Add 'used-by-link-references-component' constraint

features/fedramp_extensions.feature

@@ -137,6 +137,7 @@ Examples:
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | unique-inventory-item-asset-id |
+  | used-by-link-references-component |
   | user-authentication |
   | user-has-authorized-privilege |
   | user-has-role-id |
@@ -385,6 +386,8 @@ Examples:
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |
   | unique-inventory-item-asset-id-PASS.yaml |
+  | used-by-link-references-component-FAIL.yaml |
+  | used-by-link-references-component-PASS.yaml |
   | user-authentication-FAIL.yaml |
   | user-authentication-PASS.yaml |
   | user-has-authorized-privilege-FAIL.yaml |

src/validations/constraints/content/ssp-used-by-link-references-component-INVALID.xml

@@ -0,0 +1,11 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <!-- <component uuid="11111111-2222-4000-8000-009000000000" type="service">
+    </component> Missing the referenced component in the used-by link.-->
+    <component uuid="11111111-2222-4000-8000-009000200001" type="service">
+      <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
+      <protocol name="ftp" uuid="11111111-2222-4000-8000-010000000001">
+      </protocol>
+    </component>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -564,6 +564,11 @@
                     <p>A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.</p>
                 </remarks>
             </is-unique>
+            <expect id="used-by-link-references-component" target="component[protocol]/link[@rel='used-by']" test="some $uuid in ../../component/@uuid satisfies $uuid = substring-after(@href, '#')" level="ERROR">
+                <formal-name>Used-By Link References Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
+                <message>A FedRAMP SSP's component MUST reference components that use it via network communication. Component "{ string(../title) }" references a nonexistent component "{@href}".</message>
+            </expect>
         </constraints>
     </context>
 

src/validations/constraints/unit-tests/used-by-link-references-component-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for used-by-link-references-component
+  description: >-
+    This test case validates the behavior of constraint
+    used-by-link-references-component
+  content: ../content/ssp-used-by-link-references-component-INVALID.xml
+  expectations:
+    - constraint-id: used-by-link-references-component
+      result: fail

src/validations/constraints/unit-tests/used-by-link-references-component-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for used-by-link-references-component
+  description: >-
+    This test case validates the behavior of constraint
+    used-by-link-references-component
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: used-by-link-references-component
+      result: pass