Add bad constraint id, help-url map-fed for #798

We will wrap with this approach, but it should demonstrate this approach
will not work and template strings, wrapped with a TVT handlers or not,
just get processed as strings. The specification is unclear if this
approach could ever be supported outside of `message` anyway, but it
escaped my memory until today's standup.

src/validations/constraints/fedramp-external-constraints.xml

@@ -195,23 +195,28 @@
     </context>
 
     <context>
-        <metapath target="system-security-plan/control-implementation/implemented-requirement/statement/by-component" />        
+        <metapath target="system-security-plan/control-implementation/implemented-requirement/statement" />        
         <constraints>
-            <let var="statement-id" expression="('ac-1_smt.a', 'ac-2_smt.b')"/>
-            <let var="control-id" expression="../../../@control-id"/>
-            <let var="component-uuid" expression="@component-uuid"/>
-            <expect id="control-statement-missing-policy-component" target=".[../@statement-id = $statement-id]" test="../../../../system-implementation/component[@uuid = $component-uuid and @type='policy']">
-                <formal-name>Required Attachment is Present</formal-name>
+            <let var="policy-statements" expression="map{
+                    'ac-1_smt.a': map{
+                        'id': 'has-ac1-policy-example',
+                        'message': 'Policy example 1.',
+                        'help-url': 'https://automate.fedramp.gov/example/docs/attachments/ac-1',
+                    }
+                }"/>
+            <let var="procedure-statements" expression="map{
+                    'ac-1_smt.a': 'Procedure example 1.'
+                }"/>
+            <expect id="{$policy-controls(@statement-id)('help-url')}" target=".[@statement-id = map:keys($policy-statements)]" test="exists(../../../system-implementation/component[@uuid = by-component-uuid/@component-uuid and @type='policy'])" level="ERROR">
+                <formal-name>Required Policy Attachment is Present</formal-name>
+                <prop name="help-url"  namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" value="{$policy-controls(@statement-id)('help-url')}" />
+                <message>{$policy-statements(@statement-id)('message')}</message>
+            </expect>
+            <expect id="control-statement-missing-procedure-component" target=".[@statement-id = map:keys($procedure-statements)]" test="exists(../../../system-implementation/component[@uuid = by-component/@component-uuid and @type='process-procedure'])">
+                <formal-name>Required Procedure Attachment is Present</formal-name>
                 <prop name="help-url"  namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" value="https://automate.fedramp.gov/placeholder" />
-                <message>A FedRAMP SSP MUST define attachments that document control implementation in a policy component. Control statement {../@statement-id} is missing such a policy component.</message>
-            </expect>
-            <expect id="control-statement-missing-policy-component"
-            target=".[../@statement-id = $statement-id]"
-            test="../../../../system-implementation/component[@uuid = $component-uuid and @type='process-procedure']">
-                <formal-name>Required Attachment is Present</formal-name>
-                <prop name="help-url"  namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" value="https://automate.fedramp.gov/placeholder" />
-                <message>A FedRAMP SSP MUST define attachments that document control implementation in a policy component. Control statement {../@statement-id} is missing such a policy component.</message>
-            </expect>            
+                <message>{$policy-statements(@statement-id)('message')}</message>
+            </expect>       
         </constraints>
     </context>