Tasks/issue 5

.gitignore

@@ -1,2 +1,7 @@
 documents/source
-utils
+utils
+.history/*
+
+resources/validations/src/ssp.xsl
+resources/validations/report
+resources/validations/target

.gitmodules

@@ -2,3 +2,9 @@
 	path = oscal
 	url = https://github.com/usnistgov/OSCAL.git
 	branch = master
+[submodule "resources/validations/test/xspec"]
+	path = resources/validations/lib/xspec
+	url = https://github.com/xspec/xspec.git
+[submodule "resources/validations/src/schematron"]
+	path = resources/validations/lib/schematron
+	url = https://github.com/schematron/schematron.git

resources/validations/README.md

@@ -0,0 +1,42 @@
+Schematron Validations for OSCAL
+===
+
+project structure
+---
+
+`/src` for the sch files
+`/lib` for toolchain dependencies (e.g. Schematron)
+`/report/test` for XSpec outputs
+`/report/schematron` for final validations in Schematron SVRL reporting format
+`/target` for intermediary and compiled artifacts (e.g. XSLT stylesheets)
+`/test` for any XSpec or other testing artifacts
+`/test/demo` xml files for validating XSpec against
+
+To validate xml files using schematron
+---
+
+example
+
+`./validate_with_schematron.sh test/demo/FedRAMP-SSP-OSCAL-Template.xml`
+
+you must pass in a file name you want validated as argument `$1`. by default it will compile and validate the input with all `src/*.sch` files.
+
+if you wish to override the default version (currently 10.2) of `SAXON HE`, you may pass it as the argument `$2`
+
+
+
+To Run Tests
+---
+
+```sh
+cd /path/to/fedramp-automation/resources/validations
+export SAXON_CP=yourpath/Saxon-HE-X.Y.Z.jar
+export TEST_DIR=$(pwd)/report/test
+lib/xspec/bin/xspec.sh -s -j test/test_all.xspec
+```
+
+Adding tests to the harness
+---
+
+To add new tests, add an import to the `test-all.xpec`
+ex: `<x:import href="new_test.xspec" />`

resources/validations/bin/validate_with_schematron.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+if [ ! -e  "$1" ]; then
+    echo "no file input for report, exiting"
+    exit 1
+fi
+DOC_TO_VALIDATE="$1"
+echo "doc requested to be validated: ${DOC_TO_VALIDATE}"
+
+# Delete pre-existing XSLT report
+rm -rf target/*.xsl;
+SAXON_VERSION=$2
+SAXON_VERSION=${SAXON_VERSION:-10.2}
+
+echo "using saxon version ${SAXON_VERSION}"
+
+mvn -q org.apache.maven.plugins:maven-dependency-plugin:2.1:get \
+    -DrepoUrl=https://mvnrepository.com/ \
+    -DartifactId=Saxon-HE \
+    -DgroupId=net.sf.saxon \
+    -Dversion="${SAXON_VERSION}"
+
+# Delete pre-existing SVRL report
+rm -rf report/schematron/*.results.xml
+
+for qualifiedSchematronName in src/*.sch; do
+    [ -e "${qualifiedSchematronName}" ] || continue
+
+    # compute name without .sch
+    schematronName=${qualifiedSchematronName##*/}
+    schematronRoot=${schematronName%.*}
+
+    # Use Saxon XSL transform to convert our Schematron to pure XSL 2.0 stylesheet
+    saxon_jar=~/.m2/repository/net/sf/saxon/Saxon-HE/"${SAXON_VERSION}"/Saxon-HE-"${SAXON_VERSION}".jar
+    java -cp "${saxon_jar}" net.sf.saxon.Transform -o:target/"${schematronRoot}".xsl -s:"${qualifiedSchematronName}" lib/schematron/trunk/schematron/code/iso_svrl_for_xslt2.xsl
+    echo "compiling: ${qualifiedSchematronName} to: target/${schematronRoot}.xsl"
+
+    # Use Saxon XSL transform to use XSL-ified Schematron rules to analyze full FedRAMP-SSP-OSCAL template
+    # and dump the result into reports.
+    reportName="report/schematron/${DOC_TO_VALIDATE}__${schematronRoot}.results.xml"
+    echo "validating doc: ${DOC_TO_VALIDATE} with ${qualifiedSchematronName} output found in ${reportName}"
+    java -cp "${saxon_jar}" net.sf.saxon.Transform -o:"${reportName}" -s:"${DOC_TO_VALIDATE}" target/"${schematronRoot}".xsl
+done

resources/validations/src/ssp.sch

@@ -0,0 +1,41 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt2"
+    xmlns:sqf="http://www.schematron-quickfix.com/validator/process"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:o="http://csrc.nist.gov/ns/oscal/1.0">
+
+<sch:ns prefix="f"     uri="https://fedramp.gov/ns/oscal"/>
+<sch:ns prefix="o"     uri="http://csrc.nist.gov/ns/oscal/1.0"/>
+<sch:ns prefix="oscal" uri="http://csrc.nist.gov/ns/oscal/1.0"/>
+
+<sch:title>FedRAMP System Security Plan Validations</sch:title>
+
+<sch:let name="values" value="doc(resolve-uri('../../xml/fedramp_values.xml'))"/>
+<sch:let name="levels" value="$values/f:fedramp-values/f:value-set[@name='security-sensitivity-level']/f:allowed-values/f:enum/@value"/>
+
+<sch:let name="low-p"  value="doc(resolve-uri('../../../baselines/xml/FedRAMP_LOW-baseline_profile.xml'))"/>
+<sch:let name="mod-p"  value="doc(resolve-uri('../../../baselines/xml/FedRAMP_MODERATE-baseline_profile.xml'))"/>
+<sch:let name="high-p" value="doc(resolve-uri('../../../baselines/xml/FedRAMP_HIGH-baseline_profile.xml'))"/>
+
+<sch:pattern>
+    <sch:rule context="o:system-security-plan/o:system-characteristics/o:security-sensitivity-level">
+        <sch:assert test=". = $levels"><sch:value-of select="./name()"/> is an invalid value <sch:value-of select="."/></sch:assert>
+    </sch:rule>
+</sch:pattern>
+<sch:pattern>
+    <sch:rule context="o:system-security-plan">
+        <sch:let name="all" value="o:control-implementation/o:implemented-requirement[o:annotation[@name='implementation-status']]"/>
+        <sch:let name="planned" value="o:control-implementation/o:implemented-requirement[o:annotation[@name='implementation-status' and @value='planned']]"/>
+        <sch:let name="partial" value="o:control-implementation/o:implemented-requirement[o:annotation[@name='implementation-status' and @value='partial']]"/>
+        <sch:report test="true()">I see <sch:value-of select="count($partial)"/> partial<sch:value-of select="if (count($partial)=1) then ' control implementation' else ' control implementations'"/>.</sch:report>
+        <sch:report test="true()">I see <sch:value-of select="count($planned)"/> planned<sch:value-of select="if (count($planned)=1) then ' control implementation' else ' control implementations'"/>.</sch:report>
+        <sch:report test="true()">I see <sch:value-of select="count($all)"/> total<sch:value-of select="if (count($all)=1) then ' control implementation' else ' control implementations'"/>.</sch:report>
+    </sch:rule>
+    <sch:rule context="/o:system-security-plan/o:control-implementation">
+        <sch:let name="required" value="$low-p/o:profile/o:import/o:include/o:call"/>
+        <sch:let name="implemented" value="o:implemented-requirement"/>
+        <sch:let name="missing" value="$required[not(@control-id = $implemented/@control-id)]"/>
+        <sch:report test="true()">The following <sch:value-of select="count($required)"/><sch:value-of select="if (count($required)=1) then ' control' else ' controls'"/> are required: <sch:value-of select="$required/@control-id"/></sch:report>
+        <sch:assert test="count($missing) = 0">This SSP has not implemented <sch:value-of select="count($missing)"/><sch:value-of select="if (count($missing)=1) then ' control' else ' controls'"/>: <sch:value-of select="$missing/@control-id"/></sch:assert>
+    </sch:rule>
+</sch:pattern>
+</sch:schema>