docker-archive / oscalkit

NIST OSCAL SDK and CLI
https://docker.github.io/oscalkit/

Add modify-add feature #52

Closed minhaj10p closed 5 years ago

minhaj10p commented 5 years ago

Description

Attempts to process manipulation attributes in the profile modify section. Linking to #12.

Feature set

  1. Concurrent import chain traversal is enabled to fetch the root catalog for each import
  2. Recursively searches the import chain for the controls/subcontrols referenced by the root profile for add manipulation attribute
  3. Appends parts with the same class instead of adding a new part

minhaj10p commented 5 years ago

Currently this PR is shutting down unit tests, as import chain traversal isn't possible without a file system. If you can approve, we can commit mock profiles to pass those tests.

anweiss commented 5 years ago

@minhaj10p would it be possible to include the mocks in this PR?

minhaj10p commented 5 years ago

Sure. I can create a folder and put some profiles in it. Another thing that just occurred to me is that we always put the manipulation attributes in the same profile, so it never has to go into the import chain to find the manipulation attribute. I can try and see if that works.

minhaj10p commented 5 years ago

@anweiss Tests updated. All are passing now with 73.0% code coverage

minhaj10p commented 5 years ago

@anweiss Let me know if there's anything you need changed in this pull request. Thanks.

anweiss commented 5 years ago

@minhaj10p I tested this on my end with the FedRAMP High profile, and it looks like it's appending some erroneous structs. For example:

Parts: []catalog.Part{
    catalog.Part{
        Id:    "ir-9_smt",
        Class: "statement",
        Title: "",
    },

    catalog.Part{
        Id:    "ir-9_gdn",
        Class: "guidance",
        Title: "",
    },

    catalog.Part{
        Id:    "ir-9_obj",
        Class: "objective",
        Title: "",
    },

    catalog.Part{
        Id:    "",
        Class: "assessment",
        Title: "",
    },

    catalog.Part{
        Id:    "",
        Class: "assessment",
        Title: "",
    },

    catalog.Part{
        Id:    "",
        Class: "assessment",
        Title: "",
    },

    catalog.Part{
        Id:    "",
        Class: "justification",
        Title: "",
    },
},

Note the empty "assessment" and "justification" parts.

Also as far as the Prose, you should be able to just include it in your template.

minhaj10p commented 5 years ago

@anweiss These erroneous-looking parts are coming from the NIST-80053 catalog, where the parts have no ids and only classes:

         <part class="assessment">
            <prop class="method">EXAMINE</prop>
            <part class="objects">
               <p>Incident response policy</p>
               <p>procedures addressing information spillage</p>
               <p>incident response plan</p>
               <p>records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage</p>
               <p>list of actions to be performed regarding information spillage</p>
               <p>other relevant documents or records</p>
            </part>
         </part>
         <part class="assessment">
            <prop class="method">INTERVIEW</prop>
            <part class="objects">
               <p>Organizational personnel with incident response responsibilities</p>
               <p>organizational personnel with information security responsibilities</p>
            </part>
         </part>
         <part class="assessment">
            <prop class="method">TEST</prop>
            <part class="objects">
               <p>Organizational processes for information spillage response</p>
               <p>automated mechanisms supporting and/or implementing information spillage response actions and related communications</p>
            </part>
         </part>

I haven't been able to implement nested parts in our code generation. The last part with the justification class comes from the profile, with no id in the profile. They probably look erroneous because they don't have the Prose section populated.

It looks somewhat like this if just included in the template:

    catalog.Part{
        Id:  "ir-9_obj",
        Class: "objective",
        Title: "",
        Prose: "{{ } [] [p] [{{http://csrc.nist.gov/ns/oscal/1.0 p} [] [] [] [] [] [] [] [] [] [] [] Determine if the organization:  }] [] [] []
        }",
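
As an added example (not oscalkit's own code), the following Go snippet shows the modify/add rule from the PR description (a part whose class already exists on the control has its prose appended to that part; a new class becomes a new part) and a check for the id-less, prose-less parts that print as the "empty" structs discussed above. The `Part` and `Control` types are simplified stand-ins for `catalog.Part` and its control, and the ir-9 data, the added parts and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Part is a simplified stand-in for oscalkit's catalog.Part (Id, Class, Title,
// Prose). Hypothetical type for this example, not the project's generated code.
type Part struct {
	Id    string
	Class string
	Title string
	Prose string
}

// Control holds a control id and its parts (simplified for the example).
type Control struct {
	Id    string
	Parts []Part
}

// ApplyAdd merges parts from a profile's modify/add into a control following
// the rule from the PR description: a part whose class already exists on the
// control has its prose appended to that part; a part with a new class is
// appended as a new part. The input control is not mutated.
func ApplyAdd(ctrl Control, added []Part) Control {
	out := Control{Id: ctrl.Id, Parts: append([]Part(nil), ctrl.Parts...)}
	for _, a := range added {
		idx := -1
		for i, p := range out.Parts {
			if p.Class == a.Class {
				idx = i
				break
			}
		}
		if idx < 0 {
			out.Parts = append(out.Parts, a)
			continue
		}
		p := &out.Parts[idx]
		if p.Prose == "" {
			p.Prose = a.Prose
		} else if a.Prose != "" {
			p.Prose = p.Prose + "\n\n" + a.Prose
		}
		if p.Id == "" {
			p.Id = a.Id
		}
		if p.Title == "" {
			p.Title = a.Title
		}
	}
	return out
}

// UnpopulatedParts returns the classes of parts that have neither an id nor
// prose: the entries that show up as "empty" structs when prose is not carried
// through from the catalog or profile.
func UnpopulatedParts(ctrl Control) []string {
	var classes []string
	for _, p := range ctrl.Parts {
		if p.Id == "" && strings.TrimSpace(p.Prose) == "" {
			classes = append(classes, p.Class)
		}
	}
	return classes
}

// SampleControl is a constructed control resembling ir-9: three parts with
// ids plus three id-less assessment parts, as in the catalog excerpt above.
func SampleControl() Control {
	return Control{Id: "ir-9", Parts: []Part{
		{Id: "ir-9_smt", Class: "statement", Prose: "The organization responds to information spills ..."},
		{Id: "ir-9_gdn", Class: "guidance", Prose: "Information spillage refers to ..."},
		{Id: "ir-9_obj", Class: "objective", Prose: "Determine if the organization: ..."},
		{Class: "assessment", Prose: "EXAMINE: incident response policy; ..."},
		{Class: "assessment", Prose: "INTERVIEW: organizational personnel ..."},
		{Class: "assessment", Prose: "TEST: organizational processes ..."},
	}}
}

// SampleAdds are constructed modify/add parts: one matches an existing class
// (guidance) and one introduces a new class (justification) without an id.
func SampleAdds() []Part {
	return []Part{
		{Class: "guidance", Prose: "Added profile guidance for the control."},
		{Class: "justification", Prose: "Profile justification text."},
	}
}

func main() {
	merged := ApplyAdd(SampleControl(), SampleAdds())
	for _, p := range merged.Parts {
		fmt.Printf("%-14s %-10s %q\n", p.Class, p.Id, p.Prose)
	}
	// A part with only a class and no prose is what the quoted output showed.
	fmt.Println("unpopulated:", UnpopulatedParts(Control{Parts: []Part{{Class: "assessment"}}}))
}
```

With the sample data the merged control keeps its six catalog parts (the three id-less assessment parts included), gains one new justification part, and the guidance part carries both the catalog prose and the profile's addition; nothing is reported as unpopulated because every part has prose.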

anweiss commented 5 years ago

@minhaj10p ah ok. That makes sense. I'll try to see what I can come up with re. nested parts and prose to help you out on this.

minhaj10p commented 5 years ago

@anweiss if you merge this, let me know so I can rebase the other dependent branches.

anweiss commented 5 years ago

@minhaj10p after speaking internally with @justincormack, we can go ahead and merge this. Thanks again for your patience.