cloud-native-security-controls / controls-catalog

Apache License 2.0

Update to latest OSCAL and define maintenance and sync process #35

Open sunstonesecure-robert opened 2 months ago

sunstonesecure-robert commented 2 months ago

https://github.com/cloud-native-security-controls/controls-catalog/blob/641bf4595e0bbe0dd443f63f2824c4e3644a9533/csv_to_oscal.py#L81

ATM this is now OSCAL 1.1.2, but probably by the time this gets going this will change. So a second aspect of this is how to maintain ongoing updates to OSCAL: wait for GHIs to be filed by users? Or add version-specific scripts to find breakages? Both? Neither?

Also, this is a good community volunteer item for wg-compliance to recruit help.

JonZeolla commented 2 months ago

Right now we don't have any compatibility guarantees, so I would lean towards updating as volunteers have time to complete the work, but if there are valid use cases to support multiple we could also consider parametrization and adding a matrix of supported versions to the pipeline.

brandtkeller commented 3 weeks ago

Is there an expectation that the CSV file is always the source of truth?

Contemplating tooling to support CSV to OSCAL (and reverse use-cases) more generically, but much of the reason for using OSCAL is the defined format for data, vs. CSV being arbitrary (without some standard in place).

I'd be willing to prototype some implementations and workflows around generation and maintenance, as well as possibly some stances (i.e. many versions of OSCAL vs. updating to latest).

What is meant by "sync process"?
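The two threads above (pinning the OSCAL version in the converter and having a script catch version drift, and CSV-to-OSCAL tooling with the CSV as system of record) can be illustrated with a small converter. This is an added example, not the repository's `csv_to_oscal.py` and not code from any of the participants. It assumes a CSV with the columns `id`, `family`, `title` and `statement` (the real catalog's columns are not shown in this issue), and it emits the OSCAL 1.x catalog skeleton (`catalog` with `metadata`, `groups` and `controls`); the field names are written from general knowledge of the catalog model and should be verified against the pinned OSCAL schema before relying on them.

```python
"""CSV -> OSCAL catalog with a single pinned OSCAL version and a drift check.

Added example, not the project's csv_to_oscal.py. CSV column names and the
sample rows below are constructed for illustration.
"""
import csv
import io
import json
import re
import uuid
from datetime import datetime, timezone

# Pin the OSCAL version in one place so upgrading the catalog is one edit
# (the issue names 1.1.2 as current at the time it was filed).
TARGET_OSCAL_VERSION = "1.1.2"

# Constructed sample rows standing in for the repository's CSV.
SAMPLE_CSV = """id,family,title,statement
CNSC-01,Identity,Least privilege,Workloads run with the minimum permissions required.
CNSC-02,Identity,MFA,Human accounts authenticate with a second factor.
CNSC-03,Supply chain,Provenance,Artifacts carry verifiable build provenance.
"""


def slug(text):
    """Turn a family name into an OSCAL-friendly group id (lowercase, hyphenated)."""
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def csv_to_catalog(csv_text, oscal_version=TARGET_OSCAL_VERSION,
                   title="Example catalog", version="0.1"):
    """Build an OSCAL catalog dict from CSV text, grouping controls by family."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        family = row["family"].strip()
        group = groups.setdefault(
            family, {"id": slug(family), "title": family, "controls": []})
        group["controls"].append({
            "id": row["id"].strip(),
            "title": row["title"].strip(),
            # The control's requirement text lives in a "statement" part.
            "parts": [{"name": "statement", "prose": row["statement"].strip()}],
        })
    return {"catalog": {
        "uuid": str(uuid.uuid4()),
        "metadata": {
            "title": title,
            "last-modified": datetime.now(timezone.utc).isoformat(),
            "version": version,
            "oscal-version": oscal_version,
        },
        "groups": list(groups.values()),
    }}


def check_catalog(catalog, expected_version=TARGET_OSCAL_VERSION):
    """Return a list of problems; an empty list means the catalog passes.

    Checks the metadata fields OSCAL requires, that the declared oscal-version
    matches the pinned one (the "version-specific script" idea from the issue),
    and that control ids are unique across all groups.
    """
    problems = []
    body = catalog.get("catalog", {})
    meta = body.get("metadata", {})
    for key in ("title", "last-modified", "version", "oscal-version"):
        if key not in meta:
            problems.append(f"missing metadata.{key}")
    declared = meta.get("oscal-version")
    if declared is not None and declared != expected_version:
        problems.append(f"oscal-version {declared} != pinned {expected_version}")
    seen = set()
    for group in body.get("groups", []):
        for control in group.get("controls", []):
            if control["id"] in seen:
                problems.append(f"duplicate control id {control['id']}")
            seen.add(control["id"])
    return problems


if __name__ == "__main__":
    cat = csv_to_catalog(SAMPLE_CSV)
    print(json.dumps(cat, indent=2))
    print("problems:", check_catalog(cat) or "none")
```

Running `check_catalog` in CI against the generated JSON turns an OSCAL bump into a deliberate change to `TARGET_OSCAL_VERSION` rather than something discovered later through a user-filed issue; a full schema validation against the OSCAL JSON schema for that version would be the next step beyond these structural checks.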

JonZeolla commented 3 weeks ago

Right now, yes, the CSV is the system of record. I am open to this changing. It was a simple place to start.

brandtkeller commented 3 weeks ago

Without another interface... CSV may be the human readable form 🤔