JSON Template should validate or at least come pretty close
This is a ...
fix - something needs to be different
This relates to ...
- [ ] the FedRAMP OSCAL Registry
- [ ] the FedRAMP OSCAL baselines
- [ ] the Guide to OSCAL-based FedRAMP Content
- [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
- [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
- [X] the FedRAMP SSP OSCAL Template (JSON or XML Format)
- [X] the FedRAMP SAP OSCAL Template (JSON or XML Format)
- [X] the FedRAMP SAR OSCAL Template (JSON or XML Format)
- [X] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
User Story
As an OSCAL author, I'd like templates to come close to validation
Goals
clear steps to go from template to valid SSP
Dependencies
needs fedramp constraints version first release to be achievable
Acceptance Criteria
- All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
- A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
Other information
No response
@wandmagic, @devbytyler, just to be clear: this UUID collision is the only one you found?
Hey @aj-stein-gsa, there is actually one other UUID collision. There are two components of type interconnection that have the same uuid. I generated the file with the basic scaffold arguments: fedramp-ssp, HIGH and then immediately tried to validate.
Index 'index-system-implementation-component-uuid' has duplicate key for items at paths '/system-security-plan/system-implementation[1]/component[6]' and '/system-security-plan/system-implementation[1]/component[15]' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1820, column 10
Sigh ok, thanks for the update. I guess we should find a way to backport the new constraint system to check for the obvious. I am afraid to git blame and find the dreaded @ohsh6o of AJ past had something to do with this, but I assume I will find out soon enough. New constraint checks in that feature branch brought in could fail commits on a branch or on a PR before it gets in there like it did in the past.
Thanks for the heads up.
And while we're at it, there are a few other things causing the scaffold templates to fail validation:
- A component of type="leveraged-system" has several fields that are only "valid" (per nist) on an interconnection. For example: isa-title, isa-date, ipv4-address, ipv6-address, direction. Seems like the thing to do here is remove those fields from "leveraged-system".
Value 'isa-title' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[2]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1172, column 14
Value 'isa-title' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[2]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1172, column 14
Value 'isa-date' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[3]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1176, column 14
Value 'isa-date' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[3]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1176, column 14
Value 'ipv4-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[5]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1185, column 14
Value 'ipv4-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[5]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1185, column 14
Value 'ipv6-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[6]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1189, column 14
Value 'ipv6-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[6]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1189, column 14
Value 'direction' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[7]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1193, column 14
Value 'direction' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[7]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1193, column 14
- Something funky going on with Ports... template looks fine to me but resulting in a false finding saying that the end port is missing.
A start port exists, but an end point does not. To define a single port, the start and end should be the same value. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1799, column 18
An end point exists, but a start port does not. To define a single port, the start and end should be the same value. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1799, column 18
A start port exists, but an end point does not. To define a single port, the start and end should be the same value. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1810, column 18
An end point exists, but a start port does not. To define a single port, the start and end should be the same value. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1810, column 18
- Some cardinality issues...
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2057, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2193, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2237, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2281, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2321, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2365, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2405, column 14
The cardinality '0' is below the required minimum '1' for items matching 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 2449, column 14
The cardinality '0' is below the required minimum '1' for items matching 'rlink|base64'. in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4779, column 10
- Didn't really look into this one yet
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4783, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4783, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4788, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4788, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[3]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4793, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[3]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4793, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[4]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4798, column 14
Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[4]/@name' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 4798, column 14
- Missing UUID or something
Key reference [77A1614A-57B3-4B32-9FEE-613A6520EC58] not found in index 'index-system-implementation-component-uuid-software' for item at path '/system-security-plan/system-implementation[1]/component[14]/link[2]' in file DOES_NOT_VALIDATE-FedRAMP-SSP-OSCAL-Template.json at line 1786, column 14
After fixing these things (by mostly commenting out the offending sections) I was able to get the whole thing to validate, so doesn't seem like we are too far away.
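A pre-validation check for three of the failures listed in this thread (component UUID collisions, interconnection-only props on a leveraged-system component, half-specified port ranges), as an added example that is not part of the original thread or of the FedRAMP tooling. It assumes the OSCAL JSON layout with a `components` array under `system-implementation`; the function name `check_components` and the sample document are constructed for illustration.

```python
import json
from collections import defaultdict

# Prop names the thread reports as rejected on a "leveraged-system" component.
INTERCONNECTION_ONLY = {"isa-title", "isa-date", "ipv4-address", "ipv6-address", "direction"}

def check_components(ssp: dict) -> list:
    """Return findings for the components of an OSCAL SSP parsed from JSON."""
    impl = ssp.get("system-security-plan", {}).get("system-implementation", {})
    components = impl.get("components", [])
    findings = []
    # 1. Component UUIDs must be unique (compared case-insensitively here, an assumption).
    seen = defaultdict(list)
    for idx, comp in enumerate(components, start=1):  # 1-based, like the validator paths
        seen[str(comp.get("uuid", "")).lower()].append(idx)
    for uuid, where in seen.items():
        if len(where) > 1:
            findings.append(f"duplicate uuid {uuid} at components {where}")
    for idx, comp in enumerate(components, start=1):
        # 2. Interconnection-only props placed on a leveraged-system component.
        if comp.get("type") == "leveraged-system":
            for prop in comp.get("props", []):
                if prop.get("name") in INTERCONNECTION_ONLY:
                    findings.append(f"component {idx}: prop {prop['name']} not allowed on leveraged-system")
        # 3. A port range needs both start and end (equal values for a single port).
        for proto in comp.get("protocols", []):
            for rng in proto.get("port-ranges", []):
                if ("start" in rng) != ("end" in rng):
                    findings.append(f"component {idx}: port range needs both start and end")
    return findings

# Constructed sample document, not taken from the FedRAMP template.
SAMPLE = json.loads("""
{"system-security-plan": {"system-implementation": {"components": [
  {"uuid": "11111111-2222-4000-8000-000000000001", "type": "interconnection",
   "props": [{"name": "isa-title", "value": "Example ISA"}]},
  {"uuid": "11111111-2222-4000-8000-000000000002", "type": "leveraged-system",
   "props": [{"name": "isa-title", "value": "Example ISA"},
             {"name": "direction", "value": "incoming"}]},
  {"uuid": "11111111-2222-4000-8000-000000000003", "type": "service",
   "protocols": [{"name": "https", "port-ranges": [{"start": 443, "transport": "TCP"}]}]},
  {"uuid": "11111111-2222-4000-8000-000000000001", "type": "interconnection"}
]}}}
""")

if __name__ == "__main__":
    for finding in check_components(SAMPLE):
        print(finding)
```

A check like this can run on every commit that touches a template, ahead of the full constraint validation.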
@brian-ruf is this something you may have incidentally fixed during last night's work re standup? Let me know and we can adjust the scope and move it up the queue to speak to cross-ref and close as part of #802. (Yes I do know this is JSON but we should touch up XML and reconvert all of them anyway.)
At most my SSP work may have inadvertently fixed JSON validation issues. Haven't done much with the others yet. Later today I'll be able to convert the revised SSP to JSON and validate.
Well push up a branch, sounds like good stuff. I am willing to take a look and factor in how we cross-ref the close of this related issue.
@aj-stein-gsa I was on the road when I responded earlier. I did find and fix several UUID collisions last night when I moved to an easier-to-read UUID format. Here is the WIP: https://github.com/brian-ruf/fedramp-automation/blob/ssp-control-implementation-status/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml
This will be fixed in the upcoming release once the pipeline builds the rendered copy in dist when tagged for a release and merged into master. Marking this one as ready to ship.