-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Develop a Testing Strategy and Requirements Document #321
Comments
3/7/2019 - @howieavp76 has just started. Has become top priority now that other issues are resolved. Expect significant progress by next status meeting. |
First draft of the requirements document is attached. It lays out the overall requirements, phases, and strategy for development. I was unclear on the Product Owner v/s Product Sponsor role but we can address those changes during the review/comment process for this document. |
I have also created the App Shell and began to frame out the testing harness. Assuming the requirements document is generally accepted, I can begin build out throughout the next sprint. Recommend closing this issue as the requirements document is complete (or closing after review/comment) and opening a new issue for Testing MVP 1. |
3/14/2019This document needs review. Early review of the document has identified a need to better document the initial set of tests to be implemented. Some discussion/brainstorming is needed to flesh out the initial test scope. Testing can then be iteratively enhanced on an ongoing basis. @wendellpiez and @david-waltermire-nist will meet early the week of 3/18 to identify initial test scope. @wendellpiez and @howieavp76 will update the test documentation to include this initial scope in the next sprint. |
03/21/2019@howieavp76 and @wendellpiez met today and got the necessary information to develop a harness. Understood how to do the testing. An API will be provided to testers. The issue identifies not the testing but the document that defines the testing methodology. The documentation will be provided leveraging the existing draft. MVP 1 - details,2 & 3 - higher level |
03/28/2019Not much progress was done due to @howieavp76 personal issues |
One thing that I would add to be helpful is to be able to send a request for validation remotely say from GitHub and get a response back as to being valid OSCAL or not. |
@howieavp76 - please remove asap the logo from the OSCAL page. We do not have any logo approved for use to start with. Also, NIST did not receive any logo files, so, as of today, this is not our logo because we do not have it. We can use a logo when we will have the approval from DoC. |
@iMichaela - no problem, I just had it on the test kit on my local box (it wasn't on the website). I have removed the logo as you see in the screenshot below. |
@redhatrises - completely agree. The front end sits on top of a set of validation APIs. The goal is to be able to run the code in a container locally to validate or to do remote calls via API as part of the CI/CD to validate. |
@iMichaela - I am rebasing to Wendell's latest version then I will push up the logo files so you have them. |
@howieavp76 is this testing interface something that you plan to merge into |
@anweiss - right now I have it as a separate project. I could easily merge it in but worry the Git management will get complex. Goal is to merge into the CI/CD pipeline. This could be done with a script to call the back-end API or curl commands to pass local files back for validation. I built a front-end so it is more approachable for the non-technical. This does not prohibit backend calls to script test processes in CI/CD. Hopefully, it will allow a best of both worlds approach. |
@anweiss - my other goal is to create a front end tool for creating OSCAL XML so that policy owners can convert their documents to OSCAL without having to be XML gurus. That would let people create new OSCAL files and then test them in the GUI to see how it works (why I called it the OSCAL UX). They could then test their new OSCAL XML directly in the tool to make sure it is compliant before using it in a downstream tool. Plan to make this super simple as a PoC of what should be possible to tool vendors. |
@howieavp76 We need to get on the same page. I'm already working on a tool to manage catalog and profile content. You've been in meetings where we discussed this, such as the working session where we discussed the milestone release target. |
@brianrufgsa - happy to chat more, this is not intended to compete or replace the tool you were working on. It is just a simple UI to show the basic functionality for schema validation. My scope is now to develop test documents that push all the edge cases and then run them in batch to make sure the schema holds up and the files created are valid. There is only overlap because I am on the very basic MVP side, this tool will diverge to be heavy focused on batching testing to integrate with the CI/CD going forward. Now that I have the basics in place for XML, will put the basics in place for JSON. From there, I can build the test sets, batch processes, and integration with CI/CD. The UI will never advance beyond basic PoC, the value is in the test suite and its comprehensive coverage. |
You could also take a look at GitHub actions for running these tests as part of CI/CD, rather than relying on an externally-managed testing API, server, etc. |
4/4/2019 @david-waltermire-nist proposing near-term testing should focus on steps in the CI/CD pipeline. For all PR submitted against NIST OSCAL Master Branch, we do the following:
Successful or failed completion of these actions are indicated as a status check in the PR. |
@brianrufgsa - thanks for the clarity on requirements. Met with Wendall today and talked through strategy. He will provide me with a key value pair of XML docs to validate against XSD schemas. I have a Python script built now that can be called via command line for this function. I tested it with 4 test examples and the results were as expected, see below: jareds-mbp:oscalTest jaredhowerton$ sh schemaTests.sh Once I get the right priority docs/schemas to test, I will update the file to run the full suite of validations and we can plug that into CI/CD. Still looking into the best way to do the transformation testing. I have an approach on the timestamp checking but haven't coded that yet. |
Another example with real data, attempting to validate the FedRAMP profiles against the OSCAL profile schema:
All of the FedRAMP profiles failed the initial validation but it looks like an easy fix to correct. |
@howieavp76 - Yes. The original FedRAMP profiles are out of alignment with the current syntax. They were built with an early tool that was more of a proof-of-concept. They have a few other short-falls as well. For example, they don't reflect subtle differences in FedRAMP's control objectives, nor have they been expanded to tag FedRAMP's critical controls. I've avoided updating them because I hope to have the new open-source tool ready in the next few weeks, and plan to use it to re-generate the FedRAMP profiles more completely and using the latest syntax. |
For the XML/XSD validation, I am using xmlint. It is open source with some a simple Python script that can be called from the command line. |
@brianrufgsa - sounds awesome :) . Hope to have the testing tools ready so that you can output your new OSCAL xml files and have them checked in the CI/CD. Will be really cool to see it all working end to end. |
@redhatrises - had not seen that but our approaches are similar. I added some more formatted output with some enhanced telemetry that could be parsed in CI/CD for pass/fail logic. I also am working on a batch file to comprehensively cover all of the schemas to supported files that are being published. Haven't started on JSON yet but have the first 7 tests working for XML/XSD validation for catalogs and profiles. |
@howieavp76 @brianrufgsa yep, the FedRAMP samples are "known invalid" until further notice. That's actually a comfort, it slipped my mind that would be the case. (And the tool appears to be wired correctly.) |
OSCAL Testing Requirements Document rev2.docx |
04/11/2019The document listed above covers all the requirements from @david-waltermire-nist, @wendellpiez and @brianrufgsa . The document should be a live document to accomodate teh agile development. |
OSCAL Testing Requirements Document rev3.docx |
PR submitted with test scripts to allow integration with CI/CD. See: Testing Framework #340 . In addition - attached is the latest requirements document that shows which tests have been implemented. NOTE: Many currently fail which was the expected outcome. |
04-19-19@david-waltermire-nist will review the testing requirements document and then comment or close this issue. |
04/25/2019Waiting on @david-waltermire-nist to provide the comments. |
5/2/2019pending on @david-waltermire-nist to provide feedback |
5/9/2019@david-waltermire-nist to email @howieavp76 to setup meeting to discuss CI/CD integration. @david-waltermire-nist investigating NIST-approved build services as part of this effort. |
We have unit and round trip testing. This was implemented a long time ago. Closing. |
User Story:
As an OSCAL content owner, I need to document requirements for testing to allow future stage prototyping and development
Goals:
OSCAL testing requirements document
Dependencies:
N/A
Acceptance Criteria
NIST approval of the requirements document
The text was updated successfully, but these errors were encountered: