Add has-inventory-items

features/fedramp_extensions.feature

@@ -109,6 +109,8 @@ Examples:
   | has-incident-response-plan-PASS.yaml |
   | has-information-system-contingency-plan-FAIL.yaml |
   | has-information-system-contingency-plan-PASS.yaml |
+  | has-inventory-items-FAIL.yaml |
+  | has-inventory-items-PASS.yaml |
   | has-network-architecture-FAIL.yaml |
   | has-network-architecture-PASS.yaml |
   | has-network-architecture-diagram-FAIL.yaml |
@@ -273,14 +275,14 @@ Examples:
   | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
+  | has-inventory-items |
   | has-network-architecture |
   | has-network-architecture-diagram |
   | has-network-architecture-diagram-caption |
   | has-network-architecture-diagram-description |
   | has-network-architecture-diagram-link |
   | has-network-architecture-diagram-link-rel |
   | has-network-architecture-diagram-link-rel-allowed-value |
-  | has-published-date |
   | has-rules-of-behavior |
   | has-security-impact-level |
   | has-security-sensitivity-level |
@@ -308,11 +310,8 @@ Examples:
   | resource-has-base64-or-rlink |
   | resource-has-title |
   | responsible-party-is-person |
-  | responsible-party-prepared-by |
-  | responsible-party-prepared-by-location-valid |
   | role-defined-authorizing-official-poc |
   | role-defined-information-system-security-officer |
-  | role-defined-prepared-by |
   | role-defined-system-owner |
   | scan-type |
   | security-level |

src/validations/constraints/content/ssp-all-VALID.xml

@@ -301,6 +301,25 @@
         <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
       </implemented-component>
     </inventory-item>
+
+    <inventory-item uuid="77777777-0000-4000-9001-000000000007">
+      <description>
+        <p>Secondary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-002" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9001-000000000005">
+        <prop name="asset-id" value="DB-002" ns="http://csrc.nist.gov/ns/oscal"/>
+      </implemented-component>
+    </inventory-item>
+
   </system-implementation>
 
   <control-implementation>

src/validations/constraints/content/ssp-has-inventory-items-INVALID.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
+        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      </implemented-component>
+    </inventory-item>
+  </system-implementation>
+
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -5,7 +5,7 @@
     <!-- ================== -->
 
     <context>
-    	<metapath target="/(assessment-plan|assessment-results|plan-of-action-and-milestones|system-security-plan)/metadata"/>
+        <metapath target="//metadata"/>
         <constraints>
             <expect id="fedramp-version" target="." test="prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']">
                 <formal-name>Fedramp Version</formal-name>
@@ -16,11 +16,6 @@
                     <p>FedRAMP maintains an official list of the versions on <a href="https://github.com/GSA/fedramp-automation/releases">the fedramp-automation releases page</a>. Unless noted otherwise, a valid version is <a href="https://github.com/GSA/fedramp-automation/tags">a published tag name</a>.</p>
                 </remarks>
             </expect>
-            <expect id="marking" target="." test="prop[@name='marking']" level="ERROR">
-                <formal-name>FedRAMP data sensitivity classification identifier.</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/"/>
-            	<message>A FedRAMP document MUST have a marking that defines its data classification.</message>
-            </expect>
         </constraints>
     </context>
 
@@ -155,10 +150,6 @@
     <context>
         <metapath target="/system-security-plan/metadata"/>
         <constraints>
-            <let var="prepared-by-responsible-party-party-uuid" expression="responsible-party[@role-id eq 'prepared-by']/party-uuid"/>
-            <let var="prepared-by-party" expression="//party[@uuid eq $prepared-by-responsible-party-party-uuid]"/>
-            <let var="prepared-by-party-location-uuid" expression="//party[@uuid eq $prepared-by-responsible-party-party-uuid]/location-uuid"/>
-            <let var="prepared-by-location" expression="//location[@uuid eq $prepared-by-party-location-uuid]"/>
             <expect id="data-center-alternate" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center'][@class eq 'alternate']) &gt; 0">
                 <formal-name>Data Center Alternate</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
@@ -169,21 +160,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
                 <message>There MUST be at least two (2) data centers listed.</message>
             </expect>
-            <expect id="data-center-country-code" target="location[prop[@name='type' and @value='data-center']]" test="count(address/country) eq 1">
-                <formal-name>Data Center Has Country Code</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
-                <message>Each data center address MUST contain a country code.</message>
-            </expect>
             <expect id="data-center-primary" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center'][@class eq 'primary']) = 1">
                 <formal-name>Data Center Primary</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
                 <message>There MUST be a single primary data center.</message>
             </expect>
-            <expect id="data-center-us" target="location[prop[@name='type' and @value='data-center']]" test="address/country eq 'US'">
-                <formal-name>Data Center In United States</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
-                <message>Each data center MUST have an address that is within the United States.</message>
-            </expect>
             <index name="index-person-party-uuid" target="map:merge(party[@type='person'] ! map:entry(@uuid,.))?*">
             	<formal-name>Index of parties of type "person".</formal-name>
             	<description>This index is a list of the UUIDs of all of the parties that are type "person" in the document.</description>
@@ -195,16 +176,6 @@
                 <key-field target="party-uuid"/>
                 <message>For roles 'system-owner' and 'information-system-security-officer', the responsible-role party MUST be a party of type 'person'.</message>
             </index-has-key>
-            <expect id="responsible-party-prepared-by" target="." test="exists(responsible-party[@role-id eq 'prepared-by'])" level="ERROR">
-                <formal-name>Responsible Party Prepared By</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
-                <message>A FedRAMP SSP MUST have a responsible party that defines which party performs the role of preparing the document.</message>
-            </expect>
-            <expect id="responsible-party-prepared-by-location-valid" target="." test="($prepared-by-party/address[@type='work'] and $prepared-by-party/address/addr-line and $prepared-by-party/address/city and $prepared-by-party/address/state and $prepared-by-party/address/postal-code) or ($prepared-by-location/address[@type='work'] and $prepared-by-location/address/addr-line and $prepared-by-location/address/city and $prepared-by-location/address/state and $prepared-by-location/address/postal-code)" level="ERROR">
-                <formal-name>Responsible Party Prepared By Location Valid</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
-                <message>A FedRAMP SSP MUST have a responsible party for preparing the document, and that party MUST define an address.</message>
-            </expect>
             <expect id="role-defined-authorizing-official-poc" target="." test="role[@id eq 'authorizing-official-poc']" level="ERROR">
                 <formal-name>Role Defined Authorizing Official POC</formal-name>
                 <!-- TODO: Add supporting documentation to automate.fedramp.gov -->
@@ -216,11 +187,6 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#assignment-of-security-responsibilities"/>
                 <message>A FedRAMP SSP MUST define a role for the point of contact for an information system security officer.</message>
             </expect>
-            <expect id="role-defined-prepared-by" target="." test="exists(role[@id eq 'prepared-by'])" level="ERROR">
-                <formal-name>Role Defined Prepared By</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
-                <message>A FedRAMP SSP MUST define a role for preparing this document.</message>
-            </expect>
             <expect id="role-defined-system-owner" target="." test="role[@id eq 'system-owner']" level="ERROR">
                 <formal-name>Role Defined System Owner</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#information-system-owner"/>
@@ -472,16 +438,33 @@
             </expect>
         </constraints>
     </context>
+
+	<context>
+		<metapath target="/system-security-plan/system-implementation"/>
+		<constraints>
+			<expect id="has-inventory-items" target="." test="count(inventory-item) >= 2" level="ERROR">
+				<formal-name>System Implementation Has Inventory Items</formal-name>
+				<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+				<message>A FedRAMP SSP system implementation section MUST have at least one inventory item.</message>
+			</expect>
+		</constraints>
+	</context>
+
     <context>
-        <metapath target="/(assessment-plan|assessment-results|plan-of-action-and-milestones|system-security-plan)/metadata"/>
+        <metapath target="/system-security-plan/metadata/location"/>
         <constraints>
-            <expect id="has-published-date" target="." test="exists(published)" level="ERROR">
-                <formal-name>Has Published Date</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#title-page"/>
-                <message>All documents submitted to FedRAMP MUST define a valid publication date.</message>
+            <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
+                <formal-name>Data Center Has Country Code</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>Each data center address MUST contain a country code.</message>
+            </expect>
+            <expect id="data-center-us" target="." test="address/country eq 'US'">
+                <formal-name>Data Center In United States</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers"/>
+                <message>Each data center MUST have an address that is within the United States.</message>
             </expect>
         </constraints>
-    </context>    
+    </context>
     <context>
         <metapath target="/(assessment-plan|assessment-results|plan-of-action-and-milestones|system-security-plan)/metadata/party"/>
         <constraints>
@@ -492,4 +475,5 @@
             </expect>
         </constraints>
     </context>
+
 </metaschema-meta-constraints>

src/validations/constraints/unit-tests/has-inventory-items-FAIL.yaml

@@ -0,0 +1,8 @@
+# Driver for the invalid has-inventory-items constraint unit test.
+test-case:
+  name: The invalid has-inventory-items constraint unit test.
+  description: Test that the FedRAMP SSP contains only one inventory item.
+  content: ../content/ssp-has-inventory-items-INVALID.xml
+  expectations:
+  - constraint-id: has-inventory-items
+    result: fail

src/validations/constraints/unit-tests/has-inventory-items-PASS.yaml

@@ -0,0 +1,8 @@
+# Driver for the valid has-inventory-items constraint unit test.
+test-case:
+  name: The valid has-inventory-items constraint unit test.
+  description: Test that the FedRAMP SSP contains the two or more inventory items.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+  - constraint-id: has-inventory-items
+    result: pass