fix style guide error

GSA · Dec 30, 2024 · c2932e2 · c2932e2
2 parents 56efc61 + d8965c1
commit c2932e2
Show file tree

Hide file tree

Showing 9 changed files with 173 additions and 65 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -93,6 +93,8 @@ Examples:
   | has-network-architecture-diagram-link-rel |
   | has-network-architecture-diagram-link-rel-allowed-value |
   | has-poam-resource |
+  | has-policy |
+  | has-procedure |
   | has-published-date |
   | has-required-parameters |
   | has-required-response-points |
@@ -318,6 +320,10 @@ Examples:
   | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
   | has-poam-resource-FAIL.yaml |
   | has-poam-resource-PASS.yaml |
+  | has-policy-FAIL.yaml |
+  | has-policy-PASS.yaml |
+  | has-procedure-FAIL.yaml |
+  | has-procedure-PASS.yaml |
   | has-published-date-FAIL.yaml |
   | has-published-date-PASS.yaml |
   | has-required-parameters-FAIL.yaml |

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
diff --git a/src/validations/constraints/content/ssp-has-policy-and-procedure-INVALID.xml b/src/validations/constraints/content/ssp-has-policy-and-procedure-INVALID.xml
@@ -0,0 +1,22 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000000000" type="this-system">
+    </component>
+    <!-- <component uuid="11111111-2222-4000-8000-009000600001" type="policy">
+    </component> (AC) No component that has matching uuid and a type of "policy".-->
+    <!-- <component uuid="11111111-2222-4000-8000-009000800001" type="process-procedure">
+    </component> (AC) No component that has matching uuid and a type of "process-procedure".-->
+  </system-implementation>
+  <control-implementation>
+    <implemented-requirement uuid="11111111-2222-4000-8000-012000000001" control-id="ac-1">
+      <statement statement-id="ac-1_smt.a" uuid="11111111-2222-4000-8000-012000010100">
+        <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="11111111-2222-4000-8000-012000010101">
+        </by-component>
+        <by-component component-uuid="11111111-2222-4000-8000-009000600001" uuid="11111111-2222-4000-8000-012000010102">
+        </by-component>
+        <by-component component-uuid="11111111-2222-4000-8000-009000800001" uuid="11111111-2222-4000-8000-012000010103">
+        </by-component>
+      </statement>
+    </implemented-requirement>
+  </control-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -736,6 +736,68 @@
             </expect>
         </constraints>
     </context>
+
+    <context>
+        <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement"/>
+        <constraints>
+            <let var="control-statement-ids" expression="('ac-1_smt.a', 'at-1_smt.a', 'au-1_smt.a', 'ca-1_smt.a', 'cm-1_smt.a', 'cp-1_smt.a', 'ia-1_smt.a', 'ir-1_smt.a', 'ma-1_smt.a', 'mp-1_smt.a', 'pe-1_smt.a', 'pl-1_smt.a', 'ps-1_smt.a', 'ra-1_smt.a', 'sa-1_smt.a', 'sc-1_smt.a', 'si-1_smt.a', 'sr-1_smt.a')"/>
+            <let var="component-uuid" expression="by-component/@component-uuid"/>
+            <let var="policy-messages" expression=
+            "map{'ac-1_smt.a' : 'a policy that addresses Access Control MUST be associated with AC-1 part a.', 
+            'at-1_smt.a' : 'a policy that addresses Awareness and Training MUST be associated with AT-1 part a.', 
+            'au-1_smt.a' : 'a policy that addresses Audit and Accountability MUST be associated with AU-1 part a.', 
+            'ca-1_smt.a' : 'a policy that addresses Assessment, Authorization, and Monitoring MUST be associated with CA-1 part a.', 
+            'cm-1_smt.a' : 'a policy that addresses Configuration Management MUST be associated with CM part a.', 
+            'cp-1_smt.a' : 'a policy that addresses Contingency Planning MUST be associated with CP-1 part a.',
+            'ia-1_smt.a' : 'a policy that addresses Identification and Authentication MUST be associated with ACIA1 part a.',
+            'ir-1_smt.a' : 'a policy that addresses Incident Response MUST be associated with IR-1 part a.',
+            'ma-1_smt.a' : 'a policy that addresses Maintenance MUST be associated with MA-1 part a.',
+            'mp-1_smt.a' : 'a policy that addresses Media Protection MUST be associated with MP-1 part a.',
+            'pe-1_smt.a' : 'a policy that addresses Physical and Environmental Protection MUST be associated with PE-1 part a.',
+            'pl-1_smt.a' : 'a policy that addresses Planning MUST be associated with PL-1 part a.',
+            'ps-1_smt.a' : 'a policy that addresses Personnel Security MUST be associated with PS-1 part a.',
+            'ra-1_smt.a' : 'a policy that addresses Risk Assessment MUST be associated with RA-1 part a.',
+            'sa-1_smt.a' : 'a policy that addresses System and Services Acquisition MUST be associated with SA-1 part a.',
+            'sc-1_smt.a' : 'a policy that addresses System and Communications Protection MUST be associated with SC-1 part a.',
+            'si-1_smt.a' : 'a policy that addresses System and Information Integrity MUST be associated with SI-1 part a.',
+            'sr-1_smt.a' : 'a policy that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/>
+            <let var="procedure-messages" expression=
+            "map{'ac-1_smt.a' : 'at least one procedure that addresses Access Control MUST be associated with AC-1 part a.', 
+            'at-1_smt.a' : 'at least one procedure that addresses Awareness and Training MUST be associated with AT-1 part a.', 
+            'au-1_smt.a' : 'at least one procedure that addresses Audit and Accountability MUST be associated with AU-1 part a.', 
+            'ca-1_smt.a' : 'at least one procedure that addresses Assessment, Authorization, and Monitoring MUST be associated with CA-1 part a.', 
+            'cm-1_smt.a' : 'at least one procedure that addresses Configuration Management MUST be associated with CM1 part a.',
+            'cp-1_smt.a' : 'at least one procedure that addresses Contingency Planning MUST be associated with CP-1 part a.',
+            'ia-1_smt.a' : 'at least one procedure that addresses Incident Response MUST be associated with IA-1 part a.',
+            'ir-1_smt.a' : 'at least one procedure that addresses Incident Response MUST be associated with IR-1 part a.',
+            'ma-1_smt.a' : 'at least one procedure that addresses Maintenance MUST be associated with MA-1 part a.',
+            'mp-1_smt.a' : 'at least one procedure that addresses Media Protection MUST be associated with MP-1 part a.',
+            'pe-1_smt.a' : 'at least one procedure that addresses Physical and Environmental Protection MUST be associated with PE-1 part a.',
+            'pl-1_smt.a' : 'at least one procedure that addresses Planning MUST be associated with PL-1 part a.',
+            'ps-1_smt.a' : 'at least one procedure that addresses Personnel Security MUST be associated with PS-1 part a.',
+            'ra-1_smt.a' : 'at least one procedure that addresses Risk Assessment MUST be associated with RA-1 part a.',
+            'sa-1_smt.a' : 'at least one procedure that addresses System and Services Acquisition MUST be associated with SA-1 part a.',
+            'sc-1_smt.a' : 'at least one procedure that addresses System and Communications Protection MUST be associated with SC-1 part a.',
+            'si-1_smt.a' : 'at least one procedure that addresses System and Information Integrity MUST be associated with SI-1 part a.',
+            'sr-1_smt.a' : 'at least one procedure that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/>
+            <let var="component-uuid" expression="by-component/@component-uuid"/>
+            <expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='policy']) >= 1" level="ERROR">
+                <formal-name>Has Policy</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
+                <message>In a FedRAMP SSP, {$policy-messages(./@statement-id)}</message>
+            </expect>
+            <expect id="has-procedure" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='process-procedure']) >= 1" level="ERROR">
+                <formal-name>Has Procedure</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/>
+                <message>In a FedRAMP SSP, {$procedure-messages(./@statement-id)}</message>
+            </expect>
+            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
+                <formal-name>Statement Has This System Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
+                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
+            </expect>
+        </constraints>
+    </context>
 
     <context>
         <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement/by-component"/>
@@ -753,17 +815,6 @@
         </constraints>
     </context>
 
-    <context>
-        <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement"/>
-        <constraints>
-            <let var="component-uuid" expression="by-component/@component-uuid"/>
-            <expect id="statement-has-this-system-component" target="." test="count(../../../system-implementation/component[@type='this-system' and @uuid=$component-uuid]) = 1" level="ERROR">
-                <formal-name>Statement Has This System Component</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-this-system-component"/>
-                <message>In a FedRAMP SSP, each control implementation statement MUST have one "this-system" by-component.</message>
-            </expect>
-        </constraints>
-    </context>
 
     <context>
         <metapath target="/system-security-plan/system-characteristics/authorization-boundary/diagram/link"/>

diff --git a/src/validations/constraints/unit-tests/has-policy-FAIL.yaml b/src/validations/constraints/unit-tests/has-policy-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-policy
+  description: This test case validates the behavior of constraint has-policy
+  content: ../content/ssp-has-policy-and-procedure-INVALID.xml
+  expectations:
+    - constraint-id: has-policy
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-policy-PASS.yaml b/src/validations/constraints/unit-tests/has-policy-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-policy
+  description: This test case validates the behavior of constraint has-policy
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: has-policy
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-procedure-FAIL.yaml b/src/validations/constraints/unit-tests/has-procedure-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-procedure
+  description: This test case validates the behavior of constraint has-procedure
+  content: ../content/ssp-has-policy-and-procedure-INVALID.xml
+  expectations:
+    - constraint-id: has-procedure
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-procedure-PASS.yaml b/src/validations/constraints/unit-tests/has-procedure-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-procedure
+  description: This test case validates the behavior of constraint has-procedure
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: has-procedure
+      result: pass
diff --git a/src/validations/styleguides/fedramp-constraint-style.xml b/src/validations/styleguides/fedramp-constraint-style.xml
@@ -49,7 +49,7 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://github.com/GSA/fedramp-automation/blob/develop/src/validations/styleguides/STYLE.md#frr109"/>
                 <message>A FedRAMP constraint MUST include a message describing the requirement.</message>
             </expect>
-            <expect id="frr112" target="//expect" test="matches(message, '(MUST|MUST NOT|REQUIRED|SHALL|SHALL NOT|SHOULD|SHOULD NOT|RECOMMENDED|MAY|OPTIONAL)')" level="ERROR">
+            <expect id="frr112" target="//expect" test="matches(message, '(MUST|MUST NOT|REQUIRED|SHALL|SHALL NOT|SHOULD|SHOULD NOT|RECOMMENDED|MAY|OPTIONAL|\{\$[^}]+\})')" level="ERROR">
                 <formal-name>IETF BCP14 Keywords in Constraint Messages</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://github.com/GSA/fedramp-automation/blob/develop/src/validations/styleguides/STYLE.md#frr112"/>
                 <message>A FedRAMP constraint MUST include one of the IETF BCP14 keywords in the message.</message>