Add interconnection component has remote protocol #1084
Closed
DimitriZhurkin
wants to merge
245
commits into
GSA:master
from
DimitriZhurkin:add-interconnection-component-has-remote-protocol
Conversation
… will likely change over time to become better and more complete as an example.
Not all, but many, actions were pinned to old versions by tag and to an explicit SHA1 hash from the repo that are old enough to cause GHA error notices. Upgraded from these to the current SHA1 hash for most (692973e3d937129bcbf40652eb9f2f61becf3332) for the recent v4.1.7 release.

> The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

> The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/

Source: https://github.com/GSA/fedramp-automation/actions/runs/10783353551

This directive is now obsolete and causes more noise in the GHA workflow run logs. https://forums.docker.com/t/docker-compose-yml-version-is-obsolete/141313
Dependabot still stinks about switching the target branch to rebase, recreate, or do whatever. More details in the longstanding issue. I give up! I cherry-picked the GSA#673 commit because the related docker command issues that fail those builds would be better fixed here, go figure. dependabot/dependabot-core#6692 Signed-off-by: dependabot[bot] <support@github.com>
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 3.2.7 to 3.2.11.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v3.2.11/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v3.2.11/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ts for use with OSCAL-cli.
* Introduce cucumber testing of yaml unit tests
* introduce content generation and validation via CLI
* use junit
* eslint format
* Draft allowed values metaschema and YAML unit test.
* automate content generation and validation via CLI (GSA#614)
* Introduce cucumber testing of yaml unit tests
* introduce content generation and validation via CLI
* better test summary reporting
* introduce constraint coverage checking + improve coverage
* throw an error if we do not find the matching rule
* store output in .sarif folder
* update constraints & test strategy, allow for mixed results as failure test
* pretty print sarif & correct file name output
* add time to sarif output file
* introduce validation-cache for performance

Co-authored-by: David Waltermire <davewaltermire@gmail.com>
Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>
* Improve constraint coverage tests
* Update features/steps/fedramp_extensions_steps.ts

---------

Co-authored-by: David Waltermire <davewaltermire@gmail.com>
* Add README.md to OSCAL CLI instructions
* Implemented reviewers' comments
* make test runner aware of informational constraint results
* Update features/steps/fedramp_extensions_steps.ts

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* improve test runner to handle warn and informational tests better
* Update fedramp_extensions_steps.ts

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
* add make update command
* add make constraint
* improve first run on fresh constraint
* Constraint-specific CONTRIBUTING to its own dir

  Add the diagram of the constraint and testing components specific to this area of the code base here and outline other sections to follow.
* Reference prerequisites in README for install
* Reorder CONTRIBUTING sections, add Metaschema one
* Add references to relevant Metaschema docs
* Add docs for new constraint tests
* Sigh, whitespace from code blocks breaks numbering
* Add detailed docs on modifying existing constraint
* Shorten and clean up explanatory copy
* Explain purpose of oscal-external constraints
* Clarify oscal file for generic constraints only
* Add guidance for using which FR constraints file
* [skip ci] Docs for deleting tests, links to PR docs
* Add @Rene2mt's feedback about testing one constraint by ID

  Clearly this guy constraints!

  Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
* [skip ci] Clean up typos, grammar, and missing info per @Rene2mt's PR feedback

  Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

---------

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
* Added constraints and tests for resource-has-(title/rlink)
* metapath cleanup
* Add comment

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Add comment

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Added or base64 condition
* Cleanup
* Edit constraint name

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
…SA#666)

* [skip ci] More appropriate README title for GSA#659
* [skip ci] Context for constraints, tools for GSA#659

  Be sure to talk about the constraints and their relationship to the tool, do not just talk about the `oscal-cli` without context. Re-order some of the info, talk about target audience before install instructions.
* [skip ci] Remove dupe copy of 'who for?' for GSA#659
* [skip ci] Subject is FR not only FR devs in GSA#659
* [skip ci] No more header numbers, add headers GSA#659
* [skip ci] Better intro and simple diagram for GSA#659
* [skip ci] Docker install prerequisites for GSA#659
* [skip ci] More install and command docs for GSA#659
* [skip ci] Clearer wording on OCI tool for GSA#659
* [skip ci] Feedback for GSA#659, re manual clone step
* [skip ci] Remove dangling this for GSA#659

  Thanks to @david-waltermire for catching that.
* [skip ci] Align arguments docs, examples for GSA#659

  Based on some more detailed feedback from @Rene2mt that matched other comments from Dave in the PR.
* Good catch, @gabelis, fix numbering for GSA#659
* introduce data center constraints
* complete data center constraints
* Update src/validations/constraints/content/ssp-all-INVALID.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Update src/validations/constraints/content/ssp-all-VALID.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Update src/validations/constraints/content/ssp-location-INVALID.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* remove allowed-type data center country code
* Late review feedback: align country code example with constraint
* Fix the correction that broke negative testing, sorry Paul

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
…write perms dropping (GSA#665)

* Add initial OCI spec for container for GSA#655
* Now add FR constraint files for GSA#655
* Woops, fix typo in clone path for fd_data_dl scratch container
* Constraints in /opt/fedramp subdir, make it WORKDIR
* Switch to Alpine Maven scratch image not Debian
* Switch to Node for final image, install oscaljs
* Add checkout data to final image
* Fix missed parameterization of git image
* Add non-default OCI image build target for make
* Verify GPG signature of oscal-cli build
* Add clean target for OCI image builds
* Allow for TLS bypass and proxy in Makefile

  Disable cert-checking for the local version that is built on laptops for GSA staff who make use of a VPN/proxy solution that intercepts all TLS communication for security monitoring. This includes not just Docker, but also the containers as they build an image. Since production images will be made in GitHub Actions without the Makefile, these directives will be ignored.
* Do not do slow git clone, use local COPY instead

  For speed, ease of access, and to leave commit metadata from the container ID linked to the commit hash itself, just copy from the outside context of the image build.
* Add publish target to Makefile with useful tags

  Also try docker push to GHCR to start before moving on to the "in pipeline" build with GitHub Actions.
* Fix repeat docker commands for correct tag-n-push
* Correct the org.opencontainers.image.source label
* Actions: perms for writing packages (ghcr.io)
* Actions: follow GH tutorial, more perms added
* Actions: build, sign, push, attest and OCI image

  This workflow change is the first attempt at building, pushing, and signing the validation-tools image to push to the ghcr.io registry.
* Actions: ref_name for image tags problematic

  For both PRs and non-PR branches, that seems to cause problems for tags that we ought to avoid for now.
* Actions: use action correctly, no manual labels
* Actions: remove metadata from Dockerfile, use GHA
* Actions: woops, forgot explicit checkout path

  Our GHA CI/CD checks out to `./git-content`, `.` by default, so the action directive looking for context did not find the Dockerfile.
* Actions: check if least privilege perms block push

  See more details in this reply and the larger context from others who cannot push a built container to ghcr.io. https://github.com/orgs/community/discussions/57724#discussioncomment-7779731
* Actions: scratch that, `write-all` blocked by org

  The github.com/GSA organization still blocks the write to an org-level package in a very permissive move. Tips from the discussion posts did not help here. https://github.com/orgs/community/discussions/57724#discussioncomment-7779731
* Actions: add metadata action SHA options

  We need to force SHA1 long (not the seven-digit short version, to avoid collisions), and remove both the `sha-` prefix and the suffix explicitly.
* Actions, sigh, really remove `sha256` prefix again

  It seems that didn't stick the last time, so I will try this config again and follow the official custom hash label strategy from the action example in the official README.
* Support MVP platforms, arm64 and amd64

  If not, we will only support modern Apple computers with modern M1 chips, not Intel environments for PC and older Macs. We need broad support for these top platforms.
* Explicit platform option for buildx too for GSA#656

  It seems this may be needed because I still get similar but different warnings on multi-platform docker builds when using them on macOS on an Apple laptop with an M1 processor and an amd64 processor for personal computers with Windows and Linux operating systems respectively.

  > WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v3) and no specific platform was requested
* Pin metadata action and update configs for GSA#656

  - Had a slightly wrong version of docker/metadata-action that could not use annotations properly, hence no annotations on image.
  - Use annotations instead of custom override labels with that action.
  - Update docker/build-push-registry action to retrieve those labels as well.
  - Change subject name for attestation to end with `-attestation` suffix to make the GHCR registry entries less confusing.
* Woops, attestation subject === image name for GSA#656

  I re-read the docs. Attestations will be uploaded to Sigstore but I will not busy up the registry with them every moment as it will make it even more confusing for novice users and advanced developers what data they are looking for by content-addressable git commit hash ID.
* Explanatory comments on Dockerfile lint for GSA#656

  For future analysis or assessment, I am leaving information in the Dockerfile as comments to address warning output in docker build and push flagging a potential finding re secrets based on variable names.

  ```sh
  4 warnings found (use docker --debug to expand):
   - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "OSCAL_CLI_GPG_KEY") (line 20)
   - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "TEMURIN_APK_KEY_URL") (line 45)
   - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 17)
   - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 43)
  ```

  They are IDs to secrets, not actually secrets; now I have documented it.
* Attestations need explicit reg push off for GSA#656

  Just removing it may not have done the trick.
* Added back-matter 'has' constraints
* Set levels to 'ERROR'
* Actions: tighten when docker build runs and how

  - We do not want to fail builds when staff and community make fork PRs.
  - We want to make sure the latest feature branch is tagged and deployed for now; stop push PR container builds before merge.
* Actions: more explicit branch targeting

  I am not sure that syntax is air-tight with var == 'value1' || 'value2', so make it more explicit and have var on the left side and right side of the boolean OR check.
* Actions: even more explicit, use startsWith syntax
* Actions: one last attempt to force annotations

  I had incorrectly put it on workflow_dispatch, which will not help as needed.
* Add constraints and tests for issue GSA#942
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Update src/validations/constraints/fedramp-external-allowed-values.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
* introduce parameter requirements

  Co-Authored-By: A.J. Stein <aj@gsa.gov>
* add warning constraint for aggregate params + remove them
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov>

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov>
* Update fedramp_extensions_steps.ts

  Co-Authored-By: A.J. Stein <aj@gsa.gov>
* add has required response points
* add tests

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
* Fix constraints and constraint test files per issue GSA#773
* Update content extension namespace, identifier-type, and system
* Update namespaces in constraints and unit test data files
* Apply namespace changes to recent constraints and unit test files
* Update src/content/rev5/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Fix system-identifier, namespace, and system in example content files
* Fix identifier-type and ns in constraints and unit test content files
* Fix namespace references in new constraints
* Fix new constraints
* Fix namespace after rebase
* Use local profile with relative path for GSA#828

  Debugging indicates some tests are failing with the `https://` `@href` for `import-profile` for GitHub "raw" links again.

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
* added matches constraint
* added positive test case
* fixed ns to be http not https
* added unit test files
* added features file
* added invalid test case
* fixed target
* explicitly save feature branch
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>
* Update fedramp-external-constraints.xml to warn instead of error
* add help link (must merge documentation first)

---------

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>
* alphabetical constraints + fr119
* Update src/validations/styleguides/STYLE.md

  Co-authored-by: A.J. Stein <aj@gsa.gov>
* Update STYLE.md
* Update STYLE.md
* Update STYLE.md
* format document
* use 100 lines not 200
* fix according to frr119

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>
Fix component issues
* test scaffolds added
* initial attempt at writing pass and fail content
* feature file
* revised target to appropriate place
* removed old target
* added in proper ns
* Update src/validations/constraints/fedramp-external-constraints.xml

  Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>
* AJ suggestion for more complete example
* added comments

---------

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>
…#1066)

* Add the inter-boundary-component-has-information-type constraint
* clean up ssp-inter-boundary-component-has-information-type-INVALID.xml
* style guide hotfix
* Update fedramp-external-constraints.xml
Created this PR by accident. Closing it.
DimitriZhurkin deleted the add-interconnection-component-has-remote-protocol branch on January 8, 2025 22:52
Committer Notes
{Please provide a description of what this PR accomplishes. Be sure to reference any issues addressed. If the PR is a work-in-progress submitted for early review, please submit the PR as a draft PR using the "Draft pull request" dropdown.}
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.