This repository has been archived by the owner on Dec 12, 2023. It is now read-only.

Check for Additional Extraneous Implemented Requirements for Controls (#34)

* Fix analysis report looping bug.

Since we were looping through items that are > 1, we were starting to
loop through the 2nd item of a list of reports (//reports/report) in an
analysis template in a variable. Noticed this when looking at the result of
a lv:report() on implemented-requirements.

* Whoops, misread docs syntax.

* Fix-up actual assertion.

* Add tests.

* Fix spacing issue.

* And fix misleading comment for negative test.
ohsh6o authored Dec 7, 2020
1 parent 29244b7 commit 32ad779
Showing 2 changed files with 48 additions and 2 deletions.
6 changes: 4 additions & 2 deletions resources/validations/src/ssp.sch
@@ -179,9 +179,9 @@
<xsl:otherwise> items total. </xsl:otherwise>
</xsl:choose>
<xsl:for-each select="$analysis/reports/report">
<xsl:if test="position() gt 1 and not(position() eq last())">
<xsl:if test="position() gt 0 and not(position() eq last())">
<xsl:value-of select="current()/@count"/> set as <xsl:value-of select="current()/@value"/>, </xsl:if>
<xsl:if test="position() gt 1 and position() eq last()"
<xsl:if test="position() gt 0 and position() eq last()"
> and <xsl:value-of select="current()/@count"/> set as <xsl:value-of select="current()/@value"/>.</xsl:if>
<xsl:sequence select="."/>
</xsl:for-each>
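Review bot: `position() gt 0` in the two changed xsl:if tests is always true inside an xsl:for-each (positions start at 1), so the guard is now dead weight; the fix reads more clearly as `<xsl:if test="not(position() eq last())">` and `<xsl:if test="position() eq last()">`. Also check the single-report case: with exactly one report only the second branch matches, so the text becomes "... items total. and N set as X." because the leading " and " is emitted whether or not anything preceded it; guarding that branch with `last() gt 1` (or building the list with string-join) avoids the stray conjunction.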
@@ -217,8 +217,10 @@
<sch:let name="required-controls" value="$selected-profile/*//o:control"/>
<sch:let name="implemented" value="o:implemented-requirement"/>
<sch:let name="missing" value="$required-controls[not(@id = $implemented/@control-id)]"/>
<sch:let name="extraneous" value="$implemented[not(@control-id = $required-controls/@id)]"/>
<sch:report id="each-required-control-report" test="count($required-controls) > 0">The following <sch:value-of select="count($required-controls)"/><sch:value-of select="if (count($required-controls)=1) then ' control' else ' controls'"/> are required: <sch:value-of select="$required-controls/@id"/></sch:report>
<sch:assert id="incomplete-implementation-requirements" test="not(exists($missing))">This SSP has not implemented <sch:value-of select="count($missing)"/><sch:value-of select="if (count($missing)=1) then ' control' else ' controls'"/>: <sch:value-of select="$missing/@id"/></sch:assert>
<sch:assert id="extraneous-implemented-requirements" test="not(exists($extraneous))">This SSP has implemented <sch:value-of select="count($extraneous)"/> extraneous<sch:value-of select="if (count($extraneous)=1) then ' control' else ' controls'"/> not needed given the selected profile: <sch:value-of select="$extraneous/@control-id"/></sch:assert>
<sch:let name="results" value="$ok-values => lv:analyze(//o:implemented-requirement/o:annotation[@name='implementation-status'])"/>
<sch:let name="total" value="$results/reports/@count"/>
<sch:report id="control-implemented-requirements-stats" test="count($results/errors/error) = 0"><sch:value-of select="$results => lv:report() => normalize-space()"/></sch:report>
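Review bot: the new `extraneous-implemented-requirements` assert makes any implemented-requirement outside the selected profile a hard validation failure, which is a stricter policy than the mirror-image `incomplete-implementation-requirements` assert implies; an SSP that implements a control beyond its baseline is not obviously wrong, so consider a `sch:report` (informational) instead of a failing `sch:assert`, or document why over-implementation is an error. Separately, the let `<sch:let name="extraneous" value="$implemented[not(@control-id = $required-controls/@id)]"/>` degrades badly when `$selected-profile` does not resolve: `$required-controls` is then empty, nothing is reported missing, but every implemented-requirement is flagged extraneous. Guard the assert with `exists($required-controls)`, as the neighbouring report already does with `count($required-controls) > 0`. Minor: "extraneous controls not needed given the selected profile" says the same thing twice; "N controls not in the selected profile" is tighter.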
44 changes: 44 additions & 0 deletions resources/validations/test/ssp.xspec
@@ -111,6 +111,50 @@
<x:expect-assert id="incomplete-implementation-requirements" label="it is invalid."/>
</x:scenario>
</x:scenario>
<x:scenario label="when an extraneous control not required by the profile is implemented">
<x:context>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
<system-characteristics>
<!--
NOTE: At this time, 800-53 control AC-5 is not required
for the FedRAMP LOW profile. It is required for the FedRAMP
HIGH profile, so this is extraneous.
-->
<security-sensitivity-level>low</security-sensitivity-level>
</system-characteristics>
<control-implementation>
<implemented-requirement control-id="ac-5" uuid="373c8a10-7885-4209-9e55-0b69747cb6b9">
<annotation name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="implemented">
<remarks></remarks>
</annotation>
</implemented-requirement>
</control-implementation>
</system-security-plan>
</x:context>
<x:expect-assert id="extraneous-implemented-requirements" label="it is invalid."/>
</x:scenario>
<x:scenario label="when no extraneous control is implemented except those required by the profile">
<x:context>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
<system-characteristics>
<!--
NOTE: At this time, 800-53 control AC-1 is required for
the FedRAMP LOW profile. It is required for the FedRAMP
HIGH profile, so this is extraneous.
-->
<security-sensitivity-level>low</security-sensitivity-level>
</system-characteristics>
<control-implementation>
<implemented-requirement control-id="ac-1" uuid="4b81d5aa-2149-4b7b-ab28-69e390226784">
<annotation name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="partial">
<remarks></remarks>
</annotation>
</implemented-requirement>
</control-implementation>
</system-security-plan>
</x:context>
<x:expect-not-assert id="extraneous-implemented-requirements" label="it is valid."/>
</x:scenario>
</x:scenario>
<x:scenario label="For FedRAMP Automation helper functions">
<x:scenario label="with if-empty-default">
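Review bot: the comment in the negative-test fixture still ends "so this is extraneous", which contradicts the `x:expect-not-assert` it sits above and the commit's stated intent of fixing that comment; it should say that AC-1 is required for the FedRAMP LOW profile, so it is not extraneous. The scenario label "when no extraneous control is implemented except those required by the profile" is also garbled; "when only controls required by the profile are implemented" states what the test checks. Both fixtures also contain a single implemented-requirement, so the pre-existing `incomplete-implementation-requirements` assert presumably fires on them as well; that does not break a single-id `x:expect-assert`/`x:expect-not-assert`, but a short note in the fixture comment that the SSP is deliberately incomplete would save the next reader a puzzle.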
