture Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#network-architecture"/>
<message>A FedRAMP SSP MUST include a network architecture diagram. DEBUG: href: {@href} rel: {@rel}</message>
</expect>
</constraints>
</context>

</metaschema-meta-constraints>
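Review bot: The messages of the data-flow and network-architecture expects still carry debugging output, `DEBUG: href: {@href} rel: {@rel}`, while the authorization-boundary message in the same hunk does not; these strings are what end users see in validation reports, so they should be trimmed to match the first, e.g. `<message>A FedRAMP SSP MUST include a data flow diagram.</message>` and the corresponding network-architecture line. The three `let` variables are bound to `@href` but each test re-reads `@href` directly in `.[not(starts-with(@href, '#'))]/@href`, so the two branches of the `or` can drift apart; referencing the variable in both places (`$data-flow-href[not(starts-with(., '#'))]`) would keep them obviously in step. It would also help to note, in a short XML comment above each context, that `../../../../back-matter/resource` relies on the fixed depth `system-security-plan/system-characteristics/<diagram-kind>/diagram/link` pinned by the metapath target, and that `doc-available(resolve-uri(...))` dereferences an href taken from the document under validation — the latter predates this change, but a reader of the new contexts has no hint that an external fetch is expected here.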

