Add the interconnection-component-has-local-protocol constraint #1089
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
As an intermediate possibility to do the following?
- Update the PR and rebase to current
develop - Point it to the canary branch
- Review, and if approved, merge into the canary branch
Gabeblis
reviewed
Jan 15, 2025
Gabeblis
force-pushed
the
add-interconnection-component-has-local-protocol
branch
from
86254fd to
924f7d2
Compare
Gabeblis
changed the title
Gabeblis
requested changes
Jan 16, 2025
Comment on lines
+5
to
+46
| <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection"> | ||
| <title>Authorized Connection Information System Name</title> | ||
| <description> | ||
| <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p> | ||
| </description> | ||
| <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/> | ||
| <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> | ||
| <remarks> | ||
| <p>If 'yes', describe the authentication method in the remarks.</p> | ||
| <p>If 'no', explain why no authentication is used in the remarks.</p> | ||
| <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p> | ||
| </remarks> | ||
| </prop> | ||
| <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/> | ||
| <prop name="information-type" class="incoming" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/> | ||
| <!--prop name="ipv4-address" class="local" value="10.1.1.1"/> | ||
| <prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/--> | ||
| <prop name="ipv4-address" class="remote" value="10.2.2.2"/> | ||
| <prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/> | ||
| <!--prop name="fqdn" class="local" value="www.example.com"/> | ||
| <prop name="uri" class="local" value="https://sample.com#content"/--> | ||
| <prop name="fqdn" class="remote" value="www.example.com"/> | ||
| <prop name="uri" class="remote" value="https://sample.com#content"/> | ||
| <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> | ||
| <!--link rel="uri" href="https://www.example.com#content"/--> | ||
| <status state="operational"/> | ||
| <responsible-role role-id="provider"> | ||
| <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid> | ||
| </responsible-role> | ||
| <responsible-role role-id="isa-poc-remote"> | ||
| <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid> | ||
| </responsible-role> | ||
| <responsible-role role-id="isa-poc-local"> | ||
| <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid> | ||
| </responsible-role> | ||
| <responsible-role role-id="administrator"> | ||
| <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/> | ||
| <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> | ||
| <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid> | ||
| <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid> | ||
| </responsible-role> | ||
| </component> |
There was a problem hiding this comment.
NON-BLOCKING: The constraint looks good, this is just to make the invalid test content a little more clear as to what is being tested.
Suggested change
| <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection"> | |
| <title>Authorized Connection Information System Name</title> | |
| <description> | |
| <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p> | |
| </description> | |
| <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/> | |
| <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> | |
| <remarks> | |
| <p>If 'yes', describe the authentication method in the remarks.</p> | |
| <p>If 'no', explain why no authentication is used in the remarks.</p> | |
| <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p> | |
| </remarks> | |
| </prop> | |
| <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/> | |
| <prop name="information-type" class="incoming" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/> | |
| <!--prop name="ipv4-address" class="local" value="10.1.1.1"/> | |
| <prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/--> | |
| <prop name="ipv4-address" class="remote" value="10.2.2.2"/> | |
| <prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/> | |
| <!--prop name="fqdn" class="local" value="www.example.com"/> | |
| <prop name="uri" class="local" value="https://sample.com#content"/--> | |
| <prop name="fqdn" class="remote" value="www.example.com"/> | |
| <prop name="uri" class="remote" value="https://sample.com#content"/> | |
| <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> | |
| <!--link rel="uri" href="https://www.example.com#content"/--> | |
| <status state="operational"/> | |
| <responsible-role role-id="provider"> | |
| <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid> | |
| </responsible-role> | |
| <responsible-role role-id="isa-poc-remote"> | |
| <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid> | |
| </responsible-role> | |
| <responsible-role role-id="isa-poc-local"> | |
| <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid> | |
| </responsible-role> | |
| <responsible-role role-id="administrator"> | |
| <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/> | |
| <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> | |
| <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid> | |
| <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid> | |
| </responsible-role> | |
| </component> | |
| <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection"> | |
| <!-- Missing at least one ipv4-address, ipv6-address, or URI. --> | |
| <!--<prop name="ipv4-address" class="local" value="10.1.1.1"/>--> | |
| <!--<prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/>--> | |
| <!--<link rel="uri" href="https://www.example.com#content"/>--> | |
| </component> |
Gabeblis
changed the title
Gabeblis
requested changes
Jan 16, 2025
There was a problem hiding this comment.
After looking at Brian's comment on issue #930, it looks like we're not looking for FDQN. I suggest you make these edits to align with his comments.
Comment on lines
+619
to
+623
| <expect id="interconnection-component-has-local-protocol" target="component[@type='interconnection']" test="count(prop[@class='local' and @name=('ipv4-address','ipv6-address','fqdn','uri')] | link[@rel='uri']) >= 1" level="ERROR"> | ||
| <formal-name>Interconnection Component Has Local Protocols</formal-name> | ||
| <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/> | ||
| <message>In a FedRAMP SSP, an interconnection component MUST have at least one local IPv4 Address, IPv6 Address, URI, or FQDN.</message> | ||
| </expect> |
There was a problem hiding this comment.
Suggested change
| <expect id="interconnection-component-has-local-protocol" target="component[@type='interconnection']" test="count(prop[@class='local' and @name=('ipv4-address','ipv6-address','fqdn','uri')] | link[@rel='uri']) >= 1" level="ERROR"> | |
| <formal-name>Interconnection Component Has Local Protocols</formal-name> | |
| <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/> | |
| <message>In a FedRAMP SSP, an interconnection component MUST have at least one local IPv4 Address, IPv6 Address, URI, or FQDN.</message> | |
| </expect> | |
| <expect id="interconnection-component-has-local-protocol" target="component[@type='interconnection']" test="count(prop[@class='local' and @name=('ipv4-address','ipv6-address')] | link[@rel='uri']) >= 1" level="ERROR"> | |
| <formal-name>Interconnection Component Has Local Protocols</formal-name> | |
| <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/> | |
| <message>In a FedRAMP SSP, an interconnection component MUST have at least one local IPv4 Address, IPv6 Address, or URI.</message> | |
| </expect> |
| # Driver for the invalid interconnection-component-has-local-protocol constraint unit test. | ||
| test-case: | ||
| name: The invalid interconnection-component-has-local-protocol constraint unit test. | ||
| description: Test that the FedRAMP SSP interconnection component does not have local IPv4 Address, IPv6 Address, URI, or FQDN. |
There was a problem hiding this comment.
Suggested change
| description: Test that the FedRAMP SSP interconnection component does not have local IPv4 Address, IPv6 Address, URI, or FQDN. | |
| description: Test that the FedRAMP SSP interconnection component does not have local IPv4 Address, IPv6 Address, or URI. |
| # Driver for the valid interconnection-component-has-local-protocol constraint unit test. | ||
| test-case: | ||
| name: The valid interconnection-component-has-local-protocol constraint unit test. | ||
| description: Test that the FedRAMP SSP interconnection component has at least one local IPv4 Address, IPv6 Address, URI, or FQDN. |
There was a problem hiding this comment.
Suggested change
| description: Test that the FedRAMP SSP interconnection component has at least one local IPv4 Address, IPv6 Address, URI, or FQDN. | |
| description: Test that the FedRAMP SSP interconnection component has at least one local IPv4 Address, IPv6 Address, or URI. |
DimitriZhurkin
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Committer Notes
This constraint tests the following scenario:
An interconnection component has at least one local IPv4 Address, IPv6 Address, URI, or FQDN.
IMPORTANT: This constraint is blocked until OSCAL adds the following props:
fqdnuriRelated issues:
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.