Closed butler54 closed 3 years ago
Will add more details - a placeholder for now.
Based on discussion with Anca, this is a need. The question is which language we use to express constraints. This looks promising https://github.com/amer-ali/jsontron - much like what schematron would look like for xml.
This issue is to validate an acceptable design only. I've tagged it for Sprint 2 with Shaila and Jeff both on this. I think this may be more work than we think.
@jeffdmgit Here is the jsontron tutorial as discussed: https://amer-ali.github.io/jsontron/Jsontron-tutorial-v1.pdf
Related issues open in usnistgov/metaschema
Summary (need-to-be-verified)
Code
The integration branch https://github.com/david-waltermire-nist/OSCAL/tree/metaschema-m4-integration has a working version of this.
Data validation using jsontron https://github.com/amer-ali/jsontron - Example
Goal: All assessment result observation properties MUST be of ns (namespace) "IBM"
Sample JSON to validate: sample-OSCAL-assessment-result-observation.json
{
  "sample_ar_observation": {
    "uuid": "",
    "title": "CIS CentOS Linux 7 Benchmark 2.2.0:1.1.1.1, 192.168.122.4, Sep 11, 2020 at 5:12 PM AEST",
    "description": "IBM S&CC scan, CIS CentOS Linux 7 Benchmark 2.2.0:1.1.1.1, 192.168.122.4, 2020-09-11T17:12:00+1000",
    "properties": [
      {
        "ns": "IBM",
        "class": "id",
        "name": "scan",
        "value": "SGA Centos validation - Sep 11, 2020 at 5_12 PM AEST"
      },
      {
        "ns": "IBM",
        "class": "id",
        "name": "profile-name",
        "value": "CIS CentOS Linux 7 Benchmark 2.2.0"
      },
      {
        "ns": "IBM",
        "class": "id",
        "name": "rule",
        "value": "1.1.1.1"
      }
    ]
  }
}
Sample rule to be used by jsontron: rule-OSCAL-assessment-result-observation.json
{
  "schema": {
    "id": "OSCAL AR Observation Rules",
    "title": "Schematron Semantic Validation",
    "schemaVersion": "V1",
    "queryBinding": "jsonpath",
    "pattern": [
      {
        "id": "observation_properties",
        "title": "OSCAL AR Observation Properties",
        "abstract": false,
        "rule": [
          {
            "id": "ns_ibm",
            "abstract": false,
            "context": "$.sample_ar_observation.properties.*",
            "assert": [
              {
                "id": "assertid1",
                "test": "jp.query(contextNode, '$..ns') == 'IBM'",
                "message": "Assert 1: All observation properties MUST be of ns (namespace) IBM"
              }
            ]
          }
        ]
      }
    ]
  }
}
Command
node $JSONValidator -i sample-OSCAL-assessment-result-observation.json -r rule-OSCAL-assessment-result-observation.json -d
Output
Starting Semantic Validation .........
Parsing Pattern: observation_properties
1 Pattern(s) Requested. 1 Pattern(s) Processed. 0 Pattern(s) Ignored.
THIS INSTANCE IS SEMANTICALLY VALID
Completed Semantic Validation .........
Total Errors Found: 0
Total Warnings Found: 1
Total Validations: 3
Total Failed Assertions: 0
Full Validation Report :
Report {
  errors: [],
  warnings: [
    {
      schInstance: [Object [global]],
      schema: [Object],
      attribute: 'Phase',
      message: 'Parsing Warning. No phase found ',
      detail: "This schema doesn't have any phase defined . All Patterns will be processed."
    }
  ],
  validations: [
    {
      schRule: [Object],
      ruleContext: [Array],
      assertionid: 'assertid1',
      assertionTest: "jp.query(contextNode, '$..ns') == 'IBM'",
      message: 'successful',
      assertionValid: true
    },
    {
      schRule: [Object],
      ruleContext: [Array],
      assertionid: 'assertid1',
      assertionTest: "jp.query(contextNode, '$..ns') == 'IBM'",
      message: 'successful',
      assertionValid: true
    },
    {
      schRule: [Object],
      ruleContext: [Array],
      assertionid: 'assertid1',
      assertionTest: "jp.query(contextNode, '$..ns') == 'IBM'",
      message: 'successful',
      assertionValid: true
    }
  ],
  finalValidationReport: [],
  valid: true
}
Oct 21: Discussion
Attached image based on latest discussion.
Oct 26: Discussion
From a validation perspective, the expected scenario is:
To be discussed:
@butler54 @jeffdmgit Here is the response from the OSCAL team on the issue of Validating extra-schema constraints over JSON: https://github.com/usnistgov/OSCAL/issues/726
@vikas-agarwal76 - based on the exchange protocol requirements we should revisit this as an issue.
Issue description / feature objectives
FedRAMP (as an example) has defined expected values / conformance within the OSCAL schema (see here: https://github.com/GSA/fedramp-automation/blob/master/documents/FedRAMP_OSCAL_Registry.xlsx). It would be a good feature if validation could be extended with a conformance format of some type.
Completion Criteria
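
An added example, not part of the original thread and not jsontron code, relating to the `ns` rule in the jsontron example above: the rule's test compares the result of `jp.query` with a string using `==`, so if `jp.query` returns an array of matches (an assumption here), JavaScript coerces that array to a string before comparing. The sketch contrasts that comparison with a strict check; `collectKey`, `looseTest`, `strictTest`, `validate` and `summarize` are hypothetical names, and the input document is constructed.

```javascript
// Added example (not jsontron code). collectKey is a hypothetical stand-in for
// jp.query(node, '$..ns'): it returns every value stored under `key`, at any depth.
function collectKey(node, key, out = []) {
  if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k === key) out.push(v);
      collectKey(v, key, out);
    }
  }
  return out;
}

// The comparison as the rule writes it: array == string, so the array is
// coerced with toString() before comparing.
function looseTest(prop) {
  return collectKey(prop, 'ns') == 'IBM';
}

// Strict form: the property is an object whose own "ns" member is the string "IBM".
function strictTest(prop) {
  return prop !== null && typeof prop === 'object' && !Array.isArray(prop) &&
    Object.prototype.hasOwnProperty.call(prop, 'ns') && prop.ns === 'IBM';
}

// Apply a test to each entry, mirroring the rule context
// $.sample_ar_observation.properties.*
function validate(doc, test) {
  return doc.sample_ar_observation.properties.map((p) => test(p));
}

// Constructed input: entry 0 is taken from the sample; 1-3 are constructed edge cases.
const constructedDoc = {
  sample_ar_observation: {
    properties: [
      { ns: 'IBM', class: 'id', name: 'rule', value: '1.1.1.1' },
      { ns: ['IBM'], class: 'id', name: 'rule', value: '1.1.1.1' }, // ns has the wrong type
      { class: 'id', name: 'rule', value: '1.1.1.1' },              // ns is missing
      { ns: 'ibm', class: 'id', name: 'rule', value: '1.1.1.1' },   // ns has the wrong case
    ],
  },
};

function summarize(doc) {
  return { loose: validate(doc, looseTest), strict: validate(doc, strictTest) };
}

console.log(summarize(constructedDoc));
```

The two results differ only on the entry whose `ns` is an array: the coerced comparison accepts it, the strict one does not.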