Squashed commit of the following:

commit 18a02c9 Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Wed Jan 8 09:37:15 2025 -0500 Hotfix styles (#1076) * style guide hotfix * Update fedramp-external-constraints.xml commit 60b3c50 Author: DimitriZhurkin <dimitri.zhurkin@noblis.org> Date: Wed Jan 8 07:14:14 2025 -0700 Add the inter-boundary-component-has-information-type constraint (#1066) * Add the inter-boundary-component-has-information-type constraint * clean up ssp-inter-boundary-component-has-information-type-INVALID.xml commit d7b0623 Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Tue Jan 7 14:47:44 2025 -0500 fix constraints (#1070) commit fc50a42 Author: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Fri Jan 3 14:21:47 2025 -0500 hotfix develop (#1064)
GSA · Jan 8, 2025 · 0defc68 · 0defc68
1 parent bb3e302
commit 0defc68
Show file tree

Hide file tree

Showing 7 changed files with 105 additions and 35 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -119,6 +119,7 @@ Examples:
   | information-type-has-confidentiality-impact |
   | information-type-has-integrity-impact |
   | information-type-system |
+  | inter-boundary-component-has-information-type |
   | interconnection-direction |
   | interconnection-security |
   | inventory-item-allows-authenticated-scan |
@@ -377,6 +378,8 @@ Examples:
   | information-type-id-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
+  | inter-boundary-component-has-information-type-FAIL.yaml |
+  | inter-boundary-component-has-information-type-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
   | interconnection-direction-PASS.yaml |
   | interconnection-security-FAIL.yaml |

diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts
@@ -1,23 +1,22 @@
-import { BeforeAll, BeforeStep, Given, Then, When, setDefaultTimeout, world } from "@cucumber/cucumber";
+import { BeforeAll, Given, Then, When, setDefaultTimeout } from "@cucumber/cucumber";
 import { expect } from "chai";
 import {
+  existsSync,
+  mkdirSync,
   readFileSync,
   readdirSync,
   unlinkSync,
   writeFileSync,
-  mkdirSync,
-  existsSync,
 } from "fs";
 import { load } from "js-yaml";
-import { executeOscalCliCommand, resolveProfile, resolveProfileDocument, validateDocument} from "oscal";
-import {checkServerStatus} from 'oscal/dist/server.js'
-import { dirname, join,parse, resolve } from "path";
-import { Exception, Log, Result } from "sarif";
+import { JSDOM } from 'jsdom';
+import { executeOscalCliCommand, formatSarifOutput, resolveProfileDocument, validateDocument } from "oscal";
+import { checkServerStatus } from 'oscal/dist/server.js';
+import { dirname, join, parse, resolve } from "path";
+import { Log } from "sarif";
 import { fileURLToPath } from "url";
-import { parseString } from "xml2js";
-import {JSDOM} from 'jsdom'
 import { promisify } from "util";
-import {formatSarifOutput} from 'oscal'
+import { parseString } from "xml2js";
 let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli'
 const quiet = process.env.OSCAL_TEST_QUIET === 'true'
 
@@ -686,6 +685,7 @@ Then('I should have valid results {string}', async function (fileToValidate) {
 
 Then('I should verify that all constraints follow the style guide constraint', async function () {
   const baseDir = join(__dirname, '..', '..');
+  const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml');
   const constraintDir = join(baseDir, 'src', 'validations', 'constraints');
   const constraintFiles = readdirSync(constraintDir).filter(file => 
     file.startsWith('fedramp') && file.endsWith('.xml')
@@ -701,7 +701,15 @@ Then('I should verify that all constraints follow the style guide constraint', a
       const fileContent = readFileSync(filePath, 'utf8');
       const dom = new JSDOM(fileContent, { contentType: 'text/xml' });
       const document = dom.window.document;
-
+      const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor)
+      writeFileSync(
+        join(
+          __dirname,
+          "../../sarif/",
+          fileName.split(".xml").join("").toString()+".sarif"
+        ),JSON.stringify(log, null,"\t"))  
+      const formattedErrors = (formatSarifOutput(log));
+      formattedErrors&&errors.push(formattedErrors)
       // Process each 'constraints' block separately
       document.querySelectorAll('constraints').forEach(constraintsNode => {
         // Get direct child elements with IDs within this constraints block

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -1200,6 +1200,10 @@ leveraged-authorization assembly:</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="asset-type" value="saas"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
@@ -1841,6 +1845,10 @@ compliance (e.g., Module in Process).</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
@@ -2264,6 +2272,10 @@ approved.</p>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="incoming" ns="http://fedramp.gov/ns/oscal"/>
       <prop name="direction" value="outgoing" ns="http://fedramp.gov/ns/oscal"/>
+
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+
       <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>If 'yes', describe the authentication method.</p>

diff --git a/...dations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml b/...dations/constraints/content/ssp-inter-boundary-component-has-information-type-INVALID.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_ssp_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="df903c4c-6bb5-4b78-8a71-c5baa06a9f2e">
+   <system-implementation>
+      <component uuid="67ecaba6-e5be-4c92-9731-e55825689e8f" type="service">
+         <title>Service B</title>
+         <description>
+            <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
+            <p>Describe the service and what it is used for.</p>
+         </description>
+         <prop name="implementation-point" value="external"/>
+         <prop name="connection-security" value="non-fedramp-value" ns="https://fedramp.gov/ns/oscal"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="provider" value="self"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+            <remarks>
+               <p>If 'yes', describe the authentication method.</p>
+               <p>If 'no', explain why no authentication is used.</p>
+               <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+            </remarks>
+         </prop>
+         <prop name="poam-item-uuid" ns="https://fedramp.gov/ns/oscal" value="11111111-3333-4000-8000-000000000001"/>
+         <prop name="poam-id" ns="https://fedramp.gov/ns/oscal" value="ID-0001"/>
+         <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
+         <status state="operational"/>
+         <responsible-role role-id="admin">
+         </responsible-role>
+         <responsible-role role-id="provider">
+            <party-uuid>33333333-2222-4000-8000-004000000001</party-uuid>
+         </responsible-role>
+         <remarks>
+            <p>Each non-authorized leveraged service must be expressed as a "service" component.</p>
+         </remarks>
+      </component>
+   </system-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -585,7 +585,7 @@
     <context>
         <metapath target="/system-security-plan/system-implementation"/>
         <constraints>
-            <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service', 'software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
+            <let var="inter-boundary-component" expression="component[(@type=('service','software') and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type=('service','software') and prop[@name='implementation-point' and @value='internal'] and (prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']))]"/>
             <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal'])  = count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
                 <formal-name>Authentication Method Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -603,19 +603,29 @@
             </expect>
             <expect id="image-has-checksum" target="//component[@type='software' and ./prop[@name='asset-type' and @value='image']]" test="count(./prop[@name='checksum' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Container Image Has Checksum Property</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="insert-help-url-here"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, a component that describes a container or operating system image MUST define a checksum property.</message>
             </expect>
             <expect id="information-type-has-class" target="component/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']" test="exists(@class)" level="ERROR">
                 <formal-name>Information Type Has Class</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>In a FedRAMP SSP, each information type property in a component MUST categorize the class of data flow as incoming to the system, outgoing from the system, or both.</message>
             </expect>
+            <expect id="inter-boundary-component-has-information-type" target="$inter-boundary-component" test="count(prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']) &gt;= 1" level="ERROR">
+                <formal-name>Inter-Boundary Component Has Information Type</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-information-and-information-types"/>
+                <message>An inter-boundary communication component {@uuid} ({path(.)}) MUST have at least one information-type property.</message>
+            </expect>
             <expect id="inventory-item-and-component-has-public" target="(inventory-item | component[@type='service' and prop[@name='implementation-point' and @value='internal']])" test="count(prop[@name='public']) = 1" level="ERROR">
                 <formal-name>Inventory Item and Component Has Public</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item and internal service component MUST state if they are public-facing.</message>
             </expect>
+            <expect id="inventory-item-or-component-has-asset-id" target="(inventory-item)| (component[@type='software' and prop[@name='asset-type' and @value='image']])" test="count(prop[@name='asset-id']) = 1" level="ERROR">
+                <formal-name>Inventory Item or Component Has Asset ID</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each inventory item and software image component MUST include the asset ID.</message>
+            </expect>
             <expect id="leveraged-authorization-has-authorization-type" target="leveraged-authorization" test="count(prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Leveraged Authorization Has Authorization Type</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -659,16 +669,6 @@
         </constraints>
     </context>
 
-    <context>
-        <metapath target="/system-security-plan/system-implementation"/>
-        <constraints>
-            <expect id="inventory-item-or-component-has-asset-id" target="(inventory-item)| (component[@type='software' and prop[@name='asset-type' and @value='image']])" test="count(prop[@name='asset-id']) = 1" level="ERROR">
-                <formal-name>Inventory Item or Component Has Asset ID</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>In a FedRAMP SSP, each inventory item and software image component MUST include the asset ID.</message>
-            </expect>
-        </constraints>
-    </context>
 
     <context>
         <metapath target="/system-security-plan/system-implementation/inventory-item"/>
@@ -681,7 +681,7 @@
             <expect id="authenticated-scan-no-has-remarks" target="prop[@name='allows-authenticated-scan' and @value='no']" test="if ($high-sensitivity or $moderate-sensitivity) then exists(remarks) else true()" level="ERROR">
                 <formal-name>Authenticated Scan No Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>FedRAMP requires CSPs to provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
+                <message>A FedRAMP SSP MUST provide justification for any high or moderate impact system inventory item that does not support authenticated scans.</message>
             </expect>
              <expect id="high-impact-inventory-item-has-asset-owner" target="." test="if ($high-sensitivity) then count(./responsible-party[@role-id=('asset-owner', 'asset-administrator')] | $implemented-component/responsible-role[@role-id=('asset-owner', 'asset-administrator')][count(party[@uuid=./party-uuid]) >= 1]) >= 1 else true()" level="ERROR">
                 <formal-name>High Impact Inventory Item Has Asset Owner</formal-name>
@@ -796,6 +796,7 @@
             'sc-1_smt.a' : 'at least one procedure that addresses System and Communications Protection MUST be associated with SC-1 part a.',
             'si-1_smt.a' : 'at least one procedure that addresses System and Information Integrity MUST be associated with SI-1 part a.',
             'sr-1_smt.a' : 'at least one procedure that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/>
+            <let var="component-uuid" expression="by-component/@component-uuid"/>
             <expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='policy']) >= 1" level="ERROR">
                 <formal-name>Has Policy</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
@@ -806,6 +807,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
                 <message>In a FedRAMP SSP, {$procedure-messages(./@statement-id)}</message>
             </expect>
+            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
+                <formal-name>Statement Has This System Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
+                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
+            </expect>
         </constraints>
     </context>
 
@@ -825,17 +831,6 @@
         </constraints>
     </context>
 
-    <context>
-        <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement"/>
-        <constraints>
-            <let var="component-uuid" expression="by-component/@component-uuid"/>
-            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
-                <formal-name>Statement Has This System Component</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
-                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
-            </expect>
-        </constraints>
-    </context>
 
     <context>
         <metapath target="/system-security-plan/system-characteristics/authorization-boundary/diagram/link"/>

diff --git a/...alidations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml b/...alidations/constraints/unit-tests/inter-boundary-component-has-information-type-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the invalid inter-boundary-component-has-information-type constraint unit test.
+test-case:
+  name: The invalid inter-boundary-component-has-information-type constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary communication component does not have the "information-type" property.
+  content: ../content/ssp-inter-boundary-component-has-information-type-INVALID.xml
+  expectations:
+  - constraint-id: inter-boundary-component-has-information-type
+    result: fail