cloud-native-security-controls / controls-catalog

Apache License 2.0

Configure CI #3

Closed JonZeolla closed 1 year ago

JonZeolla commented 1 year ago

We should frame out some initial CI linters.

JonZeolla commented 1 year ago

OSCAL, XML, CSV, MD to start

xee5ch commented 1 year ago

So I have started to build out local code to define a CNSWP catalog, an SSCP catalog, I can set up the resolver to combine them, and then export OSCAL JSON+XML+YAML. I will then need to talk about exporting out MD and CSV with some custom transformation scripts in a language/style of your choice. All of that can be run for CD in GitHub Actions.

When is your next meeting to discuss this and help you all move forward (if this appeals to you)? If this is moving a little too fast, I am also fine coming to meet with all of you, understand who you are, what you want to accomplish, and better design a flow with those things in mind. Lemme know!

JonZeolla commented 1 year ago

@xee5ch I wouldn't worry about the MD/CSV side. I expect we will have those in this repo, but they may either be inputs or tangential to the oscal. I just noted them in my prior message so we could get linters on them and standardize formatting.

In the short-term if we can get our existing CSV schema to OSCAL that would be powerful because we have some people working on data improvements to the CSV in parallel

JonZeolla commented 1 year ago

Our next meeting is Tuesday the 23rd. We may have some time to discuss this but primarily we will be discussing https://github.com/cloud-native-security-controls/controls-catalog/issues/14 - the Slack channel is another great place to get feedback. I'll x-post this

xee5ch commented 1 year ago

> @xee5ch I wouldn't worry about the MD/CSV side. I expect we will have those in this repo, but they may either be inputs or tangential to the oscal. I just noted them in my prior message so we could get linters on them and standardize formatting.

OK, thanks for the clarification.

> In the short-term if we can get our existing CSV schema to OSCAL that would be powerful because we have some people working on data improvements to the CSV in parallel

Cool, OK. I will soon push up the catalogs and some resolution pipeline code in a PR branch for discussion/collaboration here. Maybe it gets discussed at another meeting if applicable.

JonZeolla commented 1 year ago

Perfect, thanks!

JonZeolla commented 1 year ago

@xee5ch were you interested in taking this work on? Didn't want to assign it to you without knowing for sure

xee5ch commented 1 year ago

> @xee5ch were you interested in taking this work on? Didn't want to assign it to you without knowing for sure

I am definitely interested but got a little busy with work and extracurricular projects. Expect some work later in the week and over the coming weekend. :-)

I am sorry I did not come to today's meeting. I was teaching people how to set up GitHub Actions CI/CD for their OSCAL for colleagues at work, and that took precedence today, but not moving forward!

JonZeolla commented 1 year ago

@xee5ch no worries! Sounds good, ty

xee5ch commented 1 year ago

OK, per conversation I am going to work on rounding off the two separate catalogs (one for CNSWP and the other for SSCP controls), build profile(s) to combine them and automate that in GHA as agreed.

There were also some open questions from today about how to track obsolete controls from v1 to v2 and updated new controls moved forward from v1 to v2 catalogs as well. @JonZeolla, where do you want me to draft out recommendations or a design on that? Let me know!
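One check worth having in the CI lint step that the thread plans for the combined profile: before resolution, confirm that every import in the profile points at a known catalog and that every control id the profile selects actually exists in that catalog, so a stale or mistyped id fails the build instead of silently dropping out of the resolved catalog. This is an added example, not code from the controls-catalog project; the CNSWP and SSCP catalog documents, the profile, the file names and the control ids are all constructed sample data.

```python
"""Added example (not the controls-catalog project's own code): a pre-resolution
lint for an OSCAL profile that imports two catalogs (CNSWP and SSCP here).
All catalog/profile content below is constructed sample data; ids are illustrative."""
import json

# Constructed sample catalogs (minimal OSCAL JSON shape: catalog -> groups -> controls).
CNSWP_CATALOG = json.dumps({"catalog": {"uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "CNSWP (sample)"},
    "groups": [{"id": "cnswp-g1", "controls": [{"id": "cnswp-1", "title": "Sample control 1"},
                                               {"id": "cnswp-2", "title": "Sample control 2"}]}]}})
SSCP_CATALOG = json.dumps({"catalog": {"uuid": "22222222-2222-4222-8222-222222222222",
    "metadata": {"title": "SSCP (sample)"},
    "controls": [{"id": "sscp-1", "title": "Sample control A",
                  "controls": [{"id": "sscp-1.1", "title": "Sample subcontrol"}]}]}})
# Constructed profile that combines both catalogs; "sscp-9" exists in neither catalog.
PROFILE = json.dumps({"profile": {"uuid": "33333333-3333-4333-8333-333333333333",
    "metadata": {"title": "Combined (sample)"},
    "imports": [{"href": "cnswp.json", "include-controls": [{"with-ids": ["cnswp-1", "cnswp-2"]}]},
                {"href": "sscp.json", "include-controls": [{"with-ids": ["sscp-1.1", "sscp-9"]}]}]}})

def control_ids(catalog_json: str) -> set[str]:
    """Collect every control id in a catalog, descending nested groups and controls."""
    found: set[str] = set()
    def walk(node: dict) -> None:
        for ctl in node.get("controls", []):
            found.add(ctl["id"])
            walk(ctl)                      # controls may nest controls
        for grp in node.get("groups", []):
            walk(grp)                      # groups may nest groups and controls
    walk(json.loads(catalog_json)["catalog"])
    return found

def lint_profile(profile_json: str, catalogs: dict[str, str]) -> list[str]:
    """Return one finding per unresolved import href or unknown with-ids entry."""
    findings: list[str] = []
    for imp in json.loads(profile_json)["profile"].get("imports", []):
        href = imp.get("href", "")
        if href not in catalogs:
            findings.append(f"import {href!r} does not resolve to a known catalog")
            continue
        ids = control_ids(catalogs[href])
        for sel in imp.get("include-controls", []):
            for cid in sel.get("with-ids", []):
                if cid not in ids:
                    findings.append(f"{href}: control id {cid!r} not found in catalog")
    return findings
if __name__ == "__main__":
    for line in lint_profile(PROFILE, {"cnswp.json": CNSWP_CATALOG, "sscp.json": SSCP_CATALOG}):
        print(line)
```

In a GitHub Actions job the script would run against the real catalog files and exit non-zero when `lint_profile` returns any findings.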