[DONOTMERGE] Add inter-boundary-component-direction-incoming-has-ipv-…

…uri constraint

features/fedramp_extensions.feature

@@ -92,7 +92,6 @@ Examples:
   | has-rules-of-behavior |
   | has-security-impact-level |
   | has-security-sensitivity-level |
-  | has-separation-of-duties-matrix |
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
@@ -104,6 +103,7 @@ Examples:
   | information-type-has-confidentiality-impact |
   | information-type-has-integrity-impact |
   | information-type-system |
+  | inter-boundary-component-direction-incoming-has-ipv-uri |
   | inter-boundary-component-has-direction |
   | interconnection-direction |
   | interconnection-security |
@@ -299,8 +299,6 @@ Examples:
   | has-security-impact-level-PASS.yaml |
   | has-security-sensitivity-level-FAIL.yaml |
   | has-security-sensitivity-level-PASS.yaml |
-  | has-separation-of-duties-matrix-FAIL.yaml |
-  | has-separation-of-duties-matrix-PASS.yaml |
   | has-system-id-FAIL.yaml |
   | has-system-id-PASS.yaml |
   | has-system-name-short-FAIL.yaml |
@@ -323,6 +321,8 @@ Examples:
   | information-type-id-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
+  | inter-boundary-component-direction-incoming-has-ipv-uri-FAIL.yaml |
+  | inter-boundary-component-direction-incoming-has-ipv-uri-PASS.yaml |
   | inter-boundary-component-has-direction-FAIL.yaml |
   | inter-boundary-component-has-direction-PASS.yaml |
   | interconnection-direction-FAIL.yaml |

src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

@@ -1196,6 +1196,12 @@
          </prop>
 
          <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001" />
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.3"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.3"/>
+
          <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
 
          <status state="operational"/>
@@ -1781,6 +1787,14 @@
          <prop ns="https://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
          <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
          <prop name="allows-authenticated-scan" value="yes"/>
+
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.4"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.4"/>   
+
+
          <link href="#11111111-2222-4000-8000-009000500006" rel="used-by" />
          <status state="operational"/>
          <responsible-role role-id="admin">
@@ -2192,6 +2206,12 @@
                <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
             </remarks>
          </prop>
+
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="local" value="10.1.1.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.5"/>
+         <prop ns="https://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.5"/>
+
          <link href="#11111111-2222-4000-8000-009000500005" rel="used-by" />
          <!-- is-scanned prop applies to inventory-item (not component) -->
          <!-- <prop name="is-scanned" value="yes"/> -->

src/validations/constraints/content/ssp-inter-boundary-component-direction-incoming-has-ipv-uri-INVALID.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+
+    <component uuid="77777777-0000-4000-9000-000000000008" type="service">
+      <title>Communication Service System</title>
+      <description>
+        <p>A network communication service system.</p>
+      </description>
+      <prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001"/>
+      <prop name="implementation-point" value="external"/>
+      <prop name="direction" value="incoming" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
+      <status state="operational"/>
+    </component>
+
+  </system-implementation>
+
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -545,6 +545,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>A FedRAMP SSP system implementation section MUST have at least two inventory items.</message>
             </expect>
+            <expect id="inter-boundary-component-direction-incoming-has-ipv-uri" target="$inter-boundary-component" test="if (prop[@name='direction' and @value='incoming']) then exists(prop[@class='local' and @name=('ipv4-address','ipv6-address')]) or exists(link[@rel='uri']) else true()" level="ERROR">
+               <formal-name>Inter-Boundary Incoming Communication Direction Has an IPV Address or a URI</formal-name>
+               <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
+               <message>Component {@uuid} ({path(.)}) MUST have at least one local ipv4 address, ipv6 address, or a URI to an API.</message>
+            </expect>
             <expect id="inter-boundary-component-has-direction" target="$inter-boundary-component" test="count(prop[@name='direction']) >= 1 and count(prop[@name='direction' and @value='incoming']) &lt;= 1 and count(prop[@name='direction' and @value='outgoing']) &lt;= 1" level="ERROR">
                 <formal-name>Inter-Boundary Component Has Direction</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>

src/validations/constraints/unit-tests/inter-boundary-component-direction-incoming-has-ipv-uri-FAIL.yaml

@@ -0,0 +1,8 @@
+# Driver for the invalid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+test-case:
+  name: The invalid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary incoming communication component does not have a local ipv4 address, ipv6 address, or a URI to an API.
+  content: ../content/ssp-inter-boundary-component-direction-incoming-has-ipv-uri-INVALID.xml
+  expectations:
+  - constraint-id: inter-boundary-component-direction-incoming-has-ipv-uri
+    result: fail

src/validations/constraints/unit-tests/inter-boundary-component-direction-incoming-has-ipv-uri-PASS.yaml

@@ -0,0 +1,8 @@
+# Driver for the valid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+test-case:
+  name: The valid inter-boundary-component-direction-incoming-has-ipv-uri constraint unit test.
+  description: Test that the FedRAMP SSP inter-boundary incoming communication component has at least one local ipv4 address, ipv6 address, or a URI to an API.
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+  - constraint-id: inter-boundary-component-direction-incoming-has-ipv-uri
+    result: pass