defenseunicorns / lula

The Compliance Validator
Apache License 2.0

Assessment Findings don't account for multiple components evaluating against the same Control ID #500

Open meganwolf0 opened 4 weeks ago

meganwolf0 commented 4 weeks ago

Environment

Device and OS:
App version:
Kubernetes distro:
Kubernetes version:
provider:

Steps to reproduce

  1. Aggregate multiple components that specify the same control
  2. lula validate -f <oscal.yaml>

Expected result

Assessment results model should report on each Finding, or at least document the individual implemented requirement text/information

Actual Result

Findings take only one implemented requirement's text/data, which omits information that might be relevant/important from other implemented requirements

Visual Proof (screenshots, videos, text, etc)

Severity/Priority

Medium

Additional Context

brandtkeller commented 2 weeks ago

@meganwolf0 Can you elaborate on:

Assessment results model should report on each Finding, or at least document the individual implemented requirement text/information

Is this with respect to a Finding description only being from one implemented-requirement?

meganwolf0 commented 2 weeks ago

@meganwolf0 Can you elaborate on:

Assessment results model should report on each Finding, or at least document the individual implemented requirement text/information

Is this with respect to a Finding description only being from one implemented-requirement?

Yeah - basically that only the text from one implemented requirement is pulled into findings.description, so you're losing some info there if there are multiple components implementing the Control
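The aggregation gap described in this thread, as an added example that is not Lula's own code: with a last-writer-wins map keyed by control ID, the finding for a control implemented by several components keeps only one component's implemented-requirement text. The `Component`, `ImplementedRequirement` and `Finding` types below are simplified hypothetical stand-ins for the OSCAL component-definition and assessment-results pieces, and the component titles and descriptions are constructed sample data; `naiveFindings` reproduces the reported behaviour and `aggregateFindings` shows one way to merge every implementing component's text into the finding, attributed to its source component.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ImplementedRequirement is a simplified stand-in (hypothetical, not Lula's
// type) for a component's implemented-requirement entry.
type ImplementedRequirement struct {
	ControlID   string
	Description string
}

// Component is a simplified stand-in for an OSCAL component with the
// requirements it implements.
type Component struct {
	Title        string
	Requirements []ImplementedRequirement
}

// Finding is a simplified assessment-results finding keyed by control ID.
type Finding struct {
	ControlID   string
	Description string   // implemented-requirement text that reached the finding
	Components  []string // titles of the components that contributed text
}

// naiveFindings reproduces the reported behaviour: each component's entry
// for a control ID overwrites whatever an earlier component wrote, so only
// the last implemented requirement's text survives in the finding.
func naiveFindings(components []Component) map[string]Finding {
	findings := make(map[string]Finding)
	for _, c := range components {
		for _, req := range c.Requirements {
			findings[req.ControlID] = Finding{
				ControlID:   req.ControlID,
				Description: req.Description,
				Components:  []string{c.Title},
			}
		}
	}
	return findings
}

// aggregateFindings builds one Finding per control ID but keeps every
// implemented requirement's description, prefixed with the component title
// so a reviewer can tell which component each statement came from.
func aggregateFindings(components []Component) map[string]Finding {
	findings := make(map[string]Finding)
	for _, c := range components {
		for _, req := range c.Requirements {
			f := findings[req.ControlID]
			f.ControlID = req.ControlID
			entry := fmt.Sprintf("[%s] %s", c.Title, req.Description)
			if f.Description == "" {
				f.Description = entry
			} else {
				f.Description += "\n" + entry
			}
			f.Components = append(f.Components, c.Title)
			findings[req.ControlID] = f
		}
	}
	return findings
}

// sortedControlIDs returns the finding keys in a stable order for display.
func sortedControlIDs(findings map[string]Finding) []string {
	ids := make([]string, 0, len(findings))
	for id := range findings {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// sampleComponents is constructed input: two components that both implement
// control ac-3, and one that additionally implements sc-8.
func sampleComponents() []Component {
	return []Component{
		{Title: "Istio", Requirements: []ImplementedRequirement{
			{ControlID: "ac-3", Description: "Authorization policies restrict service-to-service access."},
			{ControlID: "sc-8", Description: "Mutual TLS protects data in transit between workloads."},
		}},
		{Title: "Pepr", Requirements: []ImplementedRequirement{
			{ControlID: "ac-3", Description: "Admission policy rejects pods that lack an explicit service account."},
		}},
	}
}

func main() {
	agg := aggregateFindings(sampleComponents())
	for _, id := range sortedControlIDs(agg) {
		f := agg[id]
		fmt.Printf("%s (from %s):\n%s\n\n", id, strings.Join(f.Components, ", "), f.Description)
	}
}
```

Running the block prints the ac-3 finding with both the Istio and Pepr text, whereas `naiveFindings` on the same input yields an ac-3 finding carrying only the Pepr description, which is the information loss the issue reports.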