usnistgov / OSCAL

Open Security Controls Assessment Language (OSCAL)
https://pages.nist.gov/OSCAL/

Broken links in profiles #534

Closed wendellpiez closed 4 years ago

wendellpiez commented 4 years ago

Describe the bug

As observed by one of our workshop participants, at least one call to a control from a profile is broken. (I can report more on where it is.)

Who is the bug affecting?

Anyone who tries to use one of the broken profiles.

Expected behavior (i.e. solution)

No links in published profiles should be broken.

Other Comments

This bug could be banished forever with a validation check (under CI/CD) that would detect broken references to controls from profiles. An old Schematron is in the repo and could be refitted to current models and tested (although note that profile resolution or at least its selection logic is a dependency for a comprehensive solution).

wendellpiez commented 4 years ago

I spun off a small Schematron to perform simple link checking from calls on controls from profiles.

@brianrufgsa this is what I see when I apply it to the FedRAMP baselines:

[screenshot]

Indeed, when I look at the catalogs cited by FedRAMP HIGH and MODERATE, they do not have the -fr suffix. (It's just ac-8.)

I will make a PR with the Schematron in it and report back.

Meanwhile these can be repaired easily enough.
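The check described in this comment, written out as an added example rather than the repository's own Schematron: it collects every control id a profile calls, compares them against the control ids the catalog actually defines, and flags the ones that resolve to nothing. It is written in Python instead of Schematron so it can run stand-alone; the OSCAL namespace, the `with-id` and `call/@control-id` element names, and both sample documents are assumptions of the example, constructed to mirror the `ac-8-fr` versus `ac-8.fr` mismatch the thread is about.

```python
"""Broken-link check for control calls from an OSCAL profile into its catalog.

Added example (not the repository's Schematron). It walks a profile, gathers the
control ids it calls, and reports any id the catalog does not define. Element
names (with-id in newer profile syntax, call/@control-id in older syntax) and the
OSCAL namespace are assumptions; the two sample documents are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = "http://csrc.nist.gov/ns/oscal/1.0"  # assumed OSCAL XML namespace

# Constructed catalog: an empty ac-8 with ac-8.fr (dot, not dash) nested under it,
# the layout the thread describes for the FedRAMP catalog.
CATALOG_XML = f"""<catalog xmlns="{NS}" id="sample-catalog">
  <group id="ac">
    <control id="ac-1"><title>Policy</title></control>
    <control id="ac-8">
      <control id="ac-8.fr"><title>Agency addition</title></control>
    </control>
  </group>
</catalog>"""

# Constructed profile: ac-8-fr (dash) and ac-9 do not exist in the catalog above.
PROFILE_XML = f"""<profile xmlns="{NS}" id="sample-profile">
  <import href="sample-catalog.xml">
    <include-controls>
      <with-id>ac-1</with-id>
      <with-id>ac-8</with-id>
      <with-id>ac-8-fr</with-id>
    </include-controls>
    <call control-id="ac-9"/>
  </import>
</profile>"""


def catalog_control_ids(catalog_xml: str) -> set[str]:
    """Every control id defined anywhere in the catalog, nested controls included."""
    root = ET.fromstring(catalog_xml)
    return {c.get("id") for c in root.iter(f"{{{NS}}}control") if c.get("id")}


def profile_called_ids(profile_xml: str) -> list[str]:
    """Control ids the profile calls, in document order, under either assumed syntax."""
    root = ET.fromstring(profile_xml)
    called: list[str] = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the namespace from the tag
        if local == "with-id" and el.text:
            called.append(el.text.strip())
        elif local == "call" and el.get("control-id"):
            called.append(el.get("control-id"))
    return called


def broken_links(profile_xml: str, catalog_xml: str) -> list[str]:
    """Ids the profile calls that the catalog does not define."""
    defined = catalog_control_ids(catalog_xml)
    return [cid for cid in profile_called_ids(profile_xml) if cid not in defined]


def suggest_fix(missing: str, defined: set[str]) -> str | None:
    """Heuristic repair hint for a dash/dot mix-up such as ac-8-fr versus ac-8.fr."""
    for candidate in defined:
        if candidate != missing and candidate.replace(".", "-") == missing.replace(".", "-"):
            return candidate
    return None


if __name__ == "__main__":
    defined = catalog_control_ids(CATALOG_XML)
    for cid in broken_links(PROFILE_XML, CATALOG_XML):
        hint = suggest_fix(cid, defined)
        print(f"broken call to '{cid}'" + (f" (did you mean '{hint}'?)" if hint else ""))
```

Run against real files, the two constants would be replaced by the catalog each `import/@href` points at, which is the piece the Schematron also needs profile resolution for; the check above deliberately stops at "does this id exist in the imported catalog", which is enough to catch the dash-for-dot typo without resolving the whole profile.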

brian-ruf commented 4 years ago

@wendellpiez This is very helpful! It accounts for an error I noticed in the resolved profile catalogs recently, but haven't had a chance to track down.

For what it's worth, the fedramp catalog has ac-8.fr (dot, not dash) under an empty ac-8, as a way of inserting it as a child control to AC-8. (If there is a more appropriate way to do this, please let me know.)

The problem is there are dashes in the profiles instead of dots. (ac-8-fr should be ac-8.fr) When the more robust alter/add syntax is available, I'll make this correction along with those changes and push the fix.

david-waltermire commented 4 years ago

This work is being done in PR #546. PR #516 contains a schema fix, which has been merged into master. PR #546 needs to be rebased against master to pick up these changes.

david-waltermire commented 4 years ago

PR #539 implements a link checker that needs to be implemented in the CI/CD pipeline.

@wendellpiez is writing an issue to integrate this into the CI/CD pipeline.